Uncommon msiexec execution of an arbitrary file from a remote location

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

System Binary Proxy Execution: Msiexec (T1218.007)

Severity

Low

Description

Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations.

Attacker's Goals

Evading security controls and executing arbitrary files from the web.

Investigative actions

  • Is the URL that is encoded in the command line trusted.
  • Is executed DLL or MSI file known as legitimate.
  • Is the initiating process legitimate and the user running it knows of its use.
    Note - the MSI executable can run from other LAN locations, the alert will raise on the WAN connection.

Variations

Suspicious msiexec execution on an internet-facing endpoint

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

System Binary Proxy Execution: Msiexec (T1218.007)

Severity

Low

Description

Suspicious msiexec execution of an arbitrary file from the web on an internet-facing server.

Attacker's Goals

Evading security controls and executing arbitrary files from the web.

Investigative actions

  • Is the URL that is encoded in the command line trusted.
  • Is executed DLL or MSI file known as legitimate.
  • Is the initiating process legitimate and the user running it knows of its use.
    Note - the MSI executable can run from other LAN locations, the alert will raise on the WAN connection.