Loading

Potential Remote Install via MsiExec

Identifies attempts to install a file from a remote server using MsiExec. Adversaries may abuse Windows Installers for initial access and delivery of malware.

Rule type: eql
Rule indices:

  • endgame-*
  • logs-crowdstrike.fdr*
  • logs-endpoint.events.process-*
  • logs-m365_defender.event-*
  • logs-sentinel_one_cloud_funnel.*
  • logs-system.security*
  • logs-windows.forwarded*
  • logs-windows.sysmon_operational-*
  • winlogbeat-*

Rule Severity: high
Risk Score: 73
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:

Tags:

  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Defense Evasion
  • Data Source: Elastic Endgame
  • Data Source: Elastic Defend
  • Data Source: Windows Security Event Logs
  • Data Source: Microsoft Defender XDR
  • Data Source: Sysmon
  • Data Source: SentinelOne
  • Data Source: Crowdstrike
  • Resources: Investigation Guide

Version: 5
Rule authors:

  • Elastic

Rule license: Elastic License v2

This rule is designed for data generated by Elastic Defend, which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

  • What remote installer behavior is preserved in the alert?

    • Focus: process.command_line, process.parent.name, and process.parent.command_line, especially quiet install or patch switches, the remote MSI or TRANSFORMS= source, and HTTP, raw-IP, public-hosting, or recognized distribution sources.
    • Implication: escalate for quiet remote installs, remote MSTs, or patches from suspicious infrastructure under interactive or script-launcher parents; lower concern only when the command, source, and parent match one recurring deployment, repair, or onboarding pattern.

  • Is the msiexec binary identity expected for Windows Installer?

    • Focus: process.executable, process.pe.original_file_name, process.code_signature.subject_name, process.code_signature.trusted, and process.hash.sha256.
    • Implication: escalate faster when msiexec is renamed, unsigned, untrusted, newly seen, or in a user-writable path; trusted Microsoft identity only confirms the proxy binary, not the remote install.

  • Does the parent and ancestry explain why msiexec ran?

    • Focus: process.parent.executable, process.parent.command_line, process.Ext.ancestry, user.id, and the affected host.
    • Implication: escalate when browser-adjacent, script, shell, WMI, or unusual interactive ancestry invokes the remote package without a stable workflow; lower concern when the parent, user, and host pattern fits a recognized management or support path.

  • Do process events show payload execution after the installer starts?

    • Focus: child starts on the same host.id where process.parent.entity_id matches process.entity_id, checking child process.command_line, process.executable, and process.hash.sha256. $investigate_0
    • Hint: use host.id + process.pid + tight alert window only when entity linkage is unavailable, and treat the result as weaker.
    • Implication: escalate when msiexec spawns shells, script interpreters, LOLBins, scheduled-task tools, or user-space binaries tied to the remote package; lower concern when follow-on activity stays inside the same signed product install flow.

  • Does the remote source and workflow context fit one legitimate package path?

    • Focus: URL, host, package name, or remote TRANSFORMS= in process.command_line, plus process.parent.executable, user.id, and host.id context for that source.
    • Hint: if network or file telemetry exists, correlate destination or artifact evidence with host.id + process.entity_id; use host.id + process.pid + tight alert window only without entity linkage. Missing file or network telemetry is unresolved, not benign, and does not block escalation when process evidence is strong. $investigate_1
    • Implication: escalate when the source is raw IPs, public file hosting, look-alike vendors, temp/download staging, or infrastructure unrelated to the expected product; lower concern when source, launcher, user-host scope, and recovered corroboration fit one internal distribution point or vendor service.

  • Escalate on suspicious quiet-install intent, mismatched identity or lineage, unfit package source, or payload child execution; close only when process evidence and recovered corroboration align to one exact deployment, repair, or support workflow; preserve and escalate when evidence is mixed or visibility is incomplete. Use same-user or same-host related alerts after escalation only to size scope, not prove the local alert. $investigate_2 $investigate_3

  • First check whether http: or https: follows /i or /p directly (remote source -- investigate) or sits inside a PROPERTY= value while the MSI source is local or relative (configuration URL -- likely benign). The rule excludes local C:\ sources after /i; UNC, relative-path, or other local sources with property URLs need manual confirmation or customer-side exceptions.
  • Legitimate deployment, patching, or agent-repair workflows can use quiet remote msiexec. Confirm when process.command_line, process.parent.executable, user.id, and host.id align to one recurring product path. Do not close on a vendor-looking URL, signed msiexec, or familiar parent name alone.
  • Build exceptions from process.parent.executable, package source pattern in process.command_line, and stable host.id or user.id cohort. Avoid exceptions on msiexec, process.parent.name, domain suffix, or user.name alone.
  • If confirmed benign, reverse any temporary containment and record the installer command, remote package source, parent launcher, signer/hash identity, affected user.id, affected host.id, and any recovered destination or artifact pattern. Create an exception only after the same workflow recurs across prior alerts from this rule.
  • If suspicious but unconfirmed, preserve the alert record, process tree, process.entity_id values, installer command line, remote URL or TRANSFORMS= value, parent command line, child process records, and any recovered package, destination, or provenance artifacts before containment. Apply reversible controls only when command, parent, or child-process evidence suggests active delivery; otherwise keep evidence collection open rather than starting cleanup.
  • If confirmed malicious, preserve process identifiers, command lines, recovered packages, and destination indicators before isolating the host, terminating msiexec or follow-on payloads, blocking confirmed indicators, or removing staged installers, extracted payloads, persistence changes, or scheduled-task material tied to the chain.
  • Post-incident hardening: close the delivery path that introduced the remote package, restrict msiexec remote-install use to controlled deployment tooling where feasible, review hosts where installer-elevation policy would increase impact, and document adjacent variants such as remote TRANSFORMS= abuse or DLL registration through /y and /z.
process where host.os.type == "windows" and event.type == "start" and
  process.name : "msiexec.exe" and process.args : ("-i*", "/i*", "-p*", "/p*") and
  process.command_line : ("*http:*", "*https:*") and
  process.args : ("/qn", "-qn", "-q", "/q", "/quiet") and
  process.parent.name : (
    "sihost.exe", "explorer.exe", "cmd.exe", "wscript.exe", "mshta.exe",
    "powershell.exe", "wmiprvse.exe", "pcalua.exe", "forfiles.exe", "conhost.exe"
  ) and

  not process.command_line : (
        "*--set-server=*", "*UPGRADEADD=*" , "*--url=*", "*USESERVERCONFIG=*", "*RCTENTERPRISESERVER=*",
        "*app.ninjarmm.com*", "*zoom.us/client*", "*SUPPORTSERVERSTSURI=*", "*START_URL=*", "*AUTOCONFIG=*",
        "*awscli.amazonaws.com*", "*/i \"C:*", "*/i C:\\*"
  )

Framework: MITRE ATT&CK

Framework: MITRE ATT&CK