Analytics Story: Windows System Binary Proxy Execution MSIExec

Date: 2022-06-16 ID: bea2e16b-4599-46ad-a95b-116078726c68 Author: Michael Haag, Splunk Product: Splunk Enterprise Security

Description

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).

Why it matters

Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs. Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
Windows HTTP Network Communication From MSIExec	Msiexec	Anomaly
Windows MSIExec DLLRegisterServer	Msiexec	TTP
Windows MSIExec Remote Download	Msiexec	TTP
Windows MSIExec Spawn Discovery Command	Msiexec	TTP
Windows MSIExec Unregister DLLRegisterServer	Msiexec	TTP

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
CrowdStrike ProcessRollup2	N/A	`crowdstrike:events:sensor`	`crowdstrike`
Sysmon EventID 1	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 3	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Windows Event Log Security 4688	Windows	`xmlwineventlog`	`XmlWinEventLog:Security`

References

https://attack.mitre.org/techniques/T1218/007/

Source: GitHub | Version: 1