LoFP / false positives may be present, filter by destination or parent process as needed.

Techniques

• T1218.007

Sample rules

Windows MSIExec Remote Download

• source: splunk
• technicques:
  • T1218.007

Description

The following analytic detects the use of msiexec.exe with an HTTP or HTTPS URL in the command line, indicating a remote file download attempt. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant as it may indicate an attempt to download and execute potentially malicious software from a remote server. If confirmed malicious, this could lead to unauthorized code execution, system compromise, or further malware deployment within the network.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process IN ("*http://*", "*https://*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_msiexec_remote_download_filter`