false positives might still be present, depending on the installer. filter as needed.

Techniques

T1218.007

Sample rules

Windows MSIExec Spawn Discovery Command

source: splunk
technicques:
- T1218.007

Description

The following analytic detects MSIExec spawning multiple discovery commands. This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where MSIExec is the parent process. If confirmed malicious, an attacker could use these discovery commands to gather system information, potentially leading to further exploitation or lateral movement within the network.

Detection logic


| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

FROM datamodel=Endpoint.Processes WHERE

Processes.parent_process_name=msiexec.exe

(
    Processes.process_name IN (
        "arp.exe"
        "dsget.exe",
        "hostname.exe",
        "ipconfig.exe",
        "nbtstat.exe",
        "netdom.exe",
        "nltest.exe",
        "ntdsutil.exe",
        "qprocess.exe",
        "qwinsta.exe",
        "systeminfo.exe"
        "wmic.exe"
    )
    OR
    (
        Processes.process_name IN (
            "bash.exe",
            "cmd.exe",
            "powershell.exe",
            "powershell_ise.exe",
            "pwsh.exe"
        )

        (
            Processes.process IN (
                "*arp *",
                "*dsget*",
                "*hostname*",
                "*ipconfig*",
                "*nbtstat*",
                "*netdom*",
                "*nltest*",
                "*ntdsutil*",
                "*qprocess *",
                "*qwinsta*",
                "*systeminfo*",
                "*wmic *"
            )
            OR
            (
                (
                    Processes.process IN (
                        "*net *",
                        "*net.exe *",
                        "*net1*"
                        "*net1.exe*"
                    )
                    OR
                    Processes.process_name IN (
                        "net.exe",
                        "net1.exe"
                    )
                )
                Processes.process = "*view*"
            )
            OR
            (
                (
                    Processes.process IN (
                        "*reg *",
                        "*reg.exe *"
                        "*sc *",
                        "*sc.exe *",
                    )
                    OR
                    Processes.process_name IN (
                        "reg.exe",
                        "sc.exe"
                    )
                )
                Processes.process = "*query*"
                NOT Processes.process = "* /SC *"
            )
            OR
            (
                (
                    Processes.process IN (
                        "*query *",
                        "*query.exe*"
                    )
                    OR
                    Processes.process_name = "query.exe"
                )
                Processes.process IN (
                    "* process",
                    "* session",
                    "* user",
                )
            )
        )
    )
)
BY Processes.action Processes.dest Processes.original_file_name
   Processes.parent_process Processes.parent_process_exec
   Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path
   Processes.process Processes.process_exec Processes.process_guid
   Processes.process_hash Processes.process_id Processes.process_integrity_level
   Processes.process_name Processes.process_path Processes.user
   Processes.user_id Processes.vendor_product


| `drop_dm_object_name(Processes)`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `windows_msiexec_spawn_discovery_command_filter`