false positives will be present and filtering is required.

Techniques

T1218.007

Sample rules

Windows MSIExec With Network Connections

source: splunk
technicques:
- T1218.007

Description

The following analytic identifies MSIExec with any network connection over port 443 or 80. Typically, MSIExec does not perform network communication to the internet.

Detection logic


| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_msiexec` by _time Processes.user Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| join  process_id [
| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN ("80","443") by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port All_Traffic.dest_ip 
| `drop_dm_object_name(All_Traffic)` ] 
| table _time user dest parent_process_name process_name process_path process process_id dest_port dest_ip 
| `windows_msiexec_with_network_connections_filter`