false positives will be present with msiexec spawning cmd or powershell. filtering will be needed. in addition, add other known discovery processes to enhance query.

t1218.007
endpoint
splunk

Techniques

T1218.007

Sample rules

Windows MSIExec Spawn Discovery Command

source: splunk
technicques:
- T1218.007

Description

The following analytic identifies MSIExec spawning multiple discovery commands, including spawning Cmd.exe or PowerShell.exe. Typically, child processes are not common from MSIExec other than MSIExec spawning itself.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=msiexec.exe Processes.process_name IN ("powershell.exe","cmd.exe", "nltest.exe","ipconfig.exe","systeminfo.exe") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_msiexec_spawn_discovery_command_filter`