LoFP / Some rare installers have been seen communicating with external servers for additional information. While this is a very rare occurrence in some environments, an initial baseline of the destinations legitimate installers reach out to might be required before the rule is put into alerting.

Techniques

Sample rules

Msiexec.EXE Initiated Network Connection Over HTTP

Description

Detects a network connection initiated by "msiexec.exe" to destination port 80 or 443. Adversaries might abuse "msiexec.exe" to fetch, install and execute remotely hosted packages. The rule keys only on the process image, the port and the connection direction, not on the protocol or the payload, so a legitimate installer downloading components over HTTP or HTTPS matches in exactly the same way as a malicious one; the destination is what separates the two during triage.

Detection logic

condition: selection
selection:
  DestinationPort:
  - 80
  - 443
  Image|endswith: \msiexec.exe
  Initiated: 'true'
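The following is an added example, not code from the LoFP page or from the Sigma rule above. It evaluates the rule's selection against constructed Sysmon Event ID 3 style records and then applies the destination baseline the page suggests, so that installer traffic seen during a tuning window is set aside rather than paged on. The hostnames, addresses and baseline set are made up for the example.

```python
"""Added example, not code from the LoFP page or the Sigma rule it quotes.
It evaluates the rule's selection against constructed Sysmon Event ID 3 style
records and then applies a destination baseline (the mitigation the page
suggests) so that known installer update traffic does not page an analyst.
All hostnames and addresses below are made up for the example."""

# Constructed Sysmon network-connection events. Field names follow the Sigma
# selection; "Initiated" is the string Sysmon logs, not a boolean.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe", "DestinationPort": 443,
     "DestinationHostname": "cdn.installer-vendor.test", "Initiated": "true"},
    {"Image": r"C:\Windows\SysWOW64\msiexec.exe", "DestinationPort": 80,
     "DestinationHostname": "198.51.100.23", "Initiated": "true"},
    # Same binary, but SMB: outside the rule's port list.
    {"Image": r"C:\Windows\System32\msiexec.exe", "DestinationPort": 445,
     "DestinationHostname": "fileserver.corp.test", "Initiated": "true"},
    # Inbound connection to msiexec: Initiated is "false", so no match.
    {"Image": r"C:\Windows\System32\msiexec.exe", "DestinationPort": 443,
     "DestinationHostname": "198.51.100.23", "Initiated": "false"},
    # Sigma string matching is case-insensitive; this must still match.
    {"Image": r"C:\WINDOWS\SYSTEM32\MSIEXEC.EXE", "DestinationPort": 443,
     "DestinationHostname": "203.0.113.7", "Initiated": "True"},
    # Different process: no match regardless of port.
    {"Image": r"C:\Windows\System32\svchost.exe", "DestinationPort": 443,
     "DestinationHostname": "ctldl.windowsupdate.test", "Initiated": "true"},
]

# Hypothetical baseline: destinations seen from msiexec.exe during a tuning
# window. In practice this is built from the environment's own telemetry.
BASELINED_DESTINATIONS = {"cdn.installer-vendor.test"}


def matches_rule(event):
    """Mirror the Sigma selection: Image|endswith, port in list, Initiated true.
    Sigma compares strings case-insensitively, so normalise before comparing."""
    image = str(event.get("Image", "")).lower()
    initiated = str(event.get("Initiated", "")).lower()
    return (image.endswith("\\msiexec.exe")
            and event.get("DestinationPort") in (80, 443)
            and initiated == "true")


def triage(events, baseline=BASELINED_DESTINATIONS):
    """Return (alerts, suppressed): rule hits split by whether the destination
    was baselined. Baselined hits are kept, not dropped, so they can be
    reviewed if the baseline itself is ever questioned."""
    alerts, suppressed = [], []
    for event in events:
        if not matches_rule(event):
            continue
        if event.get("DestinationHostname") in baseline:
            suppressed.append(event)
        else:
            alerts.append(event)
    return alerts, suppressed


if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS)
    for e in alerts:
        print("ALERT", e["Image"], e["DestinationHostname"], e["DestinationPort"])
    for e in suppressed:
        print("baselined", e["Image"], e["DestinationHostname"])
```

Of the six constructed events, three satisfy the selection: the two plain outbound connections on 443 and 80, and the upper-cased image path with `Initiated: "True"`, which matches because Sigma string comparison is case-insensitive. The SMB connection, the inbound connection and the svchost.exe event do not. Only the vendor CDN hit is baselined; the raw IP destinations stay as alerts, which is the behaviour you want when tuning this rule.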