|
| 1 | +# Detect malicious use of Msiexec |
| 2 | + |
| 3 | +This query was originally published in the threat analytics report, *Msiexec abuse*. |
| 4 | + |
| 5 | +*[Msiexec.exe](https://docs.microsoft.com/windows-server/administration/windows-commands/msiexec)* is a Windows component that installs files with the *.msi* extension. These kinds of files are Windows installer packages, and are used by a wide array of legitimate software. However, malicious actors can re-purpose msiexec.exe for living-off-the-land attacks, where they use legitimate system binaries on the compromised device to perform attacks. |
| 6 | + |
| 7 | +The following query detects activity associated with misuse of msiexec.exe, particularly alongside [mimikatz](https://www.varonis.com/blog/what-is-mimikatz/), a common credential dumper and privilege escalation tool. |
| 8 | + |
| 9 | +## Query |
| 10 | + |
| 11 | +```Kusto |
| 12 | +//Find possible download and execution using Msiexec |
| 13 | +DeviceProcessEvents |
| 14 | +| where Timestamp > ago(30d) |
| 15 | +//MSIExec |
| 16 | +| where FileName =~ "msiexec.exe" and |
| 17 | +//With domain in command line |
| 18 | +(ProcessCommandLine has "http" and ProcessCommandLine has "return")//Find PowerShell running files from the temp folder |
| 19 | +DeviceProcessEvents |
| 20 | +| where Timestamp > ago(30d) |
| 21 | +//Looking for PowerShell |
| 22 | +| where FileName =~ "powershell.exe" |
| 23 | +//Looking for %temp% in the command line indicating deployment |
| 24 | +and ProcessCommandLine contains "%temp%"//Find credential theft attempts using Msiexec to run Mimikatz commands |
| 25 | +DeviceProcessEvents |
| 26 | +| where Timestamp > ago(30d) |
| 27 | +| where InitiatingProcessFileName =~ "msiexec.exe" |
| 28 | +//Mimikatz commands |
| 29 | +and (ProcessCommandLine contains "privilege::" |
| 30 | +or ProcessCommandLine has "sekurlsa" |
| 31 | +or ProcessCommandLine contains "token::" |
| 32 | +``` |
| 33 | + |
| 34 | +## Category |
| 35 | + |
| 36 | +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. |
| 37 | + |
| 38 | +| Technique, tactic, or state | Covered? (v=yes) | Notes | |
| 39 | +|------------------------|----------|-------| |
| 40 | +| Initial access | | | |
| 41 | +| Execution | v | | |
| 42 | +| Persistence | | | |
| 43 | +| Privilege escalation | v | | |
| 44 | +| Defense evasion | | | |
| 45 | +| Credential Access | v | | |
| 46 | +| Discovery | | | |
| 47 | +| Lateral movement | | | |
| 48 | +| Collection | | | |
| 49 | +| Command and control | | | |
| 50 | +| Exfiltration | | | |
| 51 | +| Impact | | | |
| 52 | +| Vulnerability | | | |
| 53 | +| Misconfiguration | | | |
| 54 | +| Malware, component | | | |
| 55 | + |
| 56 | +## Contributor info |
| 57 | + |
| 58 | +**Contributor:** Microsoft Threat Protection team |
0 commit comments