Remote Management Access Launch After MSI Install

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Remote Management Access Launch After MSI Install

Detects an MSI installer execution followed by the execution of commonly abused Remote Management Software like ScreenConnect. This behavior may indicate abuse where an attacker triggers an MSI install then connects via a guest link with a known session key.

Rule type: eql

Rule indices:

endgame-*
logs-crowdstrike.fdr*
logs-endpoint.events.process-*
logs-m365_defender.event-*
logs-sentinel_one_cloud_funnel.*
logs-system.security*
logs-windows.sysmon_operational-*
winlogbeat-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://attack.mitre.org/techniques/T1219/

Tags:

Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
Data Source: SentinelOne
Data Source: Microsoft Defender for Endpoint
Data Source: Crowdstrike
Data Source: Windows Security Event Logs
Data Source: Elastic Endgame

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating Remote Management Access Launch After MSI Install

This rule fires when the same host runs msiexec with an install argument (/i) and within one minute starts a pre-configured RMM software.

Possible investigation steps

Confirm the sequence on the host: first event should be msiexec.exe with process.args containing "/i"; second should be a remote management software.
Review the source of the MSI file using file events.
Check whether use of RMM software is approved for this host.
Check network events to validate which remote host the RMM software connects to.
Correlate with other alerts for the same host (initial access, persistence, C2).

False positive analysis

Legitimate IT/MSP deployment of RMM for support.

Response and remediation

If unauthorized RMM use or abuse is confirmed: isolate the host, terminate the ScreenConnect client, remove or block the installation, and investigate how the MSI was delivered and who operates the relay.

Rule query

edit

sequence by host.id with maxspan=1m
 [process where host.os.type == "windows" and event.type == "start" and process.name : "msiexec.exe" and process.args : ("/i*", "-i*")]
 [process where host.os.type == "windows" and event.type == "start" and
  (
   (process.name : "ScreenConnect.ClientService.exe" and process.command_line : "*?e=Access&y=Guest&h*&k=*") or
   (process.name : "Syncro.Installer.exe" and process.args : "--config-json" and process.args : "--key") or
    process.name : ("tvnserver.exe", "winvnc.exe")
  )
  ]

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
Technique:
- Name: Remote Access Tools
- ID: T1219
- Reference URL: https://attack.mitre.org/techniques/T1219/
Sub-technique:
- Name: Remote Desktop Software
- ID: T1219.002
- Reference URL: https://attack.mitre.org/techniques/T1219/002/

« Multiple Remote Management Tool Vendors on Same Host Potential Protocol Tunneling via Cloudflared »