← Back to Explore
sigmalowHunting
Msiexec.EXE Initiated Network Connection Over HTTP
Detects a network connection initiated by an "Msiexec.exe" process over port 80 or 443. Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages. Use this rule to hunt for potentially anomalous or suspicious communications.
Detection Query
selection:
Initiated: "true"
Image|endswith: \msiexec.exe
DestinationPort:
- 80
- 443
condition: selection
Author
frack113
Created
2022-01-16
Data Sources
windowsNetwork Connection Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1218.007detection.threat-hunting
Raw Content
title: Msiexec.EXE Initiated Network Connection Over HTTP
id: 8e5e38e4-5350-4c0b-895a-e872ce0dd54f
status: test
description: |
Detects a network connection initiated by an "Msiexec.exe" process over port 80 or 443.
Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages.
Use this rule to hunt for potentially anomalous or suspicious communications.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
author: frack113
date: 2022-01-16
modified: 2024-07-16
tags:
- attack.defense-evasion
- attack.t1218.007
- detection.threat-hunting
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
Image|endswith: '\msiexec.exe'
DestinationPort:
- 80
- 443
condition: selection
falsepositives:
- Likely
level: low