Rules: Network Connection from Msiexec - Sysmon
Native Window utilities are often employed by attackers to execute malicious code in order to abuse the elevated privileges of these processes and to blend in with normal system activity. This rule monitors for outbound TCP/UDP connections spawning from msiexec.exe as this could indicate a second-stage payload acquisition. Note that sysmon event ID 3 does not record ICMP connections.
| Detail | Value |
|---|---|
| Type | Templated Match |
| Category | Defense Evasion |
| Apply Risk to Entities | user_username, srcDevice_hostname, srcDevice_ip |
| Signal Name | Network Connection from Msiexec - Sysmon |
| Summary Expression | Msiexec.exe made a network connection on host: {{srcDevice_hostname}} |
| Score/Severity | Static: 3 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0005, _mitreAttackTechnique:T1218, _mitreAttackTechnique:T1218.007 |
| Origin | Field |
|---|---|
| Normalized Schema | dstDevice_ip_isInternal |
| Normalized Schema | file_path |
| Normalized Schema | metadata_deviceEventId |
| Normalized Schema | srcDevice_hostname |
| Normalized Schema | srcDevice_ip |
| Normalized Schema | user_username |