mirror of
https://github.com/keyboardcrunch/sentinelone-queries
synced 2026-06-09 17:37:16 +00:00
keyboardcrunch
21 lines
873 B
YAML
21 lines
873 B
YAML
title: Msiexec Remote MSI
|
|
description: Detect execution of remote msi files by msiexec.exe. The second
|
|
half of the query aims to detect processes spawned by msi files instead of dll files
|
|
in the CommandLine (as that is very noisy) and may return a bit of noise within
|
|
for the CrossProcess Object as some auto-update processes may be collected by this query.
|
|
author: keyboardcrunch
|
|
date: 10/10/2020
|
|
modified: 05/12/2020
|
|
mitre:
|
|
tactic: Defense Evasion
|
|
technique: T1218
|
|
subtechnique: 007
|
|
operating_system: windows
|
|
query: ( SrcProcName = "msiexec.exe" AND SrcProcCmdLine RegExp "https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)"
|
|
) OR (SrcProcName RegExp "^.*\.(tmp)" AND EventType = "Open Remote Process Handle"
|
|
AND SrcProcParentName = "msiexec.exe")
|
|
false_positives:
|
|
- Auto-update processes
|
|
tags:
|
|
|