Windows HTTP Network Communication From MSIExec

name: Windows HTTP Network Communication From MSIExec
id: b0fd38c7-f71a-43a2-870e-f3ca06bcdd99
version: 11
creation_date: '2022-06-17'
modification_date: '2026-05-13'
author: Michael Haag, Splunk
status: production
type: Anomaly
description: The following analytic detects MSIExec making network connections over ports 443 or 80. This behavior is identified by correlating process creation events from Endpoint Detection and Response (EDR) agents with network traffic logs. Typically, MSIExec does not perform network communication to the internet, making this activity unusual and potentially indicative of malicious behavior. If confirmed malicious, an attacker could be using MSIExec to download or communicate with external servers, potentially leading to data exfiltration, command and control (C2) communication, or further malware deployment.
data_source:
    - Sysmon EventID 1 AND Sysmon EventID 3
    - Cisco Network Visibility Module Flow Data
search: |-
    | tstats `security_content_summariesonly`
      count
    
    FROM datamodel=Endpoint.Processes where
    
    `process_msiexec`
    
    by _time Processes.action Processes.dest Processes.original_file_name
       Processes.parent_process Processes.parent_process_exec
       Processes.parent_process_guid Processes.parent_process_id
       Processes.parent_process_name Processes.parent_process_path
       Processes.process Processes.process_exec Processes.process_guid
       Processes.process_hash Processes.process_id
       Processes.process_integrity_level Processes.process_name
       Processes.process_path Processes.user Processes.user_id
       Processes.vendor_product
    
    | `drop_dm_object_name(Processes)`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    
    | join process_id [
        | tstats `security_content_summariesonly`
          count
    
        FROM datamodel=Network_Traffic.All_Traffic where
    
        All_Traffic.dest_port IN ("80","443")
    
        by All_Traffic.action All_Traffic.app All_Traffic.bytes
           All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.dest
           All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc
           All_Traffic.protocol All_Traffic.protocol_version All_Traffic.src
           All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport
           All_Traffic.user All_Traffic.vendor_product All_Traffic.direction
           All_Traffic.process_id
    
        | `drop_dm_object_name(All_Traffic)`
    ]
    | table _time user dest parent_process_name process_name
            process_path process process_id dest_port dest_ip
    | `windows_http_network_communication_from_msiexec_filter`
how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
known_false_positives: False positives will be present and filtering is required.
references:
    - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md
drilldown_searches:
    - name: View the detection results for - "$user$" and "$dest$"
      search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$" and "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
intermediate_findings:
    entities:
        - field: user
          type: user
          score: 20
          message: An instance of $process_name$ was identified on endpoint $dest$ contacting a remote destination $dest_ip$
        - field: dest
          type: system
          score: 20
          message: An instance of $process_name$ was identified on endpoint $dest$ contacting a remote destination $dest_ip$
threat_objects:
    - field: parent_process_name
      type: parent_process_name
    - field: process_name
      type: process_name
analytic_story:
    - APT37 Rustonotto and FadeStealer
    - GhostRedirector IIS Module and Rungan Backdoor
    - Windows System Binary Proxy Execution MSIExec
    - Water Gamayun
    - Cisco Network Visibility Module Analytics
    - SolarWinds WHD RCE Post Exploitation
asset_type: Endpoint
mitre_attack_id:
    - T1218.007
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test - Sysmon
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog
      test_type: unit
    - name: True Positive Test - Cisco NVM
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata.log
          source: not_applicable
          sourcetype: cisco:nvm:flowdata
      test_type: unit