T1218.007 Msiexec Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "msiexec.exe"
| extend RemoteMSI = ProcessCommandLine has_any ("http://", "https://", "ftp://")
| extend UNCPath = ProcessCommandLine matches regex @"\\\\.+\\\.+\.msi"
| extend SilentInstall = ProcessCommandLine has_any ("/q", "/quiet", "/passive")
| extend DLLExecution = ProcessCommandLine has "/y"
| extend SuspiciousPath = ProcessCommandLine has_any ("Temp", "AppData", "Downloads", "Public", "Desktop")
| extend SuspiciousParent = InitiatingProcessFileName has_any ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe", "outlook.exe")
| extend PropertyPair = ProcessCommandLine matches regex @"[A-Z]+=.{10,}"
| where RemoteMSI or DLLExecution or (SilentInstall and SuspiciousPath) or (SuspiciousParent and SuspiciousPath) or SuspiciousParent
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine, RemoteMSI, SilentInstall, DLLExecution, SuspiciousPath, SuspiciousParent, PropertyPair
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Network: Network Connection Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate software deployment via SCCM, Intune, or PDQ Deploy which frequently calls msiexec.exe with /quiet or /passive flags
System updates and Windows Update installation processes that use msiexec.exe with silent flags
IT administrators manually installing software packages with administrative flags
Software auto-update mechanisms that download and install MSI packages remotely

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
Image="*\\msiexec.exe"
| eval RemoteMSI=if(match(CommandLine, "http[s]?://|ftp://"), 1, 0)
| eval DLLExec=if(match(CommandLine, "/y "), 1, 0)
| eval SilentInstall=if(match(CommandLine, "(/q|/quiet|/passive)"), 1, 0)
| eval SuspiciousPath=if(match(CommandLine, "(Temp|AppData|Downloads|Public|Desktop)"), 1, 0)
| eval SuspiciousParent=if(match(ParentImage, "(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe"), 1, 0)
| eval PropertyPair=if(match(CommandLine, "[A-Z]+=[a-zA-Z0-9+/]{10,}"), 1, 0)
| eval RiskScore=RemoteMSI + DLLExec + (SilentInstall * SuspiciousPath) + SuspiciousParent + PropertyPair
| where RiskScore > 0
| table _time, host, User, CommandLine, ParentImage, ParentCommandLine, RemoteMSI, DLLExec, SilentInstall, SuspiciousPath, SuspiciousParent, PropertyPair, RiskScore
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate software deployment via SCCM, Intune, or PDQ Deploy which frequently calls msiexec.exe with /quiet or /passive flags
System updates and Windows Update installation processes that use msiexec.exe with silent flags
IT administrators manually installing software packages with administrative flags
Software auto-update mechanisms that download and install MSI packages remotely

Elastic Security (EQL)

eql

process where event.type == "start"
  and process.name : "msiexec.exe"
  and (
    process.command_line : ("*http://*", "*https://*", "*ftp://*")
    or process.command_line : "* /y *"
    or (
      process.command_line : ("*/q *", "*/quiet *", "*/passive *")
      and process.command_line : ("*Temp*", "*AppData*", "*Downloads*", "*Public*", "*Desktop*")
    )
    or process.parent.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe", "outlook.exe")
  )

high severity high confidence

Data Sources

Elastic Defend (Endpoint Security) Winlogbeat with Sysmon module Elastic Agent with Windows integration

Required Tables

logs-endpoint.events.process-* winlogbeat-* .ds-logs-windows.sysmon_operational-*

False Positives

Enterprise software deployment via SCCM, Intune, or PDQ Deploy that silently installs MSI packages from internal HTTP artifact repositories or UNC share staging paths under AppData
IT automation frameworks (Ansible, Chef, Puppet) wrapping msiexec with /quiet flags and staging installers in %TEMP% or %PUBLIC% before execution
Legitimate patch management agents (Ivanti Neurons, ManageEngine Patch Manager) that spawn msiexec from PowerShell helper scripts with silent install flags

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceHost,
  username AS User,
  LOGSOURCENAME(logsourceid) AS LogSource,
  "Process Name" AS ProcessName,
  "Command" AS CommandLine,
  "Parent Process Name" AS ParentProcess,
  CASE WHEN REGEXP_MATCH("Command", '(?i)http[s]?://|ftp://') THEN 1 ELSE 0 END AS RemoteMSI,
  CASE WHEN REGEXP_MATCH("Command", '(?i)\s/y\s') THEN 1 ELSE 0 END AS DLLExec,
  CASE WHEN REGEXP_MATCH("Command", '(?i)(/q |/quiet |/passive )') THEN 1 ELSE 0 END AS SilentInstall,
  CASE WHEN REGEXP_MATCH("Command", '(?i)(temp|appdata|downloads|public|desktop)') THEN 1 ELSE 0 END AS SuspiciousPath,
  CASE WHEN REGEXP_MATCH("Parent Process Name", '(?i)(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe') THEN 1 ELSE 0 END AS SuspiciousParent,
  CASE WHEN REGEXP_MATCH("Command", '[A-Z]+=[a-zA-Z0-9+/]{10,}') THEN 1 ELSE 0 END AS PropertyPair
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND LOWER("Process Name") LIKE '%msiexec.exe'
  AND (
    REGEXP_MATCH("Command", '(?i)http[s]?://|ftp://')
    OR REGEXP_MATCH("Command", '(?i)\s/y\s')
    OR (
      REGEXP_MATCH("Command", '(?i)(/q |/quiet |/passive )')
      AND REGEXP_MATCH("Command", '(?i)(temp|appdata|downloads|public|desktop)')
    )
    OR REGEXP_MATCH("Parent Process Name", '(?i)(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe')
  )
START '%LastHour%' STOP '%Now%'
ORDER BY devicetime DESC

high severity high confidence

Data Sources

IBM QRadar SIEM Microsoft Windows Security Event Log DSM Sysmon DSM for QRadar

Required Tables

events

False Positives

Enterprise deployment tooling (SCCM, Ivanti, Altiris) silently installing MSI packages, triggering both SilentInstall and SuspiciousPath when staging directories overlap with Temp or AppData
Help desk remote support tools (ConnectWise, AnyDesk installer) launched by support engineers via PowerShell remote sessions, triggering SuspiciousParent on powershell.exe
Developer workstation setup scripts that download and run vendor MSI packages from internal HTTP artifact servers (Nexus, Artifactory), triggering RemoteMSI on internal URLs

Sumo Logic CSE

sql

(_sourceCategory=*windows*sysmon* OR _sourceCategory=*windows*endpoint*)
| where EventID = "1"
| where Image =~ "(?i).*\\\\msiexec\\.exe$"
| if(CommandLine =~ "(?i)(http[s]?|ftp)://", 1, 0) as RemoteMSI
| if(CommandLine =~ "(?i)\\s/y\\s", 1, 0) as DLLExec
| if(CommandLine =~ "(?i)(/q |/quiet |/passive )", 1, 0) as SilentInstall
| if(CommandLine =~ "(?i)(Temp|AppData|Downloads|Public|Desktop)", 1, 0) as SuspiciousPath
| if(ParentImage =~ "(?i)(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\\.exe$", 1, 0) as SuspiciousParent
| if(CommandLine =~ "[A-Z]+=[a-zA-Z0-9+/]{10,}", 1, 0) as PropertyPair
| toInt(RemoteMSI) + toInt(DLLExec) + (toInt(SilentInstall) * toInt(SuspiciousPath)) + toInt(SuspiciousParent) + toInt(PropertyPair) as RiskScore
| where RiskScore > 0
| fields _time, Computer, User, Image, CommandLine, ParentImage, RemoteMSI, DLLExec, SilentInstall, SuspiciousPath, SuspiciousParent, PropertyPair, RiskScore
| sort by _time desc

high severity high confidence

Data Sources

Sumo Logic (Sysmon via Installed Collector) Sumo Logic Cloud-to-Cloud Windows Event Log Source Sumo Logic App for Microsoft Windows

Required Tables

Sysmon EventID 1 log data (_sourceCategory=*windows*sysmon*)

False Positives

Software deployment pipelines staging MSI files in %TEMP% or %AppData% directories before silent installation, common in enterprise MDM workflows via Intune
Security tooling update mechanisms (CrowdStrike sensor updates, Carbon Black updates) that self-install via msiexec with /quiet flags from local staging paths
Legitimate CI/CD build agents running msiexec installer tests from Downloads or Desktop paths during automated QA test cycles

Google Chronicle / SecOps

yaral

rule t1218_007_msiexec_proxy_execution {
  meta:
    author = "Detection Engineering"
    description = "Detects msiexec.exe abuse for proxy execution of malicious payloads via remote MSI loading, DLL registration, silent install from suspicious paths, or suspicious parent processes. MITRE ATT&CK T1218.007 - Defense Evasion."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1218.007"
    mitre_attack_technique_name = "System Binary Proxy Execution: Msiexec"
    severity = "HIGH"
    confidence = "HIGH"
    platforms = "Windows"
    false_positives = "SCCM deployments, patch management tools, IT automation scripts"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path = /(?i)\\msiexec\.exe$/ nocase
    (
      re.regex($e.target.process.command_line, `(?i)(http[s]?|ftp)://`) or
      re.regex($e.target.process.command_line, `(?i)\s/y\s`) or
      (
        re.regex($e.target.process.command_line, `(?i)(/q\s|/quiet\s|/passive\s)`) and
        re.regex($e.target.process.command_line, `(?i)(temp|appdata|downloads|public|desktop)`)
      ) or
      re.regex($e.principal.process.file.full_path, `(?i)(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe$`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle (Unified Data Model) Windows Event Logs via Chronicle Forwarder Sysmon via Chronicle Ingestion API Microsoft Defender for Endpoint via Chronicle Integration

Required Tables

UDM PROCESS_LAUNCH events

False Positives

Enterprise software deployment tools (SCCM, Intune, Altiris) executing msiexec silently from AppData or Temp staging directories as part of policy-driven software pushes
Vulnerability management agents (Qualys, Tenable) that install update packages via msiexec with /quiet from their own AppData working directories
Legitimate macro-enabled Office documents used by finance or HR teams that invoke msiexec as part of sanctioned document-driven workflows, triggering the Office parent process indicator

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| regex("(?i)\\\\msiexec\\.exe$", field=ImageFileName)
| case {
    regex("(?i)(http[s]?|ftp)://", field=CommandLine) | RemoteMSI := "1" ;
    * | RemoteMSI := "0"
  }
| case {
    regex("(?i)\\s/y\\s", field=CommandLine) | DLLExec := "1" ;
    * | DLLExec := "0"
  }
| case {
    regex("(?i)(/q |/quiet |/passive )", field=CommandLine) | SilentInstall := "1" ;
    * | SilentInstall := "0"
  }
| case {
    regex("(?i)(Temp|AppData|Downloads|Public|Desktop)", field=CommandLine) | SuspiciousPath := "1" ;
    * | SuspiciousPath := "0"
  }
| case {
    regex("(?i)(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\\.exe$", field=ParentBaseFileName) | SuspiciousParent := "1" ;
    * | SuspiciousParent := "0"
  }
| case {
    regex("[A-Z]+=[a-zA-Z0-9+/]{10,}", field=CommandLine) | PropertyPair := "1" ;
    * | PropertyPair := "0"
  }
| where RemoteMSI = "1" or DLLExec = "1" or (SilentInstall = "1" and SuspiciousPath = "1") or SuspiciousParent = "1"
| table([_time, ComputerName, UserName, CommandLine, ParentBaseFileName, RemoteMSI, DLLExec, SilentInstall, SuspiciousPath, SuspiciousParent, PropertyPair])
| sort(field=_time, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Data Replicator (FDR) CrowdStrike LogScale (Humio) Falcon Insight XDR ProcessRollup2 events

Required Tables

ProcessRollup2 (FDR event stream)

False Positives

CrowdStrike Falcon sensor self-updates or third-party EDR agents that install or update themselves via msiexec with silent flags from AppData paths, matching SilentInstall and SuspiciousPath simultaneously
Remote monitoring and management (RMM) tools such as Kaseya, NinjaRMM, or Datto that invoke msiexec from PowerShell or cmd.exe parent processes during managed software deployments, triggering SuspiciousParent
Internal developer tooling build systems that download MSI artifacts from internal CI artifact stores via HTTP during automated build agent provisioning, matching the RemoteMSI indicator on internal RFC1918 URLs

Msiexec

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections