Adversaries abuse msiexec.exe, the Windows Installer client, as a living-off-the-land binary (MITRE ATT&CK T1218.007, System Binary Proxy Execution: Msiexec): a malicious .msi package, local or fetched from a URL, runs their payload under a signed Microsoft process. The hunting query below looks for processes spawned by msiexec.exe whose command line carries Mimikatz module syntax (privilege::, sekurlsa, token::), which points at credential theft or privilege escalation rather than at software installation. SOC teams should run it proactively in Azure Sentinel alongside their other LOLBin hunts.
KQL Query

```kusto
DeviceProcessEvents
| where Timestamp > ago(7d)
// InitiatingProcess* columns describe the parent: the row is a child spawned by msiexec.exe
| where InitiatingProcessFileName =~ "msiexec.exe"
// Mimikatz module syntax in the child's command line. "::" is not a term character,
// so the module prefixes use contains; the bare module name sekurlsa can use has.
and (ProcessCommandLine contains "privilege::"
    or ProcessCommandLine has "sekurlsa"
    or ProcessCommandLine contains "token::")
```
```yaml
id: dc75c3e4-ed46-4183-b1c1-c075c2a4a6d5
name: detect-malicious-use-of-msiexec-mimikatz
description: |
  This query was originally published in the threat analytics report, Msiexec abuse.
  Msiexec.exe is a Windows component that installs files with the .msi extension. These kinds of files are Windows installer packages, and are used by a wide array of legitimate software. However, malicious actors can re-purpose msiexec.exe for living-off-the-land attacks, where they use legitimate system binaries on the compromised device to perform attacks.
  The following query detects activity associated with misuse of msiexec.exe, particularly alongside mimikatz, a common credential dumper and privilege escalation tool.
  Reference - https://www.varonis.com/blog/what-is-mimikatz/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
  - PrivilegeEscalation
  - CredentialAccess
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where InitiatingProcessFileName =~ "msiexec.exe"
  //Mimikatz commands
  and (ProcessCommandLine contains "privilege::"
  or ProcessCommandLine has "sekurlsa"
  or ProcessCommandLine contains "token::")
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Populated by the Microsoft 365 Defender (MicrosoftThreatProtection) connector; ensure it is enabled and that the DeviceProcessEvents table is selected, otherwise the query returns nothing |
False positive scenarios

The filters below keep the generic field notation of the original (process.parent_process_name and friends). In DeviceProcessEvents the process that started msiexec.exe is InitiatingProcessParentFileName, while the rule's Mimikatz indicators sit on the child's ProcessCommandLine. Two caveats apply before any of these is turned into an exclusion. First, the rule already requires Mimikatz module syntax in the child command line, so a legitimate installer should not match it at all; none of these scenarios justifies suppressing a hit. Second, for elevated installs the process doing the work is the service-side msiexec.exe /V started by services.exe, whatever tool requested the install, so the parent name rarely identifies the deployment tool. Use these scenarios to tune a broader msiexec-abuse hunt, not to carve exceptions out of the Mimikatz query.

Scenario: Scheduled System Updates via MSI
Description: A scheduled task runs msiexec to install updates or patches from an .msi file. Tasks are launched by the Schedule service, which runs inside svchost.exe (taskeng.exe on older Windows); schtasks.exe only creates and manages tasks and is not the parent of the running task.
Filter/Exclusion: process.parent_process_name:"svchost.exe" (the original's "Task Scheduler" / schtasks.exe parent never occurs). Because svchost.exe hosts many services, pair it with the task's known msiexec command line rather than relying on the parent name alone.

Scenario: Software Deployment via Group Policy
Description: IT administrators deploy .msi packages through Group Policy Software Installation, which is carried out by the Group Policy Client service together with the Windows Installer service; gpupdate.exe only triggers a policy refresh and is not normally the parent of msiexec.exe.
Filter/Exclusion: process.parent_process_name:"gpupdate.exe" or process.parent_process_path:"C:\\Windows\\System32\\gpupdate.exe" (as written in the original; expect few matches for the reason above, and prefer matching the package share path in the msiexec command line).

Scenario: MSI Package Installation by Admin
Description: A system administrator manually installs a third-party application using msiexec from a trusted source.
Filter/Exclusion: process.command_line:"msiexec /i" AND file.name:"trusted_software.msi" (replace with the actual package name; anchor on the full path and the package hash where possible, since a file name is trivially reused by an attacker).

Scenario: MSI File Execution via PowerShell Script
Description: A PowerShell script automates the installation of an .msi file as part of a deployment process.
Filter/Exclusion: process.parent_process_name:"powershell.exe" AND process.command_line:"-Command". PowerShell is itself a common launcher for attacker tooling, so scope this to the known script path or the signing identity of the script rather than excluding the host by name.

Scenario: MSI File Execution via SCCM or Configuration Manager
Description: A Configuration Manager (SCCM) deployment triggers msiexec to install software on endpoints.
Filter/Exclusion: process.parent_process_name:"ccmexec.exe" or process.parent_process_path:"C:\\Windows\\CCM\\CcmExec.exe" (the SCCM client lives under C:\Windows\CCM, not System32).
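The following KQL is an added example that builds on the hunting query and the false positive scenarios above; it is not part of the original rule. It keeps the Mimikatz indicators unconditional, adds a second tier for script-host children of msiexec.exe where the parent allowlist is applied, and surfaces the columns needed to triage a hit (who launched msiexec, with what command line, and whether it is the service-side instance). Column names follow the Defender for Endpoint DeviceProcessEvents schema; the allowlist contents and the two extra Mimikatz module prefixes are this example's assumptions and need tuning per environment.

```kusto
// Added example extending the rule above; not the original hunting query.
let lookback = 7d;
// Parents that legitimately start msiexec.exe (assumption, tune per environment).
// Deliberately narrow: svchost.exe hosts many services besides Schedule, and
// powershell.exe / explorer.exe are not trusted by name alone.
let deploymentParents = dynamic(["ccmexec.exe"]);
// Children that installer custom actions rarely need but LOLBin chains commonly use.
let scriptHosts = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
                           "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName =~ "msiexec.exe"
// Tier 1: the original Mimikatz indicators plus two more module prefixes.
// "::" is not a term character, so module prefixes use contains; sekurlsa keeps has.
| extend MimikatzSyntax = ProcessCommandLine contains "privilege::"
    or ProcessCommandLine has "sekurlsa"
    or ProcessCommandLine contains "token::"
    or ProcessCommandLine contains "lsadump::"
    or ProcessCommandLine contains "kerberos::"
// The service-side instance (msiexec.exe /V) is started by services.exe no matter
// who requested the install, so for these rows the parent says nothing about origin.
| extend ServiceSideInstaller = InitiatingProcessCommandLine matches regex @"(?i)\s/V\s*$"
| extend KnownDeploymentParent = InitiatingProcessParentFileName in~ (deploymentParents)
// Tier 2: script-host children of msiexec from parents that are not known deployers.
// The allowlist applies to this tier only; a Mimikatz command line is never dropped.
| where MimikatzSyntax
    or (FileName in~ (scriptHosts) and not(KnownDeploymentParent))
| extend Tier = iff(MimikatzSyntax, "1-mimikatz-syntax", "2-script-host-child")
| project Timestamp, DeviceName, AccountName, Tier,
          MsiexecParent = InitiatingProcessParentFileName, ServiceSideInstaller,
          InitiatingProcessCommandLine, FileName, FolderPath, ProcessCommandLine, ReportId
| order by Tier asc, Timestamp desc
```

Tier 1 rows are the original detection and should be investigated regardless of MsiexecParent; a ccmexec.exe parent on a sekurlsa::logonpasswords child means the deployment tooling, not the rule, needs attention. Tier 2 is the hunting surface the scenarios above are meant to tune: widen deploymentParents only for parents whose full path you have verified, and expect ServiceSideInstaller to be true for most elevated installs, in which case pivot on DeviceName and Timestamp to the client-side msiexec.exe process to find the real requester.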