Detect Msiexec Executing Dll Network Connections
Query
DeviceNetworkEvents
| where TimeGenerated > ago(1h)
| where InitiatingProcessParentFileName =~ "msiexec.exe"
| join kind=inner (
DeviceProcessEvents
| where Timestamp > ago(3d)
| where InitiatingProcessFileName =~ "msiexec.exe"
) on DeviceId,
$left.InitiatingProcessParentId == $right.InitiatingProcessId,
$left.InitiatingProcessParentCreationTime == $right.InitiatingProcessCreationTime
| where InitiatingProcessCommandLine1 has_any ("/y", "-y", "/z", "-z")About this query
Detect Msiexec executing DLL network connections
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1218.007 | System Binary Proxy Execution: Msiexec | https://attack.mitre.org/techniques/T1218/007/ |
Description
Adversaries regularly use Msiexec (or other lolbins) to execute their malicious programs with. A common way to do this is more specifically using Msiexec to execute beacons encapsulated in DLL files. While this happens a lot in legitimate cases, a DLL file loaded via Msiexec starting network connections may indicate a beacon running.
[!WARNING] You might need to add environment specific finetuning to this rule in order to reduce BP detections from legitimate processes.
Risk
This detection tries to detect beacons in DLL files that are loaded via the Msiexec lolbin.
Author <Optional>
- Name: Robbe Van den Daele
- Github: https://github.com/RobbeVandenDaele
- Twitter: https://x.com/RobbeVdDaele
- LinkedIn: https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- Website: https://hybridbrothers.com/
References
Defender XDR
Explanation
This query is designed to detect potentially malicious activity involving the use of the msiexec.exe process to execute DLL files that initiate network connections. Here's a simplified breakdown of what the query does:
-
Data Source: The query examines network events (
DeviceNetworkEvents) and process events (DeviceProcessEvents) on devices. -
Time Frame: It looks at network events from the past hour and process events from the past three days.
-
Msiexec Usage: It specifically focuses on events where
msiexec.exeis the parent process initiating other processes. -
Joining Data: The query joins network and process event data based on matching device IDs and process IDs, ensuring that the parent-child relationship between processes is accurately captured.
-
Command Line Flags: It filters for instances where the command line used with
msiexec.exeincludes specific flags (/y,-y,/z,-z). These flags might be indicative of suspicious or non-standard usage patterns. -
Purpose: The goal is to identify cases where
msiexec.exeis used to execute DLLs that then make network connections, which could suggest the presence of a beacon or other malicious activity. -
Caution: The query may need to be adjusted to reduce false positives from legitimate processes, as
msiexec.execan be used for legitimate purposes as well.
Overall, this query helps security analysts detect suspicious use of msiexec.exe that might indicate an adversary's attempt to execute malicious code via DLLs.
Details

Robbe Van den Daele
Released: January 12, 2026
Tables
Keywords
Operators