# *Detect Msiexec executing DLL network connections*
## Query Information
#### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
| --- | --- | --- |
| T1218.007 | System Binary Proxy Execution: Msiexec | https://attack.mitre.org/techniques/T1218/007/ |
#### Description
Adversaries regularly use Msiexec (or other LOLBins) to execute their malicious programs. A common variant is using Msiexec to load beacons packaged as DLL files. Although this also happens often in legitimate cases, a DLL loaded via Msiexec that starts network connections may indicate a running beacon.
> [!WARNING]
> You might need to add environment-specific fine-tuning to this rule in order to reduce false-positive detections from legitimate processes.
#### Risk
This detection looks for beacons delivered as DLL files that are loaded through the Msiexec LOLBin.
#### Author
- **Name:** Robbe Van den Daele
- **Github:** https://github.com/RobbeVandenDaele
- **Twitter:** https://x.com/RobbeVdDaele
- **LinkedIn:** https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- **Website:** https://hybridbrothers.com/
#### References
- https://thecollective.eu/
## Defender XDR
```KQL
// Network events from the last hour whose parent process is msiexec.exe
DeviceNetworkEvents
| where Timestamp > ago(1h)
| where InitiatingProcessParentFileName =~ "msiexec.exe"
// Join to the process events (last 3 days) that msiexec.exe started, matching on
// device, msiexec's PID and its creation time (creation time guards against PID reuse)
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(3d)
    | where InitiatingProcessFileName =~ "msiexec.exe"
) on DeviceId,
    $left.InitiatingProcessParentId == $right.InitiatingProcessId,
    $left.InitiatingProcessParentCreationTime == $right.InitiatingProcessCreationTime
// InitiatingProcessCommandLine1 is the right-side column, i.e. the msiexec.exe command line;
// /y and /z make msiexec load a DLL and call DllRegisterServer / DllUnregisterServer
| where InitiatingProcessCommandLine1 has_any ("/y", "-y", "/z", "-z")
```
This query is designed to detect potentially malicious activity involving the use of msiexec.exe to execute DLL files that initiate network connections. A simplified breakdown of what the query does:
- **Data source:** The query examines network events (DeviceNetworkEvents) and process events (DeviceProcessEvents) on devices.
- **Time frame:** It looks at network events from the past hour and process events from the past three days, because the msiexec.exe instance may have started well before its child first connects out.
- **Msiexec usage:** It specifically focuses on events where msiexec.exe is the parent process initiating other processes.
- **Joining data:** The query joins network and process event data on matching device IDs, the msiexec.exe process ID and its creation time, so that the parent-child relationship between processes is captured accurately and a recycled PID cannot pair a network event with the wrong msiexec.exe instance.
- **Command line flags:** It filters for instances where the msiexec.exe command line includes one of the switches /y, -y, /z or -z. These switches make msiexec load a DLL and call its DllRegisterServer or DllUnregisterServer export, so they are the switches a DLL-encapsulated payload would be launched with, and they are unusual in ordinary software installs.
- **Purpose:** The goal is to identify cases where msiexec.exe is used to execute DLLs that then make network connections, which could suggest the presence of a beacon or other malicious activity.
- **Caution:** The query may need to be adjusted to reduce false positives from legitimate processes, as msiexec.exe is also used for legitimate purposes.

Overall, this query helps security analysts detect suspicious use of msiexec.exe that might indicate an adversary's attempt to execute malicious code via DLLs.
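To make the join semantics above concrete outside a hunting console, here is an added example (not code from the page or its author) that re-implements the same filter, join and flag check in Python over a handful of constructed events. The dataclass field names and the sample devices, PIDs, paths and IP addresses are all assumptions chosen for illustration; they mirror the Defender XDR columns the query uses but are not the product's schema. The sample deliberately includes a recycled PID on the same device to show why creation time is part of the join key.

```python
"""Offline re-implementation of the msiexec DLL network-connection detection.

Constructed sample events only. The field names mirror the Defender XDR columns
the query joins on, but this is illustrative code, not the product's own schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcessEvent:
    # Subset of DeviceProcessEvents columns used by the query (assumed names)
    device_id: str
    timestamp: datetime
    process_id: int
    file_name: str
    initiating_process_id: int            # PID of the parent, i.e. msiexec.exe
    initiating_process_file_name: str
    initiating_process_creation_time: datetime
    initiating_process_command_line: str  # the msiexec.exe command line


@dataclass(frozen=True)
class NetworkEvent:
    # Subset of DeviceNetworkEvents columns used by the query (assumed names)
    device_id: str
    timestamp: datetime
    remote_ip: str
    initiating_process_id: int            # process that opened the connection
    initiating_process_file_name: str
    initiating_process_parent_id: int     # its parent, i.e. msiexec.exe
    initiating_process_parent_file_name: str
    initiating_process_parent_creation_time: datetime


DLL_FLAGS = ("/y", "-y", "/z", "-z")  # msiexec DLL register/unregister switches


def has_any(command_line: str, terms) -> bool:
    """Approximates KQL has_any: case-insensitive, whole-token match."""
    tokens = command_line.lower().split()
    return any(term.lower() in tokens for term in terms)


def detect_msiexec_dll_network(network_events, process_events, now,
                               net_window=timedelta(hours=1),
                               proc_window=timedelta(days=3)):
    """Returns (network_event, process_event) pairs the query would surface."""
    # Step 1: network events from the last hour whose parent is msiexec.exe
    net = [n for n in network_events
           if n.timestamp > now - net_window
           and n.initiating_process_parent_file_name.lower() == "msiexec.exe"]
    # Step 2: process events from the last three days started by msiexec.exe
    proc = [p for p in process_events
            if p.timestamp > now - proc_window
            and p.initiating_process_file_name.lower() == "msiexec.exe"]
    # Step 3: inner join on (DeviceId, msiexec PID, msiexec creation time).
    # Creation time in the key stops a recycled PID on the same device from
    # pairing a network event with the wrong msiexec instance.
    by_key = {}
    for p in proc:
        key = (p.device_id, p.initiating_process_id, p.initiating_process_creation_time)
        by_key.setdefault(key, []).append(p)
    hits = []
    for n in net:
        key = (n.device_id, n.initiating_process_parent_id,
               n.initiating_process_parent_creation_time)
        for p in by_key.get(key, []):
            # Step 4: keep only msiexec instances invoked with the DLL switches
            if has_any(p.initiating_process_command_line, DLL_FLAGS):
                hits.append((n, p))
    return hits


# Constructed sample data (documentation IP ranges, made-up hosts and paths)
NOW = datetime(2026, 1, 12, 12, 0, 0)
T_MSI = NOW - timedelta(minutes=30)   # msiexec /y instance on ws01
T_OLD = NOW - timedelta(days=2)       # earlier msiexec on ws01 that had the same PID 4242

SAMPLE_PROCESS_EVENTS = [
    ProcessEvent("ws01", T_MSI + timedelta(seconds=5), 5150, "child.exe",
                 4242, "msiexec.exe", T_MSI,
                 r"msiexec.exe /y C:\Users\Public\update.dll"),
    ProcessEvent("ws02", NOW - timedelta(minutes=10), 6001, "setup-helper.exe",
                 7000, "msiexec.exe", NOW - timedelta(minutes=11),
                 r"msiexec.exe /i C:\Temp\product.msi /qn"),
    ProcessEvent("ws01", T_OLD + timedelta(seconds=5), 3100, "child.exe",
                 4242, "msiexec.exe", T_OLD,
                 r"msiexec.exe /y C:\Program Files\Vendor\vendor.dll"),
]

SAMPLE_NETWORK_EVENTS = [
    NetworkEvent("ws01", NOW - timedelta(minutes=5), "203.0.113.10",
                 5150, "child.exe", 4242, "msiexec.exe", T_MSI),
    NetworkEvent("ws02", NOW - timedelta(minutes=8), "198.51.100.7",
                 6001, "setup-helper.exe", 7000, "msiexec.exe", NOW - timedelta(minutes=11)),
    NetworkEvent("ws01", NOW - timedelta(minutes=2), "198.51.100.20",
                 8080, "browser.exe", 1200, "explorer.exe", NOW - timedelta(hours=5)),
]


def run_sample():
    return detect_msiexec_dll_network(SAMPLE_NETWORK_EVENTS, SAMPLE_PROCESS_EVENTS, NOW)


if __name__ == "__main__":
    for n, p in run_sample():
        print(f"{n.device_id}: {n.initiating_process_file_name} (pid {n.initiating_process_id}) "
              f"-> {n.remote_ip}; msiexec command line: {p.initiating_process_command_line}")
```

Running the sample yields exactly one pair: the ws01 child of the `/y` msiexec instance. The ws02 install (`/i`) is joined but dropped by the flag check, the browser traffic never passes the parent-name filter, and the older ws01 msiexec that reused PID 4242 is not matched because its creation time differs, which is the case the query's three-column join key is there to handle.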

Robbe Van den Daele
Released: January 12, 2026