Query Details

Suspicious MSI Exec R Robin

Query
DeviceProcessEvents
| where FileName == "msiexec.exe"
    and ProcessCommandLine has_any ('http:','https:')
    and not(ProcessCommandLine has_any('.exe','.msi'))
| where ProcessCommandLine has_any ('/q', '-q','-quiet','/quiet','/qn','-qn')

Explanation

This query looks for process events where "msiexec.exe" was run. It checks the command line used to start the process for a URL (a string containing "http:" or "https:"), then excludes command lines that contain the strings ".exe" or ".msi". Finally, it keeps only instances where the command line carries one of the quiet or silent installation flags ("/q", "-q", "-quiet", "/quiet", "/qn", "-qn").

In short, the query is identifying instances where "msiexec.exe" is used to run a potentially silent installation from a URL, without involving other executable or MSI files.
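To show what the three filters do on concrete telemetry, the following added example (not part of the original page or query) re-implements the predicate in Python and runs it over a handful of constructed DeviceProcessEvents rows. Two simplifications are assumptions: KQL's has_any is approximated as a case-insensitive substring test, and the rows are invented, not real endpoint data. The example also exposes one property of the query as written: KQL's == compares strings case-sensitively (=~ is the case-insensitive form), so a FileName recorded in upper case would not match.

```python
"""Re-implementation of the msiexec-from-URL hunt as a Python predicate.

The predicate mirrors the KQL filters one-for-one:
  FileName == "msiexec.exe"                       (case-sensitive in KQL)
  ProcessCommandLine has_any ('http:','https:')
  not(ProcessCommandLine has_any('.exe','.msi'))
  ProcessCommandLine has_any ('/q', '-q', ...)
"""

URL_TERMS = ("http:", "https:")
EXCLUDED_TERMS = (".exe", ".msi")
QUIET_FLAGS = ("/q", "-q", "-quiet", "/quiet", "/qn", "-qn")


def has_any(text, terms):
    """Approximation of KQL has_any: case-insensitive substring match.

    Real has_any is term-based rather than substring-based, so this is an
    assumption that is close enough for the sample rows below.
    """
    lowered = text.lower()
    return any(term.lower() in lowered for term in terms)


def matches_query(event, case_sensitive_filename=True):
    """Return True when an event satisfies every clause of the hunt query."""
    name = event["FileName"]
    cmd = event["ProcessCommandLine"]

    # Clause 1: FileName == "msiexec.exe". KQL == is case-sensitive; pass
    # case_sensitive_filename=False to see what =~ would do instead.
    if case_sensitive_filename:
        if name != "msiexec.exe":
            return False
    elif name.lower() != "msiexec.exe":
        return False

    # Clause 2: a URL scheme must appear in the command line.
    if not has_any(cmd, URL_TERMS):
        return False

    # Clause 3: command lines mentioning .exe or .msi are excluded. Note this
    # also drops invocations that spell out the image path ending in ".exe".
    if has_any(cmd, EXCLUDED_TERMS):
        return False

    # Clause 4: a quiet/silent install flag must be present.
    return has_any(cmd, QUIET_FLAGS)


def run_query(events, case_sensitive_filename=True):
    """Apply the predicate to a list of DeviceProcessEvents-like dicts."""
    return [e for e in events if matches_query(e, case_sensitive_filename)]


# Constructed sample rows (not real telemetry); example.invalid is a reserved
# name used so nothing here points at a real host.
SAMPLE_EVENTS = [
    # Expected hit: bare "msiexec", URL, quiet flag, no ".exe"/".msi" string.
    {"FileName": "msiexec.exe",
     "ProcessCommandLine": "msiexec /q /i http://example.invalid/pkg"},
    # Not a hit: the URL ends in .msi, so the exclusion clause removes it.
    {"FileName": "msiexec.exe",
     "ProcessCommandLine": "msiexec /qn /i https://example.invalid/setup.msi"},
    # Not a hit: local package, no URL at all.
    {"FileName": "msiexec.exe",
     "ProcessCommandLine": "msiexec /qn /i C:\\Temp\\setup.msi"},
    # Not a hit: URL present but the install is interactive (no quiet flag).
    {"FileName": "msiexec.exe",
     "ProcessCommandLine": "msiexec /i https://example.invalid/pkg"},
    # Not a hit as written: the full image path contains ".exe".
    {"FileName": "msiexec.exe",
     "ProcessCommandLine": "\"C:\\Windows\\System32\\msiexec.exe\" /q /i http://example.invalid/pkg"},
    # Missed by case-sensitive ==; found only with case-insensitive matching.
    {"FileName": "MSIEXEC.EXE",
     "ProcessCommandLine": "MSIEXEC /Q /I HTTP://example.invalid/pkg"},
    # Not a hit: a different process, even though URL and "-q" are present.
    {"FileName": "powershell.exe",
     "ProcessCommandLine": "powershell -q http://example.invalid"},
]


if __name__ == "__main__":
    for label, strict in (("KQL == semantics", True), ("=~ semantics", False)):
        hits = run_query(SAMPLE_EVENTS, case_sensitive_filename=strict)
        print(f"{label}: {len(hits)} hit(s)")
        for hit in hits:
            print("  ", hit["FileName"], "|", hit["ProcessCommandLine"])
```

Running the script with the query's own semantics yields a single hit, the bare `msiexec /q /i http://...` invocation; switching the FileName comparison to case-insensitive adds the upper-cased row. The `.exe` exclusion is worth keeping in mind during triage: a command line that spells out `C:\Windows\System32\msiexec.exe` is filtered out even when it fetches from a URL silently, so the hunt is tuned to the short-form invocation.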

Details

Ali Hussein

Released: October 11, 2023

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Operators

|
where
==
and
has_any
not
