MSI Installation From Suspicious Locations

Detects MSI package installation from suspicious locations

Sigma rule

title: MSI Installation From Suspicious Locations
id: c7c8aa1c-5aff-408e-828b-998e3620b341
status: test
description: Detects MSI package installation from suspicious locations
references:
    - https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/31
modified: 2023/10/23
tags:
    - attack.execution
logsource:
    product: windows
    service: application
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name: 'MsiInstaller'
        EventID:
            - 1040
            - 1042
        Data|contains:
            # Add more suspicious paths
            - ':\Windows\TEMP\'
            - '\\\\'
            - '\Desktop\'
            - '\PerfLogs\'
            - '\Users\Public\'
            # - '\AppData\Local\Temp\'  # too many FPs
            # - '\Downloads\'  # too many FPs, typical legitimate staging directory
    filter_winget:
        Data|contains: '\AppData\Local\Temp\WinGet\'
    filter_updhealthtools:
        Data|contains: 'C:\Windows\TEMP\UpdHealthTools.msi'
    condition: selection and not 1 of filter_*
falsepositives:
    - False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares. A baseline is required before production use.
level: medium
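The rule's logic, reimplemented in Python over a handful of constructed MsiInstaller Application-log events, as an added example that is not part of the rule page or the Sigma project. It mirrors the `selection and not 1 of filter_*` condition: provider and EventID gate the event, `Data|contains` is evaluated case-insensitively (Sigma's default string matching) against the whole event data, and the two filters suppress the WinGet and UpdHealthTools cases. The event message texts, paths and process IDs are constructed samples, not captured logs; the `Data` field is the concatenated event data the rule's comment warns about.

```python
"""Evaluate the 'MSI Installation From Suspicious Locations' Sigma rule logic
over constructed Windows Application-log events from the MsiInstaller provider.
Added example; not code from the rule page or from the Sigma project."""

# Values copied from the rule. Sigma string matching is case-insensitive, and
# in Sigma escaping '\\\\' means two literal backslashes, i.e. a UNC path prefix.
SELECTION_PROVIDER = "MsiInstaller"
SELECTION_EVENT_IDS = {1040, 1042}
SUSPICIOUS_PATH_FRAGMENTS = [
    ":\\Windows\\TEMP\\",
    "\\\\",              # UNC prefix: the rule's '\\\\' after Sigma unescaping
    "\\Desktop\\",
    "\\PerfLogs\\",
    "\\Users\\Public\\",
]
FILTER_FRAGMENTS = [
    "\\AppData\\Local\\Temp\\WinGet\\",          # filter_winget
    "C:\\Windows\\TEMP\\UpdHealthTools.msi",      # filter_updhealthtools
]


def _contains(haystack: str, needle: str) -> bool:
    """Case-insensitive substring test, matching Sigma's |contains semantics."""
    return needle.lower() in haystack.lower()


def matches_rule(event: dict) -> bool:
    """Return True if the event satisfies 'selection and not 1 of filter_*'."""
    if event.get("Provider_Name", "").lower() != SELECTION_PROVIDER.lower():
        return False
    if event.get("EventID") not in SELECTION_EVENT_IDS:
        return False
    data = event.get("Data", "")
    if not any(_contains(data, frag) for frag in SUSPICIOUS_PATH_FRAGMENTS):
        return False
    # "not 1 of filter_*": any single filter matching suppresses the alert.
    return not any(_contains(data, frag) for frag in FILTER_FRAGMENTS)


# Constructed sample events (names are labels for this example only).
SAMPLE_EVENTS = [
    {"name": "public_folder", "Provider_Name": "MsiInstaller", "EventID": 1040,
     "Data": "Beginning a Windows Installer transaction: C:\\Users\\Public\\payload.msi. Client Process Id: 4120."},
    {"name": "unc_share", "Provider_Name": "MsiInstaller", "EventID": 1042,
     "Data": "Ending a Windows Installer transaction: \\\\fileserver\\share\\tool.msi. Client Process Id: 5804."},
    {"name": "updhealth_filtered", "Provider_Name": "MsiInstaller", "EventID": 1040,
     "Data": "Beginning a Windows Installer transaction: C:\\Windows\\TEMP\\UpdHealthTools.msi. Client Process Id: 1160."},
    {"name": "desktop", "Provider_Name": "MsiInstaller", "EventID": 1042,
     "Data": "Ending a Windows Installer transaction: C:\\Users\\bob\\Desktop\\Invoice.msi. Client Process Id: 7332."},
    {"name": "program_files", "Provider_Name": "MsiInstaller", "EventID": 1040,
     "Data": "Beginning a Windows Installer transaction: C:\\Program Files\\Vendor\\setup.msi. Client Process Id: 2210."},
    {"name": "wrong_event_id", "Provider_Name": "MsiInstaller", "EventID": 1033,
     "Data": "Windows Installer installed the product. Product Name: Demo. Path: C:\\Users\\Public\\demo.msi."},
    {"name": "wrong_provider", "Provider_Name": "Microsoft-Windows-WindowsUpdateClient", "EventID": 1040,
     "Data": "Installation started: C:\\Windows\\TEMP\\update.msi"},
]


def run_detection(events=SAMPLE_EVENTS) -> list:
    """Return the names of the events that the rule would alert on."""
    return [e["name"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for name in run_detection():
        print("ALERT:", name)   # prints public_folder, unc_share, desktop
```

Note that `updhealth_filtered` is picked up by the `:\Windows\TEMP\` fragment but dropped by `filter_updhealthtools`, while `program_files` and the two mis-gated events never reach the path check; when porting the rule to a backend where `Data` is split into separate fields, the `contains` tests must be run against the field that actually carries the package path.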
