MSI Installation From Web
Detects installation of a remote msi file from web.
Sigma rule (View on GitHub)
1title: MSI Installation From Web
2id: 5594e67a-7f92-4a04-b65d-1a42fd824a60
3status: test
4description: Detects installation of a remote msi file from web.
5references:
6 - https://twitter.com/_st0pp3r_/status/1583922009842802689
7author: Stamatis Chatzimangou
8date: 2022-10-23
9modified: 2022-10-23
10tags:
11 - attack.defense-evasion
12 - attack.t1218
13 - attack.t1218.007
14logsource:
15 product: windows
16 service: application
17 # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
18detection:
19 selection:
20 Provider_Name: 'MsiInstaller'
21 EventID:
22 - 1040
23 - 1042
24 Data|contains: '://'
25 condition: selection
26falsepositives:
27 - Unknown
28level: medium
References
Related rules
- Abusing Print Executable
- AddinUtil.EXE Execution From Uncommon Directory
- AgentExecutor PowerShell Execution
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Arbitrary File Download Via MSOHTMED.EXE