MSI Installation From Web

Detects the installation of a remote MSI package fetched from the web, by looking for a URL in the event data of Windows Installer transaction events.

Sigma rule

title: MSI Installation From Web
id: 5594e67a-7f92-4a04-b65d-1a42fd824a60
status: test
description: Detects installation of a remote msi file from web.
references:
    - https://twitter.com/_st0pp3r_/status/1583922009842802689
author: Stamatis Chatzimangou
date: 2022/10/23
modified: 2022/10/23
tags:
    - attack.defense_evasion
    - attack.t1218
    - attack.t1218.007
logsource:
    product: windows
    service: application
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name: 'MsiInstaller'
        EventID:
            - 1040
            - 1042
        Data|contains: '://'
    condition: selection
falsepositives:
    - Unknown
level: medium
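To show what the selection above actually fires on, here is an added example (not part of the Sigma project or of this rule) that applies the rule's three conditions in Python to a few constructed Windows Application log events. Modelling each event as a dict with `Provider_Name`, `EventID` and `Data` keys, and treating `Data` as the event data joined into one string, are assumptions; real backends expose the MsiInstaller event data differently, as the rule's own comment warns.

```python
# Added example: evaluate this rule's 'selection' against constructed events.
# The event dict shape (Provider_Name, EventID, Data) is an assumption made
# for this example; adapt the field access to your own log pipeline.

RULE_PROVIDER = "MsiInstaller"
RULE_EVENT_IDS = {1040, 1042}   # 1040: transaction begins, 1042: transaction ends
RULE_DATA_SUBSTRING = "://"      # Data|contains: the package path is a URL


def matches_msi_from_web(event: dict) -> bool:
    """Return True when the event satisfies every key of the rule's selection."""
    if event.get("Provider_Name") != RULE_PROVIDER:
        return False
    try:
        event_id = int(event.get("EventID"))
    except (TypeError, ValueError):
        return False
    if event_id not in RULE_EVENT_IDS:
        return False
    # Sigma 'contains' on a string field; the 'data' container is flattened
    # to one string here so a URL anywhere in the event data is caught.
    data = event.get("Data")
    if isinstance(data, (list, tuple)):
        data = " ".join(str(item) for item in data)
    return isinstance(data, str) and RULE_DATA_SUBSTRING in data


def alerts(events):
    """Filter a batch of events down to those the rule would alert on."""
    return [e for e in events if matches_msi_from_web(e)]


# Constructed sample events (not real logs): only the first one should match.
SAMPLE_EVENTS = [
    {"Provider_Name": "MsiInstaller", "EventID": 1040,
     "Data": ["https://files.example.invalid/setup.msi", "1234"]},
    {"Provider_Name": "MsiInstaller", "EventID": 1042,
     "Data": ["C:\\Users\\alice\\Downloads\\setup.msi", "1234"]},
    {"Provider_Name": "Service Control Manager", "EventID": 1040,
     "Data": ["https://files.example.invalid/setup.msi"]},
    {"Provider_Name": "MsiInstaller", "EventID": 11707,
     "Data": ["Installation completed successfully. http://example.invalid"]},
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT EventID", hit["EventID"], "->", hit["Data"][0])
```

Note that the `'://'` test matches any URI scheme, including `file://`, so a local installation logged with a URI path would also trigger the rule; that is one source of the "Unknown" false positives.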
