MSI Installation From Web
Detects installation of a remote msi file from web.
Sigma rule (View on GitHub)
1title: MSI Installation From Web
2id: 5594e67a-7f92-4a04-b65d-1a42fd824a60
3status: test
4description: Detects installation of a remote msi file from web.
5references:
6 - https://twitter.com/_st0pp3r_/status/1583922009842802689
7author: Stamatis Chatzimangou
8date: 2022-10-23
9tags:
10 - attack.defense-evasion
11 - attack.t1218
12 - attack.t1218.007
13logsource:
14 product: windows
15 service: application
16 # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
17detection:
18 selection:
19 Provider_Name: 'MsiInstaller'
20 EventID:
21 - 1040
22 - 1042
23 Data|contains: '://'
24 condition: selection
25falsepositives:
26 - Unknown
27level: medium
References
-
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More
Related rules
- BitLockerTogo.EXE Execution
- Hidden Flag Set On File/Directory Via Chflags - MacOS
- Insensitive Subfolder Search Via Findstr.EXE
- Remote File Download Via Findstr.EXE
- Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location