MSI Installation From Web
Detects installation of a remote msi file from web.
Sigma rule (View on GitHub)
1title: MSI Installation From Web
2id: 5594e67a-7f92-4a04-b65d-1a42fd824a60
3status: test
4description: Detects installation of a remote msi file from web.
5references:
6 - https://twitter.com/_st0pp3r_/status/1583922009842802689
7author: Stamatis Chatzimangou
8date: 2022-10-23
9tags:
10 - attack.stealth
11 - attack.t1218
12 - attack.t1218.007
13logsource:
14 product: windows
15 service: application
16 # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
17detection:
18 selection:
19 Provider_Name: 'MsiInstaller'
20 EventID:
21 - 1040
22 - 1042
23 Data|contains: '://'
24 condition: selection
25falsepositives:
26 - Unknown
27level: medium
References
-
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More
Related rules
- Abusing Print Executable
- AddinUtil.EXE Execution From Uncommon Directory
- AgentExecutor PowerShell Execution
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Arbitrary File Download Via IMEWDBLD.EXE