Suspicious MsiExec Embedding Parent
Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads
Sigma rule (View on GitHub)
1title: Suspicious MsiExec Embedding Parent
2id: 4a2a2c3e-209f-4d01-b513-4155a540b469
3status: test
4description: Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
7author: frack113
8date: 2022-04-16
9modified: 2022-07-14
10tags:
11 - attack.t1218.007
12 - attack.defense-evasion
13logsource:
14 product: windows
15 category: process_creation
16detection:
17 selection:
18 Image|endswith:
19 - '\powershell.exe'
20 - '\pwsh.exe'
21 - '\cmd.exe'
22 ParentCommandLine|contains|all:
23 - 'MsiExec.exe'
24 - '-Embedding '
25 filter_splunk_ufw:
26 Image|endswith: ':\Windows\System32\cmd.exe'
27 CommandLine|contains: 'C:\Program Files\SplunkUniversalForwarder\bin\'
28 filter_vs:
29 - CommandLine|contains: '\DismFoDInstall.cmd'
30 - ParentCommandLine|contains|all:
31 - '\MsiExec.exe -Embedding '
32 - 'Global\MSI0000'
33 condition: selection and not 1 of filter*
34falsepositives:
35 - Unknown
36level: medium
References
Related rules
- DllUnregisterServer Function Call Via Msiexec.EXE
- MSI Installation From Web
- MsiExec Web Install
- PowerShell WMI Win32_Product Install MSI
- Suspicious Msiexec Execute Arbitrary DLL