Suspicious MsiExec Embedding Parent

Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads

Sigma rule

title: Suspicious MsiExec Embedding Parent
id: 4a2a2c3e-209f-4d01-b513-4155a540b469
status: test
description: Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
author: frack113
date: 2022/04/16
modified: 2022/07/14
tags:
    - attack.t1218.007
    - attack.defense_evasion
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
        ParentCommandLine|contains|all:
            - 'MsiExec.exe'
            - '-Embedding '
    filter_splunk_ufw:
        Image|endswith: ':\Windows\System32\cmd.exe'
        CommandLine|contains: 'C:\Program Files\SplunkUniversalForwarder\bin\'
    filter_vs:
        - CommandLine|contains: '\DismFoDInstall.cmd'
        - ParentCommandLine|contains|all:
              - '\MsiExec.exe -Embedding '
              - 'Global\MSI0000'
    condition: selection and not 1 of filter*
falsepositives:
    - Unknown
level: medium
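To show how the rule's selection and the two filters combine under `selection and not 1 of filter*`, here is an added example (not part of the rule or the Sigma project) that re-implements the matching logic in Python and runs it over a few constructed process-creation events. Field names mirror the rule; the event values and Embedding identifiers are made up for illustration.

```python
"""Re-implementation of the 'Suspicious MsiExec Embedding Parent' logic (added example)."""


def _endswith_any(value, suffixes):
    # Sigma string modifiers are case-insensitive by default.
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_all(value, needles):
    v = value.lower()
    return all(n.lower() in v for n in needles)


def matches_rule(event):
    """True when the event satisfies: selection and not 1 of filter*."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    parent_cmd = event.get("ParentCommandLine", "")

    selection = (_endswith_any(image, ["\\powershell.exe", "\\pwsh.exe", "\\cmd.exe"])
                 and _contains_all(parent_cmd, ["MsiExec.exe", "-Embedding "]))
    # filter_splunk_ufw: both keys must match (AND inside a map).
    filter_splunk_ufw = (_endswith_any(image, [":\\Windows\\System32\\cmd.exe"])
                         and _contains_all(cmd, ["C:\\Program Files\\SplunkUniversalForwarder\\bin\\"]))
    # filter_vs: either list entry may match (OR between list items).
    filter_vs = (_contains_all(cmd, ["\\DismFoDInstall.cmd"])
                 or _contains_all(parent_cmd, ["\\MsiExec.exe -Embedding ", "Global\\MSI0000"]))
    return selection and not (filter_splunk_ufw or filter_vs)


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Users\Public\installer.ps1",
     "ParentCommandLine": r"C:\Windows\System32\MsiExec.exe -Embedding 1A2B3C"},  # should alert
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"',
     "ParentCommandLine": r"C:\Windows\System32\MsiExec.exe -Embedding 4D5E6F"},  # filter_splunk_ufw
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Temp\DismFoDInstall.cmd",
     "ParentCommandLine": r"C:\Windows\System32\MsiExec.exe -Embedding 7A8B9C"},  # filter_vs
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentCommandLine": r"C:\Windows\System32\MsiExec.exe -Embedding 0D1E2F"},  # not in selection
]


def alerting_events(events=SAMPLE_EVENTS):
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for e in alerting_events():
        print("ALERT:", e["Image"], "<-", e["ParentCommandLine"])
```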
