Suspicious Msiexec Quiet Install From Remote Location
Detects usage of Msiexec.exe to install packages hosted remotely quietly
Sigma rule
```yaml
title: Suspicious Msiexec Quiet Install From Remote Location
id: 8150732a-0c9d-4a99-82b9-9efb9b90c40c
related:
    - id: f7b5f842-a6af-4da5-9e95-e32478f3cd2f
      type: similar
status: test
description: Detects usage of Msiexec.exe to install packages hosted remotely quietly
references:
    - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-28
modified: 2024-03-13
tags:
    - attack.defense-evasion
    - attack.t1218.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\msiexec.exe'
        - OriginalFileName: 'msiexec.exe'
    selection_cli:
        # Note that there is no space before and after the arguments because it's possible to write a commandline as such
        # Example: msiexec -q/i [MSI Package]
        CommandLine|contains|windash:
            - '-i'
            - '-package'
            - '-a'
            - '-j'
    selection_quiet:
        CommandLine|contains|windash: '-q'
    selection_remote:
        CommandLine|contains:
            - 'http'
            - '\\\\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
```
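To make the `all of selection_*` condition concrete, the following is an added Python reimplementation of this rule's matching logic (example code, not part of the rule or the Sigma project) run over constructed process_creation events. Field names follow the rule; the `windash` expansion here covers only the `-` and `/` forms (Sigma's modifier also accepts Unicode dash variants), and string matching is case-insensitive as in Sigma.

```python
# Added example: evaluate the rule's four selections against sample events.

def windash_variants(value: str) -> list[str]:
    """Sigma 'windash': a value written with '-' must also match its '/' form."""
    return [value, value.replace("-", "/")]

INSTALL_FLAGS = ["-i", "-package", "-a", "-j"]   # selection_cli (windash)
QUIET_FLAG = "-q"                                 # selection_quiet (windash)
REMOTE_MARKERS = ["http", "\\\\"]                 # selection_remote: URL or UNC prefix \\

def contains_any(haystack: str, needles) -> bool:
    """Sigma 'contains' is a case-insensitive substring test."""
    h = haystack.lower()
    return any(n.lower() in h for n in needles)

def matches_rule(event: dict) -> bool:
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    selection_img = image.endswith("\\msiexec.exe") or original == "msiexec.exe"
    selection_cli = any(contains_any(cmd, windash_variants(f)) for f in INSTALL_FLAGS)
    selection_quiet = contains_any(cmd, windash_variants(QUIET_FLAG))
    selection_remote = contains_any(cmd, REMOTE_MARKERS)
    # condition: all of selection_*
    return selection_img and selection_cli and selection_quiet and selection_remote

# Constructed sample events (not real telemetry); hostnames are placeholders.
EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /q /i http://example.invalid/pkg.msi"},        # quiet + remote URL
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec -q/i \\fileserver\share\tool.msi"},                 # no spaces, UNC path
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Temp\setup.msi /qn"},                     # local package: no match
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /x {PRODUCT-GUID} /q"},                         # uninstall: no match
    {"Image": r"C:\Users\u\renamed.exe", "OriginalFileName": "msiexec.exe",
     "CommandLine": "renamed.exe -quiet -package https://example.invalid/a.msi"},  # renamed binary, caught via OriginalFileName
]

def run(events=EVENTS) -> list[int]:
    """Return the indices of events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]

if __name__ == "__main__":
    print("matching events:", run())   # [0, 1, 4]
```

Note that `contains` is a plain substring test, so `-q` also fires on `-quiet` and `-i` on any `/i` inside a path; that is intended by the rule's no-space comment, but it is why the local and uninstall samples above are excluded only by the remote check.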
Related rules
- DllUnregisterServer Function Call Via Msiexec.EXE
- MSI Installation From Web
- MsiExec Web Install
- Msiexec Quiet Installation
- PowerShell WMI Win32_Product Install MSI