Suspicious Msiexec Quiet Install From Remote Location

 1title: Suspicious Msiexec Quiet Install From Remote Location
 2id: 8150732a-0c9d-4a99-82b9-9efb9b90c40c
 3related:
 4    - id: f7b5f842-a6af-4da5-9e95-e32478f3cd2f
 5      type: similar
 6status: test
 7description: Detects usage of Msiexec.exe to install packages hosted remotely quietly
 8references:
 9    - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022/10/28
12modified: 2024/03/13
13tags:
14    - attack.defense_evasion
15    - attack.t1218.007
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_img:
21        - Image|endswith: '\msiexec.exe'
22        - OriginalFileName: 'msiexec.exe'
23    selection_cli:
24        # Note that there is no space before and after the arguments because it's possible to write a commandline as such
25        # Example: msiexec -q/i [MSI Package]
26        CommandLine|contains|windash:
27            - '-i'
28            - '-package'
29            - '-a'
30            - '-j'
31    selection_quiet:
32        CommandLine|contains|windash: '-q'
33    selection_remote:
34        CommandLine|contains:
35            - 'http'
36            - '\\\\'
37    condition: all of selection_*
38falsepositives:
39    - Unknown
40level: medium