Potential MsiExec Masquerading
Detects the execution of msiexec.exe from an uncommon directory
Sigma rule (View on GitHub)
1title: Potential MsiExec Masquerading
2id: e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144
3status: test
4description: Detects the execution of msiexec.exe from an uncommon directory
5references:
6 - https://twitter.com/200_okay_/status/1194765831911215104
7author: Florian Roth (Nextron Systems)
8date: 2019-11-14
9modified: 2023-02-21
10tags:
11 - attack.defense-evasion
12 - attack.t1036.005
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 - Image|endswith: '\msiexec.exe'
19 - OriginalFileName: '\msiexec.exe'
20 filter:
21 Image|startswith:
22 - 'C:\Windows\System32\'
23 - 'C:\Windows\SysWOW64\'
24 - 'C:\Windows\WinSxS\'
25 condition: selection and not filter
26falsepositives:
27 - Unknown
28level: high
References
Related rules
- Exploit for CVE-2015-1641
- Files With System DLL Name In Unsuspected Locations
- Files With System Process Name In Unsuspected Locations
- Flash Player Update from Suspicious Location
- Greenbug Espionage Group Indicators