Potential MsiExec Masquerading
Detects the execution of msiexec.exe from an uncommon directory
Sigma rule (View on GitHub)
1title: Potential MsiExec Masquerading
2id: e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144
3status: test
4description: Detects the execution of msiexec.exe from an uncommon directory
5references:
6 - https://twitter.com/200_okay_/status/1194765831911215104
7author: Florian Roth (Nextron Systems)
8date: 2019/11/14
9modified: 2023/02/21
10tags:
11 - attack.defense_evasion
12 - attack.t1036.005
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 - Image|endswith: '\msiexec.exe'
19 - OriginalFileName: '\msiexec.exe'
20 filter:
21 Image|startswith:
22 - 'C:\Windows\System32\'
23 - 'C:\Windows\SysWOW64\'
24 - 'C:\Windows\WinSxS\'
25 condition: selection and not filter
26falsepositives:
27 - Unknown
28level: high
References
Related rules
- Flash Player Update from Suspicious Location
- Svchost Not Matching Normal Execution Parameters
- MSHTA Suspicious Execution 01
- Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
- Application Whitelisting Bypass via Dnx.exe