MsiExec Web Install

Detects suspicious msiexec process starts with web addresses as parameter

Sigma rule (View on GitHub)

 1title: MsiExec Web Install
 2id: f7b5f842-a6af-4da5-9e95-e32478f3cd2f
 3related:
 4    - id: 8150732a-0c9d-4a99-82b9-9efb9b90c40c
 5      type: similar
 6status: test
 7description: Detects suspicious msiexec process starts with web addresses as parameter
 8references:
 9    - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
10author: Florian Roth (Nextron Systems)
11date: 2018-02-09
12modified: 2022-01-07
13tags:
14    - attack.defense-evasion
15    - attack.t1218.007
16    - attack.command-and-control
17    - attack.t1105
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection:
23        CommandLine|contains|all:
24            - ' msiexec'
25            - '://'
26    condition: selection
27falsepositives:
28    - False positives depend on scripts and administrative tools used in the monitored environment
29level: medium

References

Related rules

to-top