Always Install Elevated Windows Installer

Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege

Sigma rule

title: Always Install Elevated Windows Installer
id: cd951fdc-4b2f-47f5-ba99-a33bf61e3770
status: test
description: Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege
references:
    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
date: 2020-10-13
modified: 2024-12-01
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    product: windows
    category: process_creation
detection:
    selection_user:
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    selection_image_1:
        Image|contains|all:
            - '\Windows\Installer\'
            - 'msi'
        Image|endswith: 'tmp'
    selection_image_2:
        Image|endswith: '\msiexec.exe'
        IntegrityLevel:
            - 'System'
            - 'S-1-16-16384'
    filter_installer:
        ParentImage: 'C:\Windows\System32\services.exe'
    filter_repair:
        - CommandLine|endswith: '\system32\msiexec.exe /V' # ignore "repair option"
        - ParentCommandLine|endswith: '\system32\msiexec.exe /V' # ignore "repair option"
    filter_sophos:
        ParentImage|startswith: 'C:\ProgramData\Sophos\'
    filter_avira:
        ParentImage|startswith: 'C:\ProgramData\Avira\'
    filter_avast:
        ParentImage|startswith:
            - 'C:\Program Files\Avast Software\'
            - 'C:\Program Files (x86)\Avast Software\'
    filter_google_update:
        ParentImage|startswith:
            - 'C:\Program Files\Google\Update\'
            - 'C:\Program Files (x86)\Google\Update\'
    condition: 1 of selection_image_* and selection_user and not 1 of filter_*
falsepositives:
    - System administrator usage
    - Anti virus products
    - WindowsApps located in "C:\Program Files\WindowsApps\"
level: medium
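To see what the condition actually fires on, here is an added example (written for this page, not part of the SigmaHQ rule or of any Sigma backend) that re-implements the rule's selections, filters and condition in Python and runs them over constructed process_creation events. String comparison is case-insensitive to mirror Sigma's string modifiers. Every path, user name and command line in SAMPLE_EVENTS is made up for illustration, and the names SAMPLE_EVENTS, matches and alerts are chosen here rather than taken from the rule.

```python
"""Added example: the rule's detection logic re-implemented in Python and run over
constructed process_creation events (not part of the SigmaHQ rule or its tooling)."""
from typing import Dict, List

Event = Dict[str, str]  # field names as in the rule's logsource

def _field(event: Event, name: str) -> str:
    # Sigma string comparisons are case-insensitive; a missing field never matches.
    return event.get(name, "").lower()

def selection_user(event: Event) -> bool:
    # User|contains AUTHORI / AUTORI ("NT AUTHORITY\SYSTEM" and localized variants)
    user = _field(event, "User")
    return "authori" in user or "autori" in user

def selection_image_1(event: Event) -> bool:
    # Image|contains|all '\Windows\Installer\' and 'msi', Image|endswith 'tmp'
    image = _field(event, "Image")
    return "\\windows\\installer\\" in image and "msi" in image and image.endswith("tmp")

def selection_image_2(event: Event) -> bool:
    # Image|endswith '\msiexec.exe' at SYSTEM integrity (name or SID form)
    return (_field(event, "Image").endswith("\\msiexec.exe")
            and _field(event, "IntegrityLevel") in ("system", "s-1-16-16384"))

VENDOR_PARENTS = (  # filter_sophos, filter_avira, filter_avast, filter_google_update
    "c:\\programdata\\sophos\\", "c:\\programdata\\avira\\",
    "c:\\program files\\avast software\\", "c:\\program files (x86)\\avast software\\",
    "c:\\program files\\google\\update\\", "c:\\program files (x86)\\google\\update\\",
)

def any_filter(event: Event) -> bool:
    # "1 of filter_*": a single matching filter suppresses the event
    parent = _field(event, "ParentImage")
    repair = "\\system32\\msiexec.exe /v"  # filter_repair suffix
    return (parent == "c:\\windows\\system32\\services.exe"  # filter_installer
            or _field(event, "CommandLine").endswith(repair)
            or _field(event, "ParentCommandLine").endswith(repair)
            or parent.startswith(VENDOR_PARENTS))

def matches(event: Event) -> bool:
    # condition: 1 of selection_image_* and selection_user and not 1 of filter_*
    return ((selection_image_1(event) or selection_image_2(event))
            and selection_user(event) and not any_filter(event))

def alerts(events: List[Event]) -> List[str]:
    """Ids of the events the rule fires on, in input order."""
    return [e["id"] for e in events if matches(e)]

# Constructed sample events; all paths, names and command lines are made up.
SAMPLE_EVENTS: List[Event] = [
    {   # msiexec.exe at SYSTEM integrity under a user-writable parent: fires
        "id": "elevated-msiexec",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r"C:\Windows\System32\msiexec.exe /i C:\Users\bob\AppData\Local\Temp\payload.msi /qn",
        "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System",
        "ParentImage": r"C:\Users\bob\AppData\Local\Temp\dropper.exe",
    },
    {   # MSI*.tmp custom action on a German-language host: selection_image_1 plus 'AUTORI'
        "id": "localized-tmp",
        "Image": r"C:\Windows\Installer\MSI4A2B.tmp",
        "User": r"NT-AUTORITÄT\SYSTEM", "IntegrityLevel": "S-1-16-16384",
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
        "ParentCommandLine": r"C:\Windows\System32\msiexec.exe /i C:\Users\bob\AppData\Local\Temp\payload.msi",
    },
    {   # the Installer service itself: suppressed by filter_installer and filter_repair
        "id": "installer-service",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r"C:\Windows\system32\msiexec.exe /V",
        "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System",
        "ParentImage": r"C:\Windows\System32\services.exe",
    },
    {   # AV updater spawning msiexec.exe: suppressed by filter_sophos
        "id": "av-updater",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System",
        "ParentImage": r"C:\ProgramData\Sophos\AutoUpdate\SophosUpdate.exe",
    },
    {   # ordinary per-user install: wrong user and integrity level, no match
        "id": "user-install",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "User": r"CORP\bob", "IntegrityLevel": "Medium",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # ['elevated-msiexec', 'localized-tmp']
```

The third and fourth events show what the filters do: the Installer service instance started by services.exe with `/V`, and anything whose parent lives under the listed vendor directories, never reach the alert even though they satisfy the selections. When adding exclusions for your own environment, add a constructed event for each one and confirm the true-positive cases still fire.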
