Always Install Elevated Windows Installer

calendar Dec 1, 2024 · attack.privilege-escalation attack.t1548.002  ·
Share on: linkedin copy

Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege

Sigma rule (View on GitHub)

 1title: Always Install Elevated Windows Installer
 2id: cd951fdc-4b2f-47f5-ba99-a33bf61e3770
 3status: test
 4description: Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege
 5references:
 6    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
 7author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 8date: 2020-10-13
 9modified: 2024-12-01
10tags:
11    - attack.privilege-escalation
12    - attack.t1548.002
13logsource:
14    product: windows
15    category: process_creation
16detection:
17    selection_user:
18        User|contains: # covers many language settings
19            - 'AUTHORI'
20            - 'AUTORI'
21    selection_image_1:
22        Image|contains|all:
23            - '\Windows\Installer\'
24            - 'msi'
25        Image|endswith: 'tmp'
26    selection_image_2:
27        Image|endswith: '\msiexec.exe'
28        IntegrityLevel:
29            - 'System'
30            - 'S-1-16-16384'
31    filter_installer:
32        ParentImage: 'C:\Windows\System32\services.exe'
33    filter_repair:
34        - CommandLine|endswith: '\system32\msiexec.exe /V' # ignore "repair option"
35        - ParentCommandLine|endswith: '\system32\msiexec.exe /V' # ignore "repair option"
36    filter_sophos:
37        ParentImage|startswith: 'C:\ProgramData\Sophos\'
38    filter_avira:
39        ParentImage|startswith: 'C:\ProgramData\Avira\'
40    filter_avast:
41        ParentImage|startswith:
42            - 'C:\Program Files\Avast Software\'
43            - 'C:\Program Files (x86)\Avast Software\'
44    filter_google_update:
45        ParentImage|startswith:
46            - 'C:\Program Files\Google\Update\'
47            - 'C:\Program Files (x86)\Google\Update\'
48    condition: 1 of selection_image_* and selection_user and not 1 of filter_*
49falsepositives:
50    - System administrator usage
51    - Anti virus products
52    - WindowsApps located in "C:\Program Files\WindowsApps\"
53level: medium

References

  • ÿØÿàJFIFÿâICC_PROFILE lcmsmntrRGB XYZ Ü)9acspAPPLöÖÓ-lcms descü^cprt\ wtpthbkpt|rXYZ�gXYZ¤bXYZ¸rTRCÌ@gTRCÌ@bTRCÌ@descc2textFBXYZ öÖÓ-XYZ 3¤XYZ o¢8õ�XYZ b™·…ÚX...


    Read More

Related rules

to-top