Always Install Elevated Windows Installer

Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege

Sigma rule (View on GitHub)

 1title: Always Install Elevated Windows Installer
 2id: cd951fdc-4b2f-47f5-ba99-a33bf61e3770
 3status: test
 4description: Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege
 5references:
 6    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
 7author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 8date: 2020-10-13
 9modified: 2023-03-23
10tags:
11    - attack.privilege-escalation
12    - attack.t1548.002
13logsource:
14    product: windows
15    category: process_creation
16detection:
17    selection_user:
18        User|contains: # covers many language settings
19            - 'AUTHORI'
20            - 'AUTORI'
21    selection_image_1:
22        Image|contains|all:
23            - '\Windows\Installer\'
24            - 'msi'
25        Image|endswith: 'tmp'
26    selection_image_2:
27        Image|endswith: '\msiexec.exe'
28        IntegrityLevel: 'System'
29    filter_installer:
30        ParentImage: 'C:\Windows\System32\services.exe'
31    filter_repair:
32        - CommandLine|endswith: '\system32\msiexec.exe /V' # ignore "repair option"
33        - ParentCommandLine|endswith: '\system32\msiexec.exe /V' # ignore "repair option"
34    filter_sophos:
35        ParentImage|startswith: 'C:\ProgramData\Sophos\'
36    filter_avira:
37        ParentImage|startswith: 'C:\ProgramData\Avira\'
38    filter_avast:
39        ParentImage|startswith:
40            - 'C:\Program Files\Avast Software\'
41            - 'C:\Program Files (x86)\Avast Software\'
42    filter_google_update:
43        ParentImage|startswith:
44            - 'C:\Program Files\Google\Update\'
45            - 'C:\Program Files (x86)\Google\Update\'
46    condition: 1 of selection_image_* and selection_user and not 1 of filter_*
47falsepositives:
48    - System administrator usage
49    - Anti virus products
50    - WindowsApps located in "C:\Program Files\WindowsApps\"
51level: medium

References

Related rules

to-top