Attachment: MSI Installer file
Recursively scans files and archives to detect MSI installer files.
Coercing a target user to run an MSI can be used as part of an 'IT Support' or 'software update' social engineering attack.
Execution of the delivered MSI could enable the attacker to execute malicious code on the target user's host.
Sublime rule (View on GitHub)
1name: "Attachment: MSI Installer file"
2description: |
3 Recursively scans files and archives to detect MSI installer files.
4
5 Coercing a target user to run an MSI can be used as part of an 'IT Support' or 'software update' social engineering attack.
6
7 Execution of the delivered MSI could enable the attacker to execute malicious code on the target user's host.
8references:
9 - "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"
10 - "https://www.trendmicro.com/en_us/research/19/d/analysis-abuse-of-custom-actions-in-windows-installer-msi-to-run-malicious-javascript-vbscript-and-powershell-scripts.html"
11 - "https://delivr.to/payloads?id=9f7d3318-5072-4ba6-a7e2-14b4b2470a09"
12 - "https://delivr.to/payloads?id=24b2db63-60f0-4948-bec4-163e038bf402"
13type: "rule"
14authors:
15 - twitter: "ajpc500"
16severity: "medium"
17source: |
18 type.inbound
19 and (
20 any(attachments, .file_extension =~ "msi")
21 or (
22 any(attachments,
23 .file_extension in~ $file_extensions_common_archives
24 and any(file.explode(.), .file_extension =~ "msi")
25 )
26 )
27 )
28attack_types:
29 - "Malware/Ransomware"
30tactics_and_techniques:
31 - "Evasion"
32detection_methods:
33 - "Archive analysis"
34 - "File analysis"
35id: "ae17b1a9-41e3-513c-9762-0c3fd30b9818"