Find sigma rule
Attack: Signed Binary Proxy Execution: Msiexec
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.
Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated
policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)
MITRE
Tactic
- defense-evasion
technique
- T1218.007
Test : Msiexec.exe - Execute Remote MSI file
OS
- windows
Description:
Execute arbitrary MSI file retrieved remotely. Less commonly seen in application installation, commonly seen in malware execution. The MSI executes a built-in JScript payload that launches powershell.exe.
Executor
command_prompt
Sigma Rule
-
proc_creation_win_msiexec_install_quiet.yml (id: 79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5)
-
net_connection_win_msiexec_http.yml (id: 8e5e38e4-5350-4c0b-895a-e872ce0dd54f)
-
proc_creation_win_powershell_non_interactive_execution.yml (id: f4bbd493-b796-416e-bbf2-121235348529)
-
net_connection_win_susp_file_sharing_domains_susp_folders.yml (id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97)