Find sigma rule

Attack: Signed Binary Proxy Execution: Msiexec

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.

Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)

MITRE

Tactic

defense-evasion

technique

T1218.007

Test : WMI Win32_Product Class - Execute Local MSI file with embedded VBScript

OS

windows

Description:

Executes an MSI containing embedded VBScript code using the WMI Win32_Product class

Executor

powershell

Sigma Rule

posh_ps_win32_product_install_msi.yml (id: 91109523-17f0-4248-a800-f81d9e7c081d)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test