t1218.007
Title: false positives depend on scripts and administrative tools used in the monitored environment
Tags: t1036, t1059, t1059.007, t1082, t1087, t1105, t1140, t1218, t1218.005, t1218.007, t1218.011, windows, sigma

Title: false positives may be present; filter by destination or parent process as needed.
Tags: t1218.007, endpoint, splunk

Title: false positives will be present and filtering is required.
Tags: t1218.007, endpoint, splunk

Title: false positives will be present with msiexec spawning cmd or powershell. filtering will be needed. in addition, add other known discovery processes to enhance the query.
Tags: t1218.007, endpoint, splunk

Title: false positives will only be present if the msiexec process legitimately spawns windbg. filter as needed.
Tags: t1218.007, endpoint, splunk

Title: legitimate script
Tags: t1018, t1021, t1021.006, t1048, t1048.003, t1059, t1218, t1218.007, t1562, t1562.001, windows, sigma

Title: other possible 3rd party msi software installers use this technique as part of their installation process.
Tags: t1218, t1218.007, endpoint, splunk

Title: some rare installers were seen communicating with external servers for additional information. while it's a very rare occurrence in some environments, an initial baseline might be required.
Tags: t1218, t1218.007, windows, sigma

Title: this analytic will need to be tuned for your environment based on legitimate usage of msiexec.exe. filter as needed.
Tags: t1218.007, endpoint, splunk

Title: windowsapps installing updates via the quiet flag
Tags: t1218, t1218.007, windows, sigma