LoFP

Some legitimate system cleanup or MSI uninstallation processes may delete .rbs files under C:\Config.Msi. Verify events against approved maintenance activities to reduce false alarms.

Techniques

Sample rules

Windows MSI Rollback Script Deleted By Non-Msiexec Process

Description

Detects deletion of a Rollback Script (.rbs) file under C:\Config.Msi, the critical filesystem manipulation step in an MSI Rollback privilege escalation attack that converts an arbitrary file delete primitive into full SYSTEM code execution. During a legitimate MSI installation, the Windows Installer service (running as SYSTEM) creates C:\Config.Msi and populates it with a Rollback Script (.rbs) and Rollback File (.rbf). These files define exactly how to restore the system to its pre-installation state if the install fails. The folder is protected with a strong DACL specifically to prevent tampering by low-privileged users — because whatever is in these files will be executed by the SYSTEM-level Installer service during rollback.

Detection logic

`sysmon` EventID=23 TargetFilename="*:\\Config.Msi\\*" TargetFilename="*.rbs" NOT ProcessName="msiexec.exe"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
    by Computer ProcessName TargetFilename EventID action dest dvc file_path file_hash file_name file_modify_time process_exec process_guid process_id process_name process_path signature signature_id user user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_msi_rollback_script_deleted_by_non_msiexec_process_filter`
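As an added illustration, not part of this LoFP page or of the Splunk Security Content rule it quotes, the following Python reimplements the search above over constructed Sysmon Event ID 23 (FileDelete) records, so the path and extension globs, the msiexec.exe exclusion, the stats aggregation, and the tuning point the LoFP note refers to can be exercised offline. The field names follow the search; `ApprovedCleanup.exe` is a placeholder for whatever maintenance tool a site has verified, and `ctime` and `site_filter` are assumed stand-ins for the two macros, whose real definitions are not on the page.

```python
import fnmatch
from datetime import datetime, timezone

# Constructed Sysmon Event ID 23 records shaped like the fields the Splunk
# search names (_time is epoch seconds). None of these are real telemetry.
SAMPLE_EVENTS = [
    # msiexec.exe removing its own rollback script: excluded by the NOT clause
    {"Computer": "WS01", "EventID": 23, "_time": 1700000000,
     "ProcessName": "msiexec.exe", "User": "NT AUTHORITY\\SYSTEM",
     "TargetFilename": "C:\\Config.Msi\\1a2b3c.rbs"},
    # a non-installer process deleting the .rbs: the condition the rule targets
    {"Computer": "WS01", "EventID": 23, "_time": 1700000100,
     "ProcessName": "powershell.exe", "User": "WS01\\lowpriv",
     "TargetFilename": "C:\\Config.Msi\\1a2b3c.rbs"},
    # same process, same file, a second deletion: aggregated into one row
    {"Computer": "WS01", "EventID": 23, "_time": 1700000160,
     "ProcessName": "powershell.exe", "User": "WS01\\lowpriv",
     "TargetFilename": "C:\\Config.Msi\\1a2b3c.rbs"},
    # the .rbf companion file: not matched, the rule only watches *.rbs
    {"Computer": "WS01", "EventID": 23, "_time": 1700000200,
     "ProcessName": "powershell.exe", "User": "WS01\\lowpriv",
     "TargetFilename": "C:\\Config.Msi\\1a2b3c.rbf"},
    # placeholder approved cleanup tool on another drive: matched by the search,
    # then dropped by the site filter (the LoFP case at the top of the page)
    {"Computer": "WS02", "EventID": 23, "_time": 1700000300,
     "ProcessName": "ApprovedCleanup.exe", "User": "NT AUTHORITY\\SYSTEM",
     "TargetFilename": "D:\\Config.Msi\\9f8e7d.rbs"},
    # an .rbs outside Config.Msi: the path glob does not match
    {"Computer": "WS02", "EventID": 23, "_time": 1700000400,
     "ProcessName": "powershell.exe", "User": "WS02\\lowpriv",
     "TargetFilename": "C:\\Users\\lowpriv\\notes.rbs"},
]

# The three literals from the search clause, kept exactly as the rule writes them.
RULE_PATH_GLOB = "*:\\Config.Msi\\*"
RULE_EXT_GLOB = "*.rbs"
RULE_EXCLUDED_PROCESS = "msiexec.exe"


def glob_match(value, pattern):
    """Case-insensitive '*' wildcard match, approximating Splunk field matching."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def search_matches(event):
    """The search clause: EventID=23, both TargetFilename globs, NOT msiexec.exe."""
    name = event.get("TargetFilename", "")
    return (event.get("EventID") == 23
            and glob_match(name, RULE_PATH_GLOB)
            and glob_match(name, RULE_EXT_GLOB)
            and not glob_match(event.get("ProcessName", ""), RULE_EXCLUDED_PROCESS))


def stats_by(events, keys=("Computer", "ProcessName", "TargetFilename", "User")):
    """'| fillnull | stats count min(_time) as firstTime max(_time) as lastTime by ...'
    reduced to the key fields that matter here; missing fields group as None."""
    rows = {}
    for e in events:
        key = tuple(e.get(f) for f in keys)
        row = rows.setdefault(key, {**dict(zip(keys, key)), "count": 0,
                                     "firstTime": e["_time"], "lastTime": e["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], e["_time"])
        row["lastTime"] = max(row["lastTime"], e["_time"])
    return list(rows.values())


def ctime(epoch):
    """Assumed stand-in for `security_content_ctime`: epoch seconds to a UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def site_filter(rows, approved_processes):
    """Assumed stand-in for the `..._filter` macro: the place where verified
    maintenance tooling (the LoFP case) is tuned out, compared case-insensitively."""
    approved = {p.lower() for p in approved_processes}
    return [r for r in rows if (r["ProcessName"] or "").lower() not in approved]


def run_detection(events, approved_processes=()):
    """Run the whole pipeline and return the notable rows, sorted for stable output."""
    hits = [e for e in events if search_matches(e)]
    rows = site_filter(stats_by(hits), approved_processes)
    for r in rows:
        r["firstTime"] = ctime(r["firstTime"])
        r["lastTime"] = ctime(r["lastTime"])
    return sorted(rows, key=lambda r: (r["Computer"], r["ProcessName"]))


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS, approved_processes=("ApprovedCleanup.exe",)):
        print(row)
```

Running it without an approved-process list yields two rows (the PowerShell deletion on WS01 and the cleanup tool on WS02); passing the placeholder tool name to `approved_processes` leaves only the WS01 row, which is the tuning the LoFP note describes: verify a process against approved maintenance activity, then exclude it in the filter macro rather than loosening the search itself.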