Techniques
Sample rules
Msiexec Quiet Installation
- source: sigma
- techniques:
  - t1218
  - t1218.007
Description
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).
Detection logic
condition: all of selection_* and not 1 of filter_*
filter_ccm:
  IntegrityLevel:
    - System
    - S-1-16-16384
  ParentImage: C:\Windows\CCM\Ccm32BitLauncher.exe
filter_system_temp:
  ParentImage|startswith: C:\Windows\Temp\
filter_user_temp:
  ParentImage|contains: \AppData\Local\Temp\
  ParentImage|startswith: C:\Users\
selection_cli:
  CommandLine|contains|windash:
    - -i
    - -package
    - -a
    - -j
selection_img:
  - Image|endswith: \msiexec.exe
  - OriginalFileName: msiexec.exe
selection_quiet:
  CommandLine|contains|windash: -q
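Example evaluation
The detection logic above applied to constructed process-creation events, as an added example (not part of the Sigma rule or of any Sigma tooling). It assumes case-insensitive matching and models windash as the hyphen and forward-slash forms only; the function names and all event values are made up for illustration.

```python
DASHES = ("-", "/")  # assumption: windash modelled as hyphen and slash only

def has_flag(cmdline, flag):
    """Case-insensitive 'contains' using the modelled windash variants."""
    return any(d + flag[1:] in cmdline.lower() for d in DASHES)

def rule_matches(ev):
    """Evaluate: all of selection_* and not 1 of filter_*."""
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    # A list of maps (selection_img) is an OR; fields inside one map are ANDed.
    selection_img = (image.endswith("\\msiexec.exe")
                     or ev.get("OriginalFileName", "").lower() == "msiexec.exe")
    selection_cli = any(has_flag(cmd, f) for f in ("-i", "-package", "-a", "-j"))
    selection_quiet = has_flag(cmd, "-q")
    filter_ccm = (ev.get("IntegrityLevel", "").lower() in ("system", "s-1-16-16384")
                  and parent == "c:\\windows\\ccm\\ccm32bitlauncher.exe")
    filter_system_temp = parent.startswith("c:\\windows\\temp\\")
    filter_user_temp = (parent.startswith("c:\\users\\")
                        and "\\appdata\\local\\temp\\" in parent)
    selected = selection_img and selection_cli and selection_quiet
    return selected and not (filter_ccm or filter_system_temp or filter_user_temp)

# Constructed sample events (not real telemetry).
SYS32 = "C:\\Windows\\System32\\"
EVENTS = {
    "quiet_install": {"Image": SYS32 + "msiexec.exe", "ParentImage": SYS32 + "cmd.exe",
                      "CommandLine": "msiexec.exe /i C:\\Users\\Public\\app.msi /qn"},
    "interactive_install": {"Image": SYS32 + "msiexec.exe", "ParentImage": SYS32 + "cmd.exe",
                            "CommandLine": "msiexec.exe /i C:\\Temp\\app.msi"},
    "user_temp_parent": {"Image": SYS32 + "msiexec.exe",
                         "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
                         "CommandLine": "msiexec.exe -i app.msi -quiet"},
    "ccm_deployment": {"Image": SYS32 + "msiexec.exe", "IntegrityLevel": "System",
                       "ParentImage": "C:\\Windows\\CCM\\Ccm32BitLauncher.exe",
                       "CommandLine": "msiexec /i client.msi /q"},
    # Renamed copy: the Image path no longer matches, OriginalFileName still does.
    "renamed_binary": {"Image": "C:\\Users\\Public\\inst.exe", "OriginalFileName": "msiexec.exe",
                       "ParentImage": SYS32 + "cmd.exe",
                       "CommandLine": "inst.exe -package app.msi -qn"},
}

def evaluate_all():
    """Return {event name: True if the rule would alert}."""
    return {name: rule_matches(ev) for name, ev in EVENTS.items()}

if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{name:22} {'ALERT' if hit else 'no match'}")
```

Because the filters key only on ParentImage (and IntegrityLevel for CCM), any quiet install whose parent runs from a temp directory is excluded, which is worth keeping in mind when tuning the rule.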