LoFP / windowsapps installing updates via the quiet flag

Sample rules

Msiexec Quiet Installation

Description

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).

Detection logic

condition: all of selection_* and not 1 of filter_*
filter_ccm:
  IntegrityLevel: System
  ParentImage: C:\Windows\CCM\Ccm32BitLauncher.exe
filter_system_temp:
  ParentImage|startswith: C:\Windows\Temp\
filter_user_temp:
  ParentImage|contains: \AppData\Local\Temp\
  ParentImage|startswith: C:\Users\
selection_cli:
  CommandLine|contains|windash:
  - -i
  - -package
  - -a
  - -j
selection_img:
- Image|endswith: \msiexec.exe
- OriginalFileName: msiexec.exe
selection_quiet:
  CommandLine|contains|windash: -q
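As an added example (not part of the LoFP page or the Sigma rule itself), the rule's logic evaluated in Python over constructed Sysmon-style process-creation records: it expands the windash modifier, applies the three selections and three filters, and shows why the WindowsApps quiet update this page lists is a false positive (its parent process is covered by none of the filters). The event field names and sample paths are assumptions.

```python
import itertools

# windash: Sigma expands each "-" in the value to the dash/slash spellings Windows accepts
# (minus, slash, en dash, em dash, horizontal bar).
DASHES = ("-", "/", "\u2013", "\u2014", "\u2015")

def windash_variants(value):
    """Yield every dash permutation of a Sigma 'windash' value, e.g. -q -> -q, /q, ..."""
    parts = value.split("-")
    for combo in itertools.product(DASHES, repeat=len(parts) - 1):
        yield "".join(p + d for p, d in zip(parts, combo)) + parts[-1]

def contains_windash(field, value):
    """Case-insensitive 'contains' with windash expansion, as Sigma matches strings."""
    haystack = (field or "").lower()
    return any(v.lower() in haystack for v in windash_variants(value))

def lc(event, key):
    return (event.get(key) or "").lower()

def rule_matches(e):
    """condition: all of selection_* and not 1 of filter_*"""
    image, orig = lc(e, "Image"), lc(e, "OriginalFileName")
    cmd, parent = e.get("CommandLine"), lc(e, "ParentImage")
    selection_img = image.endswith("\\msiexec.exe") or orig == "msiexec.exe"  # list of maps = OR
    selection_cli = any(contains_windash(cmd, v) for v in ("-i", "-package", "-a", "-j"))
    selection_quiet = contains_windash(cmd, "-q")
    filter_ccm = lc(e, "IntegrityLevel") == "system" and parent == "c:\\windows\\ccm\\ccm32bitlauncher.exe"
    filter_system_temp = parent.startswith("c:\\windows\\temp\\")
    filter_user_temp = "\\appdata\\local\\temp\\" in parent and parent.startswith("c:\\users\\")
    return (selection_img and selection_cli and selection_quiet
            and not (filter_ccm or filter_system_temp or filter_user_temp))

def event(cmd, parent, integrity="Medium"):
    """Constructed process-creation record with Sysmon-style field names (not real telemetry)."""
    return {"Image": "C:\\Windows\\System32\\msiexec.exe", "OriginalFileName": "msiexec.exe",
            "CommandLine": cmd, "ParentImage": parent, "IntegrityLevel": integrity}

SAMPLE_EVENTS = {  # constructed samples; the WindowsApps package folder is a placeholder
    "user_shell_quiet": event("msiexec.exe /i C:\\Users\\alice\\Downloads\\tool.msi /qn",
                              "C:\\Windows\\System32\\cmd.exe"),
    "windowsapps_update": event("msiexec.exe -i update.msi -quiet",
                                "C:\\Program Files\\WindowsApps\\Vendor.App_1.0_x64__x\\Update.exe"),
    "ccm_launcher": event("msiexec.exe /i agent.msi /q", "C:\\Windows\\CCM\\Ccm32BitLauncher.exe", "System"),
    "interactive": event("msiexec.exe /i setup.msi", "C:\\Windows\\explorer.exe"),
}

def evaluate_samples():
    """Rule verdict per sample: only the CCM-launched and non-quiet installs are suppressed."""
    return {name: rule_matches(e) for name, e in SAMPLE_EVENTS.items()}
```

The "windowsapps_update" record matches even though it is benign, which is exactly the false positive this LoFP entry documents; tuning it means adding a filter on that parent image rather than loosening the selections.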