Event ID 1033 — Windows Installer installed the product.

Provider: MsiInstaller
Channel: Application
Level: Informational
Collection Priority: Recommended (NSA)

Description

Product: . Version: . Language: . Installation completed with status: . Manufacturer: .

Message

Product: %1. Version: %2. Language: %3. Installation completed with status: %4. Manufacturer: %5.

Fields

Name | Description
Data |
Binary |

Example Event

{
  "system": {
    "provider": "MsiInstaller",
    "guid": "",
    "event_source_name": "",
    "event_id": 1033,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2023-11-05T23:15:56.232306+00:00",
    "event_record_id": 1723,
    "correlation": {},
    "execution": {
      "process_id": 4436,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "Data": [
      "Python 3.12.0 Test Suite (64-bit)",
      "3.12.150.0",
      "1033",
      "0",
      "Python Software Foundation",
      "(NULL)"
    ],
    "Binary": "ezBBOUIzOEE3LUQzOTMtNDRBNS1BOTRFLTlGRUM5MjdEQzM5Q30wMDAwOWUwZTEzODZmMjM2YThjYzdiYzZhNmQ4ODJjNjZkZGIwMDAwMDkwNA=="
  },
  "message": "Windows Installer installed the product. Product Name: Python 3.12.0 Test Suite (64-bit). Product Version: 3.12.150.0. Product Language: 1033. Manufacturer: Python Software Foundation. Installation success or error status: 0."
}

Detection Rules

Sigma

  • Atera Agent Installation (high): Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators
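
An added example (not part of the original page and not the Sigma rule's own logic): it maps the event's Data strings onto the %1 to %5 fields of the message template and applies a simple triage check. The watchlist, the flag names, and the reading of the GUID at the start of Binary as the MSI ProductCode are assumptions.

```python
import base64
import binascii
import json
import re

FIELDS = ("product", "version", "language", "status", "manufacturer")  # %1..%5
WATCHLIST = ("atera",)  # hypothetical list; term taken from the Sigma rule above
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample: the page's example event, trimmed to the fields used here.
SAMPLE = json.dumps({
    "system": {"provider": "MsiInstaller", "event_id": 1033},
    "event_data": {
        "Data": ["Python 3.12.0 Test Suite (64-bit)", "3.12.150.0", "1033",
                 "0", "Python Software Foundation", "(NULL)"],
        "Binary": "ezBBOUIzOEE3LUQzOTMtNDRBNS1BOTRFLTlGRUM5MjdEQzM5Q30wMDAw"
                  "OWUwZTEzODZmMjM2YThjYzdiYzZhNmQ4ODJjNjZkZGIwMDAwMDkwNA==",
    },
})

def normalize(raw):
    """Map a 1033 event (JSON text) to named fields; None for other events."""
    event = json.loads(raw)
    system, data = event.get("system", {}), event.get("event_data", {})
    if system.get("provider") != "MsiInstaller" or system.get("event_id") != 1033:
        return None
    # zip() ignores strings past %5; absent ones and "(NULL)" stay None.
    rec = dict.fromkeys(FIELDS)
    rec.update((k, v) for k, v in zip(FIELDS, data.get("Data") or []) if v != "(NULL)")
    try:
        rec["status"] = int(rec["status"])
    except (TypeError, ValueError):
        rec["status"] = None  # missing or non-numeric status string
    try:
        blob = base64.b64decode(data.get("Binary") or "", validate=True)
    except binascii.Error:
        blob = b""
    # Assumption: the GUID that opens the Binary blob is the MSI ProductCode.
    match = GUID_RE.match(blob.decode("ascii", "replace"))
    rec["product_code"] = match.group(0) if match else None
    return rec

def flags(rec):
    """Triage flags: watchlisted product/manufacturer, or status other than 0."""
    text = f"{rec['product'] or ''} {rec['manufacturer'] or ''}".lower()
    hits = ["watchlisted_product"] if any(t in text for t in WATCHLIST) else []
    return hits + (["status_not_zero"] if rec["status"] != 0 else [])

print(normalize(SAMPLE))
```

A status that is missing or not numeric is flagged as well, so a malformed record is not mistaken for a clean install.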
