Suspicious MsiExec Embedding Parent

Severity: medium
Author: frack113
Source: upstream

Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1218.007` System Binary Proxy Execution: Msiexec

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `selection`

or:
Image|endswith: '\cmd.exe'
Image|endswith: '\powershell.exe'
Image|endswith: '\pwsh.exe'
ParentCommandLine|contains: '-Embedding '
ParentCommandLine|contains: MsiExec.exe

Stage 2: `not 1 of filter*`

or:
CommandLine|contains: 'C:\Program Files\SplunkUniversalForwarder\bin\'
Image|endswith: ':\Windows\System32\cmd.exe'
ParentCommandLine|contains: 'Global\MSI0000'
ParentCommandLine|contains: '\MsiExec.exe -Embedding '
CommandLine|contains: '\DismFoDInstall.cmd'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`C:\Program Files\SplunkUniversalForwarder\bin\` `\DismFoDInstall.cmd`
`Image`	ends_with	`:\Windows\System32\cmd.exe` `\cmd.exe` corpus 92 (sigma 92) `\powershell.exe` corpus 143 (sigma 143) `\pwsh.exe` corpus 140 (sigma 140)
`ParentCommandLine`	match	`-Embedding` `Global\MSI0000` `MsiExec.exe` `\MsiExec.exe -Embedding`