detection.wiki

Detection rules › Sigma

Msiexec Quiet Installation

Severity
medium
Author
frack113
Source
upstream

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)

MITRE ATT&CK coverage

TacticTechniques
Defense EvasionT1218.007 System Binary Proxy Execution: Msiexec

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation

Stages and Predicates

Stage 1: all of selection_img

or:
Image|endswith: '\msiexec.exe'
OriginalFileName: msiexec.exe

Stage 2: all of selection_cli

or:
CommandLine|contains: -a
CommandLine|contains: -i
CommandLine|contains: -j
CommandLine|contains: -package

Stage 3: all of selection_quiet

CommandLine|contains: -q

Stage 4: not 1 of filter_*

or:
IntegrityLevel: [S-1-16-16384, System]
ParentImage: 'C:\Windows\CCM\Ccm32BitLauncher.exe'
ParentImage|contains: '\AppData\Local\Temp\'
ParentImage|startswith: 'C:\Users\'
ParentImage|startswith: 'C:\Windows\Temp\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • -a corpus 4 (sigma 4)
  • -i corpus 6 (sigma 6)
  • -j corpus 2 (sigma 2)
  • -package corpus 2 (sigma 2)
  • -q corpus 2 (sigma 2)
Imageends_with
  • \msiexec.exe corpus 21 (sigma 21)
IntegrityLeveleq
  • S-1-16-16384 corpus 21 (sigma 21)
  • System corpus 21 (sigma 21)
OriginalFileNameeq
  • msiexec.exe corpus 5 (sigma 5)
ParentImageeq
  • C:\Windows\CCM\Ccm32BitLauncher.exe
ParentImagematch
  • \AppData\Local\Temp\ corpus 4 (sigma 4)
ParentImagestarts_with
  • C:\Users\
  • C:\Windows\Temp\