MSI Installation From Suspicious Locations

Severity: medium
Author: Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects MSI package installation from suspicious locations

Event coverage

Provider	Event ID	Title
MsiInstaller	1040	Beginning a Windows Installer transaction: %0
MsiInstaller	1042	Ending a Windows Installer transaction: %0

Stages and Predicates

Stage 1: `selection`

or:
Data|contains: ':\Windows\TEMP\'
Data|contains: '\Desktop\'
Data|contains: '\PerfLogs\'
Data|contains: '\Users\Public\'
Data|contains: '\\\\'
Provider_Name: MsiInstaller

Stage 2: `not 1 of filter_*`

or:
Data|contains: 'C:\Windows\TEMP\UpdHealthTools.msi'
Data|contains: '\AppData\Local\Temp\WinGet\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Data`	match	`:\Windows\TEMP\` `C:\Windows\TEMP\UpdHealthTools.msi` `\AppData\Local\Temp\WinGet\` `\Desktop\` corpus 2 (sigma 2) `\PerfLogs\` `\Users\Public\` corpus 2 (sigma 2) `\\\\`
`Provider_Name`	eq	`MsiInstaller` corpus 4 (sigma 4)

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

MSI Installation From Web [sigma]

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.

MSI Installation From Web [sigma]