MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1218 System Binary Proxy Execution, T1218.007 System Binary Proxy Execution: Msiexec |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| MsiInstaller | 1040 | Beginning a Windows Installer transaction: %0 |
| MsiInstaller | 1042 | Ending a Windows Installer transaction: %0 |
Stages and Predicates
Stage 1: selection
Data|contains: '://'
Provider_Name: MsiInstaller
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Data | match |
|
Provider_Name | eq |
|
Neighbors
Often fire together
Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.
Share event IDs (chain-detection candidates)
Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.