sigmaDRL-1.1from SigmaHQ/sigma

Suspicious MsiExec Embedding Parent

Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads

Quality

FP risk

—

Forks

Views

ATT&CK techniques

T1218.007

Rule sourcerules/windows/process_creation/proc_creation_win_msiexec_embedding.yml

title: Suspicious MsiExec Embedding Parent
id: 4a2a2c3e-209f-4d01-b513-4155a540b469
status: test
description: Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
author: frack113
date: 2022-04-16
modified: 2022-07-14
tags:
    - attack.t1218.007
    - attack.defense-evasion
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
        ParentCommandLine|contains|all:
            - 'MsiExec.exe'
            - '-Embedding '
    filter_splunk_ufw:
        Image|endswith: ':\Windows\System32\cmd.exe'
        CommandLine|contains: 'C:\Program Files\SplunkUniversalForwarder\bin\'
    filter_vs:
        - CommandLine|contains: '\DismFoDInstall.cmd'
        - ParentCommandLine|contains|all:
              - '\MsiExec.exe -Embedding '
              - 'Global\MSI0000'
    condition: selection and not 1 of filter*
falsepositives:
    - Unknown
level: medium