Detectionmediumtest

MSI Installation From Web

Detects installation of a remote msi file from web.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Stamatis ChatzimangouCreated Sun Oct 235594e67a-7f92-4a04-b65d-1a42fd824a60windows

Log Source

Windowsapplication

ProductWindows← raw: windows

Serviceapplication← raw: application

Detection Logic

detection:
    selection:
        Provider_Name: 'MsiInstaller'
        EventID:
            - 1040
            - 1042
        Data|contains: '://'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

twitter.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Techniques

T1218 · System Binary Proxy Execution

Sub-techniques

T1218.007 · Msiexec

Rule Metadata

Rule ID

5594e67a-7f92-4a04-b65d-1a42fd824a60

Status

test

Level

medium

Type

Detection

Created

Sun Oct 23

Author

Stamatis Chatzimangou

Path

rules/windows/builtin/application/msiinstaller/win_msi_install_from_web.yml

Raw Tags

attack.defense-evasionattack.t1218attack.t1218.007

View on GitHub