Detectionmediumtest

Suspicious Msiexec Execute Arbitrary DLL

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Sun Jan 16Updated Wed Mar 136f4191bb-912b-48a8-9ce7-682769541e6dwindows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Image|endswith: '\msiexec.exe'
        CommandLine|contains|windash: ' -y'
    filter_apple:
        CommandLine|contains:
            - '\MsiExec.exe" /Y "C:\Program Files\Bonjour\mdnsNSP.dll'
            - '\MsiExec.exe" /Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll'
            - '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll'
            - '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll'
            - '\MsiExec.exe" /Y "C:\Windows\CCM\'
            - '\MsiExec.exe" /Y C:\Windows\CCM\' # also need non-quoted execution
            - '\MsiExec.exe" -Y "C:\Program Files\Bonjour\mdnsNSP.dll'
            - '\MsiExec.exe" -Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll'
            - '\MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll'
            - '\MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll'
            - '\MsiExec.exe" -Y "C:\Windows\CCM\'
            - '\MsiExec.exe" -Y C:\Windows\CCM\' # also need non-quoted execution
    condition: selection and not 1 of filter_*