Detectionmediumtest

Always Install Elevated Windows Installer

Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Teymur Kheirkhabarov, Mangatas Tondang, oscd.communityCreated Tue Oct 13Updated Sun Dec 01cd951fdc-4b2f-47f5-ba99-a33bf61e3770windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_user:
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    selection_image_1:
        Image|contains|all:
            - '\Windows\Installer\'
            - 'msi'
        Image|endswith: 'tmp'
    selection_image_2:
        Image|endswith: '\msiexec.exe'
        IntegrityLevel:
            - 'System'
            - 'S-1-16-16384'
    filter_installer:
        ParentImage: 'C:\Windows\System32\services.exe'
    filter_repair:
        - CommandLine|endswith: '\system32\msiexec.exe /V' # ignore "repair option"
        - ParentCommandLine|endswith: '\system32\msiexec.exe /V' # ignore "repair option"
    filter_sophos:
        ParentImage|startswith: 'C:\ProgramData\Sophos\'
    filter_avira:
        ParentImage|startswith: 'C:\ProgramData\Avira\'
    filter_avast:
        ParentImage|startswith:
            - 'C:\Program Files\Avast Software\'
            - 'C:\Program Files (x86)\Avast Software\'
    filter_google_update:
        ParentImage|startswith:
            - 'C:\Program Files\Google\Update\'
            - 'C:\Program Files (x86)\Google\Update\'
    condition: 1 of selection_image_* and selection_user and not 1 of filter_*