sigmamediumHunting

MSI Installation From Web

Detects installation of a remote msi file from web.

MITRE ATT&CK

defense-evasion

Detection Query

selection:
  Provider_Name: MsiInstaller
  EventID:
    - 1040
    - 1042
  Data|contains: ://
condition: selection

Author

Stamatis Chatzimangou

Created

2022-10-23

Data Sources

windowsapplication

Platforms

windows

References

https://twitter.com/_st0pp3r_/status/1583922009842802689

Tags

attack.defense-evasionattack.t1218attack.t1218.007

Raw Content

title: MSI Installation From Web
id: 5594e67a-7f92-4a04-b65d-1a42fd824a60
status: test
description: Detects installation of a remote msi file from web.
references:
    - https://twitter.com/_st0pp3r_/status/1583922009842802689
author: Stamatis Chatzimangou
date: 2022-10-23
tags:
    - attack.defense-evasion
    - attack.t1218
    - attack.t1218.007
logsource:
    product: windows
    service: application
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name: 'MsiInstaller'
        EventID:
            - 1040
            - 1042
        Data|contains: '://'
    condition: selection
falsepositives:
    - Unknown
level: medium