← Back to Explore
splunk_escuTTP
Windows MSI Rollback Script Deleted By Non-Msiexec Process
Detects deletion of a Rollback Script (.rbs) file under C:\Config.Msi, the critical filesystem manipulation step in an MSI Rollback privilege escalation attack that converts an arbitrary file delete primitive into full SYSTEM code execution. During a legitimate MSI installation, the Windows Installer service (running as SYSTEM) creates C:\Config.Msi and populates it with a Rollback Script (.rbs) and Rollback File (.rbf). These files define exactly how to restore the system to its pre-installation state if the install fails. The folder is protected with a strong DACL specifically to prevent tampering by low-privileged users — because whatever is in these files will be executed by the SYSTEM-level Installer service during rollback.
Detection Query
`sysmon`
EventID=23
TargetFilename="*:\\Config.Msi\\*"
TargetFilename="*.rbs"
NOT ProcessName="msiexec.exe"
| fillnull
| stats count min(_time) as firstTime
max(_time) as lastTime
by Computer ProcessName TargetFilename EventID action dest dvc file_path file_hash
file_name file_modify_time process_exec process_guid process_id process_name
process_path signature signature_id user user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_msi_rollback_script_deleted_by_non_msiexec_process_filter`Author
Raven Tait, Splunk
Data Sources
Sysmon EventID 23
References
Raw Content
name: Windows MSI Rollback Script Deleted By Non-Msiexec Process
id: 6ec7cbda-9547-4f6b-8a00-d1fb4b52c1e9
version: 2
creation_date: '2026-05-05'
modification_date: '2026-05-13'
author: Raven Tait, Splunk
status: production
type: TTP
description: |-
Detects deletion of a Rollback Script (.rbs) file under C:\Config.Msi, the critical filesystem manipulation step in an MSI Rollback privilege escalation attack that converts an arbitrary file delete primitive into full SYSTEM code execution.
During a legitimate MSI installation, the Windows Installer service (running as SYSTEM) creates C:\Config.Msi and populates it with a Rollback Script (.rbs) and Rollback File (.rbf).
These files define exactly how to restore the system to its pre-installation state if the install fails.
The folder is protected with a strong DACL specifically to prevent tampering by low-privileged users — because whatever is in these files will be executed by the SYSTEM-level Installer service during rollback.
data_source:
- Sysmon EventID 23
search: |-
`sysmon`
EventID=23
TargetFilename="*:\\Config.Msi\\*"
TargetFilename="*.rbs"
NOT ProcessName="msiexec.exe"
| fillnull
| stats count min(_time) as firstTime
max(_time) as lastTime
by Computer ProcessName TargetFilename EventID action dest dvc file_path file_hash
file_name file_modify_time process_exec process_guid process_id process_name
process_path signature signature_id user user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_msi_rollback_script_deleted_by_non_msiexec_process_filter`
how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
known_false_positives: Some legitimate system cleanup or MSI uninstallation processes may delete rbs files under c:\Config.Msi. Verify events with approved maintenance activities to reduce false alarms.
references:
- https://github.com/mbog14/CVE-2024-44193
drilldown_searches:
- earliest_offset: $info_min_time$
latest_offset: $info_max_time$
name: View the detection results for - "$user$" and "$dest$"
search: '%original_detection_search% | search user = "$user$" dest = "$dest$"'
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
finding:
title: MSI rollback script file $TargetFilename$ was deleted on $dest$ by $ProcessName$.
entity:
field: dest
type: system
score: 50
threat_objects:
- field: TargetFilename
type: file_path
analytic_story:
- Windows Privilege Escalation
asset_type: Endpoint
mitre_attack_id:
- T1218.007
- T1068
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/snapattack/snapattack.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: XmlWinEventLog
test_type: unit