Attachment: MSI installer file

name: "Attachment: MSI installer file"
description: |
  Recursively scans files and archives to detect MSI installer files.

  Coercing a target user to run an MSI can be used as part of an 'IT Support' or 'software update' social engineering attack.

  Execution of the delivered MSI could enable the attacker to execute malicious code on the target user's host.
references:
  - "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"
  - "https://www.trendmicro.com/en_us/research/19/d/analysis-abuse-of-custom-actions-in-windows-installer-msi-to-run-malicious-javascript-vbscript-and-powershell-scripts.html"
  - "https://delivr.to/payloads?id=9f7d3318-5072-4ba6-a7e2-14b4b2470a09"
  - "https://delivr.to/payloads?id=24b2db63-60f0-4948-bec4-163e038bf402"
type: "rule"
authors:
  - twitter: "ajpc500"
severity: "medium"
source: |
  type.inbound
  and (
    any(attachments, .file_extension =~ "msi")
    or (
      any(attachments,
          .file_extension in~ $file_extensions_common_archives
          and any(file.explode(.), .file_extension =~ "msi")
      )
    )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
id: "ae17b1a9-41e3-513c-9762-0c3fd30b9818"