← Back to Explore
sigmamediumHunting
MSI Installation From Suspicious Locations
Detects MSI package installation from suspicious locations
Detection Query
selection:
Provider_Name: MsiInstaller
EventID:
- 1040
- 1042
Data|contains:
- :\Windows\TEMP\
- \\\\
- \Desktop\
- \PerfLogs\
- \Users\Public\
filter_winget:
Data|contains: \AppData\Local\Temp\WinGet\
filter_updhealthtools:
Data|contains: C:\Windows\TEMP\UpdHealthTools.msi
condition: selection and not 1 of filter_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-08-31
Data Sources
windowsapplication
Platforms
windows
Tags
attack.execution
Raw Content
title: MSI Installation From Suspicious Locations
id: c7c8aa1c-5aff-408e-828b-998e3620b341
status: test
description: Detects MSI package installation from suspicious locations
references:
- https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-31
modified: 2023-10-23
tags:
- attack.execution
logsource:
product: windows
service: application
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection:
Provider_Name: 'MsiInstaller'
EventID:
- 1040
- 1042
Data|contains:
# Add more suspicious paths
- ':\Windows\TEMP\'
- '\\\\'
- '\Desktop\'
- '\PerfLogs\'
- '\Users\Public\'
# - '\AppData\Local\Temp\' # too many FPs
# - '\Downloads\' # too many FPs, typical legitimate staging directory
filter_winget:
Data|contains: '\AppData\Local\Temp\WinGet\'
filter_updhealthtools:
Data|contains: 'C:\Windows\TEMP\UpdHealthTools.msi'
condition: selection and not 1 of filter_*
falsepositives:
- False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares. A baseline is required before production use.
level: medium