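title: MSI Installation From Web
id: 5594e67a-7f92-4a04-b65d-1a42fd824a60
status: experimental
description: Detects installation of a remote msi file from web.
references:
    - https://twitter.com/_st0pp3r_/status/1583922009842802689
author: Stamatis Chatzimangou
date: 2022/10/23
modified: 2022/10/23
tags:
    - attack.execution
    - attack.t1218
    - attack.t1218.007
logsource:
    product: windows
    service: application
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name: 'MsiInstaller'
        # MsiInstaller 1040 = "Beginning a Windows Installer transaction", 1042 = "Ending a Windows Installer transaction".
        # Both events carry the package path in their event data, which is what the Data match below inspects.
        EventID:
            - 1040
            - 1042
        # A URL scheme in the package path means the MSI was referenced remotely rather than from a local file.
        # '://' is deliberately broad and also matches non-HTTP schemes, so hits are not limited to web URLs.
        Data|contains: '://'
    condition: selection
falsepositives:
    - Unknown
level: medium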