« Persistence via WMI Standard Registry Provider Persistent Scripts in the Startup Directory »
Elastic Docs Elastic Security Solution [8.16] Detections and alerts Prebuilt rule reference

Persistence via a Windows Installer

edit

Persistence via a Windows Installer

edit

Identifies when the Windows installer process msiexec.exe creates a new persistence entry via scheduled tasks or startup.

Rule type: eql

Rule indices:

  • logs-endpoint.events.registry-*
  • logs-endpoint.events.file-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Persistence
  • Tactic: Defense Evasion
  • Data Source: Elastic Defend

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
any where host.os.type == "windows" and
 (process.name : "msiexec.exe" or Effective_process.name : "msiexec.exe") and
 (
  (event.category == "file" and event.action == "creation" and
   file.path : ("?:\\Windows\\System32\\Tasks\\*",
                "?:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\*",
                "?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*")) or

  (event.category == "registry" and event.action == "modification" and
   registry.path : ("H*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
                    "H*\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
                    "H*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
                    "H*\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*"))
  )

Framework: MITRE ATT&CKTM

« Persistence via WMI Standard Registry Provider Persistent Scripts in the Startup Directory »