sigma rules around using MSI for privilege escalation #5010

Open
wants to merge 4 commits into
base: master
@@ -0,0 +1,28 @@
title: MSI repair process completed
id: 6cfd7bbd-201f-4fc6-ab23-b485c6d38af1
status: test
description: Event signaling the completion of a repair for an application installed through an MSI file; might indicate abuse of this functionality to elevate privileges using the repair process of a vulnerable MSI file
references:
- https://r.sec-consult.com/msi
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38014
author: Herbert Bärschneider @SEC Consult
date: 2024-07-12
tags:
- attack.t1068
- cve.2024-38014
logsource:
product: windows
service: application
detection:
selection:
Provider_Name: 'MsiInstaller'
EventID:
- 11728 # Product Configuration completed successfully
condition: selection
fields:
- SecurityUserID
falsepositives:
- legitimate use of MSI files to repair installed applications by users or administrators
# level is low, as one needs further context to identify, if this is part of malicious activity; moreover, the event can be evaded by an attacker
level: low
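Review bot: the title and description present this as "repair completed", but EventID 11728 is, as the inline comment itself says, "Product Configuration completed successfully", which Windows Installer raises for any completed product configuration (feature changes and reconfiguration as well as repair), so the rule cannot tell a repair from other maintenance operations; either widen the title and description to match what the event actually signals, or state in the description that the event does not distinguish repair. Two smaller points: the reasoning in the `# level is low ...` comment belongs in `description` or `falsepositives`, where rule consumers will see it, rather than in a YAML comment, and the `cve.2024-38014` tag should be checked against the tag format the repository's validator expects before merging.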

@@ -0,0 +1,29 @@
title: Process Execution of Elevated msiexec.exe
id: 3e1ce5a2-6c4e-473b-8e55-dffcdd1ffc25
status: test
description: Execution of elevated msiexec.exe. While not malicious itself, it might be part of a chain of actions leading to privilege escalation due vulnerabilities in the used MSI installer.
references:
- https://r.sec-consult.com/msi
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38014
author: Herbert Bärschneider @SEC Consult
date: 2024-07-15
tags:
- attack.t1068
- cve.2024-38014
logsource:
product: windows
category: process_creation
detection:
selection_msiexec:
Image|endswith: '\msiexec.exe'
CommandLine|contains: '/V' # this is an undocumented parameter, used by the msiexec process that actually runs the MSI actions
selection_user:
User|contains:
- 'AUTHORI'
- 'AUTORI'
LogonId: '0x3e7'
condition: selection_msiexec and selection_user
falsepositives:
- legitimate use of MSI files to repair installed applications by users or administrators
level: low
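Review bot: `selection_msiexec` plus `selection_user` matches `msiexec.exe /V` under the SYSTEM logon session, which, as the inline comment notes, is the service-side process that carries out MSI actions, so the rule fires once for every install, repair or uninstall by any user; the description should say that plainly, because it currently reads as if an elevated msiexec were notable by itself, and "due vulnerabilities" should read "due to vulnerabilities". Two further points: Sigma string matching is case-insensitive, so `'/V'` also matches any lowercase `/v` substring elsewhere on the command line, and `LogonId` is a Sysmon process-creation field, so confirm that the pipelines you target map it for non-Sysmon sources (Security 4688 carries the value as `SubjectLogonId`) given the generic `process_creation` logsource.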

@@ -0,0 +1,25 @@
title: Process Execution of Elevated OpenWith.exe
id: bd759006-f077-429e-819c-1cba0b3a13bb
status: test
description: Detects the use of OpenWith.exe with elevated privileges. While not malicious itself, it might be part of a chain of actions leading to privilege escalation, as subsequent process executions might lead to an interactive shell with elevated privileges.
references:
- https://r.sec-consult.com/msi
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38014
author: Herbert Bärschneider @SEC Consult
date: 2024-07-15
tags:
- cve.2024-38014
logsource:
product: windows
category: process_creation
detection:
selection_openwith:
Image|endswith: '\OpenWith.exe'
selection_user:
User|contains:
- 'AUTHORI'
- 'AUTORI'
LogonId: '0x3e7'
condition: selection_openwith and selection_user
level: medium
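Review bot: this rule has no `falsepositives` section and lacks the `attack.t1068` tag that the other rules in this PR carry; add both for consistency, listing whatever benign reasons the author knows of for OpenWith.exe to run under the SYSTEM session (`0x3e7`). The description should also say what the rule actually detects (OpenWith.exe itself running elevated) rather than the shell that might follow, since that follow-on is covered by the separate "Elevated System Shell Spawned From Browser" rule in this PR.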

@@ -0,0 +1,45 @@
title: Elevated System Shell Spawned From Browser
id: d3c850ab-f715-4a72-a8b0-3223f51c0773
status: test
description: Detects elevated system shells spawned through a browser process. This might be part of a local privilege escalation using vulnerable MSI packages.
references:
- https://r.sec-consult.com/msi
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38014
author: Herbert Bärschneider @SEC Consult
date: 2024-07-15
tags:
- attack.t1068
- cve.2024-38014
logsource:
product: windows
category: process_creation
detection:
selection_shell:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\cmd.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'Cmd.Exe'
selection_user:
User|contains:
- 'AUTHORI'
- 'AUTORI'
LogonId: '0x3e7'
selection_browser_parent:
ParentImage|contains:
- '\brave.exe'
- '\chrome.exe'
- '\chromium.exe'
- '\firefox.exe'
- '\iexplore.exe'
- '\msedge.exe'
- '\opera.exe'
- '\safari.exe'
- '\tor.exe'
- '\vivaldi.exe'
condition: selection_shell and selection_user and selection_browser_parent
level: high
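Review bot: `selection_browser_parent` uses `ParentImage|contains` while `selection_shell` uses `Image|endswith`; `endswith` is the more precise choice for a parent executable name and matches the convention used elsewhere in this PR, so consider `ParentImage|endswith` here. The rule also lacks a `falsepositives` section, which the other process-creation rules in the PR include. The list-of-maps form under `selection_shell` (an OR between `Image|endswith` and `OriginalFileName`) is correct Sigma, but a short inline comment saying so would help reviewers who expect the map form used in the other selections.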

@@ -0,0 +1,24 @@
title: Process Execution of Repair Functionality of msiexec.exe
id: a83342d8-272a-43e3-b7c1-24e6c439f735
status: test
description: Execution of the repair functionality of msiexec.exe through the command line. While not malicious itself, it might be part of a chain of actions leading to privilege escalation due vulnerabilities in the used MSI installer.
references:
- https://r.sec-consult.com/msi
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38014
author: Herbert Bärschneider @SEC Consult
date: 2024-07-15
tags:
- attack.t1068
- cve.2024-38014
logsource:
product: windows
category: process_creation
detection:
selection_msiexec_repair:
Image|endswith: '\msiexec.exe'
CommandLine|contains: '/f'
condition: selection_msiexec_repair
falsepositives:
- legitimate use of MSI files to repair installed applications by users or administrators
level: medium
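Review bot: `CommandLine|contains: '/f'` is a bare two-character substring matched case-insensitively, so it also matches `/f` inside any path or argument on the command line, and it does not cover the `-f` form that msiexec accepts equally; anchoring on a leading space and using the `windash` modifier (`CommandLine|contains|windash: ' /f'`) addresses both while still covering the repair mode letters (`/fa`, `/fv` and the others) that follow `/f`. Also "due vulnerabilities" should read "due to vulnerabilities", and given the listed false positive (ordinary repairs by users and administrators) `level: medium` looks high for a rule with no further context; `low`, in line with the elevated `msiexec.exe /V` rule in this PR, may be more appropriate.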