detection.wiki

Event Triggered Execution: Installer Packages T1546.016

Tactics: Privilege Escalation, Persistence

Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.

Authoring guide

Patterns shared across the 9 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (14 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
EventType9eq 4, in 4, ne 1exec, creation, rename, ProcessRollup2, connection_attempted
host.os.type9eq 9
event.type6eq 6start
process.args5eq 2, in 2, ne 1, starts_with 1, wildcard 1--install, -c, -i, /Users/, /Volumes/
process_name5in 3, eq 2, wildcard 1bash, csh, awk, cp, dash
TargetFilename4starts_with 2, wildcard 2/etc/apt/apt.conf.d/, /etc/dnf/plugins/*, /etc/yum/pluginconf.d/, /library/containers/*, /library/fonts/*
Image3ne 2, starts_with 1/usr/bin/apt-listbugs, /usr/lib/venv-salt-minion/bin/python.original, /var/lib/dpkg/info/
event.category2eq 2process
parent_process_name2eq 2apt
file.Ext.header_bytes1starts_with 1cafebabe, cffaedfe
file.extension1in 1app, command, dmg
file.name1ne 1CodeResources
process.group_leader.name1is_not_null 1
process.session_leader.name1is_not_null 1

Top indicator values (85 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
event.typeeq
start
6606
EventTypeeq
exec
4171
EventTypeeq
connection_attempted
125
EventTypein
creation
323
EventTypein
rename
318
EventTypein
ProcessRollup2
1117
EventTypein
exec
1171
EventTypein
start
1134
process_namein
bash
388
process_namein
sh
383
process_namein
zsh
382
process_namein
csh
271
process_namein
dash
278
process_namein
fish
272
process_namein
ksh
273
process_namein
tcsh
269
event.categoryeq
process
2128
parent_process_nameeq
apt
22
process.argseq
-c
230
process.argsin
--install
23
process.argsin
-i
25
EventTypene
deletion
111
Imagene
/usr/bin/apt-listbugs
1
Imagene
/usr/lib/venv-salt-minion/bin/python.original
1
Imagestarts_with
/var/lib/dpkg/info/
1
TargetFilenamestarts_with
/etc/apt/apt.conf.d/
1
TargetFilenamestarts_with
/etc/yum/pluginconf.d/
1
TargetFilenamestarts_with
/usr/lib/yum-plugins/
1
TargetFilenamewildcard
/etc/dnf/plugins/*
1
TargetFilenamewildcard
/library/containers/*
1

Exclusions (171 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
Imagein
./usr/bin/podman
3
Imagein
/bin/autossl_check
3
Imagein
/bin/chef-client
3
Imagein
/bin/dnf
3
Imagein
/bin/dnf-automatic
3
Imagein
/bin/dockerd
3
Imagein
/bin/microdnf
3
Imagein
/bin/podman
3
Imagein
/bin/puppet
3
Imagein
/bin/rpm
3
Imagein
/bin/snapd
3
Imagein
/bin/yum
3
Imagein
/opt/puppetlabs/puppet/bin/puppet
3
Imagein
/proc/self/exe
3
Imagein
/sbin/apk
3

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Platform (all)
Domain (all)

Elastic 9 rules