Attachment: MSI installer file

Severity
medium
Type
rule
Source
github.com/sublime-security/sublime-rules

Recursively scans files and archives to detect MSI installer files. Coercing a target user to run an MSI can be used as part of an 'IT Support' or 'software update' social engineering attack. Execution of the delivered MSI could enable the attacker to execute malicious code on the target user's host.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category                 Values
Attack types             Malware/Ransomware
Tactics and techniques   Evasion

Rule body (MQL)

type.inbound
and (
  any(attachments, .file_extension =~ "msi")
  or (
    any(attachments,
        .file_extension in~ $file_extensions_common_archives
        and any(file.explode(.), .file_extension =~ "msi")
    )
  )
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. any of:
    • any of attachments where:
      • .file_extension is 'msi'
    • any of attachments where all hold:
      • .file_extension in $file_extensions_common_archives
      • any of file.explode(.) where:
        • .file_extension is 'msi'

Inspects: attachments[].file_extension, type.inbound. Sensors: file.explode. Reference lists: $file_extensions_common_archives.
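To make the rule body and the detection-logic outline above concrete, here is an added Python model of the same evaluation (example code, not part of the Sublime rule set or the MQL engine). It assumes a stand-in for `$file_extensions_common_archives` (the real list's contents are not reproduced), explodes only zip archives (the only container the standard library handles; Sublime's `file.explode` covers many more), and constructs its own sample attachments, including a nested zip hiding an MSI. The extra `ole_container_hints` check goes beyond the rule: the rule matches on extension alone, so an MSI delivered under another extension is not matched, and the hint flags OLE compound files (the container format MSI uses) for triage.

```python
import io
import zipfile
from dataclasses import dataclass

# Assumed stand-in for Sublime's $file_extensions_common_archives reference
# list; only "zip" is actually unpacked by explode() below.
COMMON_ARCHIVE_EXTENSIONS = {"zip", "7z", "rar", "tar", "gz"}

# OLE Compound File header. MSI installers use this container, but so do
# legacy Office formats, so a magic hit is a triage hint, not an MSI proof.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


@dataclass
class Attachment:
    file_name: str
    content: bytes

    @property
    def file_extension(self) -> str:
        # Lowercased so comparisons behave like MQL's case-insensitive =~
        return self.file_name.rsplit(".", 1)[-1].lower() if "." in self.file_name else ""


def explode(att: Attachment, depth: int = 0, max_depth: int = 5) -> list[Attachment]:
    """Stand-in for file.explode(): recursively unpack zip archives and return
    every nested member. Depth-limited so a recursive zip cannot loop forever."""
    members: list[Attachment] = []
    if depth >= max_depth or att.file_extension != "zip":
        return members
    try:
        with zipfile.ZipFile(io.BytesIO(att.content)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = Attachment(info.filename, zf.read(info))
                members.append(member)
                members.extend(explode(member, depth + 1, max_depth))
    except zipfile.BadZipFile:
        pass  # not a real zip; nothing to unpack
    return members


def match_msi_rule(inbound: bool, attachments: list[Attachment]) -> list[str]:
    """Equivalent of the rule body: type.inbound AND (top-level .msi OR a common
    archive whose exploded contents include a .msi). Returns the matched file
    names so the caller can see which indicator fired."""
    if not inbound:
        return []
    hits: list[str] = []
    for att in attachments:
        if att.file_extension == "msi":
            hits.append(att.file_name)
        elif att.file_extension in COMMON_ARCHIVE_EXTENSIONS:
            for member in explode(att):
                if member.file_extension == "msi":
                    hits.append(f"{att.file_name}:{member.file_name}")
    return hits


def ole_container_hints(attachments: list[Attachment]) -> list[str]:
    """Added check beyond the rule: files (top-level or exploded) that start
    with the OLE magic but do not carry an .msi extension."""
    hints: list[str] = []
    for att in attachments:
        for path, f in [(att.file_name, att)] + [
            (f"{att.file_name}:{m.file_name}", m) for m in explode(att)
        ]:
            if f.file_extension != "msi" and f.content.startswith(OLE_MAGIC):
                hints.append(path)
    return hints


def build_nested_zip(inner_name: str, inner_bytes: bytes) -> bytes:
    """Constructed sample: outer zip -> inner.zip -> <inner_name>."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(inner_name, inner_bytes)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


# Constructed sample message: a harmless attachment plus a nested zip hiding an MSI.
SAMPLE_ATTACHMENTS = [
    Attachment("invoice.pdf", b"%PDF-1.4 constructed sample"),
    Attachment("update.zip", build_nested_zip("it-support-update.msi", OLE_MAGIC + b"\x00" * 16)),
]

if __name__ == "__main__":
    print("rule hits:", match_msi_rule(True, SAMPLE_ATTACHMENTS))
    print("OLE hints:", ole_container_hints(SAMPLE_ATTACHMENTS))
```

Running the block prints the nested MSI as a rule hit; the same message with `inbound=False` produces no hit, mirroring the `type.inbound` guard. A zip containing an OLE file named `setup.txt` shows the gap: the rule returns nothing, while `ole_container_hints` surfaces it for analyst review.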

Indicators matched (2)

Field                                          Match    Value
attachments[].file_extension                   equals   msi
file.explode(attachments[])[].file_extension   equals   msi