Detection rules › Splunk
MSI Installation via Appcert (Windows Event Log)
An MSI file is a Microsoft Installer package used for installing software on Windows systems. Typically, .msi files are installed by msiexec.exe; AppCert.exe is a component of the Windows Application Compatibility Toolkit used primarily for application compatibility testing and can be used to install MSI files, but this is not normal usage for appcert. Threat actors may use appcert to install malicious MSI files in an attempt to evade detection. This use case detects appcert executions with commands to install an msi file
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Stealth | T1218.007 System Binary Proxy Execution: Msiexec |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| Security-Auditing | Event ID 4688 | A new process has been created. |
Rule body yaml
id: '35191.61837'
title: MSI Installation via Appcert
description: An MSI file is a Microsoft Installer package used for installing software
on Windows systems. Typically, .msi files are installed by msiexec.exe; AppCert.exe
is a component of the Windows Application Compatibility Toolkit used primarily for
application compatibility testing and can be used to install MSI files, but this
is not normal usage for appcert. Threat actors may use appcert to install malicious
MSI files in an attempt to evade detection. This use case detects appcert executions
with commands to install an msi file. Living Off the Land Binary and Scripts (LOLBAS)
(LOLBIN)
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4688) OR
"<EventID>4688<" OR Type=Process)(TERM(appcert) OR "appcert.exe") TERM(test) "-setupcommandline"
| regex process="(?i)\stest\s.+\-setupcommandline" | table _time, host, user, process,
parent_*, process_*, proxy_exec | bin span=1s | stats values(*) as * by _time, host '
techniques:
- defense-evasion:system binary proxy execution:msiexec
technique_id:
- T1218.007
data_category:
- Process command-line parameters
- Windows event logs
references:
- https://attack.mitre.org/techniques/T1127/
- https://attack.mitre.org/techniques/T1218/007/
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appcert/
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4688) OR "<EventID>4688<" OR Type=Process)(TERM(appcert) OR "appcert.exe") TERM(test) "-setupcommandline"
Stage 2: regex
| regex process="(?i)\stest\s.+\-setupcommandline"
Stage 3: table
| table _time, host, user, process, parent_*, process_*, proxy_exec
Stage 4: bucket
| bin span=1s
Stage 5: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>4688<" |
| 1 | TERM |
| 1 | appcert |
| 1 | "appcert.exe" |
| 1 | TERM |
| 1 | test |
| 1 | "-setupcommandline" |