Query Details

Rule: Unexpected MSI Installation from User Directory Spawning consent.exe

Bumblee Bee Initiailaccess

Query

// Detect MSI installers launched from user-writable paths spawning consent.exe
DeviceProcessEvents
| where FileName =~ "msiexec.exe"
| where InitiatingProcessFolderPath has_any (
    "\\Users\\", "\\ProgramData\\", "\\Desktop\\", "\\Downloads\\", "\\AppData\\"
)
| where InitiatingProcessCommandLine has_any (".msi", "/i", "/qn")
| join kind=inner (
    DeviceProcessEvents
    | where FileName =~ "consent.exe"
) on DeviceId, InitiatingProcessId
| project Timestamp, DeviceName,
          InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine,
          FileName, FolderPath, ReportId

About this query

Explanation

This query is designed to detect potentially malicious activity involving MSI installers on a Windows system. Here's a simplified explanation:

  1. Purpose: The query looks for suspicious MSI installer activities that could indicate a security threat, specifically focusing on MSI files executed from directories where users can write files, like Downloads, Desktop, AppData, or ProgramData.

  2. Suspicious Behavior: It targets MSI installers that start from these user-writable directories and then launch the consent.exe process. This is unusual for legitimate software installations and could suggest malicious intent.

  3. Context: This behavior is often linked to malware, such as the Bumblebee loader, which uses these techniques to bypass security measures like User Account Control (UAC) and to execute malicious code stealthily.

  4. Detection Method:

    • The query monitors process creation events for msiexec.exe (the MSI installer executable) that originate from the specified directories.
    • It checks if these processes subsequently trigger consent.exe, a process not typically associated with standard installations.
    • It flags MSI files that are unsigned or unknown, especially if they perform additional suspicious actions like loading specific DLLs (e.g., msimg32.dll).
  5. Relevance: This detection is important for identifying early stages of a potential attack, where malware might be trying to gain initial access or persist on a system by exploiting MSI installations.

  6. Tags and Techniques: The query is associated with various security concepts like initial access, execution, and defense evasion, and it aligns with specific MITRE ATT&CK techniques related to malicious file execution and DLL side-loading.

Overall, the query helps security teams identify and investigate suspicious MSI installer activities that could indicate a malware infection or other security threats.

Details

Ali Hussein profile picture

Ali Hussein

Released: November 10, 2025

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Operators

=~has_anyjoin kind=inneronproject

MITRE Techniques

Actions

GitHub