Rule: Unexpected MSI Installation from User Directory Spawning consent.exe
Bumblee Bee Initiailaccess
Query
// Detect MSI installers launched from user-writable paths spawning consent.exe
DeviceProcessEvents
| where FileName =~ "msiexec.exe"
| where InitiatingProcessFolderPath has_any (
"\\Users\\", "\\ProgramData\\", "\\Desktop\\", "\\Downloads\\", "\\AppData\\"
)
| where InitiatingProcessCommandLine has_any (".msi", "/i", "/qn")
| join kind=inner (
DeviceProcessEvents
| where FileName =~ "consent.exe"
) on DeviceId, InitiatingProcessId
| project Timestamp, DeviceName,
InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine,
FileName, FolderPath, ReportIdAbout this query
Explanation
This query is designed to detect potentially malicious activity involving MSI installers on a Windows system. Here's a simplified explanation:
-
Purpose: The query looks for suspicious MSI installer activities that could indicate a security threat, specifically focusing on MSI files executed from directories where users can write files, like
Downloads,Desktop,AppData, orProgramData. -
Suspicious Behavior: It targets MSI installers that start from these user-writable directories and then launch the
consent.exeprocess. This is unusual for legitimate software installations and could suggest malicious intent. -
Context: This behavior is often linked to malware, such as the Bumblebee loader, which uses these techniques to bypass security measures like User Account Control (UAC) and to execute malicious code stealthily.
-
Detection Method:
- The query monitors process creation events for
msiexec.exe(the MSI installer executable) that originate from the specified directories. - It checks if these processes subsequently trigger
consent.exe, a process not typically associated with standard installations. - It flags MSI files that are unsigned or unknown, especially if they perform additional suspicious actions like loading specific DLLs (e.g.,
msimg32.dll).
- The query monitors process creation events for
-
Relevance: This detection is important for identifying early stages of a potential attack, where malware might be trying to gain initial access or persist on a system by exploiting MSI installations.
-
Tags and Techniques: The query is associated with various security concepts like initial access, execution, and defense evasion, and it aligns with specific MITRE ATT&CK techniques related to malicious file execution and DLL side-loading.
Overall, the query helps security teams identify and investigate suspicious MSI installer activities that could indicate a malware infection or other security threats.
