KQL Search

Query Details

HomeAI ToolsDevice Query

Bumblee Bee Initiailaccess

Query

# Rule: Unexpected MSI Installation from User Directory Spawning consent.exe

## Description
This rule detects suspicious **MSI installer executions** launched from **user-writable directories** such as `Downloads`, `Desktop`, `AppData`, or `ProgramData`, that subsequently spawn the **`consent.exe`** process.

This behavior is commonly associated with **malicious MSI-based loaders** (e.g., *Bumblebee*) that abuse Windows’ User Account Control (UAC) mechanisms and DLL side-loading for stealth execution and persistence.

In *The DFIR Report* case study *“From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira”* (August 2025), a trojanized installer (`ManageEngine-OpManager.msi`) executed legitimate software while side-loading a malicious `msimg32.dll` via `consent.exe`. This detection aims to identify similar initial access and execution behaviors.

- **Source:** [The DFIR Report — From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira](https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira/)

## Detection Logic
- Monitor process creation events where `msiexec.exe` is executed from **non-standard user paths**, such as:
  - `C:\Users\*\Downloads\*`
  - `C:\Users\*\Desktop\*`
  - `C:\ProgramData\*`
  - `C:\Users\*\AppData\*`
and  spawns **`consent.exe`**, which is uncommon for legitimate installers.
- Flag unsigned or unknown MSI installers that perform secondary executions or DLL loads (`msimg32.dll` or similar).

## Tags
- Initial Access  
- Execution  
- Defense Evasion  
- MSI Abuse  
- DLL Side-Loading  
- Bumblebee Loader  
- MITRE ATT&CK:  
  - **T1204.002** – User Execution: Malicious File  
  - **T1574.002** – Hijack Execution Flow: DLL Side-Loading  

## Search Query
```kql
// Detect MSI installers launched from user-writable paths spawning consent.exe
DeviceProcessEvents
| where FileName =~ "msiexec.exe"
| where InitiatingProcessFolderPath has_any (
    "\\Users\\", "\\ProgramData\\", "\\Desktop\\", "\\Downloads\\", "\\AppData\\"
)
| where InitiatingProcessCommandLine has_any (".msi", "/i", "/qn")
| join kind=inner (
    DeviceProcessEvents
    | where FileName =~ "consent.exe"
) on DeviceId, InitiatingProcessId
| project Timestamp, DeviceName,
          InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine,
          FileName, FolderPath, ReportId

Explanation

This query is designed to detect potentially malicious activity involving MSI installers on a Windows system. Here's a simplified explanation:

  1. Purpose: The query looks for suspicious MSI installer activities that could indicate a security threat, specifically focusing on MSI files executed from directories where users can write files, like Downloads, Desktop, AppData, or ProgramData.

  2. Suspicious Behavior: It targets MSI installers that start from these user-writable directories and then launch the consent.exe process. This is unusual for legitimate software installations and could suggest malicious intent.

  3. Context: This behavior is often linked to malware, such as the Bumblebee loader, which uses these techniques to bypass security measures like User Account Control (UAC) and to execute malicious code stealthily.

  4. Detection Method:

    • The query monitors process creation events for msiexec.exe (the MSI installer executable) that originate from the specified directories.
    • It checks if these processes subsequently trigger consent.exe, a process not typically associated with standard installations.
    • It flags MSI files that are unsigned or unknown, especially if they perform additional suspicious actions like loading specific DLLs (e.g., msimg32.dll).

  5. Relevance: This detection is important for identifying early stages of a potential attack, where malware might be trying to gain initial access or persist on a system by exploiting MSI installations.

  6. Tags and Techniques: The query is associated with various security concepts like initial access, execution, and defense evasion, and it aligns with specific MITRE ATT&CK techniques related to malicious file execution and DLL side-loading.

Overall, the query helps security teams identify and investigate suspicious MSI installer activities that could indicate a malware infection or other security threats.

Details

Ali Hussein profile picture

Ali Hussein

Released: November 10, 2025

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Operators

=~has_anyjoin kind=inneronproject

Actions