PowerShell MSI Install via WindowsInstaller COM From Remote Location

Rule Info

| Field | Value |
| --- | --- |
| Name | PowerShell MSI Install via WindowsInstaller COM From Remote Location |
| Author | Meroujan Antonyan (vx3r) |
| Description | Detects the execution of PowerShell commands that attempt to install remotely hosted MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`). This could be an indication of malicious software deployment or lateral movement attempts using Windows Installer functionality. Using the WindowsInstaller COM object rather than msiexec could also be an attempt to bypass detection. |
| Date | 2025-06-05 00:00:00 |
| Modified | None |
| Id | 222720a7-047f-4054-baa5-bab9be757db0 |
| Tags | attack.execution attack.t1059.001 attack.defense-evasion attack.t1218 attack.command-and-control attack.t1105 |
| Type | Community Rule |

Rule History

| Author | Title | Date | Commit |
| --- | --- | --- | --- |
| vx3r | Merge PR #5466 from @vx3r - PowerShell MSI Install via WindowsInstaller COM From Remote Location | 2025-06-25 | |