Msiexec Execution with Caret Obfuscation

Rule Info

Name
Msiexec Execution with Caret Obfuscation
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the execution of msiexec with caret (^) obfuscation in process creation events. Adversaries may use caret obfuscation to evade detection by security tools that do not parse command-line arguments correctly. This technique has been observed in various attacks, potentially to bypass security measures or to obfuscate the true nature of the command being executed.
Date
2025-05-26 00:00:00
Modified
None
Id
3e4d81a5-3fa7-49cf-93bc-1408b8ae6d5d
Tags
attack.defense-evasion attack.t1027.010 attack.t1218.007
Type
Nextron Sigma feed only (private)

Rule History