Detection: Windows System Binary Proxy Execution MSIExec Unregister DLL

Date: 2022-08-31 ID: df76a8d1-92e1-4ec9-b8f7-695b5838703e Author: Michael Haag, Splunk Type: TTP Product: Splunk User Behavior Analytics

Description

The following analytic identifies the usage of msiexec.exe using the /z switch parameter, which grants the ability for msiexec to unload DLLRegisterServer. Upon triage, review parent process and capture any artifacts for further review.

Annotations

No annotations available.

Implementation

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Known False Positives

False positives may be present, filter by destination or parent process as needed.

Associated Analytic Story

Windows System Binary Proxy Execution MSIExec

Risk Based Analytics (RBA)

Risk Message	Risk Score	Impact	Confidence
An instance of spawning $process_file_name$ was identified on endpoint $device_hostname$ by user $actor_user_name$ attempting to unregister a DLL.	35	70	50

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

References

Version: 4