Detect Installer Packages in Google Chronicle
Adversaries may establish persistence and elevate privileges by using an installer package to execute malicious content. Installer packages are setup utilities for applications bundled with an installer utility and can be distributed through legitimate channels. Malicious code can be embedded within installer packages to create backdoors and establish persistence. Installer utilities such as msiexec.exe (Windows MSI), macOS pkgutil, and Linux dpkg/rpm allow adversaries to run pre-install and post-install scripts. These scripts can execute arbitrary code with elevated privileges during the installation process. Additionally, malicious code within the installer can establish persistence by deploying backdoors as scheduled tasks, services, or startup items.
MITRE ATT&CK
- Tactic
- Privilege Escalation Persistence
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.016 Installer Packages
- Canonical reference
- https://attack.mitre.org/techniques/T1546/016/
YARA-L Detection Query
rule T1546_016_installer_package_persistence {
meta:
author = "Argus Detection Engineering"
description = "Detects installer packages (msiexec, dpkg, rpm, pkgutil, apt, chocolatey, winget) spawning script interpreters or executing download cradle commands — T1546.016 Installer Package Persistence and Privilege Escalation"
mitre_attack_technique = "T1546.016"
mitre_attack_tactic = "Persistence, Privilege Escalation"
severity = "HIGH"
confidence = "MEDIUM"
created = "2026-04-20"
reference = "https://attack.mitre.org/techniques/T1546/016/"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
re.regex(
$e.principal.process.file.full_path,
`(?i)(msiexec\.exe|/installer|pkgutil|/dpkg|/rpm|/yum|apt-get|/apt\b|chocolatey|winget)`
)
(
re.regex(
$e.target.process.file.full_path,
`(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|certutil\.exe|bitsadmin\.exe|/bash|/sh$|python3?$)`
)
or
re.regex(
$e.target.process.command_line,
`(?i)(invoke-webrequest|downloadstring|net\.webclient|-encodedcommand|certutil.{0,20}urlcache|bitsadmin.{0,20}transfer|curl.{0,30}https?://|wget.{0,30}https?://)`
)
)
$hostname = $e.principal.hostname
condition:
$e
}Chronicle YARA-L 2.0 rule detecting installer package parent processes spawning script interpreters or executing download cradle commands via UDM PROCESS_LAUNCH events. Matches msiexec, dpkg, rpm, pkgutil, apt, chocolatey, and winget spawning PowerShell, cmd, wscript, mshta, certutil, bash, or python with or without suspicious command-line patterns.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise application installers (SAP Business One, Oracle Database, Salesforce DX) that use PowerShell custom actions for elevated post-install configuration tasks such as IIS module registration or COM component activation
- IT automation platforms (Ansible Windows WinRM modules, Puppet Bolt) driving MSI deployments that chain into PowerShell for environment setup or registry key configuration
- Developer toolchain installers (Python Anaconda, Node.js, .NET SDK, Android SDK) executing shell scripts or cmd.exe to configure PATH, JAVA_HOME, and other system-wide environment variables
Other platforms for T1546.016
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1MSI Custom Action Spawning PowerShell
Expected signal: Process creation for msiexec.exe. Subsequent process creation for powershell.exe. The parent-child relationship (msiexec -> powershell) combined with the powershell command line arguments is the detection trigger.
- Test 2Package Manager Post-Install Script with Network Call
Expected signal: Process creation for pip install. Child process for python executing setup.py post-install hook. Child process for curl with the callback URL. The pip->python->curl chain is the detection signal.
- Test 3MSI Silent Installation with Custom Action Tracking
Expected signal: Process creation for msiexec.exe or cmd.exe spawned from installer context. File creation for custom_action_test.txt. Windows Installer Application event log entries for custom action execution.
References (5)
- https://attack.mitre.org/techniques/T1546/016/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.016/T1546.016.md
- https://docs.microsoft.com/en-us/windows/win32/msi/custom-actions
- https://arstechnica.com/information-technology/2022/01/researchers-find-hundreds-of-compromised-npm-packages-stealing-data/
- https://unit42.paloaltonetworks.com/atoms/supply-chain-compromise/
Unlock Pro Content
Get the full detection package for T1546.016 including response playbook, investigation guide, and atomic red team tests.