Detect Installer Packages in CrowdStrike LogScale
Adversaries may establish persistence and elevate privileges by using an installer package to execute malicious content. Installer packages are setup utilities for applications bundled with an installer utility and can be distributed through legitimate channels. Malicious code can be embedded within installer packages to create backdoors and establish persistence. Installer utilities such as msiexec.exe (Windows MSI), macOS pkgutil, and Linux dpkg/rpm allow adversaries to run pre-install and post-install scripts. These scripts can execute arbitrary code with elevated privileges during the installation process. Additionally, malicious code within the installer can establish persistence by deploying backdoors as scheduled tasks, services, or startup items.
MITRE ATT&CK
- Tactic
- Privilege Escalation Persistence
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.016 Installer Packages
- Canonical reference
- https://attack.mitre.org/techniques/T1546/016/
LogScale Detection Query
(#event_simpleName=ProcessRollup2 OR #event_simpleName=NetworkConnectIP4)
| case {
#event_simpleName=ProcessRollup2
ParentBaseFileName=/(?i)(msiexec\.exe|installer|pkgutil|dpkg|rpm|yum|apt-get|apt|chocolatey|winget)/
(
FileName=/(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|certutil\.exe|bitsadmin\.exe|bash|sh|python)/
OR CommandLine=/(?i)(invoke-webrequest|downloadstring|net\.webclient|-encodedcommand|certutil.{0,20}urlcache|bitsadmin.{0,20}transfer|curl.{0,30}https?:\/\/|wget.{0,30}https?:\/\/)/
)
| EventType:=if(
CommandLine=/(?i)(invoke-webrequest|downloadstring|net\.webclient|-encodedcommand)/,
"INSTALLER_DOWNLOAD_CRADLE",
if(
CommandLine=/(?i)(certutil.{0,20}urlcache|bitsadmin.{0,20}transfer)/,
"INSTALLER_ENCODED_EXECUTION",
"INSTALLER_SCRIPT_CHILD"
)
);
#event_simpleName=NetworkConnectIP4
ImageFileName=/(?i)(msiexec\.exe|installer)/
NOT RemoteAddressIP4=/^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|::1)/
| EventType:="INSTALLER_NETWORK_CALLBACK";
* | drop()
}
| groupBy(
[ComputerName, UserName, EventType, ParentBaseFileName, FileName, CommandLine, RemoteAddressIP4],
function=count(aid, as=EventCount)
)
| sort(EventCount, order=desc, limit=200)CrowdStrike LogScale (CQL) query detecting installer package abuse across two Falcon event types: ProcessRollup2 for installer parent processes spawning script interpreters or executing download cradles, and NetworkConnectIP4 for installer processes making outbound connections to public IPs. Events are classified into INSTALLER_DOWNLOAD_CRADLE, INSTALLER_ENCODED_EXECUTION, INSTALLER_SCRIPT_CHILD, and INSTALLER_NETWORK_CALLBACK categories.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software update mechanisms (Windows Update orchestrator, third-party auto-updaters like Zoom, Slack, or Chrome) invoking msiexec as a child process that then calls PowerShell for staged component updates
- Software packaging frameworks (WiX Toolset, NSIS, InstallShield) generating MSI wrappers that invoke cmd.exe or PowerShell for component registration, GAC assembly installation, or driver signing verification
- Corporate device enrollment workflows (Windows Autopilot, Jamf Pro) where installer packages execute PowerShell or bash to apply configuration profiles, install certificates, or join endpoint management systems
Other platforms for T1546.016
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1MSI Custom Action Spawning PowerShell
Expected signal: Process creation for msiexec.exe. Subsequent process creation for powershell.exe. The parent-child relationship (msiexec -> powershell) combined with the powershell command line arguments is the detection trigger.
- Test 2Package Manager Post-Install Script with Network Call
Expected signal: Process creation for pip install. Child process for python executing setup.py post-install hook. Child process for curl with the callback URL. The pip->python->curl chain is the detection signal.
- Test 3MSI Silent Installation with Custom Action Tracking
Expected signal: Process creation for msiexec.exe or cmd.exe spawned from installer context. File creation for custom_action_test.txt. Windows Installer Application event log entries for custom action execution.
References (5)
- https://attack.mitre.org/techniques/T1546/016/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.016/T1546.016.md
- https://docs.microsoft.com/en-us/windows/win32/msi/custom-actions
- https://arstechnica.com/information-technology/2022/01/researchers-find-hundreds-of-compromised-npm-packages-stealing-data/
- https://unit42.paloaltonetworks.com/atoms/supply-chain-compromise/
Unlock Pro Content
Get the full detection package for T1546.016 including response playbook, investigation guide, and atomic red team tests.