Executable Installer File Permissions Weakness

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FolderPath has "\\Temp\\"
| where FileName endswith ".exe"
| where InitiatingProcessFileName in~ ("msiexec.exe", "setup.exe", "install.exe", "installer.exe", "update.exe")
    or InitiatingProcessFileName contains "setup"
    or InitiatingProcessFileName contains "install"
| join kind=leftouter (
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where ActionType == "FileModified"
    | where FileName endswith ".exe" or FileName endswith ".dll"
    | where FolderPath has "\\Temp\\"
    | project DeviceId, ModifiedFile=FileName, ModifiedPath=FolderPath, ModifyTime=Timestamp, ModifyingProcess=InitiatingProcessFileName
) on DeviceId
| where ModifyTime between ((Timestamp - 5m) .. Timestamp)
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
         InitiatingProcessFileName, ModifiedFile, ModifiedPath, ModifyingProcess
| sort by Timestamp desc

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval event_type=case(
    EventCode=1, "process",
    EventCode=11, "file_create",
    true(), "other")
| where event_type in ("process", "file_create")
| eval temp_path=if(event_type="process",
    if(match(lower(Image), "\\\\temp\\\\"), 1, 0),
    if(match(lower(TargetFilename), "\\\\temp\\\\"), 1, 0))
| where temp_path=1
| eval is_installer=if(event_type="process" AND match(lower(Image), "(setup|install|msiexec|update)"), 1, 0)
| eval is_binary=if(event_type="file_create" AND match(TargetFilename, "(\.exe|\.dll)$"), 1, 0)
| stats values(event_type) as types, values(Image) as processes, values(TargetFilename) as files by host, span(_time, 10m)
| where mvcount(types) > 1 AND mvcount(files) > 0
| sort - _time

sequence by process.entity_id with maxspan=10m
  [file where event.type == "change" and file.name : ("*.exe", "*.dll") and file.path : "*\\Temp\\*"
   and not user.name : ("SYSTEM", "TrustedInstaller")]
  [process where event.type == "start" and process.executable : "*\\Temp\\*"
   and process.parent.name : ("msiexec.exe", "setup.exe", "install.exe")]

SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS HostIP, username,
  "CommandLine", "Image" AS ProcessImage,
  "TargetFilename" AS ModifiedFile,
  CASE
    WHEN "TargetFilename" ILIKE '%\\temp\\%.exe' AND eventid = 11 THEN 90
    WHEN "TargetFilename" ILIKE '%\\temp\\%.dll' AND eventid = 11 THEN 80
    ELSE 50
  END AS RiskScore,
  CASE
    WHEN eventid = 11 AND "TargetFilename" ILIKE '%\\temp\\%.exe' THEN 'EXE Created in Temp'
    WHEN eventid = 1 AND "Image" ILIKE '%\\temp\\%' THEN 'Elevated Execution from Temp'
    ELSE 'Suspicious File Activity'
  END AS AlertType
FROM events
WHERE eventid IN (1, 11)
  AND ("Image" ILIKE '%\\temp\\%' OR "TargetFilename" ILIKE '%\\temp\\%')
  AND ("Image" ILIKE '%.exe%' OR "TargetFilename" ILIKE '%.exe' OR "TargetFilename" ILIKE '%.dll')
  AND username NOT ILIKE '%SYSTEM%'
  AND username NOT ILIKE '%TrustedInstaller%'
  AND LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
ORDER BY RiskScore DESC
LAST 24 HOURS

_sourceCategory=*sysmon*
| json auto
| where EventCode in ("1","11")
| eval FilePath = if(EventCode = "1", Image, TargetFilename)
| where matches(lower(FilePath), "\\temp\\")
| where matches(lower(FilePath), "(\.exe|\.dll)$")
| eval IsInstaller = if(EventCode = "1" and matches(lower(Image), "(setup|install|msiexec|update)"), "true", "false")
| eval IsBinaryCreate = if(EventCode = "11", "true", "false")
| where User != "NT AUTHORITY\SYSTEM" and !isNull(User)
| eval RiskScore = if(IsInstaller = "true" or IsBinaryCreate = "true", 75, 40)
| stats values(EventCode) AS EventTypes, values(FilePath) AS Files, count AS EventCount by _sourceHost, User, _timeslice 10m
| where EventCount > 1
| sort by EventCount desc

rule T1574_005_hijack_execution {
  meta:
    author = "Detection Engineering"
    description = "Detects execution flow hijacking via installer or DLL path manipulation"
    severity = "high"
    confidence = "medium"
    mitre_attack = "T1574.005"
    reference = "https://attack.mitre.org/techniques/T1574/005/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)\\temp\\.*\.exe`) or
      re.regex($e.target.process.file.full_path, `(?i)\\appdata\\.*\.exe`)
    )
    not re.regex($e.principal.process.file.full_path, `(?i)(msiexec|trustedinstaller|wusa|dpinst)`)
    not $e.principal.user.user_display_name = "SYSTEM"

  condition:
    $e
}

#event_simpleName in ("ProcessRollup2", "SyntheticProcessRollup2")
| ImageFileName = /(?i)\\temp\\.*\.exe/
| ParentBaseFileName != /(?i)(msiexec|trustedinstaller|wusa|dpinst|svchost)/
| UserName != "SYSTEM"
| UserName != ""
| groupBy([aid, ComputerName, ImageFileName, ParentBaseFileName, UserName, CommandLine], function=[count(as=EventCount), min(timestamp, as=FirstSeen)])
| case {
    ImageFileName = /(?i)\\temp\\/i AND ParentBaseFileName = /(?i)(setup|install|update)/ => RiskScore := "High";
    ImageFileName = /(?i)\\temp\\/i => RiskScore := "Medium";
    * => RiskScore := "Low";
  }
| where RiskScore in ("High", "Medium")
| table([ComputerName, UserName, ImageFileName, ParentBaseFileName, CommandLine, EventCount, RiskScore, FirstSeen])
| sort(RiskScore)