Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | N/A (single event)
Deduplication Period | 1 Day
Required Data |
Detection Modules |
Detector Tags |
ATT&CK Tactic |
ATT&CK Technique |
Severity | Medium
Description
The Windows Installer service (msiexec.exe) was likely abused to execute a malicious rollback script (.rbs file) in place of the legitimate one. During an installation the Installer service, which runs as SYSTEM, writes its rollback scripts into the Config.Msi directory on the system drive; if an unprivileged user can modify that directory while an installation is in progress, the service will process an attacker-supplied rollback script with SYSTEM privileges.
Users should not be able to modify Config.Msi during the installation process; only SYSTEM should have access to it.
Attacker's Goals
An attacker is attempting to gain SYSTEM privileges.
Investigative actions
- Investigate the actor process's SID and image path, and determine whether this process is benign or expected on this host.
- This action is uncommon, but it is permitted on Windows versions older than Windows 8. On those systems, check the file reputation of both the causality group owner (CGO) and the OS actor executables that ran the installation.
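To make the detection logic concrete, here is an added example that is not Cortex XDR's own code and does not come from the original page: a toy version of this detector run over constructed file-event records. The event schema (`FileEvent` fields), the sample paths, SIDs and timestamps are assumptions made for illustration. It keys on the two facts the page gives: only SYSTEM should be writing .rbs files into Config.Msi during an installation, and repeat alerts for the same host and actor are deduplicated over one day.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

SYSTEM_SID = "S-1-5-18"              # well-known SID of NT AUTHORITY\SYSTEM
CONFIG_MSI_DIR = "c:\\config.msi\\"  # the Installer service keeps rollback scripts here
DEDUP_PERIOD = timedelta(days=1)     # Synopsis: Deduplication Period = 1 Day


@dataclass(frozen=True)
class FileEvent:
    """A file write/rename event as an endpoint sensor might record it (assumed schema)."""
    ts: datetime
    host: str
    op: str          # "write" or "rename"
    target: str      # path written, or destination path of a rename
    actor_path: str  # image path of the process performing the operation
    actor_sid: str   # SID of the user the actor process runs as


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    actor_path: str
    actor_sid: str
    target: str


def is_rollback_script_in_config_msi(path: str) -> bool:
    """True for a .rbs (rollback script) file located under C:\\Config.Msi."""
    p = path.lower()
    return p.startswith(CONFIG_MSI_DIR) and p.endswith(".rbs")


def detect(events: Iterable[FileEvent]) -> List[Alert]:
    """Alert when a process that is NOT running as SYSTEM writes or renames a .rbs
    file into C:\\Config.Msi. Further hits for the same host + actor within
    DEDUP_PERIOD of the last alert are suppressed (single-event detector, 1-day dedup)."""
    alerts: List[Alert] = []
    last_alert: Dict[Tuple[str, str, str], datetime] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op not in ("write", "rename"):
            continue
        if not is_rollback_script_in_config_msi(ev.target):
            continue
        if ev.actor_sid == SYSTEM_SID:
            continue  # the Installer service itself legitimately writes its own .rbs files
        key = (ev.host, ev.actor_path.lower(), ev.actor_sid)
        prev = last_alert.get(key)
        if prev is not None and ev.ts - prev < DEDUP_PERIOD:
            continue
        last_alert[key] = ev.ts
        alerts.append(Alert(ev.ts, ev.host, ev.actor_path, ev.actor_sid, ev.target))
    return alerts


# Constructed sample telemetry for one host; paths, SIDs and timestamps are made up.
T0 = datetime(2024, 1, 1, 12, 0, 0)
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
USER_EXE = r"C:\Users\alice\Downloads\installer-helper.exe"
SAMPLE_EVENTS = [
    # Legitimate: msiexec.exe running as SYSTEM writes the rollback script for an install.
    FileEvent(T0, "ws01", "write", r"C:\Config.Msi\1a2b3c.rbs",
              r"C:\Windows\System32\msiexec.exe", SYSTEM_SID),
    # Suspicious: a user-context process swaps the rollback script via a rename.
    FileEvent(T0 + timedelta(seconds=2), "ws01", "rename", r"C:\Config.Msi\1a2b3c.rbs",
              USER_EXE, USER_SID),
    # Same actor, same host, 3 hours later: inside the dedup window, so suppressed.
    FileEvent(T0 + timedelta(hours=3), "ws01", "write", r"C:\Config.Msi\4d5e6f.rbs",
              USER_EXE, USER_SID),
    # A .rbs file outside Config.Msi is not what the detector looks for.
    FileEvent(T0 + timedelta(hours=4), "ws01", "write", r"C:\Users\alice\notes.rbs",
              USER_EXE, USER_SID),
    # Same actor again after the dedup period has elapsed: alerts a second time.
    FileEvent(T0 + timedelta(days=1, minutes=1), "ws01", "write", r"C:\Config.Msi\7a8b9c.rbs",
              USER_EXE, USER_SID),
]


def run_sample() -> List[Alert]:
    """Run the detector over the constructed events (two alerts expected)."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts:%Y-%m-%d %H:%M:%S} {a.host} sid={a.actor_sid} "
              f"actor={a.actor_path} target={a.target}")
```

The toy rule does not look at the OS version, so on hosts older than Windows 8, where the page notes this action is permitted, it will also fire on benign installs; those hits are the ones that need the CGO and OS actor reputation triage listed under Investigative actions. A production implementation would additionally correlate the write with an msiexec.exe installation in progress on the same host rather than alerting on the file operation alone.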