MSI Event Logs
Monitoring and Analyzing MSI Event Logs for Threat Detection
Microsoft Installer (MSI) files are a standard format for software installation on Windows systems. While they facilitate legitimate installations, attackers often exploit MSI files to distribute malware under the guise of trusted updates or applications. By analyzing MSI event logs, security analysts can distinguish between benign and malicious activities.
Key MSI Event IDs for Detection
Here are the critical MSI-related Event IDs to monitor for identifying potential malicious activities:
1. Event ID 1040 - MSI Installation/Uninstallation Start
Purpose: Logs the initiation of an MSI installation or uninstallation process.
Details:
Full Path of the MSI file.
Process ID of the installer process.
Use Case:
Detect unauthorized or unexpected MSI installations.
Example Log:
2. Event ID 11707 - MSI Installation Complete
Purpose: Logs the completion of an MSI installation or uninstallation.
Details:
Status Code indicating the result of the installation:
0: Installation succeeded.
Use Case:
Validate if the MSI installation was successful or failed.
Example Log:
3. Event ID 1033 - Validation and Installation Success
Purpose: Indicates that an MSI package was validated and installed successfully.
Details:
Product Name: Installed application name.
Product Version: Installed software version.
Manufacturer Name: Source of the MSI file.
Use Case:
Compare the Manufacturer Name against known vendors to detect suspicious or tampered MSI files.
Example Log:
4. Event ID 1034 - MSI Product Removal
Purpose: Logs the uninstallation of an MSI-installed product.
Details:
Product Name: Name of the removed application.
Use Case:
Malware often uninstalls itself after execution. Tracking removals can help uncover these activities.
Example Log:
Analyzing MSI Logs
How to View MSI Events:
Open Event Viewer.
Navigate to: Windows Logs > Application Logs.
Filter Current Log:
Select Event Source: MsiInstaller.
Apply filters for Event IDs: 1040, 11707, 1033, 1034.
Practical Detection Examples
1. Suspicious MSI Installation Path
MSI files originating from directories like Downloads or Temp may indicate malicious behavior.
Example:
2. Unexpected Manufacturer
Compare the Manufacturer Name to known vendors.
Example:
Legitimate software, such as Microsoft Teams, should display Microsoft Corporation.
3. Malware Uninstallation
An Event ID 1034 product removal logged immediately after the corresponding installation suggests potential malicious activity.
Example:
4. Installation Error Logs
Non-zero status codes in Event ID 1033 may indicate tampered or misconfigured MSI files.
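The four checks above, applied to a handful of constructed MsiInstaller events, as an added example that is not part of the original page. The sample messages are modelled on the Event ID 1040/1033/1034 message format, and the vendor allowlist (KNOWN_VENDORS), the 10-minute install-to-removal window and the helper names are assumptions for the illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (event_id, timestamp, message), not taken from a
# real host; the message text is modelled on the MsiInstaller format.
SAMPLE_EVENTS = [
    (1040, "2024-05-01T09:00:00", r"Beginning a Windows Installer transaction: C:\Users\alice\Downloads\update.msi. Client Process Id: 4120."),
    (1033, "2024-05-01T09:00:05", "Windows Installer installed the product. Product Name: Teams Update. Product Version: 1.0.0. Product Language: 1033. Manufacturer: Contoso Labs. Installation success or error status: 0."),
    (1034, "2024-05-01T09:01:10", "Windows Installer removed the product. Product Name: Teams Update. Product Version: 1.0.0. Product Language: 1033. Manufacturer: Contoso Labs. Removal success or error status: 0."),
    (1040, "2024-05-01T10:00:00", r"Beginning a Windows Installer transaction: C:\Windows\ccmcache\a1\client.msi. Client Process Id: 880."),
    (1033, "2024-05-01T10:00:30", "Windows Installer installed the product. Product Name: Microsoft Teams. Product Version: 1.6.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603."),
]

KNOWN_VENDORS = {"Microsoft Corporation"}            # assumed vendor allowlist
SUSPICIOUS_DIRS = re.compile(r"\\(Downloads|Temp)\\", re.I)
REMOVAL_WINDOW = timedelta(minutes=10)               # assumed install-to-removal threshold

def field(msg, name):
    # Pull "Name: value." out of an MsiInstaller message; None if the field is absent.
    m = re.search(rf"{name}: (.*?)\.(?: |$)", msg)
    return m.group(1) if m else None

def analyze(events):
    """Apply the four checks above; returns a list of (event_id, reason)."""
    alerts = []
    installed_at = {}                                # product name -> time of Event ID 1033
    for eid, ts, msg in events:
        t = datetime.fromisoformat(ts)
        if eid == 1040:                              # check 1: user-writable source path
            path = re.search(r"transaction: (.+?\.msi)", msg, re.I)
            if path and SUSPICIOUS_DIRS.search(path.group(1)):
                alerts.append((eid, f"MSI launched from {path.group(1)}"))
        elif eid == 1033:
            name, vendor = field(msg, "Product Name"), field(msg, "Manufacturer")
            status = field(msg, "Installation success or error status")
            installed_at[name] = t
            if vendor not in KNOWN_VENDORS:          # check 2: unexpected manufacturer
                alerts.append((eid, f"unexpected manufacturer '{vendor}' for '{name}'"))
            if status != "0":                        # check 4: non-zero install status
                alerts.append((eid, f"install status {status} for '{name}'"))
        elif eid == 1034:                            # check 3: removal shortly after install
            name = field(msg, "Product Name")
            if name in installed_at and t - installed_at[name] <= REMOVAL_WINDOW:
                secs = int((t - installed_at[name]).total_seconds())
                alerts.append((eid, f"'{name}' removed {secs}s after install"))
    return alerts

if __name__ == "__main__":
    for eid, reason in analyze(SAMPLE_EVENTS):
        print(f"Event ID {eid}: {reason}")
```

In a SIEM the same logic maps onto the Application log filtered to the MsiInstaller source, with the allowlist and window tuned to the environment.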
Defensive Measures
Monitor MSI Installations on Critical Systems
Automate alerts for MSI-related events, particularly on servers or administrative workstations.
Correlate with Network Activity
Look for MSI installations followed by suspicious outbound connections.
Attackers may download additional payloads post-installation.
Threat Intelligence Validation
Validate MSI file URLs or hashes using threat intelligence platforms such as:
VirusTotal
AbuseIPDB
Shodan
Key Points
MSI event logs provide valuable insights into installation and uninstallation activities. By monitoring critical Event IDs (1040, 11707, 1033, 1034) and correlating them with other security data, analysts can detect and respond to potential misuse of MSI files for malicious purposes.
Integrating MSI monitoring into a SIEM system enhances real-time detection and incident response, contributing to a more robust security posture.