In a recent blog post by Mandiant, a cybersecurity firm, they highlighted the potential risks associated with third-party Windows installers. The post emphasizes how threat actors can exploit these installers to escalate privileges and gain unauthorized access to systems. This article will provide an overview of the threat, the associated MITRE ATT&CK TTPs, and best practices for securing third-party Windows installers.
MITRE ATT&CK TTPs
The exploitation of third-party Windows installers aligns with several MITRE ATT&CK TTPs, particularly those related to privilege escalation and defense evasion. Specifically, the TTP “Third-Party Software” (T1072) is relevant here. This TTP involves the exploitation of third-party software to gain access to a system or escalate privileges. In this case, the third-party software in question is the Windows installer.
Indicators of Compromise (IOCs)
- Unexpected changes in file or system configurations
- Unusual network traffic or connections to suspicious IP addresses
- Unexpected creation of new user accounts or escalation of privileges for existing accounts
- Unusual system behavior or performance issues
Understanding Third-Party Windows Installers
Third-party Windows installers are software components used to install, update, or remove software applications on Windows systems. While they are essential for managing software on Windows systems, they can also pose significant security risks if not properly secured. Threat actors can exploit vulnerabilities in these installers to gain unauthorized access to systems and escalate their privileges.
Best Practices for Securing Third-Party Windows Installers
To mitigate the risks associated with third-party Windows installers, organizations should follow these best practices:
- Update the Windows Installer version: Always use the latest version of the Windows Installer to benefit from the latest security updates and features.
- Secure the original package source files: Keep the original package source files secure and available to users. This can help prevent unauthorized modifications to the installer packages.
- Enable verbose logging: Enable verbose logging on the user’s computer when troubleshooting deployment. This can help identify any issues or potential security risks.
- Test packages for both per-user and per-machine installation deployment: This can help ensure that the installer works correctly for all users and does not introduce any security risks.
- Plan and test a servicing strategy before shipping the application: This can help ensure that updates and patches can be deployed quickly and effectively when needed.
- Avoid using the AlwaysInstallElevated policy: This policy can potentially allow non-administrative users to install software with system-level privileges, which can pose significant security risks.
By following these best practices, organizations can significantly reduce the risks associated with third-party Windows installers and enhance their overall cybersecurity posture.
Further Reading
- Privileges of Third-Party Windows Installers | Mandiant
- Third-Party Software (T1072) | MITRE ATT&CK®
- Windows Installer Best Practices | Microsoft
This analysis is based on the Mandiant blog post, MITRE ATT&CK®, and Microsoft’s guide on Windows Installer best practices.