From 0a1c600d7dc779fc4f146fbbfa465ab54c01125f Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 10 Feb 2018 15:25:08 +0100 Subject: [PATCH] Rule: Changed msiexec web install rule --- rules/windows/builtin/win_susp_msiexec_web_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_susp_msiexec_web_install.yml b/rules/windows/builtin/win_susp_msiexec_web_install.yml index bf756781b..880591fc6 100644 --- a/rules/windows/builtin/win_susp_msiexec_web_install.yml +++ b/rules/windows/builtin/win_susp_msiexec_web_install.yml @@ -10,7 +10,7 @@ date: 2018/02/09 detection: selection: CommandLine: - - '* msiexec* /q *http*' + - '* msiexec*:\/\/*' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment
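Review bot: In the replacement CommandLine value '* msiexec*:\/\/*', the backslashes sit inside a single-quoted YAML scalar, so they are passed to the rule converter as literal characters. Unless every target backend treats \/ as an escaped slash, the pattern will look for a backslash that does not occur in a URL and the rule will silently stop matching; writing the value as '* msiexec*://*' removes that dependency. The new pattern also drops the /q and http requirements, so it now matches any msiexec command line containing a scheme separator, including interactive installs, and the falsepositives entry in the trailing context could be updated to say so. The leading '* ' still requires a space before msiexec, so a command line that begins with msiexec is not covered; a second list entry without the leading space would close that gap.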