From a4e6b3003f4660606e9fa0f65bfb977c49ef1a18 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 9 Feb 2018 10:13:20 +0100 Subject: [PATCH] Rule: Msiexec web install --- .../builtin/win_susp_msiexec_web_install.yml | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 rules/windows/builtin/win_susp_msiexec_web_install.yml diff --git a/rules/windows/builtin/win_susp_msiexec_web_install.yml b/rules/windows/builtin/win_susp_msiexec_web_install.yml new file mode 100644 index 000000000..bf756781b --- /dev/null +++ b/rules/windows/builtin/win_susp_msiexec_web_install.yml @@ -0,0 +1,32 @@ +--- +action: global +title: MsiExec Web Install +status: experimental +description: Detects suspicious msiexec proess starts with web addreses as parameter +references: + - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/ +author: Florian Roth +date: 2018/02/09 +detection: + selection: + CommandLine: + - '* msiexec* /q *http*' + condition: selection +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: medium +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 +--- +logsource: + product: windows + service: security + description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' +detection: + selection: + EventID: 4688
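Review bot: the `CommandLine` pattern in the global `detection` block, `- '* msiexec* /q *http*'`, is narrower than the title and description imply: it only matches when `/q` is surrounded by single spaces and the URL comes after it, so the `/qn` and `/quiet` spellings and the common `msiexec /i http://... /q` ordering (URL before the quiet switch) are missed, and the leading `* ` requires at least one character before `msiexec`, so a command line that starts directly with `msiexec` does not match. Consider listing the quiet-switch and ordering variants as separate wildcard entries (or as separate selection items combined with `and` in `condition`), and fix the typos in `description` (`proess` should be `process`, `addreses` should be `addresses`) so the rule text reads cleanly in the rule catalogue.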