Rework Rule Condition

rules/windows/process_creation/proc_creation_win_always_install_elevated_windows_installer.yml

@@ -4,7 +4,7 @@ description: This rule looks for Windows Installer service (msiexec.exe) trying
 status: experimental
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020/10/13
-modified: 2022/08/25
+modified: 2022/10/20
 references:
     - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
 tags:
@@ -14,19 +14,18 @@ logsource:
     product: windows
     category: process_creation
 detection:
-    integrity_level:
-        IntegrityLevel: 'System'
-    user:
+    selection_user:
         User|contains: # covers many language settings
             - 'AUTHORI'
             - 'AUTORI'
-    image_1:
+    selection_image_1:
         Image|contains|all:
             - '\Windows\Installer\'
             - 'msi'
         Image|endswith: 'tmp'
-    image_2:
+    selection_image_2:
         Image|endswith: '\msiexec.exe'
+        IntegrityLevel: 'System'
     filter_installer:
         ParentImage: 'C:\Windows\System32\services.exe'
     filter_repair:
@@ -40,7 +39,7 @@ detection:
             - 'C:\Program Files (x86)\Avast Software\'
             - 'C:\Program Files\Google\Update\'
             - 'C:\Program Files (x86)\Google\Update\'
-    condition: ( (image_1 and user) or (image_2 and user and integrity_level) ) and not 1 of filter*
+    condition: 1 of selection_image_* and selection_user and not 1 of filter*
 fields:
     - IntegrityLevel
     - User