Merge pull request #2749 from redsand/fp_msiexec

Filters false positive from msiexec.exe

rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml

@@ -6,7 +6,7 @@ references:
     - https://twitter.com/mrd0x/status/1481630810495139841?s=12
 author: Tim Shelton, Florian Roth
 date: 2022/01/13
-modified: 2022/01/27
+modified: 2022/02/25
 logsource:
     category: process_creation
     product: windows
@@ -21,6 +21,9 @@ detection:
     filter_iexplorer:
         ParentImage|endswith: ':\Program Files\Internet Explorer\iexplore.exe'
         CommandLine|contains: '.cpl'
+    filter_msiexec:
+        ParentImage|endswith: ':\Windows\SysWOW64\msiexec.exe'
+        CommandLine|startswith: 'C:\Windows\syswow64\MsiExec.exe -Embedding'
     condition: selection and not 1 of filter*
 fields:
     - Image