False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares. A baseline is required before production use.

Techniques

Sample rules

MSI Installation From Suspicious Locations

Description

Detects MSI package installation from suspicious locations

Detection logic

condition: selection and not 1 of filter_*
filter_updhealthtools:
  Data|contains: C:\Windows\TEMP\UpdHealthTools.msi
filter_winget:
  Data|contains: \AppData\Local\Temp\WinGet\
selection:
  Data|contains:
  - :\Windows\TEMP\
  - \\\\
  - \Desktop\
  - \PerfLogs\
  - \Users\Public\
  EventID:
  - 1040
  - 1042
  Provider_Name: MsiInstaller
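As an added example (not from the LoFP page or the Sigma rule itself), the rule's condition evaluated in Python over constructed MsiInstaller event records, to show which events alert and which the filters suppress. Field names Provider_Name, EventID and Data follow the rule; the `\\\\` entry is treated as Sigma's escaped form of the two-backslash UNC prefix, and matching is case-insensitive as Sigma `contains` is.

```python
# Added example, not the rule's own code: re-implements
# "selection and not 1 of filter_*" for the rule above.
SELECTION_PATHS = [":\\Windows\\TEMP\\", "\\\\", "\\Desktop\\", "\\PerfLogs\\", "\\Users\\Public\\"]
SELECTION_EVENT_IDS = {1040, 1042}
FILTERS = ["C:\\Windows\\TEMP\\UpdHealthTools.msi", "\\AppData\\Local\\Temp\\WinGet\\"]


def matches_rule(event: dict) -> bool:
    """True when the event satisfies `selection` and none of the filter_* exclusions."""
    data = str(event.get("Data", "")).lower()          # Sigma string matching is case-insensitive
    selection = (
        event.get("Provider_Name") == "MsiInstaller"
        and event.get("EventID") in SELECTION_EVENT_IDS
        and any(p.lower() in data for p in SELECTION_PATHS)
    )
    if not selection:
        return False
    return not any(f.lower() in data for f in FILTERS)  # "not 1 of filter_*"


# Constructed sample events (not real log data)
SAMPLE_EVENTS = [
    {"Provider_Name": "MsiInstaller", "EventID": 1040, "Data": "C:\\Users\\alice\\Desktop\\tool.msi"},       # alerts: desktop
    {"Provider_Name": "MsiInstaller", "EventID": 1042, "Data": "\\\\fileserver\\share\\setup.msi"},          # alerts: remote share (UNC)
    {"Provider_Name": "MsiInstaller", "EventID": 1040, "Data": "C:\\Windows\\TEMP\\UpdHealthTools.msi"},     # suppressed by filter_updhealthtools
    {"Provider_Name": "MsiInstaller", "EventID": 1040,
     "Data": "C:\\Users\\alice\\AppData\\Local\\Temp\\WinGet\\pkg.msi"},                                      # no alert: outside watched folders, also covered by filter_winget
    {"Provider_Name": "MsiInstaller", "EventID": 1033, "Data": "C:\\Users\\Public\\x.msi"},                  # no alert: EventID not in selection
    {"Provider_Name": "Microsoft-Windows-Security-Auditing", "EventID": 1040, "Data": "C:\\Users\\Public\\x.msi"},  # no alert: wrong provider
    {"Provider_Name": "MsiInstaller", "EventID": 1040, "Data": "C:\\Program Files\\Vendor\\app.msi"},        # no alert: ordinary install path
]


def alerts(events):
    """Return the Data field of every event the rule would fire on, in input order."""
    return [e["Data"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT:", hit)
```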