fix: NSIS install using $TEMP are flags matching rules
e.g.:
https://www.virustotal.com/gui/file/2ed7c8bbdb728a53354849f2801a05dd9719ffe7984002d0cc1dbc5c17696b66
Matches rule Suspicious Volume Shadow Copy Vsstrace.dll Load by frack113 at Sigma Integrated Rule Set (GitHub)

NSIS $TEMP is used like this:

'$TEMP\vc_redist.x64.exe /install /quiet /norestart'

Ideally, the exe to install should be signed by Microsoft from these directories.
So the rule should check if it is signed from Microsoft.
Ti-R committed Jan 3, 2025
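The commit message above reasons about which installer paths the filter should exempt. As an added example (not code from the Sigma repository or from this commit), the block below is a small Python evaluator for the rule's "selection and not filter" logic, run over constructed Sysmon image_load records. Only the filter prefixes are taken from the diff; the selection on vsstrace.dll, the field names Image and ImageLoaded, the GUID-style directory names and every sample path are assumptions. It shows what the new Package Cache prefix exempts, what it still alerts on, and why the prefix match has to be case-insensitive.

```python
# Added example, not code from the Sigma repository or from this commit.
# Minimal evaluator for a Sigma-style "selection and not filter" rule, run over
# constructed Sysmon image_load (Event ID 7) records. Only the filter prefixes
# come from the diff; the selection (a load of vsstrace.dll) is assumed from the
# rule title, and all function names, field names and paths are ours.

from typing import Dict, List

# Image prefixes from the filter block in the diff; the Package Cache entry is
# the one this commit adds.
FILTER_IMAGE_PREFIXES: List[str] = [
    "C:\\Windows\\SysWOW64\\",
    "C:\\Windows\\Temp\\{",               # Installers
    "C:\\Windows\\WinSxS\\",
    "C:\\ProgramData\\Package Cache\\{",  # added by this commit
]

# Assumed selection: the loaded module is vsstrace.dll.
SELECTED_MODULE_SUFFIX = "\\vsstrace.dll"


def _startswith_ci(value: str, prefix: str) -> bool:
    # Sigma string matching is case-insensitive; a case-sensitive startswith
    # would miss 'c:\programdata\...' as some sources log paths lower-cased.
    return value.lower().startswith(prefix.lower())


def _endswith_ci(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())


def rule_matches(event: Dict[str, str]) -> bool:
    """True when the rule would fire: selection hits and no filter prefix matches Image."""
    if not _endswith_ci(event.get("ImageLoaded", ""), SELECTED_MODULE_SUFFIX):
        return False
    image = event.get("Image", "")
    return not any(_startswith_ci(image, p) for p in FILTER_IMAGE_PREFIXES)


VSSTRACE = "C:\\Windows\\System32\\vsstrace.dll"

# Constructed events (hypothetical paths and GUIDs, not the VirusTotal sample).
EVENTS: List[Dict[str, str]] = [
    # vc_redist re-launched from the bundle cache: exempted after this commit
    {"Image": "C:\\ProgramData\\Package Cache\\{11111111-2222-3333-4444-555555555555}\\vc_redist.x64.exe",
     "ImageLoaded": VSSTRACE},
    # the NSIS $TEMP invocation itself runs from the user's temp dir: still fires
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\vc_redist.x64.exe",
     "ImageLoaded": VSSTRACE},
    # caveat: any binary under the prefix is exempted, Microsoft-signed or not
    {"Image": "C:\\ProgramData\\Package Cache\\{not-a-real-bundle}\\dropper.exe",
     "ImageLoaded": VSSTRACE},
    # lower-cased path as some log pipelines emit it: must still be exempted
    {"Image": "c:\\programdata\\package cache\\{11111111-2222-3333-4444-555555555555}\\vc_redist.x64.exe",
     "ImageLoaded": VSSTRACE},
    # unrelated module load: the selection does not hit at all
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\vc_redist.x64.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
]


def evaluate(events: List[Dict[str, str]] = EVENTS) -> List[bool]:
    """One verdict per event, in input order."""
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for e, hit in zip(EVENTS, evaluate()):
        print("ALERT " if hit else "filter", e["Image"])
```

The third event is the point a reviewer of this change should keep in mind: a path prefix exempts whatever lands under it, so it is a weaker control than the signer check the commit message asks for.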
1 parent fa68da9 commit 4b0a5fe
Showing 1 changed file with 2 additions and 1 deletion.
Expand Up @@ -11,7 +11,7 @@ references:
- https://github.com/ORCx41/DeleteShadowCopies
author: frack113
date: 2023-02-17
modified: 2023-03-28
modified: 2025-01-01
tags:
- attack.defense-evasion
- attack.impact
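Review bot: the metadata hunk bumps `modified` but leaves `references` untouched, so the justification for the new filter entry lives only in the commit message. The message cites a concrete sample (the VirusTotal link) and the `$TEMP\vc_redist.x64.exe /install /quiet /norestart` invocation; add that to the `references` list so the next person auditing the filter can see what the Package Cache prefix was meant to exempt. Minor: `modified: 2025-01-01` predates the commit date (Jan 3, 2025); the field is normally set to the day the change lands.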
Expand All @@ -31,6 +31,7 @@ detection:
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\Temp\{' # Installers
- 'C:\Windows\WinSxS\'
- 'C:\ProgramData\Package Cache\{' # NSIS "$TEMP" var Installers
filter_program_files:
# When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions
Image|startswith:
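Review bot: the new `'C:\ProgramData\Package Cache\{'` entry is a path allowlist, not the Microsoft-signature check the commit message says the rule should perform. Every process whose Image starts with that prefix is exempted regardless of who signed it, the same weakness the existing `'C:\Windows\Temp\{'` entry already carries; Sysmon image_load events expose `Signed`/`Signature` for the loaded module (vsstrace.dll here), not for the loading process, so the intended signer check cannot be expressed in this logsource and the comment should say the prefix is a best-effort stand-in. The comment `# NSIS "$TEMP" var Installers` is also misleading: `$TEMP` in NSIS resolves to the user's temporary directory, whereas `C:\ProgramData\Package Cache\{GUID}\` is where a WiX Burn bundle such as vc_redist.x64.exe caches and re-launches itself. Suggest `# WiX Burn bundle cache (e.g. vc_redist re-launching itself)` so the comment describes the path that is actually being exempted.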
