From 4b0a5fee01f350d08737f49110f481048d70f3bb Mon Sep 17 00:00:00 2001
From: Renan Lavarec
Date: Fri, 3 Jan 2025 22:33:40 +0100
Subject: [PATCH] fix: NSIS install using $TEMP are flags matching rules eg: https://www.virustotal.com/gui/file/2ed7c8bbdb728a53354849f2801a05dd9719ffe7984002d0cc1dbc5c17696b66 Matches rule Suspicious Volume Shadow Copy Vsstrace.dll Load by frack113 at Sigma Integrated Rule Set (GitHub) NSIS $TEMP is used like this: '$TEMP\vc_redist.x64.exe /install /quiet /norestart' Ideally, the exe to install should be signed by Microsoft from theses directories. So the rule should check if it is signed from Microsoft.
---
 rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml b/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml
index 3afd9ff24ce..09ba23aa9c6 100644
--- a/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml
+++ b/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml
@@ -11,7 +11,7 @@ references:
 - https://github.com/ORCx41/DeleteShadowCopies
 author: frack113
 date: 2023-02-17
-modified: 2023-03-28
+modified: 2025-01-01
 tags:
 - attack.defense-evasion
 - attack.impact
@@ -31,6 +31,7 @@ detection:
 - 'C:\Windows\SysWOW64\'
 - 'C:\Windows\Temp\{' # Installers
 - 'C:\Windows\WinSxS\'
+ - 'C:\ProgramData\Package Cache\{' # NSIS "$TEMP" var Installers
 filter_program_files: # When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions
 Image|startswith: