fix: NSIS install using $TEMP are flags matching rules #5152
Conversation
github-actions
bot
added
Rules
Windows
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Welcome @Ti-R 👋
It looks like this is your first pull request on the Sigma rules repository!
Please make sure to read the SigmaHQ conventions document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.
Thanks again, and welcome to the Sigma community! 😃
eg: https://www.virustotal.com/gui/file/2ed7c8bbdb728a53354849f2801a05dd9719ffe7984002d0cc1dbc5c17696b66 Matches rule Suspicious Volume Shadow Copy Vsstrace.dll Load by frack113 at Sigma Integrated Rule Set (GitHub) NSIS $TEMP is used like this: '$TEMP\vc_redist.x64.exe /install /quiet /norestart' Ideally, the exe to install should be signed by Microsoft from theses directories. So the rule should check if it is signed from Microsoft.
Ti-R
force-pushed
the
ti-r/fix_Suspicious_Volume_Shadow_Copy_Vsstrace.dll_Load_on_nsis_install
branch
from
b4b49ac to
4b0a5fe
Compare
|
Hi, To be more accurate, we can add a filter like this one: filter_vc_redist:
Image|startwith: 'C:\ProgramData\Package Cache\{'
Image|endswith: '}\VC_redist.x64.exe' # need the 86 name too :) |
|
Hi, |
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Summary of the Pull Request
NSIS install using $TEMP are flags matching rules
Changelog
Example Log Event
eg:
https://www.virustotal.com/gui/file/2ed7c8bbdb728a53354849f2801a05dd9719ffe7984002d0cc1dbc5c17696b66 Matches rule Suspicious Volume Shadow Copy Vsstrace.dll Load by frack113 at Sigma Integrated Rule Set (GitHub)
Fixed Issues
NSIS $TEMP is used like this:
'$TEMP\vc_redist.x64.exe /install /quiet /norestart'
Ideally, the exe to install should be signed by Microsoft from theses directories. So the rule should check if it is signed from Microsoft.
SigmaHQ Rule Creation Conventions