Merge PR #5152 from @Ti-R - Fix `Potentially Suspicious Volume Shadow…

… Copy Vsstrace.dll Load`

fix: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load - Add exclusion filter `C:\ProgramData\Package Cache\{` to account for cases like the execution of `vcredist`

---------

Co-authored-by: frack113 <[email protected]>
Co-authored-by: Nasreddine Bencherchali <[email protected]>

rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml

@@ -1,4 +1,4 @@
-title: Suspicious Volume Shadow Copy Vsstrace.dll Load
+title: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load
 id: 48bfd177-7cf2-412b-ad77-baf923489e82
 related:
     - id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70 # vss_ps.dll
@@ -11,7 +11,7 @@ references:
     - https://github.com/ORCx41/DeleteShadowCopies
 author: frack113
 date: 2023-02-17
-modified: 2023-03-28
+modified: 2025-01-19
 tags:
     - attack.defense-evasion
     - attack.impact
@@ -22,7 +22,7 @@ logsource:
 detection:
     selection:
         ImageLoaded|endswith: '\vsstrace.dll'
-    filter_windows:
+    filter_main_windows:
         - Image:
               - 'C:\Windows\explorer.exe'
               - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
@@ -31,12 +31,13 @@ detection:
               - 'C:\Windows\SysWOW64\'
               - 'C:\Windows\Temp\{' # Installers
               - 'C:\Windows\WinSxS\'
-    filter_program_files:
+              - 'C:\ProgramData\Package Cache\{'  # Microsoft Visual Redistributable installer  VC_redist/vcredist EXE
+    filter_optional_program_files:
         # When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions
         Image|startswith:
             - 'C:\Program Files\'
             - 'C:\Program Files (x86)\'
     condition: selection and not 1 of filter_*
 falsepositives:
     - Unknown
-level: high
+level: medium