From f27ddc8a0f2f02d55a4bb8591a734ab495eddfbc Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 31 Oct 2022 19:33:13 +0100
Subject: [PATCH] Update rules/windows/image_load/image_load_susp_vss_dll_load.yml

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
---
 rules/windows/image_load/image_load_susp_vss_dll_load.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/windows/image_load/image_load_susp_vss_dll_load.yml b/rules/windows/image_load/image_load_susp_vss_dll_load.yml
index 28abba3f1..c91a4fc90 100644
--- a/rules/windows/image_load/image_load_susp_vss_dll_load.yml
+++ b/rules/windows/image_load/image_load_susp_vss_dll_load.yml
@@ -19,7 +19,10 @@ detection:
 - '\vsstrace.dll'
 - '\vssapi.dll'
 filter_legit:
- Image|contains: 'c:\windows\'
+ Image|startswith:
+ - 'C:\Windows\'
+ - 'C:\Program Files\'
+ - 'C:\Program Files (x86)\
 condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
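Review bot: The last added line of the hunk, `- 'C:\Program Files (x86)\`, is missing its closing quote, so the single-quoted scalar is unterminated and the rule will either fail to load or have the following `condition:` line absorbed into the string; it should read `- 'C:\Program Files (x86)\'`. The switch from `contains` on `c:\windows\` to `startswith` on three root directories also widens the exclusion considerably: any image loading the VSS DLLs from anywhere under Program Files is now silently filtered, including user-writable subdirectories some installers leave behind, so the `falsepositives`/description should state this trade-off explicitly. The enclosing `detection:` block begins above the hunk, so the `selection` the condition refers to is not visible here.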