Suspicious Volume Shadow Copy VSS_PS.dll Load

Detects the image load of vss_ps.dll by uncommon executables

Sigma rule (View on GitHub)

 1title: Suspicious Volume Shadow Copy VSS_PS.dll Load
 2id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70
 3related:
 4    - id: 48bfd177-7cf2-412b-ad77-baf923489e82 # vsstrace.dll
 5      type: similar
 6    - id: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8 # vssapi.dll
 7      type: similar
 8status: experimental
 9description: Detects the image load of vss_ps.dll by uncommon executables
10references:
11    - https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add
12    - https://twitter.com/am0nsec/status/1412232114980982787
13author: Markus Neis, @markus_neis
14date: 2021/07/07
15modified: 2023/05/23
16tags:
17    - attack.defense_evasion
18    - attack.impact
19    - attack.t1490
20logsource:
21    category: image_load
22    product: windows
23detection:
24    selection:
25        ImageLoaded|endswith: '\vss_ps.dll'
26    filter_legit:
27        Image|startswith: 'C:\Windows\'
28        Image|endswith:
29            - '\clussvc.exe'
30            - '\dismhost.exe'
31            - '\dllhost.exe'
32            - '\inetsrv\appcmd.exe'
33            - '\inetsrv\iissetup.exe'
34            - '\msiexec.exe'
35            - '\rundll32.exe'
36            - '\searchindexer.exe'
37            - '\srtasks.exe'
38            - '\svchost.exe'
39            - '\taskhostw.exe'
40            - '\thor.exe'
41            - '\thor64.exe'
42            - '\tiworker.exe'
43            - '\vssvc.exe'
44            - '\WmiPrvSE.exe'
45            - '\System32\SystemPropertiesAdvanced.exe'
46    filter_programfiles:
47        # When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions
48        Image|startswith:
49            - 'C:\Program Files\'
50            - 'C:\Program Files (x86)\'
51    filter_update:
52        CommandLine|startswith: 'C:\$WinREAgent\Scratch\'
53        CommandLine|contains: '\dismhost.exe {'
54    filter_image_null:
55        Image: null
56    condition: selection and not 1 of filter_*
57falsepositives:
58    - Unknown
59level: high

References

Related rules

to-top