Suspicious Volume Shadow Copy VSS_PS.dll Load
Detects the image load of vss_ps.dll by uncommon executables
Sigma rule
title: Suspicious Volume Shadow Copy VSS_PS.dll Load
id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70
related:
    - id: 48bfd177-7cf2-412b-ad77-baf923489e82 # vsstrace.dll
      type: similar
    - id: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8 # vssapi.dll
      type: similar
status: experimental
description: Detects the image load of vss_ps.dll by uncommon executables
references:
    - https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add
    - https://twitter.com/am0nsec/status/1412232114980982787
author: Markus Neis, @markus_neis
date: 2021/07/07
modified: 2023/05/23
tags:
    - attack.defense_evasion
    - attack.impact
    - attack.t1490
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\vss_ps.dll'
    filter_legit:
        Image|startswith: 'C:\Windows\'
        Image|endswith:
            - '\clussvc.exe'
            - '\dismhost.exe'
            - '\dllhost.exe'
            - '\inetsrv\appcmd.exe'
            - '\inetsrv\iissetup.exe'
            - '\msiexec.exe'
            - '\rundll32.exe'
            - '\searchindexer.exe'
            - '\srtasks.exe'
            - '\svchost.exe'
            - '\taskhostw.exe'
            - '\thor.exe'
            - '\thor64.exe'
            - '\tiworker.exe'
            - '\vssvc.exe'
            - '\WmiPrvSE.exe'
            - '\System32\SystemPropertiesAdvanced.exe'
    filter_programfiles:
        # When using this rule in your environment, replace the "Program Files" folder with the exact applications you know use this. Examples would be software such as backup solutions
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_update:
        CommandLine|startswith: 'C:\$WinREAgent\Scratch\'
        CommandLine|contains: '\dismhost.exe {'
    filter_image_null:
        Image: null
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high
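To see how the condition `selection and not 1 of filter_*` behaves on real-looking telemetry, here is an added Python evaluation of this rule's selection and filters over constructed image_load events (example code, not part of the rule or the Sigma project; the sample paths and the helper names are assumptions, and Sigma's case-insensitive string matching is approximated by lower-casing both sides).

```python
from typing import Callable, Optional
# Image name suffixes from the rule's filter_legit list, lower-cased for matching.
LEGIT_IMAGE_SUFFIXES = [
    r"\clussvc.exe", r"\dismhost.exe", r"\dllhost.exe", r"\inetsrv\appcmd.exe",
    r"\inetsrv\iissetup.exe", r"\msiexec.exe", r"\rundll32.exe", r"\searchindexer.exe",
    r"\srtasks.exe", r"\svchost.exe", r"\taskhostw.exe", r"\thor.exe", r"\thor64.exe",
    r"\tiworker.exe", r"\vssvc.exe", r"\wmiprvse.exe", r"\system32\systempropertiesadvanced.exe",
]

def _field(ev: dict, name: str) -> Optional[str]:
    """Return a string field lower-cased (Sigma modifiers match case-insensitively) or None."""
    value = ev.get(name)
    return value.lower() if isinstance(value, str) else None

def selection(ev: dict) -> bool:
    return (_field(ev, "ImageLoaded") or "").endswith(r"\vss_ps.dll")

def filter_legit(ev: dict) -> bool:
    image = _field(ev, "Image") or ""
    return image.startswith("c:\\windows\\") and any(image.endswith(s) for s in LEGIT_IMAGE_SUFFIXES)

def filter_programfiles(ev: dict) -> bool:
    image = _field(ev, "Image") or ""
    return image.startswith(("c:\\program files\\", "c:\\program files (x86)\\"))

def filter_update(ev: dict) -> bool:
    cmd = _field(ev, "CommandLine") or ""
    return cmd.startswith("c:\\$winreagent\\scratch\\") and r"\dismhost.exe {" in cmd

def filter_image_null(ev: dict) -> bool:
    return ev.get("Image") is None  # 'Image: null' matches when the field is absent

FILTERS: list[Callable[[dict], bool]] = [filter_legit, filter_programfiles, filter_update, filter_image_null]
def rule_matches(ev: dict) -> bool:
    """condition: selection and not 1 of filter_*"""
    return selection(ev) and not any(f(ev) for f in FILTERS)

# Constructed sample image_load events (not real telemetry); only the third should alert.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\vss_ps.dll"},
    {"Image": r"C:\Program Files\BackupVendor\agent.exe", "ImageLoaded": r"C:\Windows\System32\vss_ps.dll"},
    {"Image": r"C:\Users\alice\Downloads\unknown.exe", "ImageLoaded": r"C:\Windows\System32\VSS_PS.DLL"},
    {"Image": r"C:\Windows\System32\dllhost.exe", "ImageLoaded": r"C:\Windows\System32\vssapi.dll"},
    {"ImageLoaded": r"C:\Windows\System32\vss_ps.dll"},  # Image missing: filter_image_null applies
]

def alerting_images(events: list[dict]) -> list[str]:
    """Return the Image of every event the rule would alert on."""
    return [ev["Image"] for ev in events if rule_matches(ev)]
```

Swap `SAMPLE_EVENTS` for events exported from your own image_load source to check which processes in your environment would be filtered by `filter_programfiles` before narrowing it to known backup software, as the rule's comment recommends.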
Related rules
- SystemStateBackup Deleted Using Wbadmin.EXE
- Cisco File Deletion
- Cisco Modify Configuration
- Delete Volume Shadow Copies via WMI with PowerShell - PS Script
- Boot Configuration Database (BCD) Manipulation - Registry Modification