Suspicious Volume Shadow Copy VSS_PS.dll Load

Severity: high
Author: Markus Neis, @markus_neis
Source: upstream

Detects the image load of vss_ps.dll by uncommon executables. This DLL is used by the Volume Shadow Copy Service (VSS) to manage shadow copies of files and volumes. It is often abused by attackers to delete or manipulate shadow copies, which can hinder forensic investigations and data recovery efforts. The fact that it is loaded by processes that are not typically associated with VSS operations can indicate suspicious activity.

MITRE ATT&CK coverage

Tactic	Techniques
Impact	`T1490` Inhibit System Recovery

Event coverage

Provider	Event ID	Title
Sysmon	7	Image loaded

Stages and Predicates

Stage 1: `selection`

ImageLoaded|endswith: '\vss_ps.dll'

Stage 2: `not 1 of filter_main_*`

or:
or:
Image|endswith: '\System32\SystemPropertiesAdvanced.exe'
Image|endswith: '\WmiPrvSE.exe'
Image|endswith: '\clussvc.exe'
Image|endswith: '\dismhost.exe'
Image|endswith: '\dllhost.exe'
Image|endswith: '\inetsrv\appcmd.exe'
Image|endswith: '\inetsrv\iissetup.exe'
Image|endswith: '\msiexec.exe'
Image|endswith: '\rundll32.exe'
Image|endswith: '\searchindexer.exe'
Image|endswith: '\srtasks.exe'
Image|endswith: '\svchost.exe'
Image|endswith: '\taskhostw.exe'
Image|endswith: '\thor.exe'
Image|endswith: '\thor64.exe'
Image|endswith: '\tiworker.exe'
Image|endswith: '\vssadmin.exe'
Image|endswith: '\vssvc.exe'
Image|endswith: '\wsmprovhost.exe'
Image|startswith: 'C:\Windows\'
CommandLine|contains: '\dismhost.exe {'
CommandLine|startswith: 'C:\$WinREAgent\Scratch\'
Image: null

Stage 3: `not 1 of filter_optional_programfiles`

or:
Image|startswith: 'C:\Program Files (x86)\'
Image|startswith: 'C:\Program Files\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`\dismhost.exe {` corpus 2 (sigma 2)
`CommandLine`	starts_with	`C:\$WinREAgent\Scratch\`
`Image`	ends_with	`\System32\SystemPropertiesAdvanced.exe` `\WmiPrvSE.exe` corpus 3 (sigma 3) `\clussvc.exe` `\dismhost.exe` `\dllhost.exe` corpus 8 (sigma 8) `\inetsrv\appcmd.exe` `\inetsrv\iissetup.exe` `\msiexec.exe` corpus 21 (sigma 21) `\rundll32.exe` corpus 76 (sigma 76) `\searchindexer.exe` `\srtasks.exe` `\svchost.exe` corpus 20 (sigma 20) `\taskhostw.exe` corpus 2 (sigma 2) `\thor.exe` corpus 7 (sigma 7) `\thor64.exe` corpus 6 (sigma 6) `\tiworker.exe` `\vssadmin.exe` corpus 5 (sigma 5) `\vssvc.exe` corpus 2 (sigma 2) `\wsmprovhost.exe` corpus 3 (sigma 3)
`Image`	starts_with	`C:\Program Files (x86)\` corpus 14 (sigma 14) `C:\Program Files\` corpus 15 (sigma 15) `C:\Windows\` corpus 4 (sigma 4)
`ImageLoaded`	ends_with	`\vss_ps.dll`