2021-07-08 06:33:46 +00:00
|
|
|
title: Image Load of VSS_PS.dll by Uncommon Executable
|
2021-07-07 16:21:57 +00:00
|
|
|
id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70
|
|
|
|
|
status: experimental
|
|
|
|
|
description: Detects the image load of vss_ps.dll by uncommon executables using OriginalFileName datapoint
|
|
|
|
|
author: Markus Neis, @markus_neis
|
|
|
|
|
date: 2021/07/07
|
|
|
|
|
references:
|
|
|
|
|
- 1bd85e1caa1415ebdc8852c91e37bbb7
|
|
|
|
|
- https://twitter.com/am0nsec/status/1412232114980982787
|
|
|
|
|
tags:
|
|
|
|
|
- attack.defense_evasion
|
|
|
|
|
- attack.impact
|
|
|
|
|
- attack.t1490
|
|
|
|
|
logsource:
|
|
|
|
|
category: image_load
|
|
|
|
|
product: windows
|
|
|
|
|
detection:
|
|
|
|
|
selection:
|
2021-07-08 07:05:57 +00:00
|
|
|
ImageLoaded|endswith:
|
|
|
|
|
- '\vss_ps.dll'
|
2021-07-07 16:21:57 +00:00
|
|
|
filter:
|
|
|
|
|
Image|endswith:
|
|
|
|
|
- '\svchost.exe'
|
|
|
|
|
- '\msiexec.exe'
|
|
|
|
|
- '\vssvc.exe'
|
|
|
|
|
- '\srtasks.exe'
|
|
|
|
|
- '\tiworker.exe'
|
|
|
|
|
- '\dllhost.exe'
|
|
|
|
|
- '\searchindexer.exe'
|
|
|
|
|
- 'dismhost.exe'
|
|
|
|
|
- 'taskhostw.exe'
|
2021-07-08 07:05:57 +00:00
|
|
|
- '\clussvc.exe'
|
2021-07-07 16:21:57 +00:00
|
|
|
Image|contains: 'c:\windows\'
|
|
|
|
|
condition: selection and not filter
|
|
|
|
|
falsepositives:
|
|
|
|
|
- unknown
|
2021-07-08 07:05:57 +00:00
|
|
|
level: high
|
