rule: suspicious vss ps load

rules/windows/image_load/win_suspicious_vss_ps_load.yml

@@ -0,0 +1,36 @@
+title: Image Load of vss_ps.dll by uncommon Executable (observed in Shadow Volume Deletion)
+id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70
+status: experimental
+description: Detects the image load of vss_ps.dll by uncommon executables using OriginalFileName datapoint
+author: Markus Neis, @markus_neis
+date: 2021/07/07
+references:
+    - 1bd85e1caa1415ebdc8852c91e37bbb7
+    - https://twitter.com/am0nsec/status/1412232114980982787    
+tags:
+    - attack.defense_evasion
+    - attack.impact 
+    - attack.t1490
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        OriginalFileName:
+            - 'VSS_PS.DLL'
+    filter:
+        Image|endswith:
+            - '\svchost.exe'
+            - '\msiexec.exe'
+            - '\vssvc.exe'
+            - '\srtasks.exe'
+            - '\tiworker.exe'
+            - '\dllhost.exe'
+            - '\searchindexer.exe'
+            - 'dismhost.exe'
+            - 'taskhostw.exe'
+        Image|contains: 'c:\windows\'
+    condition: selection and not filter
+falsepositives:
+    - unknown
+level: medium