fix: being loaded by wsmprovhost.exe

the loading happens automatically on systems with active WinRM connections without special interaction towards VSS

rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml

@@ -12,7 +12,7 @@ references:
     - https://twitter.com/am0nsec/status/1412232114980982787
 author: Markus Neis, @markus_neis
 date: 2021/07/07
-modified: 2023/05/23
+modified: 2024/03/28
 tags:
     - attack.defense_evasion
     - attack.impact
@@ -36,13 +36,14 @@ detection:
             - '\searchindexer.exe'
             - '\srtasks.exe'
             - '\svchost.exe'
+            - '\System32\SystemPropertiesAdvanced.exe'
             - '\taskhostw.exe'
             - '\thor.exe'
             - '\thor64.exe'
             - '\tiworker.exe'
             - '\vssvc.exe'
             - '\WmiPrvSE.exe'
-            - '\System32\SystemPropertiesAdvanced.exe'
+            - '\wsmprovhost.exe'
     filter_programfiles:
         # When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions
         Image|startswith: