diff --git a/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml b/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml
index 81dce59c451..7de30e3d0c5 100644
--- a/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml
+++ b/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml
@@ -12,7 +12,7 @@ references:
 - https://twitter.com/am0nsec/status/1412232114980982787
 author: Markus Neis, @markus_neis
 date: 2021/07/07
-modified: 2023/05/23
+modified: 2024/03/28
 tags:
 - attack.defense_evasion
 - attack.impact
@@ -36,13 +36,14 @@ detection:
 - '\searchindexer.exe'
 - '\srtasks.exe'
 - '\svchost.exe'
+ - '\System32\SystemPropertiesAdvanced.exe'
 - '\taskhostw.exe'
 - '\thor.exe'
 - '\thor64.exe'
 - '\tiworker.exe'
 - '\vssvc.exe'
 - '\WmiPrvSE.exe'
- - '\System32\SystemPropertiesAdvanced.exe'
+ - '\wsmprovhost.exe'
 filter_programfiles:
 # When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions
 Image|startswith:
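Review bot: The new `'\wsmprovhost.exe'` entry in the second hunk is a bare filename, whereas the entry the same hunk moves, `'\System32\SystemPropertiesAdvanced.exe'`, is path-qualified, so the WinRM provider host exclusion matches that name under any directory rather than only its expected system location; if the filter key allows it, `- '\System32\wsmprovhost.exe'` would keep the new exclusion as narrow as its neighbour. Because wsmprovhost.exe is the process that hosts remote PowerShell sessions, excluding it also means a vss_ps.dll load that originates from a remoting session will no longer trigger this rule, which widens the filter more than the other entries do; if that trade-off is intended, a comment on the line such as `# wsmprovhost.exe (WinRM provider host) added as a false-positive filter; verify against your environment` would make the reasoning visible to operators tuning the rule. The filter list this hunk edits starts before the hunk, so the key it belongs to (presumably an `Image|endswith` filter) is not visible here. The first hunk is only the `modified` date bump and needs no change.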