Suspicious Volume Shadow Copy Vssapi.dll Load

calendar Apr 28, 2026 · attack.impact attack.t1490  ·
Share on: linkedin copy

Detects the image load of VSS DLL by uncommon executables

Sigma rule (View on GitHub)

 1title: Suspicious Volume Shadow Copy Vssapi.dll Load
 2id: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8
 3related:
 4    - id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70 # vss_ps.dll
 5      type: similar
 6    - id: 48bfd177-7cf2-412b-ad77-baf923489e82 # vsstrace.dll
 7      type: similar
 8status: test
 9description: Detects the image load of VSS DLL by uncommon executables
10references:
11    - https://github.com/ORCx41/DeleteShadowCopies
12author: frack113
13date: 2022-10-31
14modified: 2025-10-17
15tags:
16    - attack.impact
17    - attack.t1490
18logsource:
19    category: image_load
20    product: windows
21detection:
22    selection:
23        ImageLoaded|endswith: '\vssapi.dll'
24    filter_main_windows:
25        - Image:
26              - 'C:\Windows\explorer.exe'
27              - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
28        - Image|startswith:
29              - 'C:\Windows\System32\'
30              - 'C:\Windows\SysWOW64\'
31              - 'C:\Windows\Temp\{' # Installers
32              - 'C:\Windows\WinSxS\'
33    filter_main_program_files:
34        # When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions
35        Image|startswith:
36            - 'C:\Program Files\'
37            - 'C:\Program Files (x86)\'
38    filter_main_null_image:
39        Image: null
40    filter_optional_programdata_packagecache:
41        # The following filter is required because of many FPs cause by:
42        #   C:\ProgramData\Package Cache\{10c6cfdc-27af-43fe-bbd3-bd20aae88451}\dotnet-sdk-3.1.425-win-x64.exe
43        #   C:\ProgramData\Package Cache\{b9cfa33e-ace4-49f4-8bb4-82ded940990a}\windowsdesktop-runtime-6.0.11-win-x86.exe
44        #   C:\ProgramData\Package Cache\{50264ff2-ad47-4569-abc4-1c350f285fb9}\aspnetcore-runtime-6.0.11-win-x86.exe
45        #   C:\ProgramData\Package Cache\{2dcef8c3-1563-4149-a6ec-5b6c98500d7d}\dotnet-sdk-6.0.306-win-x64.exe
46        #   etc.
47        Image|startswith: 'C:\ProgramData\Package Cache\'
48    filter_optional_avira:
49        Image|contains|all:
50            - '\temp\is-'
51            - '\avira_system_speedup.tmp'
52    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
53falsepositives:
54    - Unknown
55level: high

References

Related rules

to-top