Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load

 1title: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load
 2id: 48bfd177-7cf2-412b-ad77-baf923489e82
 3related:
 4    - id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70 # vss_ps.dll
 5      type: similar
 6    - id: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8 # vssapi.dll
 7      type: similar
 8status: test
 9description: Detects the image load of VSS DLL by uncommon executables
10references:
11    - https://github.com/ORCx41/DeleteShadowCopies
12author: frack113
13date: 2023-02-17
14modified: 2025-10-17
15tags:
16    - attack.defense-evasion
17    - attack.impact
18    - attack.t1490
19logsource:
20    category: image_load
21    product: windows
22detection:
23    selection:
24        ImageLoaded|endswith: '\vsstrace.dll'
25    filter_main_windows:
26        - Image:
27              - 'C:\Windows\explorer.exe'
28              - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
29        - Image|startswith:
30              - 'C:\Windows\System32\'
31              - 'C:\Windows\SysWOW64\'
32              - 'C:\Windows\Temp\{' # Installers
33              - 'C:\Windows\WinSxS\'
34              - 'C:\ProgramData\Package Cache\{'  # Microsoft Visual Redistributable installer  VC_redist/vcredist EXE
35    filter_main_null_image:
36        Image: null # Observed through Aurora
37    filter_main_program_files:
38        # When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions
39        Image|startswith:
40            - 'C:\Program Files\'
41            - 'C:\Program Files (x86)\'
42    filter_optional_avira:
43        Image|contains|all:
44            - '\temp\is-'
45            - '\avira_system_speedup.tmp'
46    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
47falsepositives:
48    - Unknown
49level: medium