Suspicious Volume Shadow Copy Vsstrace.dll Load
Detects the image load of VSS DLL by uncommon executables
Sigma rule (View on GitHub)
1title: Suspicious Volume Shadow Copy Vsstrace.dll Load
2id: 48bfd177-7cf2-412b-ad77-baf923489e82
3related:
4 - id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70 # vss_ps.dll
5 type: similar
6 - id: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8 # vssapi.dll
7 type: similar
8status: test
9description: Detects the image load of VSS DLL by uncommon executables
10references:
11 - https://github.com/ORCx41/DeleteShadowCopies
12author: frack113
13date: 2023/02/17
14modified: 2023/03/28
15tags:
16 - attack.defense_evasion
17 - attack.impact
18 - attack.t1490
19logsource:
20 category: image_load
21 product: windows
22detection:
23 selection:
24 ImageLoaded|endswith: '\vsstrace.dll'
25 filter_windows:
26 - Image:
27 - 'C:\Windows\explorer.exe'
28 - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
29 - Image|startswith:
30 - 'C:\Windows\System32\'
31 - 'C:\Windows\SysWOW64\'
32 - 'C:\Windows\Temp\{' # Installers
33 - 'C:\Windows\WinSxS\'
34 filter_program_files:
35 # When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions
36 Image|startswith:
37 - 'C:\Program Files\'
38 - 'C:\Program Files (x86)\'
39 condition: selection and not 1 of filter_*
40falsepositives:
41 - Unknown
42level: high
References
-
Deleting Shadow Copies In Pure C++ . Contribute to NUL0x4C/DeleteShadowCopies development by creating an account on GitHub.
Read More
Related rules
- WannaCry Ransomware Activity
- Deletion of Volume Shadow Copies via WMI with PowerShell
- Sensitive File Access Via Volume Shadow Copy Backup
- Backup Files Deleted
- Copy From VolumeShadowCopy Via Cmd.EXE