Detectionhightest

Suspicious Volume Shadow Copy Vssapi.dll Load

Detects the image load of VSS DLL by uncommon executables

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Mon Oct 31Updated Fri Oct 1737774c23-25a1-4adb-bb6d-8bb9fd59c0f8windows

Log Source

WindowsImage Load (DLL)

ProductWindows← raw: windows

CategoryImage Load (DLL)← raw: image_load

Detection Logic

detection:
    selection:
        ImageLoaded|endswith: '\vssapi.dll'
    filter_main_windows:
        - Image:
              - 'C:\Windows\explorer.exe'
              - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
        - Image|startswith:
              - 'C:\Windows\System32\'
              - 'C:\Windows\SysWOW64\'
              - 'C:\Windows\Temp\{' # Installers
              - 'C:\Windows\WinSxS\'
    filter_main_program_files:
        # When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_main_null_image:
        Image: null
    filter_optional_programdata_packagecache:
        # The following filter is required because of many FPs cause by:
        #   C:\ProgramData\Package Cache\{10c6cfdc-27af-43fe-bbd3-bd20aae88451}\dotnet-sdk-3.1.425-win-x64.exe
        #   C:\ProgramData\Package Cache\{b9cfa33e-ace4-49f4-8bb4-82ded940990a}\windowsdesktop-runtime-6.0.11-win-x86.exe
        #   C:\ProgramData\Package Cache\{50264ff2-ad47-4569-abc4-1c350f285fb9}\aspnetcore-runtime-6.0.11-win-x86.exe
        #   C:\ProgramData\Package Cache\{2dcef8c3-1563-4149-a6ec-5b6c98500d7d}\dotnet-sdk-6.0.306-win-x64.exe
        #   etc.
        Image|startswith: 'C:\ProgramData\Package Cache\'
    filter_optional_avira:
        Image|contains|all:
            - '\temp\is-'
            - '\avira_system_speedup.tmp'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0040 · Impact

Techniques

T1490 · Inhibit System Recovery

Related Rules

SimilarDetectionhigh

Suspicious Volume Shadow Copy VSS_PS.dll Load

Detects the image load of vss_ps.dll by uncommon executables. This DLL is used by the Volume Shadow Copy Service (VSS) to manage shadow copies of files and volumes. It is often abused by attackers to delete or manipulate shadow copies, which can hinder forensic investigations and data recovery efforts. The fact that it is loaded by processes that are not typically associated with VSS operations can indicate suspicious activity.

Detects similar activity. Both rules may fire on overlapping events.

SimilarDetectionmedium

Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load

Detects the image load of VSS DLL by uncommon executables

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

37774c23-25a1-4adb-bb6d-8bb9fd59c0f8

Status

test

Level

high

Type

Detection

Created

Mon Oct 31

Modified

Fri Oct 17

Author

François Hubaut

Path

rules/windows/image_load/image_load_dll_vssapi_susp_load.yml

Raw Tags

attack.defense-evasionattack.impactattack.t1490

View on GitHub