The hypothesis is that an adversary is leveraging the Volume Shadow Copy service to execute arbitrary code through Vsstrace.dll, a DLL normally used for volume shadow copy tracing. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential persistence or execution tactics used by advanced threats that abuse legitimate system components for malicious purposes.
Detection Rule
title: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load
id: 48bfd177-7cf2-412b-ad77-baf923489e82
related:
    - id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70 # vss_ps.dll
      type: similar
    - id: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8 # vssapi.dll
      type: similar
status: test
description: Detects the image load of VSS DLL by uncommon executables
references:
    - https://github.com/ORCx41/DeleteShadowCopies
author: frack113
date: 2023-02-17
modified: 2025-12-03
tags:
    - attack.defense-evasion
    - attack.impact
    - attack.t1490
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\vsstrace.dll'
    filter_main_windows:
        - Image:
              - 'C:\Windows\explorer.exe'
              - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
        - Image|startswith:
              - 'C:\Windows\System32\'
              - 'C:\Windows\SysWOW64\'
              - 'C:\Windows\Temp\{' # Installers
              - 'C:\Windows\WinSxS\'
              - 'C:\ProgramData\Package Cache\{' # Microsoft Visual Redistributable installer VC_redist/vcredist EXE
    filter_main_program_files:
        # When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_optional_recovery:
        Image|startswith: 'C:\$WinREAgent\Scratch\'
    filter_main_null_image:
        Image: null # Observed through Aurora
    filter_optional_avira:
        Image|contains|all:
            - '\temp\is-'
            - '\avira_system_speedup.tmp'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
DeviceImageLoadEvents
| where FolderPath endswith "\\vsstrace.dll"
    // filter_main_*: well-known Windows and Program Files locations, plus events with no initiating image
    and not (
        InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe")
        or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\"
        or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\"
        or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\{"
        or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\"
        or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Package Cache\\{"
        or InitiatingProcessFolderPath startswith "C:\\Program Files\\"
        or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\"
        or isnull(InitiatingProcessFolderPath)
    )
    // filter_optional_*: WinRE scratch directory and the Avira System Speedup installer
    and not (
        InitiatingProcessFolderPath startswith "C:\\$WinREAgent\\Scratch\\"
        or (InitiatingProcessFolderPath contains "\\temp\\is-" and InitiatingProcessFolderPath contains "\\avira_system_speedup.tmp")
    )
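To preview how the rule's selection and exclusions behave before deploying the query, here is an added Python example (not code from the Sigma rule, from Sentinel, or from the rule's author) that mirrors the selection and filter_* lists over constructed image-load events; the event field names Image and ImageLoaded follow the Sigma rule above, and the sample events are constructed, not real telemetry.

```python
# Added example (not the Sigma rule's own code or a Sentinel query): evaluates
# the rule's selection and filter_* logic over constructed image-load events.
# Sigma string matching is case-insensitive, so paths are lower-cased first.
FILTER_MAIN_IMAGE_EXACT = {
    "c:\\windows\\explorer.exe",
    "c:\\windows\\immersivecontrolpanel\\systemsettings.exe",
}
FILTER_MAIN_PREFIXES = (  # filter_main_windows + filter_main_program_files
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
    "c:\\windows\\temp\\{", "c:\\windows\\winsxs\\",
    "c:\\programdata\\package cache\\{",
    "c:\\program files\\", "c:\\program files (x86)\\",
)
FILTER_OPTIONAL_RECOVERY = "c:\\$winreagent\\scratch\\"
FILTER_OPTIONAL_AVIRA = ("\\temp\\is-", "\\avira_system_speedup.tmp")


def matches_rule(event: dict) -> bool:
    """True when 'selection and not 1 of filter_main_* and not 1 of
    filter_optional_*' holds for one image_load event."""
    loaded = (event.get("ImageLoaded") or "").lower()
    if not loaded.endswith("\\vsstrace.dll"):
        return False  # selection not met
    image = event.get("Image")
    if image is None:
        return False  # filter_main_null_image
    image = image.lower()
    if image in FILTER_MAIN_IMAGE_EXACT or image.startswith(FILTER_MAIN_PREFIXES):
        return False  # filter_main_windows / filter_main_program_files
    if image.startswith(FILTER_OPTIONAL_RECOVERY):
        return False  # filter_optional_recovery
    if all(part in image for part in FILTER_OPTIONAL_AVIRA):
        return False  # filter_optional_avira (contains|all)
    return True


def alerting_images(events) -> list:
    """Return the Image of every event that would fire the rule, in order."""
    return [e["Image"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
VSSTRACE = "C:\\Windows\\System32\\vsstrace.dll"
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": VSSTRACE},
    {"Image": "C:\\Users\\Public\\updater.exe", "ImageLoaded": VSSTRACE},
    {"Image": None, "ImageLoaded": VSSTRACE},  # Image absent in some sources
    {"Image": "C:\\Users\\Public\\updater.exe",
     "ImageLoaded": "C:\\Windows\\System32\\vssapi.dll"},  # not vsstrace
    {"Image": "C:\\Users\\u\\AppData\\Local\\Temp\\is-ABC.tmp\\"
              "avira_system_speedup.tmp\\setup.exe", "ImageLoaded": VSSTRACE},
]
```

Swap SAMPLE_EVENTS for exported image_load events to see which loads the rule would raise in your environment; only the updater.exe load from C:\Users\Public survives the filters in the sample set.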
Scenario: System Restore Service (vssvc.exe) loading Vsstrace.dll
Filter/Exclusion: Check the parent process is svchost.exe with the service name vssvc or process name vssvc.exe

Scenario: Volume Shadow Copy service configuration via Group Policy or registry
Filter/Exclusion: Filter events where the executable is regedit.exe or gpedit.msc and the registry key is related to Volume Shadow Copy settings

Scenario: Scheduled Task for backup or system image creation using VSS
Filter/Exclusion: Check for tasks scheduled by Task Scheduler with a command line referencing vssadmin or wbadmin

Scenario: Microsoft System Center Configuration Manager (SCCM) or System Center Data Protection Manager (DPM) using VSS
Filter/Exclusion: Filter events where the executable is smsutil.exe, dpmsvc.exe, or other known SCCM/DPM tools

Scenario: Windows Update or Windows Defender using Volume Shadow Copy for snapshot creation
Filter/Exclusion: Check for parent processes like wuauclt.exe or MsMpEng.exe and exclude known system maintenance tasks