Adversaries may load Vssapi.dll to abuse Volume Shadow Copy mechanisms for persistence or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify persistence or data exfiltration activity associated with T1490.
Detection Rule
title: Suspicious Volume Shadow Copy Vssapi.dll Load
id: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8
related:
    - id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70 # vss_ps.dll
      type: similar
    - id: 48bfd177-7cf2-412b-ad77-baf923489e82 # vsstrace.dll
      type: similar
status: test
description: Detects the image load of VSS DLL by uncommon executables
references:
    - https://github.com/ORCx41/DeleteShadowCopies
author: frack113
date: 2022-10-31
modified: 2025-10-17
tags:
    - attack.defense-evasion
    - attack.impact
    - attack.t1490
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\vssapi.dll'
    filter_main_windows:
        - Image:
              - 'C:\Windows\explorer.exe'
              - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
        - Image|startswith:
              - 'C:\Windows\System32\'
              - 'C:\Windows\SysWOW64\'
              - 'C:\Windows\Temp\{' # Installers
              - 'C:\Windows\WinSxS\'
    filter_main_program_files:
        # When using this rule in your environment, replace the "Program Files" folder with the exact applications you know use this. Examples would be software such as backup solutions.
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_main_null_image:
        Image: null
    filter_optional_programdata_packagecache:
        # The following filter is required because of many FPs caused by:
        # C:\ProgramData\Package Cache\{10c6cfdc-27af-43fe-bbd3-bd20aae88451}\dotnet-sdk-3.1.425-win-x64.exe
        # C:\ProgramData\Package Cache\{b9cfa33e-ace4-49f4-8bb4-82ded940990a}\windowsdesktop-runtime-6.0.11-win-x86.exe
        # C:\ProgramData\Package Cache\{50264ff2-ad47-4569-abc4-1c350f285fb9}\aspnetcore-runtime-6.0.11-win-x86.exe
        # C:\ProgramData\Package Cache\{2dcef8c3-1563-4149-a6ec-5b6c98500d7d}\dotnet-sdk-6.0.306-win-x64.exe
        # etc.
        Image|startswith: 'C:\ProgramData\Package Cache\'
    filter_optional_avira:
        Image|contains|all:
            - '\temp\is-'
            - '\avira_system_speedup.tmp'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
DeviceImageLoadEvents
| where FolderPath endswith "\\vssapi.dll"
    and (not(
        (((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe"))
          or (InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\"
              or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\"
              or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\{"
              or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\"))
         or (InitiatingProcessFolderPath startswith "C:\\Program Files\\"
             or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\")
         or isnull(InitiatingProcessFolderPath))))
    and (not((InitiatingProcessFolderPath startswith "C:\\ProgramData\\Package Cache\\"
              or (InitiatingProcessFolderPath contains "\\temp\\is-"
                  and InitiatingProcessFolderPath contains "\\avira_system_speedup.tmp"))))
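The rule's filter logic, as an added Python example that is not part of the Sigma rule or the KQL above, run over constructed image-load events: it shows how the `filter_main_*` and `filter_optional_*` exclusions combine, that a null `Image` is excluded rather than alerted on, and that matching is case-insensitive. Field names `Image`/`ImageLoaded` follow the Sigma image_load schema; the sample paths are made up.

```python
# Added example (not the rule's own code): evaluates the Sigma logic above
# over constructed image-load events. Field names follow the Sigma image_load
# schema (Image, ImageLoaded); comparisons are case-insensitive, as Sigma
# string modifiers are by default and as the KQL in~/startswith/contains are.
from typing import Optional

WINDOWS_EXACT = ("c:\\windows\\explorer.exe",
                 "c:\\windows\\immersivecontrolpanel\\systemsettings.exe")
WINDOWS_PREFIX = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                  "c:\\windows\\temp\\{", "c:\\windows\\winsxs\\")
PROGRAM_FILES_PREFIX = ("c:\\program files\\", "c:\\program files (x86)\\")
PACKAGE_CACHE_PREFIX = "c:\\programdata\\package cache\\"
AVIRA_ALL = ("\\temp\\is-", "\\avira_system_speedup.tmp")


def is_suspicious_vssapi_load(image: Optional[str], image_loaded: str) -> bool:
    """selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if not image_loaded.lower().endswith("\\vssapi.dll"):
        return False                      # selection does not match
    if image is None:
        return False                      # filter_main_null_image
    img = image.lower()
    if img in WINDOWS_EXACT or img.startswith(WINDOWS_PREFIX):
        return False                      # filter_main_windows
    if img.startswith(PROGRAM_FILES_PREFIX):
        return False                      # filter_main_program_files
    if img.startswith(PACKAGE_CACHE_PREFIX):
        return False                      # filter_optional_programdata_packagecache
    if all(part in img for part in AVIRA_ALL):
        return False                      # filter_optional_avira
    return True                           # alert


def triage(events):
    """Return the Image of every event the rule would alert on."""
    return [e["Image"] for e in events
            if is_suspicious_vssapi_load(e.get("Image"), e["ImageLoaded"])]


VSSAPI = "C:\\Windows\\System32\\vssapi.dll"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real events
    {"Image": "C:\\Windows\\System32\\vssadmin.exe", "ImageLoaded": VSSAPI},
    {"Image": "C:\\Program Files\\ExampleBackup\\agent.exe", "ImageLoaded": VSSAPI},
    {"Image": "C:\\Users\\Public\\update.exe", "ImageLoaded": VSSAPI.upper()},
    {"Image": None, "ImageLoaded": VSSAPI},
    {"Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\is-K3J2A.tmp\\avira_system_speedup.tmp",
     "ImageLoaded": VSSAPI},
    {"Image": "C:\\Users\\bob\\Downloads\\tool.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll"},
]
```

Only the user-writable `C:\Users\Public\update.exe` load survives the filters; the null-image event is dropped because `filter_main_null_image` treats a missing initiating image as an exclusion, not an alert.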
Scenario: A system administrator is using VSSAdmin to perform a scheduled backup via Volume Shadow Copy Service.
Filter/Exclusion: Check if the process is svchost.exe or vssadmin.exe and if the parent process is a known system service (e.g., services.exe).
Scenario: A Windows Update task is running and loads Vssapi.dll as part of the update process.
Filter/Exclusion: Exclude svchost.exe processes that are associated with the wuauserv service.
Scenario: A scheduled backup job using Veeam Backup & Replication or Acronis True Image loads Vssapi.dll during a snapshot creation.
Filter/Exclusion: Exclude processes named VeeamBackup.exe or AcronisSnap.exe and verify the process is running under a known backup service account.
Scenario: A Windows PowerShell script or Task Scheduler job is configured to run a legitimate tool like Robocopy or DISM that indirectly triggers a Volume Shadow Copy operation.
Filter/Exclusion: Exclude processes with parent process taskhost.exe or powershell.exe and verify the command line includes known backup or imaging tools.
Scenario: A Windows Server Backup service is running and loads Vssapi.dll as part of its routine backup operations.
Filter/Exclusion: Exclude processes associated with wbengine.exe or wbadmin.exe and ensure the process is running under the NT SERVICE\wbengine account.