Suspicious Volume Shadow Copy Vssapi.dll Load

Severity: high
Author: frack113
Source: upstream

Detects the image load of VSS DLL by uncommon executables

MITRE ATT&CK coverage

Tactic	Techniques
Impact	`T1490` Inhibit System Recovery

Event coverage

Provider	Event ID	Title
Sysmon	7	Image loaded

Stages and Predicates

Stage 1: `selection`

ImageLoaded|endswith: '\vssapi.dll'

Stage 2: `not 1 of filter_main_*`

or:
Image: 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
Image: 'C:\Windows\explorer.exe'
Image: null
Image|startswith: 'C:\Program Files (x86)\'
Image|startswith: 'C:\Program Files\'
Image|startswith: 'C:\Windows\SysWOW64\'
Image|startswith: 'C:\Windows\System32\'
Image|startswith: 'C:\Windows\Temp\{'
Image|startswith: 'C:\Windows\WinSxS\'

Stage 3: `not 1 of filter_optional_*`

or:
Image|contains: '\avira_system_speedup.tmp'
Image|contains: '\temp\is-'
Image|startswith: 'C:\ProgramData\Package Cache\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Image`	eq	`C:\Windows\ImmersiveControlPanel\SystemSettings.exe` corpus 4 (sigma 4) `C:\Windows\explorer.exe` corpus 9 (sigma 9)
`Image`	match	`\avira_system_speedup.tmp` corpus 2 (sigma 2) `\temp\is-` corpus 2 (sigma 2)
`Image`	starts_with	`C:\Program Files (x86)\` corpus 14 (sigma 14) `C:\Program Files\` corpus 15 (sigma 15) `C:\ProgramData\Package Cache\` `C:\Windows\SysWOW64\` corpus 16 (sigma 16) `C:\Windows\System32\` corpus 16 (sigma 16) `C:\Windows\Temp\{` corpus 2 (sigma 2) `C:\Windows\WinSxS\` corpus 13 (sigma 13)
`ImageLoaded`	ends_with	`\vssapi.dll` corpus 2 (sigma 2)