Suspicious Volume Shadow Copy VSS_PS.dll Load
About the rule
Rule Type
Standard
Rule Description
Detects the image load of vss_ps.dll by uncommon executables. This DLL is used by the Volume Shadow Copy Service (VSS) to manage shadow copies of files and volumes. Attackers often abuse it to delete or manipulate shadow copies, which hinders forensic investigation and data recovery. A load of this DLL by a process that is not normally involved in VSS operations can therefore indicate suspicious activity.
Severity
Trouble
Rule Requirement
Criteria
Action1: actionname = "sa_imageloaded" AND OBJECTNAME endswith "\vss_ps.dll" AND ((PROCESSNAME notstartswith "C:\Windows" OR PROCESSNAME notendswith "\clussvc.exe,\dismhost.exe,\dllhost.exe,\inetsrv\appcmd.exe,\inetsrv\iissetup.exe,\msiexec.exe,\rundll32.exe,\searchindexer.exe,\srtasks.exe,\svchost.exe,\System32\SystemPropertiesAdvanced.exe,\taskhostw.exe,\thor.exe,\thor64.exe,\tiworker.exe,\vssvc.exe,\vssadmin.exe,\WmiPrvSE.exe,\wsmprovhost.exe") AND (COMMANDLINE notstartswith "C:\$WinREAgent\Scratch" OR COMMANDLINE notcontains "\dismhost.exe {") AND isExist(PROCESSNAME)) AND PROCESSNAME notstartswith "C:\Program Files\,C:\Program Files (x86)" select Action1.HOSTNAME,Action1.MESSAGE,Action1.PROCESSNAME,Action1.PRODUCT_NAME,Action1.OBJECTNAME
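The criteria above are easier to read as a sequence of exclusions: match every vss_ps.dll image load, then drop loads by the allow-listed Windows images under C:\Windows, by DISM running from the WinRE scratch directory, and by anything installed under Program Files. The Python below is an added example (not part of this rule page or any vendor's query engine) that re-implements that logic and runs it over constructed image-load events. It assumes PROCESSNAME carries the full image path and that string matching is case-insensitive; both are assumptions about the deployed engine.

```python
from dataclasses import dataclass

# Image names the rule allows when the loading process lives under C:\Windows
# (copied from the rule's notendswith list).
ALLOWED_WINDOWS_IMAGES = (
    "\\clussvc.exe", "\\dismhost.exe", "\\dllhost.exe", "\\inetsrv\\appcmd.exe",
    "\\inetsrv\\iissetup.exe", "\\msiexec.exe", "\\rundll32.exe", "\\searchindexer.exe",
    "\\srtasks.exe", "\\svchost.exe", "\\System32\\SystemPropertiesAdvanced.exe",
    "\\taskhostw.exe", "\\thor.exe", "\\thor64.exe", "\\tiworker.exe", "\\vssvc.exe",
    "\\vssadmin.exe", "\\WmiPrvSE.exe", "\\wsmprovhost.exe",
)
# Any process under these prefixes is excluded regardless of its image name.
PROGRAM_FILES_PREFIXES = ("C:\\Program Files\\", "C:\\Program Files (x86)")


@dataclass
class ImageLoadEvent:
    """One image-load event carrying the fields the rule's select clause uses."""
    hostname: str
    process_name: str   # full image path of the loading process (assumption)
    command_line: str
    object_name: str    # path of the loaded module


def is_suspicious(ev: ImageLoadEvent) -> bool:
    """True when the event satisfies every clause of the rule's criteria.

    Comparisons are case-insensitive, as Sigma modifiers are; whether the
    deployed query engine behaves the same way is an assumption.
    """
    obj = ev.object_name.lower()
    proc = ev.process_name.lower()
    cmd = ev.command_line.lower()

    # OBJECTNAME endswith "\vss_ps.dll"
    if not obj.endswith("\\vss_ps.dll"):
        return False
    # isExist(PROCESSNAME)
    if not proc:
        return False

    # Exclusion 1: a known Windows image loading the DLL from under C:\Windows.
    # The rule writes this as (notstartswith OR notendswith), the De Morgan
    # form of NOT (startswith AND endswith).
    windows_builtin = proc.startswith("c:\\windows") and proc.endswith(
        tuple(s.lower() for s in ALLOWED_WINDOWS_IMAGES))
    # Exclusion 2: DISM launched from the WinRE agent scratch directory.
    winre_dism = cmd.startswith("c:\\$winreagent\\scratch") and "\\dismhost.exe {" in cmd
    # Exclusion 3: anything installed under Program Files.
    program_files = proc.startswith(tuple(p.lower() for p in PROGRAM_FILES_PREFIXES))

    return not (windows_builtin or winre_dism or program_files)


def run_rule(events):
    """Returns (HOSTNAME, PROCESSNAME, OBJECTNAME) for each event the rule fires on."""
    return [(e.hostname, e.process_name, e.object_name) for e in events if is_suspicious(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ImageLoadEvent("WS01", "C:\\Windows\\System32\\svchost.exe",
                   "svchost.exe -k netsvcs", "C:\\Windows\\System32\\vss_ps.dll"),
    ImageLoadEvent("WS01", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                   "powershell.exe -File C:\\scripts\\cleanup.ps1", "C:\\Windows\\System32\\vss_ps.dll"),
    ImageLoadEvent("WS02", "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
                   "update.exe", "C:\\Windows\\System32\\vss_ps.dll"),
    ImageLoadEvent("WS02", "C:\\Program Files\\ExampleBackup\\agent.exe",
                   "agent.exe --snapshot", "C:\\Windows\\System32\\vss_ps.dll"),
    ImageLoadEvent("WS03", "C:\\$WinREAgent\\Scratch\\abc\\dismhost.exe",
                   "C:\\$WinREAgent\\Scratch\\abc\\dismhost.exe {00000000-0000-0000-0000-000000000000}",
                   "C:\\Windows\\System32\\vss_ps.dll"),
    ImageLoadEvent("WS03", "C:\\Windows\\System32\\rundll32.exe",
                   "rundll32.exe example.dll,Entry", "C:\\Windows\\System32\\kernel32.dll"),
    ImageLoadEvent("WS04", "", "", "C:\\Windows\\System32\\vss_ps.dll"),
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT", *hit)
```

Running it fires on the PowerShell load and the load from a user's Temp directory only; svchost.exe, the Program Files agent, the WinRE-scratch DISM instance, the non-vss_ps.dll load and the event with no process name are all filtered. Note that the Program Files exclusion is a path prefix, not a list of images, so any binary placed under those directories escapes the rule; when tuning, consider narrowing that clause to the backup or management products actually deployed.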
Detection
Execution Mode
realtime
Log Sources
Windows
Author
Markus Neis, @markus_neis