
Summary
This detection rule targets the loading of the Volume Shadow Copy Service (VSS) API DLL, vssapi.dll, by executables that do not normally use it. VSS is the Windows component that creates and manages volume snapshots (shadow copies), so an unexpected process loading its API can indicate tampering with system backups: enumerating, deleting or modifying snapshots to prevent recovery, or using them to conceal traces of executed payloads. The rule works on image-load telemetry (for example Sysmon Event ID 7 or an equivalent EDR image-load event), matching events whose loaded image is vssapi.dll and excluding well-known loaders such as explorer.exe and SystemSettings.exe, so that only uncommon and unintended loads produce alerts. Because the rule keys on which process loads the DLL rather than on the DLL alone, legitimate backup or storage agents that use the VSS API will match until they are added to the exclusion list; baseline the environment's backup software and extend the filter before relying on the rule for alerting. Used alongside other backup-tampering detections, it helps catch ransomware and other malware that manipulate shadow copies on Windows endpoints.
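The matching logic described above, run over constructed image-load records, as an added example that is not the rule's own implementation. The records mimic the Sysmon Event ID 7 fields Image (the loading process) and ImageLoaded (the DLL); the directories assumed for the two excluded executables are their standard Windows locations, which the rule summary does not state. The example also shows why the exclusion should compare the full image path rather than only the file name: a copy of the allowlisted binary dropped into a user-writable directory must still alert.

```python
"""vssapi.dll image-load detection with a loader allowlist.

Event records below are constructed to mimic Sysmon Event ID 7 (Image loaded)
fields; they are sample data, not real telemetry.
"""
import ntpath
from typing import Dict, Iterable, List

# Processes the rule filters out as known-benign loaders of vssapi.dll.
# The directories are assumptions (the page names only the executables).
DEFAULT_ALLOWLIST = (
    r"C:\Windows\explorer.exe",
    r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
)


def is_vss_api_load(event: Dict[str, object]) -> bool:
    """True when the loaded module is vssapi.dll, case-insensitive, in any directory.

    Matching the trailing path component instead of a fixed System32 path keeps
    the rule from missing a copy of the DLL loaded from somewhere else.
    """
    loaded = str(event.get("ImageLoaded", "")).lower()
    return loaded.endswith("\\vssapi.dll")


def is_allowlisted(image: str, allowlist: Iterable[str], strict: bool = True) -> bool:
    """strict=True compares the full image path against the allowlist.

    strict=False compares only the file name, which an attacker-controlled
    binary named explorer.exe in another directory would satisfy.
    """
    if strict:
        return image.lower() in {p.lower() for p in allowlist}
    return ntpath.basename(image).lower() in {
        ntpath.basename(p).lower() for p in allowlist
    }


def detect(events: Iterable[Dict[str, object]],
           allowlist: Iterable[str] = DEFAULT_ALLOWLIST,
           strict: bool = True) -> List[Dict[str, object]]:
    """Return the image-load events that should raise an alert."""
    allowlist = tuple(allowlist)
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:          # only Sysmon "Image loaded" records
            continue
        if not is_vss_api_load(ev):
            continue
        if is_allowlisted(str(ev.get("Image", "")), allowlist, strict):
            continue
        hits.append(ev)
    return hits


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\vssapi.dll"},        # allowlisted loader
    {"EventID": 7, "Image": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
     "ImageLoaded": r"C:\Windows\System32\VSSAPI.DLL"},        # allowlisted, case differs
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},      # not vssapi.dll
    {"EventID": 1, "Image": r"C:\Users\Public\update.exe",
     "CommandLine": r"C:\Users\Public\update.exe"},            # process create, wrong event type
    {"EventID": 7, "Image": r"C:\Users\Public\update.exe",
     "ImageLoaded": r"C:\Windows\System32\vssapi.dll"},        # uncommon loader: alert
    {"EventID": 7, "Image": r"C:\Users\Public\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\vssapi.dll"},        # renamed binary: alert only with strict matching
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT vssapi.dll loaded by", hit["Image"])
    print("suppressed by file-name-only allowlist:",
          [e["Image"] for e in detect(SAMPLE_EVENTS, strict=False)])
```

With strict matching the two alerts are update.exe and the explorer.exe copy under C:\Users\Public; switching to file-name matching silently drops the second one, which is the weaker behaviour to avoid when the rule is translated into a SIEM query that uses a trailing-substring match on the process name.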
Categories
- Endpoint
- Windows
Data Sources
- Image
Created: 2022-10-31