?
Solved

Windows Server 2008 R2 and 2012 R2 event log for vssadmin command execution ?

Posted on 2016-09-07
4
Medium Priority
?
87 Views
Last Modified: 2016-10-18
Hi All,

On Windows systems, in both targeted and mass distribution attacks, we often see the vssadmin tool being used to remove the volume shadow copies from the system.

For instance, CryptoLocker and Locky will execute a command to delete all of the volume shadow copies from the system.

I'm pretty sure that there are event log entries that are created when this happens, so triggerable events can be detected by a host-based product.

So I wonder what's the Event ID to be monitored in the server ?
Is it possible to send the email once this event is triggered in the server ?

Thanks in advance.
0
Comment
  • 2
3 Comments
 
LVL 57

Expert Comment

by:McKnife
ID: 41787438
The strategy to monitor behavior is not recommendable. Take proactive measures instead, configure applocker or software restriction policies.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41787445
McKnife,

Does this means configuring AppLocker like in: https://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx

To prevent any script to run in the %APPDATA% folder and the %TEMP% folder on your workstation / File Server ?
0
 
LVL 57

Accepted Solution

by:
McKnife earned 2000 total points
ID: 41787452
That blogger has no deeper understanding of the matter. MS themselves did recommend not to use the default rules, for example, in fact, they strongly vote against it.

Applocker should be used to whitelist known software, the rest, including all ransomware will be prevented from running automatically.
1

Featured Post

Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Unable to change the program that handles the scan event from a network attached Canon/Brother printer/scanner. This means you'll always have to choose which program handles this action, e.g. ControlCenter4 (in the case of a Brother).
MS Outlook undoubtedly is the most widely used email client.Its user-friendliness, cost effectiveness, and availability with Microsoft Office Suite make it the most popular email application.  Its compatibility with Microsoft applications like Exch…
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question