Solved

Windows Server 2008 R2 and 2012 R2 event log for vssadmin command execution ?

Posted on 2016-09-07
4
13 Views
Last Modified: 2016-10-18
Hi All,

On Windows systems, in both targeted and mass distribution attacks, we often see the vssadmin tool being used to remove the volume shadow copies from the system.

For instance, CryptoLocker and Locky will execute a command to delete all of the volume shadow copies from the system.

I'm pretty sure that there are event log entries that are created when this happens, so triggerable events can be detected by a host-based product.

So I wonder what's the Event ID to be monitored in the server ?
Is it possible to send the email once this event is triggered in the server ?

Thanks in advance.
0
Comment
  • 2
4 Comments
 
LVL 53

Expert Comment

by:McKnife
ID: 41787438
The strategy to monitor behavior is not recommendable. Take proactive measures instead, configure applocker or software restriction policies.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41787445
McKnife,

Does this means configuring AppLocker like in: https://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx

To prevent any script to run in the %APPDATA% folder and the %TEMP% folder on your workstation / File Server ?
0
 
LVL 53

Accepted Solution

by:
McKnife earned 500 total points
ID: 41787452
That blogger has no deeper understanding of the matter. MS themselves did recommend not to use the default rules, for example, in fact, they strongly vote against it.

Applocker should be used to whitelist known software, the rest, including all ransomware will be prevented from running automatically.
1

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
When you start your Windows 10 PC and got an "Operating system not found" error or just saw  "Auto repair for startup" or a blinking cursor with black screen. A loop for Auto repair will start but fix nothing.  You will be panic as there are no back…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now