On Windows systems, in both targeted and mass distribution attacks, we often see the vssadmin tool being used to remove the volume shadow copies from the system.
For instance, CryptoLocker and Locky will execute a command to delete all of the volume shadow copies from the system.
I'm pretty sure that there are event log entries that are created when this happens, so triggerable events can be detected by a host-based product.
So I wonder what's the Event ID to be monitored on the server?
Is it possible to send an email once this event is triggered on the server?
Thanks in advance.
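The monitoring the question describes, as an added example that is not part of the original post: on Windows, a `vssadmin` invocation shows up as a process-creation event, Security log Event ID 4688, and that record carries the full command line only when the "Audit Process Creation" policy is on together with "Include command line in process creation events" (Sysmon Event ID 1 records the same information if Sysmon is deployed). The script below polls 4688 events from the last few minutes, flags command lines that delete shadow copies, and e-mails each hit. The SMTP server and addresses are placeholders, the lookback window and pattern list are assumptions, and the script is meant to be run from a scheduled task on the host being watched.

```powershell
# Added example, not from the original post: alert on vssadmin shadow copy
# deletion seen in Security Event ID 4688 (process creation).
# Assumes command-line auditing is enabled; otherwise the CommandLine field
# of 4688 is empty and nothing will match.

param(
    [string]$SmtpServer      = 'smtp.example.invalid',    # placeholder
    [string]$From            = 'alerts@example.invalid',  # placeholder
    [string]$To              = 'soc@example.invalid',     # placeholder
    [int]$LookbackMinutes    = 5                          # assumed polling window
)

# Command-line patterns treated as shadow copy removal (assumed list).
$ShadowCopyPatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows'
)

function Test-ShadowCopyTampering {
    param([string]$CommandLine)
    foreach ($p in $ShadowCopyPatterns) {
        if ($CommandLine -match $p) { return $true }
    }
    return $false
}

function Get-ShadowCopyDeletionEvents {
    param([datetime]$Since)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    # Get-WinEvent raises an error when no events match; suppress it so an
    # empty window simply yields no objects.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData layout of 4688: [1]=SubjectUserName, [2]=SubjectDomainName,
            # [5]=NewProcessName, [8]=CommandLine (empty unless auditing is on).
            $cmd = $_.Properties[8].Value
            if ($cmd -and (Test-ShadowCopyTampering $cmd)) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Computer    = $_.MachineName
                    User        = "$($_.Properties[2].Value)\$($_.Properties[1].Value)"
                    Process     = $_.Properties[5].Value
                    CommandLine = $cmd
                }
            }
        }
}

$since = (Get-Date).AddMinutes(-$LookbackMinutes)
$hits  = @(Get-ShadowCopyDeletionEvents -Since $since)

foreach ($hit in $hits) {
    $body = ($hit | Format-List | Out-String)
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "ALERT: shadow copy deletion on $($hit.Computer)" `
        -Body $body
}
```

Run it every few minutes from Task Scheduler with a window slightly larger than the interval so consecutive runs overlap rather than leave gaps; if duplicate mails matter, record the `RecordId` of events already reported. Matching on the parsed `CommandLine` field rather than on `$_.Message` keeps the check independent of the log's display text, and the same pattern function can be pointed at Sysmon Event ID 1 (whose `CommandLine` sits at a different property index) where Sysmon is in use.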