?
Solved

Windows Server 2008 R2 and 2012 R2 event log for vssadmin command execution ?

Posted on 2016-09-07
4
Medium Priority
?
48 Views
Last Modified: 2016-10-18
Hi All,

On Windows systems, in both targeted and mass distribution attacks, we often see the vssadmin tool being used to remove the volume shadow copies from the system.

For instance, CryptoLocker and Locky will execute a command to delete all of the volume shadow copies from the system.

I'm pretty sure that there are event log entries that are created when this happens, so triggerable events can be detected by a host-based product.

So I wonder what's the Event ID to be monitored in the server ?
Is it possible to send the email once this event is triggered in the server ?

Thanks in advance.
0
Comment
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 56

Expert Comment

by:McKnife
ID: 41787438
The strategy to monitor behavior is not recommendable. Take proactive measures instead, configure applocker or software restriction policies.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41787445
McKnife,

Does this means configuring AppLocker like in: https://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx

To prevent any script to run in the %APPDATA% folder and the %TEMP% folder on your workstation / File Server ?
0
 
LVL 56

Accepted Solution

by:
McKnife earned 2000 total points
ID: 41787452
That blogger has no deeper understanding of the matter. MS themselves did recommend not to use the default rules, for example, in fact, they strongly vote against it.

Applocker should be used to whitelist known software, the rest, including all ransomware will be prevented from running automatically.
1

Featured Post

Does Your Cloud Backup Use Blockchain Technology?

Blockchain technology has already revolutionized finance thanks to Bitcoin. Now it's disrupting other areas, including the realm of data protection. Learn how blockchain is now being used to authenticate backup files and keep them safe from hackers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article helps those who get the 0xc004d307 error when trying to rearm (reset the license) Office 2013 in a Virtual Desktop Infrastructure (VDI) and/or those trying to prep the master image for Microsoft Key Management (KMS) activation. (i.e.- C…
In this modest contribution, I want to share with the IT community (especially system administrators, IT Support Engineers and IT Help Desks) about Windows crashes/hangs and how to deal with these particular problems.
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question