Solved

Windows Server 2008 R2 and 2012 R2 event log for vssadmin command execution ?

Posted on 2016-09-07
4
28 Views
Last Modified: 2016-10-18
Hi All,

On Windows systems, in both targeted and mass distribution attacks, we often see the vssadmin tool being used to remove the volume shadow copies from the system.

For instance, CryptoLocker and Locky will execute a command to delete all of the volume shadow copies from the system.

I'm pretty sure that there are event log entries that are created when this happens, so triggerable events can be detected by a host-based product.

So I wonder what's the Event ID to be monitored in the server ?
Is it possible to send the email once this event is triggered in the server ?

Thanks in advance.
0
Comment
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 54

Expert Comment

by:McKnife
ID: 41787438
The strategy to monitor behavior is not recommendable. Take proactive measures instead, configure applocker or software restriction policies.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41787445
McKnife,

Does this means configuring AppLocker like in: https://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx

To prevent any script to run in the %APPDATA% folder and the %TEMP% folder on your workstation / File Server ?
0
 
LVL 54

Accepted Solution

by:
McKnife earned 500 total points
ID: 41787452
That blogger has no deeper understanding of the matter. MS themselves did recommend not to use the default rules, for example, in fact, they strongly vote against it.

Applocker should be used to whitelist known software, the rest, including all ransomware will be prevented from running automatically.
1

Featured Post

Create the perfect environment for any meeting

You might have a modern environment with all sorts of high-tech equipment, but what makes it worthwhile is how you seamlessly bring together the presentation with audio, video and lighting. The ATEN Control System provides integrated control and system automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question