Solved

Windows Server 2008 R2 and 2012 R2 event log for vssadmin command execution?

Posted on 2016-09-07
Last Modified: 2016-10-18
Hi All,

On Windows systems, in both targeted and mass distribution attacks, we often see the vssadmin tool being used to remove the volume shadow copies from the system.

For instance, CryptoLocker and Locky will execute a command to delete all of the volume shadow copies from the system.

I'm pretty sure that there are event log entries that are created when this happens, so triggerable events can be detected by a host-based product.

So I wonder what's the Event ID to be monitored on the server?
Is it possible to send an email once this event is triggered on the server?

Thanks in advance.

Expert Comment

by:McKnife
ID: 41787438
The strategy to monitor behavior is not recommendable. Take proactive measures instead: configure AppLocker or software restriction policies.

Author Comment

by:Senior IT System Engineer
ID: 41787445
McKnife,

Does this mean configuring AppLocker like in: https://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx

To prevent any script from running in the %APPDATA% folder and the %TEMP% folder on your workstation / File Server?

Accepted Solution

by:
McKnife earned 500 total points
ID: 41787452
That blogger has no deeper understanding of the matter. MS themselves did recommend not to use the default rules, for example; in fact, they strongly vote against it.

AppLocker should be used to whitelist known software; the rest, including all ransomware, will be prevented from running automatically.
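
Added example, not part of the thread or any poster's code: on the Event ID asked about in the question, process creation is recorded in the Security log as Event ID 4688 once the Audit Process Creation policy is enabled, and the Python code below scans exported event XML for vssadmin shadow-copy deletion. Assumptions: the CommandLine field is only present when the "Include command line in process creation events" policy is on, the host, user and timestamps in the sample records are constructed, and the function names are illustrative.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DELETE_SHADOWS = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)

def _sample(eid, time, image, cmd=None):
    """Build one constructed event record in the Windows event XML schema."""
    cmd_xml = "" if cmd is None else f'<Data Name="CommandLine">{cmd}</Data>'
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{time}"/><Computer>FS01.example.test</Computer></System>'
            f'<EventData><Data Name="SubjectUserName">jdoe</Data>'
            f'<Data Name="NewProcessName">{image}</Data>{cmd_xml}</EventData></Event>')

# Constructed sample data, not taken from a real host.
VSS = r"C:\Windows\System32\vssadmin.exe"
SAMPLE_EVENTS = "<Events>" + "".join([
    _sample(4688, "2016-09-07T10:00:01Z", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    _sample(4688, "2016-09-07T10:00:05Z", VSS, "vssadmin list shadows"),
    _sample(4688, "2016-09-07T10:00:09Z", VSS, "vssadmin.exe Delete Shadows /All /Quiet"),
    _sample(4688, "2016-09-07T10:00:12Z", VSS),  # command-line auditing off
]) + "</Events>"

def field(ev, name):
    """Return the text of one named <Data> element, or None if it is absent."""
    node = ev.find(f"e:EventData/e:Data[@Name='{name}']", NS)
    return None if node is None else (node.text or "")

def vssadmin_alerts(xml_text):
    """Return (time, user, verdict, command line) for suspicious 4688 records."""
    alerts = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4688":
            continue
        image = (field(ev, "NewProcessName") or "").rsplit("\\", 1)[-1].lower()
        if image != "vssadmin.exe":
            continue
        cmd = field(ev, "CommandLine")
        if not cmd:
            verdict = "vssadmin ran, command line not logged"
        elif DELETE_SHADOWS.search(cmd):
            verdict = "shadow copy deletion"
        else:
            continue  # read-only use such as "list shadows"
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        alerts.append((when, field(ev, "SubjectUserName"), verdict, cmd or ""))
    return alerts

if __name__ == "__main__":
    for alert in vssadmin_alerts(SAMPLE_EVENTS):
        print(" | ".join(alert))
```

The returned tuples can be handed to whatever notifier is in use, for example a mail sender, to cover the email part of the question.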