Author: hunter

SPLUNK PILL 101-#AA00-Possible ransomware




source="WinEventLog:Security" AND CommandLine="wmic shadowcopy delete" AND EventCode="4688" AND ParentProcessName="C:\\Windows\\System32\\cmd.exe"


Short prescription


An old but not obsolete way to detect an attempt to remove volume shadow copies: event 4688 (process creation) with command-line logging enabled records the full command line, so the search above matches a "wmic shadowcopy delete" launched from cmd.exe.


Enable command line auditing


Go to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking, open the Audit Process Creation setting, then check the Configure the following audit events and Success checkboxes.



Command line in process creation events


Go to Computer Configuration > Administrative Templates > System > Audit Process Creation, open the Include command line in process creation events setting, then select the Enabled radio button.


Restart the OS so the policy takes effect.
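The three steps above, done from an elevated PowerShell on a single host instead of the Group Policy editor, plus a check that both settings are active and a local search for the same 4688 events the Splunk query looks for. This is an added example, not code from the original post. It assumes Windows 10 / Server 2016 or later, that no domain GPO overrides the local audit settings (a domain policy wins over local ones), and English auditpol output; the function names are my own. The local search uses a wildcard-style match rather than the exact value in the Splunk query, because a Splunk search of the form CommandLine="wmic shadowcopy delete" only matches a command line that is exactly that string; a variant such as wmic.exe shadowcopy delete /nointeractive needs CommandLine="*wmic*shadowcopy*delete*". It also reports the parent process instead of filtering on cmd.exe so that launches from other parents are still visible.

```powershell
# Added example (not from the original post): local equivalent of the GPO steps,
# a verification check, and a local search for 4688 events. Assumes an elevated
# PowerShell on Windows 10 / Server 2016+ and English auditpol output.

$AuditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'

function Enable-ProcessCreationAuditing {
    # Step 1: Detailed Tracking > Audit Process Creation (Success) -> event 4688.
    auditpol.exe /set /subcategory:"Process Creation" /success:enable | Out-Null

    # Step 2: "Include command line in process creation events" (documented registry value).
    if (-not (Test-Path $AuditKey)) { New-Item -Path $AuditKey -Force | Out-Null }
    New-ItemProperty -Path $AuditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    # Step 3 (restart) is left to the operator.
}

function Test-ProcessCreationAuditing {
    # Reports whether 4688 success auditing and command-line logging are both on.
    # auditpol /r prints CSV; 'Inclusion Setting' contains "Success" when enabled.
    $policy = auditpol.exe /get /subcategory:"Process Creation" /r |
        Where-Object { $_ } | ConvertFrom-Csv
    $auditOn = $policy.'Inclusion Setting' -match 'Success'
    $cmdLineOn = (Get-ItemProperty -Path $AuditKey -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled -eq 1
    [pscustomobject]@{
        ProcessCreationAudit = [bool]$auditOn
        CommandLineLogged    = [bool]$cmdLineOn
    }
}

function Find-ShadowCopyDeletion {
    param([int]$MaxEvents = 5000)
    # Local counterpart of the Splunk search: 4688 events whose command line runs
    # "wmic ... shadowcopy ... delete". Fields are read from the event XML by name,
    # so the code does not depend on the position of CommandLine in the event.
    $filter = @{ LogName = 'Security'; Id = 4688 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data |
                ForEach-Object { $data[$_.Name] = $_.'#text' }
            if ($data['CommandLine'] -match '(?i)wmic.*shadowcopy.*delete') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    User        = $data['SubjectUserName']
                    Parent      = $data['ParentProcessName']   # cmd.exe in the Splunk query
                    CommandLine = $data['CommandLine']
                }
            }
        }
}

# Usage (elevated): enable, verify after the reboot, then hunt.
# Enable-ProcessCreationAuditing
# Test-ProcessCreationAuditing
# Find-ShadowCopyDeletion | Format-Table -AutoSize
```

Test-ProcessCreationAuditing is the check to run after the restart: if CommandLineLogged is false, the 4688 events exist but their command line field is empty, and the Splunk query can never match.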


