• hunter

SPLUNK PILL 101-#AA00-Possible ransomware

source="WinEventLog:Security" AND CommandLine="wmic shadowcopy delete" AND EventCode="4688" AND ParentProcessName="C:\\Windows\\System32\\cmd.exe"

Short prescription

An old but not obsolete way to detect an attempt to delete shadow copies: the search above alerts on a Security event 4688 (process creation) whose recorded command line is "wmic shadowcopy delete" and whose parent process is cmd.exe. The CommandLine field is only present once command line auditing is enabled, so the two policy settings below are prerequisites.

Enable Command Line Auditing

Go to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking, open the Audit Process Creation setting, then tick the Configure the following audit events and Success checkboxes.

Command line process creation

Go to Computer Configuration > Administrative Templates > System > Audit Process Creation, open the Include command line in process creation event setting, then select the Enabled radio button.

Restart the OS.
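As an added example, not part of the original post: the same detection logic in Python, run over a few constructed 4688 events (field names EventCode, CommandLine and ParentProcessName as in the search above; the event dictionaries are made up for illustration). It shows the exact-match rule from the search next to a tolerant variant, and why an event that carries no CommandLine field, which is what you get before command line auditing is enabled, can never match.

```python
import re
from typing import Callable, Dict, List

# Constructed sample Security-log events, already split into fields the way a
# forwarder would present them. Not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventCode": "4688", "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic shadowcopy delete"},                  # exact match
    {"EventCode": "4688", "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "WMIC.exe  SHADOWCOPY   DELETE"},           # case/spacing differ
    {"EventCode": "4688", "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    # ^ no CommandLine field: command line auditing not enabled on this host
    {"EventCode": "4688", "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic shadowcopy list brief"},              # benign enumeration
    {"EventCode": "4689", "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic shadowcopy delete"},                  # process exit, not creation
]

PARENT = r"C:\Windows\System32\cmd.exe"


def exact_rule(ev: Dict[str, str]) -> bool:
    """Literal translation of the Splunk search: exact CommandLine match."""
    return (ev.get("EventCode") == "4688"
            and ev.get("CommandLine") == "wmic shadowcopy delete"
            and ev.get("ParentProcessName") == PARENT)


# Tolerates the .exe suffix, mixed case and repeated whitespace.
SHADOW_DELETE = re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE)


def normalized_rule(ev: Dict[str, str]) -> bool:
    """Same intent as exact_rule, but robust to cosmetic variation."""
    cmd = ev.get("CommandLine")
    if ev.get("EventCode") != "4688" or cmd is None:
        return False  # missing CommandLine means nothing to inspect
    if ev.get("ParentProcessName", "").lower() != PARENT.lower():
        return False
    return SHADOW_DELETE.search(cmd) is not None


def run(rule: Callable[[Dict[str, str]], bool], events: List[Dict[str, str]]) -> List[int]:
    """Return the indexes of the events the rule flags."""
    return [i for i, ev in enumerate(events) if rule(ev)]


if __name__ == "__main__":
    print("exact:", run(exact_rule, SAMPLE_EVENTS))            # [0]
    print("normalized:", run(normalized_rule, SAMPLE_EVENTS))  # [0, 1]
```

Event 2 is missed by both rules, which is the gap the audit policy steps above close.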
