• hunter

SPLUNK PILL 101-#AA00-Possible ransomware




source="WinEventLog:Security" AND CommandLine="wmic shadowcopy delete" AND EventCode="4688" AND ParentProcessName="C:\\Windows\\System32\\cmd.exe"


Short prescription


An old but not obsolete way to detect someone trying to remove shadow copies.


Enable Command Line Auditing


Go to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking and open the Audit Process Creation setting, then check the "Configure the following audit events" and "Success" checkboxes.



Command line process creation


Go to Computer Configuration > Administrative Templates > System > Audit Process Creation, click the "Include command line in process creation events" setting, then select the Enabled radio button.


Restart OS
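The same four conditions as the query above, applied in Python to constructed 4688 records. This is an added example, not part of the original post; it goes slightly beyond the exact string by tolerating case, spacing and a full path to wmic, and it flags 4688 events whose command line is empty, which is what you see when the auditing steps above have not been applied. Function names and sample events are assumptions made for illustration.

```python
import re

PARENT = r"c:\windows\system32\cmd.exe"
# wmic, optionally as a (quoted) full path with .exe, followed by "shadowcopy delete"
CMD_RE = re.compile(r'(^|[\\/\s"])wmic(\.exe)?"?\s+shadowcopy\s+delete\b', re.IGNORECASE)

def is_shadowcopy_delete(event):
    """Apply the query's four conditions to one event dict."""
    if event.get("source") != "WinEventLog:Security":
        return False
    if str(event.get("EventCode")) != "4688":
        return False
    if (event.get("ParentProcessName") or "").lower() != PARENT:
        return False
    return bool(CMD_RE.search(event.get("CommandLine") or ""))

def missing_command_line(event):
    """A 4688 event with no command line: the detection is blind on this host."""
    return str(event.get("EventCode")) == "4688" and not (event.get("CommandLine") or "").strip()

def triage(events):
    """Return (matching events, 4688 events lacking a command line)."""
    hits = [e for e in events if is_shadowcopy_delete(e)]
    blind = [e for e in events if missing_command_line(e)]
    return hits, blind

def _ev(code, cmdline):
    # Helper that builds a constructed event with the field names used in the query.
    return {"source": "WinEventLog:Security", "EventCode": code,
            "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
            "CommandLine": cmdline}

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    _ev("4688", "wmic shadowcopy delete"),
    _ev("4688", "C:\\Windows\\System32\\wbem\\WMIC.exe  ShadowCopy   Delete"),
    _ev("4688", "wmic shadowcopy list brief"),   # read-only query, must not alert
    _ev("4688", ""),                             # command-line auditing not enabled
    _ev("4624", "wmic shadowcopy delete"),       # wrong event code
]

if __name__ == "__main__":
    hits, blind = triage(SAMPLE_EVENTS)
    for e in hits:
        print("ALERT possible ransomware:", e["CommandLine"])
    print("4688 events without a command line:", len(blind))
```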


