
SPLUNK PILL 101-#AA00-Possible ransomware

source="WinEventLog:Security" AND EventCode="4688" AND CommandLine="wmic shadowcopy delete" AND ParentProcessName="C:\\Windows\\System32\\cmd.exe"

Short prescription

An old but not obsolete way to detect an attempt to delete volume shadow copies. The search depends on two prerequisites: process creation auditing (Event ID 4688) and command line logging in that event, both described below.

Enable Command Line Auditing

Go to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking, open the Audit Process Creation setting, then check the Configure the following audit events and Success checkboxes.

Command line process creation

Go to Computer Configuration > Administrative Templates > System > Audit Process Creation, open the Include command line in process creation event setting, then select the Enabled radio button.

Restart the OS.
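An added example (not part of the original post) that applies the same logic as the Splunk search above to a handful of constructed 4688 events in Python. It assumes the field names the search uses (EventCode, CommandLine, ParentProcessName) and shows what an exact-match CommandLine filter would miss (case, extra spaces, wmic.exe) and what the cmd.exe parent filter excludes.

```python
import re

# Constructed sample events (not real captures), already split into the
# field names the search above relies on.
SAMPLE_EVENTS = [
    {"EventCode": "4688", "CommandLine": "wmic shadowcopy delete",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    # Same intent, different spelling: extra spaces, upper case, .exe suffix.
    {"EventCode": "4688", "CommandLine": "WMIC.exe  shadowcopy  delete /nointeractive",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    # Benign enumeration, must not fire.
    {"EventCode": "4688", "CommandLine": "wmic shadowcopy list brief",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    # Deletion launched from PowerShell: excluded by the cmd.exe parent filter.
    {"EventCode": "4688", "CommandLine": "wmic shadowcopy delete",
     "ParentProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Unrelated event code.
    {"EventCode": "4624", "CommandLine": "", "ParentProcessName": ""},
]

# Optional path and quotes, "wmic" or "wmic.exe", then "shadowcopy delete".
SHADOW_DELETE = re.compile(
    r'^"?(?:\S*[\\/])?wmic(?:\.exe)?"?\s+shadowcopy\s+delete\b', re.IGNORECASE)
CMD_PARENT = re.compile(r"\\cmd\.exe$", re.IGNORECASE)


def is_shadowcopy_delete(event, require_cmd_parent=True):
    """Python equivalent of the search: 4688 + wmic shadowcopy delete
    (+ cmd.exe as creator process when require_cmd_parent is True)."""
    if event.get("EventCode") != "4688":
        return False
    # Collapse repeated spaces/tabs so spacing variations still match.
    cmdline = " ".join(event.get("CommandLine", "").split())
    if not SHADOW_DELETE.search(cmdline):
        return False
    if require_cmd_parent and not CMD_PARENT.search(event.get("ParentProcessName", "")):
        return False
    return True


def find_hits(events, require_cmd_parent=True):
    """Return the command lines of all events that satisfy the detection."""
    return [e["CommandLine"] for e in events
            if is_shadowcopy_delete(e, require_cmd_parent)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("HIT:", hit)
```

In Splunk the same tolerance comes from wildcards, e.g. CommandLine="*wmic*shadowcopy*delete*"; dropping the ParentProcessName clause catches deletions launched from shells other than cmd.exe at the cost of more noise.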

