
Short prescription
An old but not obsolete way to spot someone deleting Volume Shadow Copies (MITRE ATT&CK T1490, Inhibit System Recovery, a common ransomware step before encryption) is to alert on process-creation events whose command line carries the wmic shadowcopy delete command:

source="WinEventLog:Security" AND EventCode="4688" AND CommandLine="*wmic*shadowcopy*delete*" AND ParentProcessName="C:\\Windows\\System32\\cmd.exe"

The wildcards also catch wmic.exe and extra switches such as /nointeractive, which an exact match on "wmic shadowcopy delete" would miss. The ParentProcessName clause limits hits to instances launched from cmd.exe; drop it to cast a wider net, since a ransomware binary can spawn wmic directly. None of this works unless the 4688 event actually contains the command line, which needs the two settings below.
Enable process creation auditing
In gpedit.msc (or the domain GPO editor) go to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking, open Audit Process Creation, then tick Configure the following audit events and Success. This makes Windows write Event ID 4688 to the Security log for every new process.

Include the command line in process creation events
Go to Computer Configuration > Administrative Templates > System > Audit Process Creation, open Include command line in process creation events and select Enabled. Without this, 4688 records the process name but the Process Command Line field is empty. Note that from now on anything typed on a command line, passwords included, lands in the Security log, so restrict who can read it.
Apply the policy with gpupdate /force (a restart also works) and confirm that fresh 4688 events in the Security log show the Process Command Line field populated.
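The same two settings and the same hunt, as an added PowerShell example (not part of the original post): the first function applies the policy on a single machine with auditpol and the registry value that the Administrative Template sets; the second reads 4688 events from the Security log and matches the command line. It goes a little beyond the post by also matching the vssadmin delete shadows form. Assumptions: an elevated PowerShell session, no domain GPO that will overwrite the local policy at the next refresh, and Windows 10 / Server 2016 or later so that 4688 carries ParentProcessName (older builds leave that column empty).

```powershell
# Added example, not from the original post. Run elevated.

function Enable-CommandLineAuditing {
    # Step 1: Detailed Tracking > Audit Process Creation, Success only.
    auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:disable | Out-Null

    # Step 2: Administrative Templates > System > Audit Process Creation >
    # "Include command line in process creation events" sets this registry value.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

    # Show the effective state so the change can be verified.
    auditpol.exe /get /subcategory:"Process Creation"
    Get-ItemProperty -Path $key -Name 'ProcessCreationIncludeCmdLine_Enabled' |
        Select-Object ProcessCreationIncludeCmdLine_Enabled
}

function Find-ShadowCopyDeletion {
    param([int]$Hours = 24)

    # Regexes instead of an exact string: tolerate wmic.exe, odd spacing and
    # trailing switches such as /nointeractive or /quiet. -match ignores case.
    $patterns = @(
        'wmic(\.exe)?\s+shadowcopy\s+delete',
        'vssadmin(\.exe)?\s+delete\s+shadows'
    )

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # 4688 fields live in EventData/Data elements keyed by their Name attribute.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $cmd = $data['CommandLine']
        if ($cmd -and ($patterns | Where-Object { $cmd -match $_ })) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Process = $data['NewProcessName']
                Parent  = $data['ParentProcessName']   # empty before Windows 10 / Server 2016
                Command = $cmd
            }
        }
    }
}

# Usage:
# Enable-CommandLineAuditing
# Find-ShadowCopyDeletion -Hours 72 | Format-Table -AutoSize
```

The hunt only sees deletions that go through a command line. Shadow copies can also be removed through the WMI API itself (for example a script or compiled binary calling the Win32_ShadowCopy class directly), which produces no "wmic" or "vssadmin" string to match, so treat this as one signal among several rather than complete coverage.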
