Section 5.5: Defensive Countermeasures Flashcards

1
Q

How can I increase the space to store more snapshots?

A

Use the vssadmin.exe tool to resize the amount of space allocated to snapshots.

2
Q

What can I do to create more snapshots?

A

Use scheduled tasks to create them. Weekly would be preferred.

3
Q

Which executables should be monitored for suspicious activity? Why are they important?

A

fsutil, vssadmin, wmic shadowcopy, and win32_shadowcopy. These tools can be used to change the size of the USN journal or VSS shadow copies, as well as to delete them.

4
Q

How can I resize the USN journal? What is a good size for a Windows server?

A

Use "fsutil usn queryjournal <volume>". A good size would be around 256 MB. That can last about a week.

5
Q

What is the best way to maintain visibility?

A

Log everything and forward it to a secure server. It is also important to set up a heartbeat monitor that checks for the absence of forwarded events within a given timeframe.
