Section 5.5: Defensive Countermeasures Flashcards
How can I increase the space to store more snapshots?
Use the vssadmin.exe tool and resize the amount of space.
What can I do to create more snapshots?
Use scheduled tasks to make more. Weekly would be preferred.
Which executables should be monitored for suspicious activity? Why are they important?
fsutil, vssadmin, wmic shadowcopy, & win32_shadowcopy. These tools can be used to change the size of journals or VSS files as well as delete them.
How can I resize the USNJournal? What is a good size for a Windows server?
Use "fsutil usn queryjournal <volume>". A good size would be around 256 MB. That can last about a week.
Best way to maintain visibility?
Log everything and forward it to a secure server. It is also important to set up a heartbeat monitor to check for the absence of forwarded events within a certain timeframe.