In the blog article Defeating Ransomware with EventSentry & Auditing, you showed how to identify a potential user that represents unfavorable characteristics, which allows you to disable their user account.
Is there a way to also use the same event 4663 to extract their workstation, in turn kicking off a process to remotely shut down their computer? I know the command: shutdown /s /m \\ComputerName /force
Concept is this:
User commits too many changes within a specified timeframe; EventSentry identifies too many 4663 events. EventSentry disables that domain user account and forces a shutdown of that user's computer. This should halt the ransomware on the computer, and if the user powers on the computer, their account is disabled so they cannot log back in.
We have other methods in place, such as FSRM, etc., but would love to add this to our toolbelt.
Thank you in advance.
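An added example, not from the post above and not EventSentry's own code, showing the correlation step the question turns on: a 4663 event records the logon session (SubjectLogonId) but not the client machine, so the workstation has to be recovered from the 4624 logon event that carries the same logon ID. The threshold, window and the report-only output are assumptions; it is meant to run on the file server whose Security log holds the 4663 events.

```powershell
# Added example: count 4663 (object access) events per logon session on this
# file server and resolve each heavy session to its source workstation via the
# matching 4624 logon. Report-only; hooking the containment commands into an
# EventSentry action (or running them by hand) is left to the operator.
param(
    [int]$Threshold     = 200,   # assumed: 4663 events per session before flagging
    [int]$WindowMinutes = 5      # assumed: look-back window
)

function Get-EventDataMap([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
    $map = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

$since  = (Get-Date).AddMinutes(-$WindowMinutes)
$access = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $m = Get-EventDataMap $_
        [pscustomobject]@{ User = $m['SubjectUserName']; Domain = $m['SubjectDomainName']; LogonId = $m['SubjectLogonId'] }
    }

# Group by logon session, not just by user name, so two sessions of one account
# (for example a mapped drive and an interactive logon) are judged separately.
$suspects = $access | Group-Object LogonId | Where-Object { $_.Count -ge $Threshold }

foreach ($s in $suspects) {
    $first = $s.Group[0]
    # 4624 for the same session: TargetLogonId matches the 4663 SubjectLogonId.
    # Network (type 3) logons from SMB clients carry WorkstationName and IpAddress;
    # WorkstationName can be empty for some Kerberos logons, so fall back to the IP.
    $xpath = "*[System[EventID=4624] and EventData[Data[@Name='TargetLogonId']='$($first.LogonId)']]"
    $logon = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 1 -ErrorAction SilentlyContinue
    $ws = $null; $ip = $null
    if ($logon) { $lm = Get-EventDataMap $logon; $ws = $lm['WorkstationName']; $ip = $lm['IpAddress'] }
    $target = if ($ws) { $ws } else { $ip }

    [pscustomobject]@{
        User        = "$($first.Domain)\$($first.User)"
        Events4663  = $s.Count
        LogonId     = $first.LogonId
        Workstation = $ws
        IpAddress   = $ip
        # Containment commands as text only; /f is shutdown.exe's force switch.
        DisableCmd  = "Disable-ADAccount -Identity '$($first.User)'"
        ShutdownCmd = if ($target) { "shutdown /s /m \\$target /f /t 0" } else { '<no source workstation in 4624>' }
    }
}
```

If the 4624 lookup returns nothing, the session may have been established before the current Security log window; forwarding both 4624 and 4663 to the same collector (or widening log retention) keeps the correlation possible.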