Question about: Defeating Ransomware with EventSentry & Auditing

In the blog article Defeating Ransomware with EventSentry & Auditing, you showed how to identify a potential user that exhibits unfavorable characteristics and how to disable their user account.

Is there a way to also use the same event 4663 to extract their workstation, in turn kicking off a process to remotely shut down their computer? I know the command: shutdown /s /m \\ComputerName /force

Concept is this:
User commits too many changes within a specified timeframe; EventSentry identifies too many 4663 events. EventSentry disables that domain user account and forces a shutdown of that user's computer. This should halt the ransomware on the computer, and if the user powers on the computer, their account is disabled so they cannot log back in.

We have other methods in place, such as FSRM, etc., but would love to add this to our toolbelt.

Thank you in advance.

Comments

  • Since the 4663 event only contains the name of the user who accessed the file, the 4663 event itself is unfortunately insufficient for determining from which computer the user logged on.

    You can get this information from the EventSentry Web Reports if you are also monitoring the workstations with EventSentry and utilize the Console Logon Tracking feature. Having to monitor the workstation is mostly due to how Windows logs events.

    Since the EventSentry Web Reports offer a JSON (and other) API, you can simply execute a pre-defined query where you pass the username, and the JSON response will contain the host name from which the user logged on in the "computer" field.

    For example, the following URL will show you from which computer DEMO\bsmith is logged on:

    http://demo.eventsentry.com/logons/json?search.group=&search.order=&search.limit=25&search.type=detailed&search.sort=desc&search.dateRange=Last+24+hours&search.query=+user:DEMO\bsmith+&search.page=1

    The string DEMO\bsmith was escaped to %3ADEMO%5Cbsmith

    The response looks like this:

    {
      "results" : [
        {
          "logonType": "Console Cached",
          "user": "DEMO\\bsmith",
          "login": "2016-08-16 12:59:26",
          "port": "0",
          "type": "WKS",
          "duration": "2h 26m 32s",
          "remoteIP": "127.0.0.1",
          "computer": "DESKTOP01",
          "logout": "null",
          "logonID": "0x16ef0",
          "admin": "0",
          "group": "Workstations"
        }
      ]
    }

    In this case the user logged on from DESKTOP01. You may need to specify a different user, as our live demo changes these parameters regularly.

    So you would need to write a script which is triggered by a threshold event and basically extracts the username from the JSON response. You can then pass this host name to the shutdown command.

    We're actually planning on posting another follow-up blog post with the script source code in August or early September.

    I hope this makes sense, let me know if you have any questions please.
  • Charles,

    We published a blog post which outlines exactly how to remotely shut down a workstation after an infection has been suspected:

    http://www.eventsentry.com/blog/2016/09/defeating-ransomware-with-eventsentry-remediation.html
  • edited September 2016
    Hi Charles,
    I've followed the instructions at http://www.eventsentry.com/blog/2016/09/defeating-ransomware-with-eventsentry-remediation.html

    The script works when started from the command line, but fails when started from an "Action" of the EventSentry agent on the server, while logging SUCCESS in the event log.
    The shutdown wasn't executed on the remote host.

    ---------------------------------------------------------
    Most recent activity from user "xxx" was from host "\\x.x.x.x"
    Issued shutdown command to remote host.
    ---------------------------------------------------------
    Please help.
  • Thorsten,

    I suspect that it's not working because of permission issues. Could you please try to (at least temporarily) change the account the EventSentry service is running under to an account which has administrative privileges on the remote host you intend to shut down? An account which is part of the Domain Admins group would be best for this test. Then, please restart the EventSentry service and see if that works correctly. We can then go from there.

    Thank you.