
Detect ransomware and virus attacks

In a Microsoft environment, monitoring the elements below precisely with Monitorpack lets you detect the early signs of a ransomware attack and react quickly to limit the damage.

Your alerts from the Guard console


Here is a non-exhaustive table of elements that allow the detection of a ransomware attack. You can use some or all of these elements to raise alarms indicating abnormal behavior, so that you are alerted early and can move forward with your investigation.

Information alerts

Action | Script name | Description | How | What

Performance counters
# | Performance counters | Instance | Rule | Value
1 | LogicalDisk(*)\% Free Space | Each disk | < 20
2 | Process(*)\IO Write Bytes/sec | Each disk | > I/O spike

Windows processes
# | Windows processes | Process name | When | Condition
1 | WMI Service | WmiPrvSE | Stopped | True

Windows services
# | Windows services | Service name | When | Condition
1 | Firewall Windows Defender | mpssvc | Stopped | True
2 | Antivirus service Microsoft Defender | WinDefend | Stopped | True
3 | Windows Backup | SDRSVC | Stopped | True
4 | Microsoft Defender Basic Service | MDCoreSvc | Stopped | True
5 | Volume Shadow Copy | Volume Shadow Copy | Stopped | True

Windows sockets
# | Windows Socket | Socket name | Port | Value

Windows shares
# | Windows shares | Share name | Share | Value

Windows printers
# | Windows printers | Printer name | Port | Status

Windows event logs
# | Description | Source | Log Name | Event | Level
1 | Connection Failure | Microsoft-Windows-Security-Auditing | Security | 4625 | FailureAudit
2 | Account creation | Microsoft-Windows-Security-Auditing | Security | 4720 | SuccessAudit
3 | Password change | Microsoft-Windows-Security-Auditing | Security | 4723 | SuccessAudit
4 | Password reset | Microsoft-Windows-Security-Auditing | Security | 4724 | SuccessAudit
5 | Windows service installation | Service Control Manager | System | 7045 | Information
6 | New User in Domain Admin | Microsoft-Windows-Security-Auditing | Security | 4728 | Information
7 | New Process creation | Microsoft-Windows-Security-Auditing | Security | 4688 | Information
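The same rules as a stand-alone local check, written here as an added example (not Monitorpack's own code or the Guard console's rule format). It assumes an elevated PowerShell session on the monitored host; the 15-minute look-back window and the 20% free-space threshold are constructed values taken from the table.

```powershell
# Added example: evaluate the table's rules locally and list what would raise an alarm.
param([int]$LookBackMinutes = 15, [int]$FreeSpaceThresholdPct = 20)

$alerts = [System.Collections.Generic.List[string]]::new()

# 1. Performance counter: % free space on each fixed logical disk (rule: < 20)
Get-CimInstance Win32_LogicalDisk -Filter "DriveType=3" | ForEach-Object {
    if ($_.Size -gt 0) {
        $pct = [math]::Round(100 * $_.FreeSpace / $_.Size, 1)
        if ($pct -lt $FreeSpaceThresholdPct) { $alerts.Add("Disk $($_.DeviceID): $pct% free < $FreeSpaceThresholdPct%") }
    }
}

# 2. Process: WmiPrvSE (WMI Service) must be running (rule: Stopped -> True)
if (-not (Get-Process -Name WmiPrvSE -ErrorAction SilentlyContinue)) { $alerts.Add("Process WmiPrvSE is not running") }

# 3. Services from the table, by service name; Volume Shadow Copy is looked up by display name
$services = @{ mpssvc = 'Firewall Windows Defender'; WinDefend = 'Antivirus service Microsoft Defender';
               SDRSVC = 'Windows Backup';            MDCoreSvc = 'Microsoft Defender Basic Service' }
foreach ($name in $services.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $state = if ($svc) { $svc.Status } else { 'missing' }
    if ($state -ne 'Running') { $alerts.Add("Service $($services[$name]) ($name) is $state") }
}
$vss = Get-Service -DisplayName 'Volume Shadow Copy' -ErrorAction SilentlyContinue
if ($vss -and $vss.Status -ne 'Running') { $alerts.Add("Service Volume Shadow Copy is $($vss.Status)") }

# 4. Event IDs from the table, counted within the look-back window
$since = (Get-Date).AddMinutes(-$LookBackMinutes)
$watch = @(
    @{ LogName = 'Security'; Id = 4625; Label = 'Connection Failure' },
    @{ LogName = 'Security'; Id = 4720; Label = 'Account creation' },
    @{ LogName = 'Security'; Id = 4723; Label = 'Password change' },
    @{ LogName = 'Security'; Id = 4724; Label = 'Password reset' },
    @{ LogName = 'System';   Id = 7045; Label = 'Windows service installation' },
    @{ LogName = 'Security'; Id = 4728; Label = 'New User in Domain Admin' },
    @{ LogName = 'Security'; Id = 4688; Label = 'New Process creation' }
)
foreach ($w in $watch) {
    # Get-WinEvent reports "no events found" as an error; silence it and treat as zero hits
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = $w.LogName; Id = $w.Id; StartTime = $since } -ErrorAction SilentlyContinue)
    if ($events.Count -gt 0) { $alerts.Add("$($w.Label): $($events.Count) x event $($w.Id) in $($w.LogName) log since $since") }
}

if ($alerts.Count -eq 0) { "No abnormal behavior detected in the last $LookBackMinutes minutes" } else { $alerts }
```

Event 4688 is only written when process-creation auditing is enabled, and Volume Shadow Copy is a demand-start service that normally sits in the Stopped state, so baseline those two rules before treating their alarms as signs of an attack.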