I use Change Auditor v6.9.2.
Regarding common attacks on Active Directory(AD), I would like to know when a Shadow Copy(SC) is created/deleted on my Domain Controller(DC).A backup, exploiting SC, is realize every days on my DC so I can check results of my configuration every days.
Actually I use "Exclude Account" modules to Auditing my DC as you can see below :
I activated "Shadow Copy Created/Deleted/Rolled Back" in "Auditing/Audit Events" menu :
This configuration give me alerts on SC Deleted but never on SC Created.
I tried to add the File System auditing module but it didn't works better and SC Deleted events disappeared when File System module is activate.
Do you know how to properly auditing SC Activity ?Did I miss an option or misunderstanding something about SC ?
Thanks for your help.