Sysmon - problem with file deletion

  • Question

  • In the last days I started using sysmon for tracking file deletion and creation. I made a simple configuration following steps indicated by Mark Russinovich in the Sysinternals April 2020 Update (https://youtu.be/_MUP4tgdM7s).

    I tested it and I noticed two things:

    • on one pc Win10 Pro (joined to domain) creations and deletions work pretty well, but empty file deletions are not tracked (such as empty text files)
    • while on another pc running Win10 Pro (not joined) with the same Sysmon version, file deletions are tracked only if made using powershell or cmd (and not explorer)

    Are there causes that can justify such behaviour?

    Config

    <Sysmon schemaversion="4.40">
        <HashAlgorithms>MD5,sha256</HashAlgorithms>
        <DnsLookup>False</DnsLookup>
        <ArchiveDirectory>FileDeleted</ArchiveDirectory>
        <EventFiltering>
            <RuleGroup name="FileDelete" groupRelation="or">
                <FileDelete onmatch="include">
                    <TargetFilename condition="contains">\Desktop\</TargetFilename>
                </FileDelete>
            </RuleGroup>
            <RuleGroup name="FileCreate" groupRelation="or">
                <FileCreate onmatch="include">
                    <TargetFilename condition="contains">\Desktop\</TargetFilename>
                </FileCreate>
            </RuleGroup>
            ...
        </EventFiltering>
    </Sysmon>

    where the three dots contain the deactivation of other rules (ImageLoad, DriverLoad, ProcessTerminate, ...).

    Wednesday, November 11, 2020 4:24 PM

All replies

  • Can you reproduce this problem with the latest version of sysmon (v12.0.2)?
    Thursday, November 12, 2020 12:38 AM
  • Yes, I'm already using latest version
    Friday, November 13, 2020 9:06 AM
  • If I remember correctly from the tool description, when you delete a file, sysmon creates a hash of the content in order to uniquely identify the file. I believe that in the case of a 0-length file this may fail and so the deletion cannot be tracked.

    For the other question I need to reproduce the problem with your config file. Maybe there is some filtering going on.

    Can you share the whole config file?

    Thanks

    -mario

    Sunday, November 15, 2020 8:48 AM
  • <Sysmon schemaversion="4.40">
        <HashAlgorithms>MD5,sha256</HashAlgorithms>
        <DnsLookup>False</DnsLookup>
        <ArchiveDirectory>FileDeleted</ArchiveDirectory>
        <EventFiltering>
            <RuleGroup name="FileDelete" groupRelation="or">
                <FileDelete onmatch="include">
                    <TargetFilename condition="contains">\Desktop\</TargetFilename>
                </FileDelete>
            </RuleGroup>
            <RuleGroup name="FileCreate" groupRelation="or">
                <FileCreate onmatch="include">
                    <TargetFilename condition="contains">\Desktop\</TargetFilename>
                </FileCreate>
            </RuleGroup>
            <RuleGroup name="ImageLoad" groupRelation="or">
                <ImageLoad onmatch="include" />
            </RuleGroup>
            <RuleGroup name="DriverLoad" groupRelation="or">
                <DriverLoad onmatch="include" />
            </RuleGroup>
            <RuleGroup name="ProcessTerminate" groupRelation="or">
                <ProcessTerminate onmatch="include" />
            </RuleGroup>
            <RuleGroup name="NetworkConnect" groupRelation="or">
                <NetworkConnect onmatch="include" />
            </RuleGroup>
            <RuleGroup name="FileCreateTime" groupRelation="or">
                <FileCreateTime onmatch="include" />
            </RuleGroup>
            <RuleGroup name="ProcessCreate" groupRelation="or">
                <ProcessCreate onmatch="include">
                    <Image condition="contains">notepad</Image>
                </ProcessCreate>
            </RuleGroup>
            <RuleGroup name="RawAccessRead" groupRelation="or">
                <RawAccessRead onmatch="include" />
            </RuleGroup>
            <RuleGroup name="ProcessAccess" groupRelation="or">
                <ProcessAccess onmatch="include" />
            </RuleGroup>
            <RuleGroup name="CreateRemoteThread" groupRelation="or">
                <CreateRemoteThread onmatch="include" />
            </RuleGroup>
            <RuleGroup name="RegistryEvent" groupRelation="or">
                <RegistryEvent onmatch="include" />
            </RuleGroup>
            <RuleGroup name="FileCreateStreamHash" groupRelation="or">
                <FileCreateStreamHash onmatch="include" />
            </RuleGroup>
            <RuleGroup name="PipeEvent" groupRelation="or">
                <PipeEvent onmatch="include" />
            </RuleGroup>
            <RuleGroup name="WmiEvent" groupRelation="or">
                <WmiEvent onmatch="include" />
            </RuleGroup>
            <RuleGroup name="DnsQuery" groupRelation="or">
                <DnsQuery onmatch="include" />
            </RuleGroup>
        </EventFiltering>
    </Sysmon>
    This is the config I'm using on both machines.
    Friday, November 27, 2020 1:31 PM
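As an added example (not code from the thread or from Sysmon itself), the script below reads a config shaped like the one posted above and makes its filtering explicit: an include filter with no rules can match nothing, so that event type is effectively switched off, while the FileDelete filter only records paths containing \Desktop\. SAMPLE_CONFIG is a constructed subset of the poster's config, and the case-insensitive string matching is an assumption about Sysmon's behaviour.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the poster's config: FileDelete filtered to
# the Desktop, ProcessCreate filtered to notepad, ImageLoad "deactivated".
SAMPLE_CONFIG = """<Sysmon schemaversion="4.40">
  <HashAlgorithms>MD5,sha256</HashAlgorithms>
  <ArchiveDirectory>FileDeleted</ArchiveDirectory>
  <EventFiltering>
    <RuleGroup name="FileDelete" groupRelation="or">
      <FileDelete onmatch="include">
        <TargetFilename condition="contains">\\Desktop\\</TargetFilename>
      </FileDelete>
    </RuleGroup>
    <RuleGroup name="ImageLoad" groupRelation="or">
      <ImageLoad onmatch="include" />
    </RuleGroup>
    <RuleGroup name="ProcessCreate" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Image condition="contains">notepad</Image>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

def _filters(config_xml):
    """Yield (event_tag, onmatch, groupRelation, [rule elements]) per filter."""
    for group in ET.fromstring(config_xml).iter("RuleGroup"):
        rel = group.get("groupRelation", "or")
        for ev in group:
            yield ev.tag, ev.get("onmatch", "include"), rel, list(ev)

def event_status(config_xml):
    """'disabled' for an include filter with no rules (it can match nothing),
    otherwise '<onmatch>:<rule count>'."""
    return {tag: "disabled" if mode == "include" and not rules
            else f"{mode}:{len(rules)}"
            for tag, mode, _, rules in _filters(config_xml)}

def _rule_hits(rule, fields):
    # String conditions compared case-insensitively (assumption about Sysmon).
    want, have = (rule.text or "").lower(), fields.get(rule.tag, "").lower()
    return {"is": have == want, "contains": want in have,
            "begin with": have.startswith(want),
            "end with": have.endswith(want)}[rule.get("condition", "is")]

def would_record(config_xml, event_type, fields):
    """True/False if the config filters event_type; None if it has no filter
    for it (Sysmon's built-in default for that event type then applies)."""
    for tag, mode, rel, rules in _filters(config_xml):
        if tag != event_type:
            continue
        combine = any if rel == "or" else all
        hit = combine(_rule_hits(r, fields) for r in rules)
        return hit if mode == "include" else not hit
    return None
```

Running would_record against the full posted config with a path outside \Desktop\ shows one filtering reason a deletion would not appear; a deletion that does match yet still produces no Event ID 23 points at the hashing/archiving step instead.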