DamjanHajsek-6789 asked, LimitlessTechnology-2700 answered

checking folder with audit

I have set up auditing on one folder on Win 10 because I want to check if domain admins or local admins are browsing it or doing something in that folder. If that is the case, then I get an email. The problem is that I now constantly get emails, every minute. That folder is used by the user "SYSTEM": copy.exe copies from a network share to that folder.

Now I have set up auditing for that folder as follows:

    Type     Principal                                         Access        Inherited from   Applies to
    Success  Administrators (domain\Administrators)            Read & execute  None           This folder, subfolders and files
    Success  Local account and member of Administrators group  Read & execute  None           This folder, subfolders and files

I have set up a Basic Event task in Task Scheduler:

    Trigger:  When an event is logged: Security
    Action:   Microsoft Windows security auditing
    Finish:   4656

So when event 4656 is logged, Task Scheduler starts to send me an email.

But nobody is browsing or doing anything in that folder except SYSTEM and copy.exe, which copies files from and to a subfolder of that folder.

What did I do wrong? I only want the action (sending mails) to start when any domain administrator or local administrator browses, reads or changes that folder or its subfolders and files.

windows-server
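The following is an added example, not code from the question or the answer. It shows the two places where a Basic Event task on ID 4656 can be narrowed: the trigger itself (a bare 4656 trigger fires for every audited handle open on the host, from any principal and for any object, not just this folder's SACL) and the action script (Windows event XPath supports only a subset of XPath 1.0, with no contains() or starts-with(), so the folder path is matched in the script rather than in the trigger). The folder C:\Audited, the script path C:\Scripts\Send-AdminFolderAlert.ps1, the task name and the SMTP server and addresses are all assumed placeholders; 4656 carries SubjectUserName, SubjectDomainName, ObjectName, ProcessName and AccessMask, which is what the script reads. Group membership is not in the event, so restricting which principals are audited remains the job of the SACL, as in the question. Run it from an elevated session, since reading the Security log requires it.

```powershell
# Added example (not from the original question or answer).
# Assumptions (placeholders): audited folder C:\Audited, action script written to
# C:\Scripts\Send-AdminFolderAlert.ps1, SMTP server and addresses below to be replaced.

$AuditedFolder = 'C:\Audited'                           # assumption: folder carrying the SACL
$ScriptPath    = 'C:\Scripts\Send-AdminFolderAlert.ps1' # assumption: where the action script lives
$TaskName      = 'Alert-AdminFolderAccess'              # assumption: task name

# 1. Trigger filter: keep 4656 only, and drop the SYSTEM subject at the trigger itself.
#    (No contains()/starts-with() in Windows event XPath, so the path check is in step 3.)
$Subscription = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4656)]]
      and *[EventData[Data[@Name='SubjectUserName']!='SYSTEM']]
    </Select>
  </Query>
</QueryList>
"@

# 2. Dry run: see how many recent events this filter still matches before wiring it up.
$recent = Get-WinEvent -FilterXml ([xml]$Subscription) -MaxEvents 20 -ErrorAction SilentlyContinue
"Trigger filter matches $(@($recent).Count) recent 4656 events (checked up to 20)."

# 3. Action script: re-read recent 4656 events, keep non-SYSTEM subjects whose
#    ObjectName is under the audited folder, and mail only when there is a hit.
$ActionScript = @'
param(
    [string]$Folder = 'C:\Audited',   # assumption: same folder as the SACL
    [int]$LookbackMinutes = 2         # the trigger fires per event; a short lookback batches them
)
$since  = (Get-Date).AddMinutes(-$LookbackMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Flatten the <Data Name="..."> elements of EventData into a hashtable
    $d = @{}
    foreach ($node in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

    # Keep only non-SYSTEM subjects touching the audited folder tree
    if ($d.SubjectUserName -ne 'SYSTEM' -and $d.ObjectName -like "$Folder*") {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object     = $d.ObjectName
            Process    = $d.ProcessName
            AccessMask = $d.AccessMask
        }
    }
}

if ($hits) {
    $body = $hits | Sort-Object Time | Format-List | Out-String
    # Placeholders: replace the SMTP server and addresses with real values
    Send-MailMessage -SmtpServer 'smtp.example.invalid' -From 'audit@example.invalid' `
        -To 'admin@example.invalid' -Subject "Admin access to $Folder" -Body $body
}
'@
New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
Set-Content -Path $ScriptPath -Value $ActionScript -Encoding UTF8

# 4. Register the task with a custom event trigger (MSFT_TaskEventTrigger carries the
#    XML subscription; New-ScheduledTaskTrigger has no parameter for event triggers).
$cimClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger  = New-CimInstance -CimClass $cimClass -ClientOnly
$trigger.Enabled      = $true
$trigger.Subscription = $Subscription

$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`" -Folder `"$AuditedFolder`""
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action -Principal $principal -Force | Out-Null
"Registered task '$TaskName' with a filtered 4656 trigger."
```

The dry run in step 2 is the useful check: if it still reports many matches while nobody but SYSTEM touches the folder, other objects on the host are producing 4656 (anything else with a SACL, or a broader Object Access policy), and the path match in the action script is what stops those from turning into mail.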

1 Answer

LimitlessTechnology-2700 answered

Hello @DamjanHajsek-6789,

I don't find anything unusual in your settings, and your approach is correct to filter out SYSTEM and select groups or users. Verify here: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder

Could it be that in fact there is no Administrator or local user operating in that folder? Have you tried auditing a newly created local user, adding it to the audit folder settings, forcing the operation (access, read, modify) and checking the events again?

Best regards,
