
holollollol-8511 asked (later edited):

[sysmon] Can I log all deleted files through Sysmon?

Hi

I'm trying to log all deleted files through Sysmon.

I used this Sysmon config XML and the latest sysmon.exe:

    <Sysmon schemaversion="4.70">
      <DnsLookup>False</DnsLookup>
      <EventFiltering>
        <FileDeleteDetected onmatch="exclude">
        </FileDeleteDetected>
      </EventFiltering>
    </Sysmon>



I think that if any file is deleted, event ID 26 is logged and includes the deleted file.

But event ID 26 is not logged after deleting any directory or file.

Only the following two are logged repeatedly.
[attached screenshot 26.png: the two Event ID 26 entries that repeat]



I don't want this target file name.

How can I log all deleted files through Sysmon?

Tags: windows-server, windows-server-2019, windows-server-2016, windows-server-2012, windows-sysinternals-sysmon

57394135 answered (later edited):

Hi!

Event 26 needs a config to start logging (default = none).

Try this as an include rule:

    <RuleGroup name="Evt_26_inc" groupRelation="or">
      <FileDeleteDetected onmatch="include">
        <TargetFilename condition="contains">\</TargetFilename>
      </FileDeleteDetected>
    </RuleGroup>

You will need to exclude whatever you do not want to see.

e.g.

    <RuleGroup name="Evt_26_exc" groupRelation="or">
      <FileDeleteDetected onmatch="exclude">
        <!-- both fragments must be present in the path ("contains all", ';' separated) -->
        <Rule groupRelation="and">
          <Image condition="begin with">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Image>
          <TargetFilename condition="contains all">C:\Users\;\AppData\Local\Temp\__PSScriptPolicyTest</TargetFilename>
        </Rule>
      </FileDeleteDetected>
    </RuleGroup>

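To check which deletions the rules above actually produce, the following PowerShell script is an added example (not code from the thread or from Sysinternals). It writes a complete config built around the answer's include/exclude rule groups, and then reads back the latest Event ID 26 records from the Sysmon operational log, showing the RuleName that matched and the TargetFilename that was deleted. The file paths, rule-group names and the noise exclusion for PowerShell's script-policy test files are assumptions for illustration; the install/update commands are left as comments because they change the running Sysmon service.

```powershell
# Added example: full Sysmon config for FileDeleteDetected (Event ID 26),
# plus a query that verifies what the running rules are logging.
# $configPath and the Sysmon binary location are assumed values.
$configPath = 'C:\Sysmon\sysmon-filedelete.xml'

$config = @'
<Sysmon schemaversion="4.70">
  <DnsLookup>False</DnsLookup>
  <EventFiltering>
    <!-- Include: every TargetFilename containing a backslash, i.e. every path -->
    <RuleGroup name="Evt_26_inc" groupRelation="or">
      <FileDeleteDetected onmatch="include">
        <TargetFilename condition="contains">\</TargetFilename>
      </FileDeleteDetected>
    </RuleGroup>
    <!-- Exclude: assumed noise source, PowerShell's own __PSScriptPolicyTest files -->
    <RuleGroup name="Evt_26_exc" groupRelation="or">
      <FileDeleteDetected onmatch="exclude">
        <Rule groupRelation="and">
          <Image condition="begin with">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Image>
          <TargetFilename condition="contains all">C:\Users\;\AppData\Local\Temp\__PSScriptPolicyTest</TargetFilename>
        </Rule>
      </FileDeleteDetected>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

New-Item -ItemType Directory -Path (Split-Path $configPath) -Force | Out-Null
Set-Content -Path $configPath -Value $config -Encoding UTF8

# Apply the config (run manually, elevated; Sysmon64.exe path is assumed):
#   C:\Sysmon\Sysmon64.exe -accepteula -i $configPath   # first-time install
#   C:\Sysmon\Sysmon64.exe -c $configPath               # update a running instance

# Read back the most recent Event ID 26 records and flatten their EventData
# so RuleName, Image and TargetFilename can be compared against the rules.
function Get-SysmonFileDeleteDetected {
    param([int]$MaxEvents = 50)

    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 26 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time           = $_.TimeCreated
                RuleName       = $data['RuleName']
                User           = $data['User']
                Image          = $data['Image']
                TargetFilename = $data['TargetFilename']
            }
        }
}

# Example check: delete a throwaway file, then confirm it shows up with RuleName Evt_26_inc.
$probe = Join-Path $env:TEMP 'sysmon-delete-probe.txt'
Set-Content -Path $probe -Value 'probe'
Remove-Item -Path $probe
Start-Sleep -Seconds 2
Get-SysmonFileDeleteDetected | Where-Object { $_.TargetFilename -eq $probe } | Format-Table -AutoSize
```

If the probe file does not appear, look at the RuleName column of the events that do appear: a record without the include group's name, or only records from a single process, points at the active configuration rather than at the include rule itself, and `Sysmon64.exe -c` with no arguments prints the rule set the service is currently running.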

Thank you for your answer.

I used your config:

    <RuleGroup name="Evt_26_inc" groupRelation="or">
      <FileDeleteDetected onmatch="include">
        <TargetFilename condition="contains">\</TargetFilename>
      </FileDeleteDetected>
    </RuleGroup>


But I only got logs similar to the images I posted.

For example, I want the deletion of C:\test.txt to be logged if I delete C:\test.txt.

Thanks again for your reply.

LimitlessTechnology-2700 answered:

Hello @holollollol-8511

You may need to run a startup task to run Sysmon with the system, like: Sysmon.exe -i config.xml -a sysmondelete

Other usage of Sysmon: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

Hope this helps with your query,


--If the reply is helpful, please Upvote and Accept as answer--
