In our previous blog post, we discussed Sysmon version 13's Event ID 25, which introduced a very handy way of detecting process tampering techniques, particularly process hollowing and process herpaderping, in the network. Alongside an update to Sysmon Event ID 23 (File Deleted), which was released in an earlier Sysmon package, Sysinternals has also released a new event ID, Sysmon Event ID 26 (File Delete Detected), to track file deletions.

In this blog post, we'll focus on understanding Sysmon version 13's Event ID 26. We'll also cover how it differs from Event ID 23 and how it can help you understand file deletions.

Understanding the difference between Sysmon Event ID 23 and Sysmon Event ID 26

Earlier, any deleted file was automatically saved to a configured archive directory (C:\Sysmon by default). Archiving of deleted files was always enabled, and a file delete event was created under Event ID 23 once the Sysmon package was correctly configured. The issue with archiving is that many admins didn't want their disk space consumed by unwanted archived files, and the earlier Sysmon releases didn't allow file archival to be disabled. The new Sysmon versions have rectified this, which is why file deletions are treated a little differently under Event ID 26: Sysmon Event ID 26 is logged when the archive directory is disabled and a file is deleted without being archived.

When viewing Event ID 23 in Event Viewer, you'll notice that the Archived attribute is set to "True", whereas in Event ID 26 the attribute is absent entirely. Apart from the Archived field, the other information about the deleted file is the same. With these two separate event IDs at play, you can archive deletions of specific files and folders while disabling archival for others, and track both as separate event IDs related to file deletions.

How to configure this new event type:

<!-- Goes inside the EventFiltering section of the Sysmon configuration. With onmatch="exclude",
     every file deletion is logged as Event ID 26 except those matching one of the rules below. -->
<FileDeleteDetected onmatch="exclude">
  <!-- Ignore deletions by the built-in service accounts -->
  <User condition="contains any">NETWORK SERVICE; LOCAL SERVICE</User>
  <!-- Ignore Chrome's software reporter tool cleaning up after itself -->
  <Image condition="contains all">\appdata\local\google\chrome\user data\swreporter\;software_reporter_tool.exe</Image>
  <!-- Ignore deletions performed by the Chrome browser itself -->
  <Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
</FileDeleteDetected>

In your Windows Event Viewer, you can view the following fields related to Event ID 26:


| Field | Description |
| --- | --- |
| UtcTime | Time in Coordinated Universal Time (UTC) when the event was created. |
| ProcessGuid | The GUID of the process that deleted the file. |
| ProcessId | The ID used by the OS to identify the process that deleted the file. |
| User | Name of the account that deleted the file. It usually contains the domain name and username. |
| Image | File path of the process that deleted the file. |
| TargetFilename | The path of the deleted file. |
| Hashes | The hashes of the deleted file, computed with the hash types set in the config. This also determines the stored filename. |
| IsExecutable | Boolean indicating whether the deleted file is a Portable Executable (PE) file. |
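As an added example (not code from the original post, from Sysinternals or from Log360), the following Python parses exported Sysmon event XML for Event IDs 23 and 26, tells the two apart by the presence of the Archived field described above, and applies the same NETWORK SERVICE/LOCAL SERVICE user exclusion as the configuration to flag deleted executables. The make_event helper, the sample events, account names and paths are all constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Namespace of Windows event XML as exported from Event Viewer or a log forwarder.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def make_event(event_id, **fields):
    """Build a minimal Sysmon event XML string; used here only to construct sample data."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

# Constructed sample events: users and paths are placeholders, not real indicators.
SAMPLE_EVENTS = [
    # Event ID 23: archiving was on, so the Archived field is present and "true".
    make_event(23, User=r"CORP\alice", Image=r"C:\Windows\explorer.exe",
               TargetFilename=r"C:\Users\alice\report.docx", IsExecutable="false", Archived="true"),
    # Event ID 26: archiving was off; note there is no Archived field at all.
    make_event(26, User=r"CORP\bob", Image=r"C:\Windows\System32\cmd.exe",
               TargetFilename=r"C:\Users\bob\AppData\Local\Temp\installer.exe", IsExecutable="true"),
    # Event ID 26 from a service account that the config's User exclusion would normally drop.
    make_event(26, User=r"NT AUTHORITY\NETWORK SERVICE", Image=r"C:\Windows\System32\svchost.exe",
               TargetFilename=r"C:\Windows\Temp\update.exe", IsExecutable="true"),
]

def parse_sysmon_event(xml_text):
    """Return the EventID plus every <Data Name=...> field of one Sysmon event as a dict."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event

def was_archived(event):
    """Event ID 23 carries Archived=true; Event ID 26 omits the field since nothing was archived."""
    return event["EventID"] == 23 and event.get("Archived", "").lower() == "true"

def triage_file_deletions(xml_events, excluded_users=("NETWORK SERVICE", "LOCAL SERVICE")):
    """Flag deleted Portable Executables (IsExecutable=true) from accounts outside the exclusion list."""
    findings = []
    for xml_text in xml_events:
        event = parse_sysmon_event(xml_text)
        if event["EventID"] not in (23, 26):
            continue
        user = event.get("User", "")
        if any(name.lower() in user.lower() for name in excluded_users):
            continue  # same effect as the "contains any" User exclusion in the config above
        if event.get("IsExecutable", "").lower() == "true":
            findings.append({"user": user, "image": event["Image"],
                             "file": event["TargetFilename"], "archived": was_archived(event)})
    return findings
```

Running `triage_file_deletions(SAMPLE_EVENTS)` returns only the cmd.exe deletion by CORP\bob, with `archived` False because the event was an unarchived Event ID 26.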

You can build a custom report for Sysmon Event ID 26 in Log360, as shown below.


Custom report created to track file deletion for Sysmon Event ID 26.

© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.