FileDeleteDetected
Sysmon 13.10 — FileDeleteDetected
April 21, 2021

Olaf Hartong

The Sysinternals team has released a new version of Sysmon. This brings the version number to 13.10 and raises the schema to 4.60.

To make sure the release is actually generating all event types as expected, which in the past has not always been the case prompted me to create a pipeline that validates the functionality of the new binary and publishes its results to Sysmon works. The output of the latest build shows all events to be generated.

FileDeleteDetected

The new event type FileDeleteDetected gets the Event ID 26. This event is very similar to the FileDelete (23) event with one big difference: this new event will not intercept and write deleted files to the configured Archive Directory, but the generated events in the EventLog will contain nearly the same information.

Event ID 23 and Event ID 26 side by side.

As you can see from the above screenshot the information is almost identical — with the exception of the Archived field. One of the immediately apparent benefits of this new event type is obviously that it will not clog up the system and fill the hard drive.

You could pose the question why this warranted a new event type. From my view this is primarily to avoid confusion whether archiving is on or not; and therefore a lot easier to configure and to quickly enable for specific files/folders whenever there is a good reason to do this. You could even build a SOAR playbook to do this in case of certain alerts. The chance of configuration errors due to confusion is likely to be less than in the case of having to enable/disable archiving for individual config lines on the original event. Also, the new Event ID 26 provides an opportunity to capture additional malicious behavior that earlier was too complicated to record due to the potential filling up of the disk.

The configuration of the new event type works exactly the same way as the FileDelete event described in this blog post. The only distinction obviously is the event name is FileDeleteDetected and the archive directory does not need to be specified.

A very basic start to a configuration for the new event type could be:

<FileDeleteDetected onmatch="exclude">
<User condition="contains any">NETWORK SERVICE; LOCAL SERVICE</User>
<Image condition="contains all">\appdata\local\google\chrome\user data\swreporter\;software_reporter_tool.exe</Image>
<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
</FileDeleteDetected>

Additional noteworthy improvements

Sysmon also has a new XML parser that was introduced in version 13.02, eagle-eyed users might already have spotted it there.

New XML parser visible in v13.02.

The Sysinternals team put a lot of effort in making sure the way the new parser deals with the rule logic order has not changed, as described by Carlos Perez in the excellent community guide.

With the new parser there also is a bit more verbose output upon loading a new configuration. There is mention of the Byte-Order-Mark and the file format. The Byte-Order-Mark (or BOM) is a special marker added at the very beginning of a Unicode file encoded in UTF-8, UTF-16 or UTF-32. It is used to indicate whether the file uses the big-endian or little-endian byte order. The BOM is mandatory for UTF-16 and UTF-32, but it is optional for UTF-8.

Additionally, the new parser provides somewhat more descriptive and verbose error outputs when loading a configuration that has mistakes or errors in it.

Enriched error handling in v13.10.

One of the issues that also has been addressed is where the ClipboardChange event would still write files to disk in case the <CaptureClipboard /> was set in the root of the configuration, but nothing was configured to be logged on the EventFiltering section of the configuration.

Knowledge center

Other articles

FalconHound, attack path management for blue teams

FalconHound, attack path management for blue teams

[dsm_breadcrumbs show_home_icon="off" separator_icon="K||divi||400" admin_label="Supreme Breadcrumbs" _builder_version="4.18.0" _module_preset="default" items_font="||||||||" items_text_color="rgba(255,255,255,0.6)" custom_css_main_element="color:...

Together. Secure. Today.

Stay in the loop and sign up to our newsletter

FalconForce realizes ambitions by working closely with its customers in a methodical manner, improving their security in the digital domain.

Energieweg 3
3542 DZ Utrecht
The Netherlands

FalconForce B.V.
[email protected]
(+31) 85 044 93 34

KVK 76682307
BTW NL860745314B01