Read about command line process auditing in detail here: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
Enable the “Audit object access” audit policy. To enable it:
Run gpedit.msc, select the local computer policy, then Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy: Audit object access → Define: Success and Failures
Go to "Advanced Audit Policy Configuration" → Audit Policies → Object Access:
Audit File System → Define: Success and Failures
Audit Handle Manipulation → Define: Success and Failures.
Navigate to the folder, right-click it and select "Properties". Select the "Security" tab → "Advanced" button → "Auditing" tab → click the "Add" button:
Select Principal: "Everyone"; Select Type: "All"; Select Applies to: "This folder, subfolders and files"; Select the following "Advanced Permissions": "Delete subfolders and files" and "Delete".
Alternatively, try Lepide File Server Auditor, which helps track every critical change in real time.
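
The audit-policy and folder-auditing steps above, scripted in PowerShell from an elevated prompt, as an added example that is not part of the original text. The folder path is a placeholder, and reading Security event ID 4663 ("An attempt was made to access an object") to confirm the result is an addition the steps above do not mention.

```powershell
#Requires -RunAsAdministrator
# Assumption: placeholder path; replace with the folder you want to audit.
$Path = 'D:\Shares\Finance'

# Advanced Audit Policy -> Object Access: Success and Failure for both subcategories.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable

# Auditing entry (SACL) on the folder:
#   Principal "Everyone", Type "All" (Success + Failure),
#   Applies to "This folder, subfolders and files",
#   Permissions "Delete" and "Delete subfolders and files".
$acl  = Get-Acl -Path $Path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'Delete, DeleteSubdirectoriesAndFiles',
    'ContainerInherit, ObjectInherit',   # this folder, subfolders and files
    'None',
    'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Confirm that the policy and the SACL are in place.
auditpol /get /subcategory:"File System"
auditpol /get /subcategory:"Handle Manipulation"
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# After a test deletion, list recent 4663 events for objects under the folder.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
    -MaxEvents 500 -ErrorAction SilentlyContinue
foreach ($evt in $events) {
    # Flatten the EventData name/value pairs into a hashtable.
    $data = @{}
    foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    if ($data['ObjectName'] -like "$Path*") {
        [pscustomobject]@{
            Time       = $evt.TimeCreated
            User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Object     = $data['ObjectName']
            Process    = $data['ProcessName']
            AccessMask = $data['AccessMask']
        }
    }
}
```

`auditpol /set` changes the local audit policy only; on a domain-joined machine, a Group Policy that defines the same subcategories overrides it at the next policy refresh.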