Several Events not longer working in Sysmon 14.0?

Niklas Sjögren 41 Reputation points
2022-08-17T09:39:26.84+00:00

Started testing with the new Sysmon version (14.0)...
got the Evt 27 to work...
But,
It seems that some other evts stopped working...!?

Evt 26 (FileDeleteDetect) does not work anymore for me... nothing logs..

I also see fewer distinct Events compared to version 13.34

Anyone else seeing this?

Using the correct schema versions during tests (4.82 for version 14.0, and 4.81 for version 13.34)


Accepted answer
  1. Michael_N 961 Reputation points
    2022-11-17T19:46:52.403+00:00

    @Niklas Sjögren ,
    I too have done some testing on v14.12 and I actually think Sysmon is working correctly/as intended.

    If you delete a file from the GUI (explorer.exe) the file isn't actually deleted right away. It's just moved to the Recycle Bin. So no delete occurs until you empty the recycle bin.
    But if you delete the file via PowerShell.exe or cmd.exe the recycle bin is bypassed/not used. That's why you see the event from powershell.exe but not explorer.exe.

    Try deleting the file from the GUI/Explorer with SHIFT + DEL (to bypass the recycle bin) and I think you will find that it works (the event is logged).

    A bit unexpected maybe, but technically correct from an API standpoint, which is the view Sysmon has.
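The accepted answer's explanation can be checked directly rather than by clicking around in Explorer. The script below is an added example, not code from the thread or from Sysinternals: it creates a test file, deletes it either the way `Remove-Item`/cmd.exe does (immediate unlink) or the way Explorer does (move to the Recycle Bin, done here through the `Microsoft.VisualBasic.FileIO.FileSystem.DeleteFile` overload that takes a `RecycleOption`), then queries the Sysmon operational log for an Event ID 26 naming that file. It assumes Windows PowerShell 5.1 run elevated (reading the Sysmon log needs that), a Sysmon install whose configuration includes a `FileDeleteDetected` rule that covers the test directory, and the `$env:TEMP` test path, which is a constructed choice.

```powershell
# Added example (not from the thread): probe whether Sysmon logs Event ID 26
# (FileDeleteDetected) for a file deleted directly vs. sent to the Recycle Bin.
# Assumptions: Windows PowerShell 5.1 run as Administrator, Sysmon installed with
# a FileDeleteDetected rule that matches files under $TestDir, and the
# Microsoft.VisualBasic assembly available for the Recycle Bin delete.

Add-Type -AssemblyName Microsoft.VisualBasic

$SysmonLog = 'Microsoft-Windows-Sysmon/Operational'

function Test-SysmonFileDelete {
    param(
        [Parameter(Mandatory)][ValidateSet('Direct', 'RecycleBin')][string]$Mode,
        [string]$TestDir = (Join-Path $env:TEMP 'sysmon-evt26-test'),  # constructed path
        [int]$WaitSeconds = 3
    )

    New-Item -ItemType Directory -Path $TestDir -Force | Out-Null
    $file = Join-Path $TestDir ("probe-{0}-{1}.txt" -f $Mode, [guid]::NewGuid())
    Set-Content -Path $file -Value 'sysmon event 26 probe'   # constructed test file
    $start = (Get-Date).AddSeconds(-1)

    switch ($Mode) {
        'Direct' {
            # Same code path as cmd.exe / PowerShell deletes: the file is unlinked now.
            Remove-Item -Path $file -Force
        }
        'RecycleBin' {
            # Same behaviour as a plain Explorer delete: the file is moved to the
            # Recycle Bin, so no delete reaches Sysmon until the bin is emptied.
            [Microsoft.VisualBasic.FileIO.FileSystem]::DeleteFile(
                $file, 'OnlyErrorDialogs', 'SendToRecycleBin')
        }
    }

    Start-Sleep -Seconds $WaitSeconds

    # Event 26 records the path in its TargetFilename field, which is part of
    # the rendered Message, so a match on the escaped path is enough here.
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName = $SysmonLog; Id = 26; StartTime = $start
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($file) })

    [pscustomobject]@{
        Mode        = $Mode
        File        = $file
        Event26Seen = ($events.Count -gt 0)
        Count       = $events.Count
    }
}

# Usage: run both modes and compare. With the behaviour described in the
# accepted answer, 'Direct' reports Event26Seen = True and 'RecycleBin' False.
Test-SysmonFileDelete -Mode Direct
Test-SysmonFileDelete -Mode RecycleBin
```

If the `Direct` case also reports `False`, the problem is the Sysmon configuration (the `FileDeleteDetected` rule does not match the test path or extension) or the log is unreadable from a non-elevated session, not the Recycle Bin behaviour the answer describes; emptying the Recycle Bin after the `RecycleBin` run and re-querying with the same `$start` is the way to see the deferred delete appear.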


7 additional answers

  1. Mike 1 Reputation point
    2022-09-15T19:26:44.823+00:00

    I had the same issue with FileDeleteDetect events not being recorded. I had to roll back to 13.34.

    I'm glad I had a copy of the old version, because the old versions don't seem to be available from Microsoft and Microsoft has no listing of the SHA256 hashes of various versions to determine authenticity.


  2. Ralph Strong 1 Reputation point
    2022-09-27T06:27:04.33+00:00

    Same for me. The FileDeleteDetect event works under version 13.33 and doesn't work with 14.0. Does someone know a solution or workaround for this problem?


  3. Niklas Sjögren 41 Reputation points
    2022-10-03T08:06:34.36+00:00

    Did some testing with version 14.1 and it has the same problem..
    Event 26 not logging anything...
    same config for evt 26 works fine in version 13.34

    But my initial fear that several Events were missing seems incorrect, only Evt 26 fails in my tests..

    But, new Event 28 works as described.... :-)


  4. François Valcourt 1 Reputation point
    2022-10-21T19:18:47.097+00:00

    Same problem here with Sysmon 14.1. No events logged for Event 26.
