question

AlbertoGonzalez-3879 asked:

Windows Audit: no security filesystem audit event for folder creation when it is created from command line

I am using Windows native audit on Windows 10 and Windows Server to detect file/folder creation, modify, rename, delete, etc., and the Windows audit is not reliable: although I set up Everyone and create-folders audit permissions, it doesn't report anything. How can I detect from Windows audit that a folder is created?

  1. There is not any event in the security events when a folder is created from PowerShell/cmd (mkdir folder).

  2. When the folder is created from explorer.exe there is an event 4663 with AccessMask AppendData (or AddSubdirectory or CreatePipeInstance) on the parent folder, but it doesn't tell you which folder was created.

How is it possible that Windows audit can't detect these events even if I have set up folder auditing for Everyone and all permissions (create folders, etc.)? What is the right way to audit folder creation?






DSPatrick answered:

Windows security is not currently supported here on QnA. They're actively answering questions in dedicated forums here.


https://social.technet.microsoft.com/Forums/en-US/home?forum=win10itprosecurity



--please don't forget to Accept as answer if the reply is helpful--


Regards, Dave Patrick ....
Microsoft Certified Professional
Microsoft MVP [Windows Server] Datacenter Management


Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.






ShaneTownsend-6638 answered:

Get the details here about command line process auditing: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing

Enable the "Audit object access" audit policy. To enable it:

Run gpedit.msc, select the local computer policy, then Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy: Audit object access → Define: Success and Failures

Go to "Advanced Audit Policy Configuration" → Audit Policies → Object Access:

Audit File System → Define: Success and Failures

Audit Handle Manipulation → Define: Success and Failures.

Navigate to the folder, right-click it and select "Properties". Select the "Security" tab → "Advanced" button → "Auditing" tab → Click the "Add" button:

Select Principal: "Everyone"; Select Type: "All"; Select Applies to: "This folder, subfolders and files"; Select the following "Advanced Permissions": "Delete subfolders and files" and "Delete".

Else, try Lepide File Server Auditor, which helps to track every critical change in real time.

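An added example (not code from this thread or from Microsoft) that scripts the configuration described above from an elevated PowerShell prompt and then reads back the 4663 events for the folder, so the ProcessName, ObjectName and AccessMask of each recorded access (including the AppendData mask the question mentions) can be compared per process. The folder path C:\AuditTest is an assumption, and the audit rule covers all rights rather than only Delete.

```powershell
# Added example, not code from the thread. Assumes an elevated PowerShell prompt
# (Get-Acl -Audit / Set-Acl on a SACL need SeSecurityPrivilege) and a test folder
# of your choosing (assumption: C:\AuditTest).
$Target = 'C:\AuditTest'

# 1. Advanced audit policy: the two Object Access subcategories named above.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable | Out-Null

# 2. SACL on the folder: Everyone, all rights (not only Delete, so that
#    AppendData/AddSubdirectory on the parent is recorded too), inherited by
#    subfolders and files, for both success and failure.
if (-not (Test-Path -LiteralPath $Target)) {
    New-Item -ItemType Directory -Path $Target | Out-Null
}
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -LiteralPath $Target -Audit
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $Target -AclObject $acl

# 3. Read back 4663 events whose ObjectName is under the folder and decode the
#    AccessMask, so you can see which process (explorer.exe, cmd.exe, ...)
#    produced which access on which object. Bit 0x4 is the mask Windows labels
#    AppendData / AddSubdirectory / CreatePipeInstance.
function Get-FolderAuditEvents {
    param([string]$Path, [int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.ObjectName -like "$Path*") {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Subject    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Process    = $data.ProcessName
                Object     = $data.ObjectName
                AccessMask = $data.AccessMask
                AddSubdir  = (([int]$data.AccessMask) -band 0x4) -ne 0
            }
        }
    }
}

Get-FolderAuditEvents -Path $Target | Format-Table -AutoSize
```

Create a subfolder under the target from Explorer and from cmd, then rerun the last line and compare which Process and Object values appear for each.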

AlbertoGonzalez-3879 answered:

Thanks, but logging commands doesn't solve my cases: if the folder is created from Explorer or from a .NET application API, the audit doesn't show anything, and the same goes for file renames. Is there any way to capture file renames and creates using the standard audit? Why is something so basic not included in Windows?
