[sysmon] can i logging deleted all file through sysmon?

Question

Hi

I'm Trying logging deleted all file through sysmon.

I used this sysmon config xml and latest sysmon.exe

--------------------
sysmon config------------------------
<Sysmon schemaversion="4.70">
<DnsLookup>False</DnsLookup>
<EventFiltering>
<FileDeleteDetected onmatch="exclude">
</FileDeleteDetected>
</EventFiltering>
</Sysmon>

------------------------------------------------------------

I think If deleted any file, logging event id 26 include deleted file.

But, event ID 26 not logging after delete any path directory, file.

Only the following two are logged repeatedly.

I don want this target file name

how can I logging deleted all file through sysmon?

Answer 1

Hi!

Evt 26 needs config to start logging.. (default = none)

Try this as include rule
<RuleGroup name="Evt_26_inc" groupRelation="or">
<FileDeleteDetected onmatch="include">
<TargetFilename condition="contains">\</TargetFilename>
</FileDeleteDetected>
</RuleGroup>

You will need to exclude whatever you do not like to see..

ex.
<RuleGroup name="Evt_26_exc" groupRelation="or">
<FileDeleteDetected onmatch="exclude">
<Rule groupRelation="and">
<Image condition="begin with">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Image>
<TargetFilename condition="contains all">C:\Users\;\AppData\Local\Temp__PSScriptPolicyTest</TargetFilename>
</Rule>
</FileDeleteDetected>
</RuleGroup>

Answer 2

Hello @holollollol

You may need to run a Startup task to run sysmon with the system, like: > Sysmon.exe -i config.xml -a sysmondelete

Other usage of Sysmon: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

Hope this helps with your query,

--------------

--If the reply is helpful, please Upvote and Accept as answer--