Version 14.1 of Sysmon added the capability to log, and block, a process deleting a file by overwriting its file blocks. These events are logged using **EventID 27**. This event type is found under schema version 4.83.

The Sysmon minifilter driver inspects the action being taken to check whether it is a file block overwrite and whether the file's header is the MZ DOS executable header. Some common processes on a system that perform actions which may generate false positives are:

* svchost.exe
* dllhost.exe

Sysmon will not generate any on-screen alert for the user once it takes the action.

### Event information

The file delete event fields are:

* **RuleName**: Name of the rule that triggered the event
* **UtcTime**: Time in UTC when the event was created
* **ProcessGuid**: Process GUID of the process that overwrote the file blocks of the file
* **ProcessId**: Process ID used by the OS to identify the process that overwrote the file blocks of the file
* **Image**: File path of the process that overwrote the file blocks of the file
* **TargetFilename**: Name of the file that is being deleted
* **Hashes**: Full hash of the file with the algorithms in the HashType field
* **IsExecutable**: Whether the file has an MZ header indicating that it is an executable

Here is a sample rule that removes some of the false positives by using the full path and a compound rule, which makes it harder for an attacker to spoof.
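The configuration below is an added illustration written for this page; it is not the repository's own sample rule, which is not reproduced here. It assumes the 4.83 schema names this event `FileBlockShredding` and that `Image` and `IsExecutable` are filterable fields of it. Each exclusion matches on the full system path and, as a compound rule (`groupRelation="and"`), also requires that the shredded file is not an executable, so a renamed copy of the binary dropped elsewhere, or the legitimate binary shredding an executable, is still blocked and logged as EventID 27.

```xml
<Sysmon schemaversion="4.83">
  <EventFiltering>
    <!-- Added example, not the project's own rule.
         onmatch="exclude": everything is blocked and logged except what matches below.
         Each Rule is compound (and): full path of the image AND a non-executable target. -->
    <RuleGroup name="FileBlockShredding exclusions" groupRelation="or">
      <FileBlockShredding onmatch="exclude">
        <Rule name="svchost shredding non-executable" groupRelation="and">
          <Image condition="is">C:\Windows\System32\svchost.exe</Image>
          <!-- IsExecutable assumed filterable here, as it is for FileDelete -->
          <IsExecutable condition="is">false</IsExecutable>
        </Rule>
        <Rule name="dllhost shredding non-executable" groupRelation="and">
          <Image condition="is">C:\Windows\System32\dllhost.exe</Image>
          <IsExecutable condition="is">false</IsExecutable>
        </Rule>
      </FileBlockShredding>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Load it with `sysmon64 -c <config.xml>` and confirm the event and field names against the installed schema with `sysmon64 -s` before relying on the exclusions; a field that is not filterable in your build will be rejected at load time rather than silently ignored.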