Sysmon and File Deletion
A new version of Sysmon was released, with a new major feature: detection of file deletion (with deleted file preservation).
Mark Russinovich explains this in detail in the following video:
So a new event is recorded (ID 23: FileDelete) whenever a file is deleted, and a copy of the deleted file can be preserved inside an archive directory (per volume).
Sysmon will also detect file shredding. I wanted to test this, and of course, I used Sysinternals' own sdelete.
I used the following basic configuration (don't use this on production systems, this will archive all deleted files):
<Sysmon schemaversion="4.30">
  <EventFiltering>
    <FileDelete onmatch="exclude">
    </FileDelete>
  </EventFiltering>
</Sysmon>
With this command: Sysmon.exe -i config.xml -a sysmondelete
Here is the event for the deletion of file.txt (a copy of notepad.exe):
So the file shredding and deletion were detected and reported, but unfortunately, Sysmon did not detect the shredding early enough to preserve the original file. The shredded file contained only 0x00 bytes and was therefore not archived.
As Mark mentioned in his video, there are circumstances where deleted files cannot be archived. He used a custom tool to show this, so I also made a custom tool to reproduce his examples.
When my custom tool shredded a file byte by byte, Sysmon could not preserve the file prior to shredding. But when my tool shredded file.txt (the copy of notepad.exe) in blocks of 1MB (or smaller if the file itself is smaller than 1MB), then it worked:
The file shredding was detected, and a copy of the intact file was made:
The file deletion was also detected, but since this is now a file filled solely with 0x00 bytes, an archival copy was not made:
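The behaviour described above leaves a trace even when preservation fails: the FileDelete event still fires, its Archived field is false, and the hash it reports is the hash of the zero-filled content rather than of the original. The following script is an added example (it is not Didier's tool and not part of Sysmon) that triages Event ID 23 records exported as Windows Event XML. It assumes the analyst knows the original size of a file of interest (from an inventory or an earlier hash record, an assumption made for the example) and uses that to check whether the reported hash is what an all-0x00 file of that size would hash to. The sample records are constructed inline; the field names are those Sysmon writes for event 23.

```python
"""Triage Sysmon Event ID 23 (FileDelete) records exported as Windows Event XML.

Added example: not Didier Stevens' tool and not Sysmon code. Assumes the
event XML layout produced by Event Viewer / wevtutil and, as an assumption,
an analyst-supplied table of original file sizes.
"""
import hashlib
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def zero_filled_sha256(size: int) -> str:
    """SHA256 that an all-0x00 file of `size` bytes would have (1 MiB chunks, so large sizes are cheap on memory)."""
    digest = hashlib.sha256()
    chunk = b"\x00" * (1024 * 1024)
    remaining = size
    while remaining > 0:
        n = min(remaining, len(chunk))
        digest.update(chunk[:n])
        remaining -= n
    return digest.hexdigest()


def parse_filedelete(xml_text: str):
    """Return the relevant fields of a FileDelete event, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "23":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    # Sysmon writes hashes as "SHA256=...,MD5=..." depending on the configured algorithms.
    hashes = dict(p.split("=", 1) for p in data.get("Hashes", "").split(",") if "=" in p)
    return {
        "time": data.get("UtcTime", ""),
        "image": data.get("Image", ""),
        "target": data.get("TargetFilename", ""),
        "sha256": hashes.get("SHA256", "").lower(),
        "is_executable": data.get("IsExecutable", "false").lower() == "true",
        "archived": data.get("Archived", "false").lower() == "true",
    }


def triage(xml_records, known_sizes=None):
    """Classify each FileDelete record; known_sizes maps target path -> original size in bytes (assumption)."""
    known_sizes = known_sizes or {}
    findings = []
    for record in xml_records:
        ev = parse_filedelete(record)
        if ev is None:
            continue
        verdict = "archived" if ev["archived"] else "not archived"
        size = known_sizes.get(ev["target"])
        if not ev["archived"] and size is not None and ev["sha256"] == zero_filled_sha256(size):
            # Hash equals that of a zero-filled file of the original's size: content was wiped before deletion.
            verdict = "not archived, content zeroed before deletion (shredded)"
        elif not ev["archived"] and ev["is_executable"]:
            verdict = "not archived, executable content lost"
        findings.append((ev["time"], ev["image"], ev["target"], verdict))
    return findings


def _event(event_id: int, fields: dict) -> str:
    """Build a minimal Windows Event XML record (constructed sample data only)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")


# Constructed samples: a shredded file.txt of 4096 bytes, a preserved deletion,
# an unrelated FileCreate (ID 11) record, and an executable deleted without a copy.
KNOWN_SIZES = {r"C:\Users\demo\file.txt": 4096}
SAMPLE_EVENTS = [
    _event(23, {"UtcTime": "2022-11-17 10:00:00.000", "Image": r"C:\Tools\sdelete64.exe",
                "TargetFilename": r"C:\Users\demo\file.txt",
                "Hashes": "SHA256=" + zero_filled_sha256(4096).upper(),
                "IsExecutable": "false", "Archived": "false"}),
    _event(23, {"UtcTime": "2022-11-17 10:01:00.000", "Image": r"C:\Tools\customshred.exe",
                "TargetFilename": r"C:\Users\demo\blocks.txt",
                "Hashes": "SHA256=" + hashlib.sha256(b"constructed sample content").hexdigest(),
                "IsExecutable": "true", "Archived": "true"}),
    _event(11, {"UtcTime": "2022-11-17 10:02:00.000", "Image": r"C:\Windows\explorer.exe",
                "TargetFilename": r"C:\Users\demo\new.txt"}),
    _event(23, {"UtcTime": "2022-11-17 10:03:00.000", "Image": r"C:\Windows\System32\cmd.exe",
                "TargetFilename": r"C:\Users\demo\tool.exe",
                "Hashes": "SHA256=" + hashlib.sha256(b"constructed exe bytes").hexdigest(),
                "IsExecutable": "true", "Archived": "false"}),
]

if __name__ == "__main__":
    for time, image, target, verdict in triage(SAMPLE_EVENTS, KNOWN_SIZES):
        print(f"{time}  {image}  {target}  ->  {verdict}")
```

The size table is the weak link: without the original size the zero-fill check cannot run, and the script then falls back to reporting only whether a copy was preserved. Pairing the FileDelete events with an earlier hash or size record for the same path gives the check something to work with.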
Update: A reader experienced problems with removable storage and Sysmon's file deletion preservation (the archive folder is created on removable storage too, and is kept open, so the device cannot be ejected safely). Mark will address this issue in the next update.
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com