Compliance, forensics, ransomware and other malware detection, and monitoring of user activity are all requirements that make organizations want to track file system activity: files being deleted, moved, created and so on. On Windows you might expect this to be as easy as looking up the corresponding events, but there are no straightforward, coherent file activity events in the Windows event log.
Whenever such a critical event occurs we want an alert to be generated.
In this blog we will look at the case of file deletion.
Why to monitor?
In a ransomware attack you will want to know which files were encrypted. Encryption of a file is not a single operation, so it produces several log entries. Ransomware typically writes an encrypted copy of each file (usually under a new name or extension) and then deletes or overwrites the original, so Windows records the process as distinct create and delete events rather than as one "file encrypted" event. The delete side is the one we focus on here.
Goal: build an alert when critical files are deleted by any user.
How to monitor?
There are two useful ways to monitor file delete activity:
- Event ID 4663 (An attempt was made to access an object). Look at AccessList and AccessMask: the DELETE access right appears as the resource string %%1537 in AccessList and as bit 0x10000 in AccessMask. The query is simple:
event_id=4663 (accessList=%%1537 OR accessList=DELETE) accessMask=0x10000
- Correlate event ID 4663 with event ID 4660 (An object was deleted). 4660 is logged when an object is actually deleted, but it only records that some object was deleted and by whom (subject, logon ID, handle ID and process); it does not contain the object name. To get the full picture, join 4660 with the 4663 event that carries the same handle ID. The alert rule takes a query like:
[event_id=4663 handle_id=*] join [event_id=4660 handle_id=*] on handle_id
After the join you have the name of the deleted object together with the user, process and time.
Note: 4660 is the only event that confirms an object was actually deleted. It is not generated for a rename or move, even though 4663 with DELETE access is (renaming and moving require the DELETE right), because the file is not actually deleted. A 4663 DELETE event with no matching 4660 is therefore usually a rename or move, not a deletion. Two practical caveats: both events only appear if the Audit File System subcategory (Object Access) is enabled and the folder's SACL audits Delete for the relevant users, and because handle IDs are reused, the join should be restricted to the same host and logon session within a short time window.
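The two rules above, worked through on the NXLog-style JSON records the page shows: the 4663 DELETE filter, the join with 4660 on the handle ID, and a filter for critical paths. This is an added example and not the blog's own code; the sample records are constructed here and reduced to the fields the correlation needs, and the 5-second match window and the extra join keys (host, logon ID, process name) are assumptions chosen to cope with recycled handle IDs.

```python
"""Correlate Windows Security events 4663 and 4660 to detect confirmed file deletions."""
import json
from datetime import datetime, timedelta

DELETE_MASK = 0x10000               # DELETE access right bit in AccessMask
DELETE_ACCESS = "%%1537"            # resource string Windows uses for DELETE in AccessList
MATCH_WINDOW = timedelta(seconds=5)  # assumed: a 4660 must follow its 4663 within this gap

# Constructed sample records in the NXLog im_msvistalog JSON shape shown on the page
# (one record per line, trimmed to the relevant fields). Not real log data.
# Line 3 is a rename (4663 DELETE with no 4660); line 4 is a read (AccessMask 0x1);
# lines 5-6 reuse handle 0x1608 in a different logon session.
SAMPLE_LOG = r"""
{"EventTime": "2017-07-25 01:08:22", "Hostname": "meroadmin.changeme.com", "EventID": 4663, "SubjectUserName": "Administrator", "SubjectDomainName": "CHANGEME", "SubjectLogonId": "0x1e5a2a", "ObjectType": "File", "ObjectName": "C:\\Finance\\budget.xlsx", "HandleId": "0x1608", "AccessList": "%%1537\r\n\t\t\t\t", "AccessMask": "0x10000", "ProcessName": "C:\\Windows\\explorer.exe"}
{"EventTime": "2017-07-25 01:08:22", "Hostname": "meroadmin.changeme.com", "EventID": 4660, "SubjectUserName": "Administrator", "SubjectDomainName": "CHANGEME", "SubjectLogonId": "0x1e5a2a", "HandleId": "0x1608", "ProcessName": "C:\\Windows\\explorer.exe"}
{"EventTime": "2017-07-25 01:08:30", "Hostname": "meroadmin.changeme.com", "EventID": 4663, "SubjectUserName": "Administrator", "SubjectDomainName": "CHANGEME", "SubjectLogonId": "0x1e5a2a", "ObjectType": "File", "ObjectName": "C:\\Finance\\draft.docx", "HandleId": "0x1700", "AccessList": "%%1537\r\n\t\t\t\t", "AccessMask": "0x10000", "ProcessName": "C:\\Windows\\explorer.exe"}
{"EventTime": "2017-07-25 01:08:35", "Hostname": "meroadmin.changeme.com", "EventID": 4663, "SubjectUserName": "bob", "SubjectDomainName": "CHANGEME", "SubjectLogonId": "0x2f1c44", "ObjectType": "File", "ObjectName": "C:\\Finance\\budget.xlsx", "HandleId": "0x1800", "AccessList": "%%4416\r\n\t\t\t\t", "AccessMask": "0x1", "ProcessName": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE"}
{"EventTime": "2017-07-25 01:08:40", "Hostname": "meroadmin.changeme.com", "EventID": 4663, "SubjectUserName": "bob", "SubjectDomainName": "CHANGEME", "SubjectLogonId": "0x2f1c44", "ObjectType": "File", "ObjectName": "C:\\Users\\bob\\scratch.tmp", "HandleId": "0x1608", "AccessList": "%%1537\r\n\t\t\t\t", "AccessMask": "0x10000", "ProcessName": "C:\\Windows\\explorer.exe"}
{"EventTime": "2017-07-25 01:08:40", "Hostname": "meroadmin.changeme.com", "EventID": 4660, "SubjectUserName": "bob", "SubjectDomainName": "CHANGEME", "SubjectLogonId": "0x2f1c44", "HandleId": "0x1608", "ProcessName": "C:\\Windows\\explorer.exe"}
"""


def parse_events(text):
    """Parse one JSON record per line, skip malformed lines, return events sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate a truncated or malformed record
        ev["_ts"] = datetime.strptime(ev["EventTime"], "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    events.sort(key=lambda e: e["_ts"])  # stable sort keeps 4663 before its 4660
    return events


def is_delete_access(ev):
    """The page's 4663 query: DELETE in AccessList, or the DELETE bit set in AccessMask."""
    if ev.get("EventID") != 4663:
        return False
    access_list = ev.get("AccessList", "")
    mask = int(ev.get("AccessMask", "0x0"), 16)
    return DELETE_ACCESS in access_list or "DELETE" in access_list or bool(mask & DELETE_MASK)


def _handle_key(ev):
    # Handle IDs are recycled, so the join is qualified with host, logon session and process.
    return (ev.get("Hostname"), ev.get("HandleId"), ev.get("SubjectLogonId"), ev.get("ProcessName"))


def correlate_deletes(events):
    """Join each 4660 with the most recent 4663 DELETE on the same handle key.

    Returns confirmed deletions with the object name taken from 4663. A 4663 DELETE
    with no 4660 in the window (a rename or move) produces nothing.
    """
    pending = {}   # handle key -> latest 4663 DELETE event awaiting its 4660
    confirmed = []
    for ev in events:
        key = _handle_key(ev)
        if is_delete_access(ev):
            pending[key] = ev
        elif ev.get("EventID") == 4660:
            opened = pending.pop(key, None)
            if opened is None or ev["_ts"] - opened["_ts"] > MATCH_WINDOW:
                continue  # no matching 4663 in the window: treat as a recycled handle
            confirmed.append({
                "time": ev["EventTime"],
                "user": f'{opened.get("SubjectDomainName")}\\{opened.get("SubjectUserName")}',
                "object": opened.get("ObjectName"),
                "process": opened.get("ProcessName"),
            })
    return confirmed


def critical_deletions(events, critical_prefixes):
    """Alert rows: confirmed deletions under a monitored path prefix (case-insensitive)."""
    prefixes = tuple(p.lower() for p in critical_prefixes)
    return [d for d in correlate_deletes(events)
            if d["object"] and d["object"].lower().startswith(prefixes)]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for d in critical_deletions(evs, ["C:\\Finance\\"]):
        print(f'{d["time"]} {d["user"]} deleted {d["object"]} via {d["process"]}')
```

Run against the constructed sample, only budget.xlsx deleted by CHANGEME\Administrator is reported as a critical deletion: the draft.docx rename has DELETE access but no 4660, the Excel read has no DELETE bit, and bob's deletion of scratch.tmp is correctly matched to his own 4663 even though it reuses handle 0x1608. Keying on the logon session and process is what keeps the recycled handle from being attributed to the earlier user.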
What to monitor?
Timestamp, user name, file name, operation (create, read, modify, rename, delete, etc.) and the result (success or failure). In the events above these are EventTime, SubjectDomainName\SubjectUserName, ObjectName, AccessList/AccessMask and EventType (AUDIT_SUCCESS or AUDIT_FAILURE), plus ProcessName for the program that performed the operation.
Log sample
{
"EventTime": "2017-07-25 01:08:22",
"Hostname": "meroadmin.changeme.com",
"Keywords": -9214364837600034816,
"EventType": "AUDIT_SUCCESS",
"SeverityValue": 2,
"Severity": "INFO",
"EventID": 4663,
"SourceName": "Microsoft-Windows-Security-Auditing",
"ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"Version": 1,
"Task": 12800,
"OpcodeValue": 0,
"RecordNumber": 717215,
"ProcessID": 496,
"ThreadID": 504,
"Channel": "Security",
"Message": "An attempt was made to access an object.",
"Category": "File System",
"Opcode": "Info",
"SubjectUserSid": "S-1-5-21-1541309266-3090300489-3544281362-500",
"SubjectUserName": "Administrator",
"SubjectDomainName": "CHANGEME",
"SubjectLogonId": "0x1e5a2a",
"ObjectServer": "Security",
"ObjectType": "File",
"ObjectName": "C:\\Program Files (x86)\\nxlog\\conf",
"HandleId": "0x1608",
"AccessList": "%%1537\r\n\t\t\t\t",
"AccessMask": "0x10000",
"ProcessName": "C:\\Windows\\explorer.exe",
"ResourceAttributes": "S:AI",
"EventReceivedTime": "2017-07-25 01:08:24",
"SourceModuleName": "in",
"SourceModuleType": "im_msvistalog"
}