Saturday, September 21, 2019

Audit File Move in Windows System

Requirements such as compliance, forensics, ransomware detection, other malware investigations, and monitoring of user activity all push organizations to track file system activity: files deleted, moved, created, and so on. On Windows you might expect to get this simply by looking at the corresponding events, but the Windows event log has no straightforward, coherent file-activity events. A single user action is usually recorded as several low-level object-access events that have to be reassembled before they tell you what actually happened.

In this post we look at the case of a file being moved, i.e. a cut-and-paste operation.

Why to monitor?

  1. In a ransomware attack you want to know which files were encrypted. Encryption does not produce a single audit record per file but several. The typical sequence is: the existing file is deleted (or renamed, or its extension changed), and a new, encrypted file is created in its place. Windows records this as two distinct events, one for the delete and one for the create, not as one "file encrypted" event, so the two halves must be correlated.
  2. Alert when critical files are moved out of their location by any user.

How to monitor?

Whenever a file or folder is moved, Windows does not log a single "move" event. Two object-access events are generated instead: a delete of the object at its original location, followed by a create (write data / add file) at the new location. Both carry event ID 4663, so the two halves have to be joined on the handle and the file name. Note that 4663 is only produced when the "Audit File System" subcategory under Object Access is enabled and the file or folder carries a SACL that audits Delete and Write Data; without both, nothing is logged at all.

Event ID 4663 ("An attempt was made to access an object"). The fields of interest are ObjectType, HandleId, ObjectName, AccessList and AccessMask.
ObjectType=File covers both file and folder activity.
  • First part: the file is deleted at its original location
eventId=4663 (accessList=%%1537 OR accessList=DELETE) accessMask=0x10000 objectType=File handleId=*
  • Second part: the same file is created at the destination
eventId=4663 (accessList="WriteData (or AddFile)" OR accessList=%%4417) accessMask=0x2 objectType=File handleId=*
  • Now join the two cases to find the file/folder that was moved. Join condition: same handleId and fileName, different path
[eventId=4663 (accessList=%%1537 OR accessList=DELETE) accessMask=0x10000 objectType=File handleId=*] as fileDelete followed by [eventId=4663 (accessList="WriteData (or AddFile)" OR accessList=%%4417) accessMask=0x2 objectType=File handleId=*] as fileCreate on fileDelete.handleId=fileCreate.handleId and fileCreate.fileName=fileDelete.fileName | search for fileDelete.path!=fileCreate.path

Note: extract path and fileName from objectName with a regex that splits on the last backslash (the backslash must be escaped, otherwise the second group is read as a literal parenthesis):
(?P<path>.*)\\(?P<fileName>[^\\]+)$
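The delete/create correlation described above, implemented as an added Python example over a constructed sample of 4663 events. This is not code from the original post. The input format is a constructed one-line key=value flattening of the 4663 EventData fields (real events arrive from the Security log as XML); the field names match the native ones, but the helper and function names are my own. The join follows the post's condition (same handleId and fileName, different path) and additionally consumes a pending delete as soon as any create arrives on the same handle, because handle IDs are reused once a handle is closed.

```python
import re

# Resource-string IDs and AccessMask bits that event 4663 carries for the two halves of a move.
ACCESS_DELETE_ID = "%%1537"     # DELETE
ACCESS_WRITE_ID = "%%4417"      # WriteData (or AddFile)
MASK_DELETE = 0x10000
MASK_WRITE_DATA = 0x2

# One "key=value" token per field; a value runs until the next " key=" or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")
# Split ObjectName on its last backslash into parent path and file name.
OBJECT_NAME_RE = re.compile(r"^(?P<path>.*)\\(?P<fileName>[^\\]+)$")

# Constructed sample (assumption): 4663 events flattened to one line each.
# alice: real move; bob: plain delete; carol: brand-new file; dave: overwrite in place;
# erin: move whose handle ID (0x1a4) reuses the one alice's handle had earlier.
SAMPLE_LOG = """\
2019-09-21T10:00:01 EventID=4663 SubjectUserName=alice ObjectType=File HandleId=0x1a4 ObjectName=C:\\Finance\\budget.xlsx AccessList=%%1537 AccessMask=0x10000
2019-09-21T10:00:01 EventID=4663 SubjectUserName=alice ObjectType=File HandleId=0x1a4 ObjectName=D:\\Archive\\budget.xlsx AccessList=%%4417 AccessMask=0x2
2019-09-21T10:02:15 EventID=4663 SubjectUserName=bob ObjectType=File HandleId=0x2c8 ObjectName=C:\\Users\\bob\\notes.txt AccessList=%%1537 AccessMask=0x10000
2019-09-21T10:03:40 EventID=4663 SubjectUserName=carol ObjectType=File HandleId=0x3f0 ObjectName=C:\\Users\\carol\\report.docx AccessList=%%4417 AccessMask=0x2
2019-09-21T10:05:02 EventID=4663 SubjectUserName=dave ObjectType=File HandleId=0x5a0 ObjectName=C:\\Data\\old.log AccessList=%%1537 AccessMask=0x10000
2019-09-21T10:05:02 EventID=4663 SubjectUserName=dave ObjectType=File HandleId=0x5a0 ObjectName=C:\\Data\\old.log AccessList=%%4417 AccessMask=0x2
2019-09-21T10:07:30 EventID=4663 SubjectUserName=erin ObjectType=File HandleId=0x1a4 ObjectName=C:\\HR\\salaries.csv AccessList=DELETE AccessMask=0x10000
2019-09-21T10:07:31 EventID=4663 SubjectUserName=erin ObjectType=File HandleId=0x1a4 ObjectName=E:\\USB\\salaries.csv AccessList=WriteData (or AddFile) AccessMask=0x2
"""


def split_object_name(object_name):
    """Return (path, fileName) for a Windows object name such as C:\\Data\\old.log."""
    m = OBJECT_NAME_RE.match(object_name)
    if not m:
        return "", object_name
    return m.group("path"), m.group("fileName")


def parse_event(line):
    """Parse one flattened 4663 line into a dict, or None if it carries no EventID."""
    fields = dict(FIELD_RE.findall(line))
    if "EventID" not in fields:
        return None
    fields["timestamp"] = line.split(" ", 1)[0]
    fields["path"], fields["fileName"] = split_object_name(fields.get("ObjectName", ""))
    fields["mask"] = int(fields.get("AccessMask", "0"), 16)
    return fields


def is_delete(ev):
    """First half of a move: DELETE access, by mask bit, %%-code or resolved name."""
    al = ev.get("AccessList", "")
    return bool(ev["mask"] & MASK_DELETE) or ACCESS_DELETE_ID in al or re.search(r"\bDELETE\b", al) is not None


def is_create(ev):
    """Second half of a move: WriteData/AddFile access, by mask bit, %%-code or resolved name."""
    al = ev.get("AccessList", "")
    return bool(ev["mask"] & MASK_WRITE_DATA) or ACCESS_WRITE_ID in al or "WriteData" in al


def find_moves(lines):
    """Correlate 4663 delete/create pairs on HandleId and report those whose path changed."""
    pending = {}  # HandleId -> most recent unmatched delete on that handle
    moves = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.get("EventID") != "4663" or ev.get("ObjectType") != "File":
            continue
        if is_delete(ev):
            pending[ev["HandleId"]] = ev
            continue
        if not is_create(ev):
            continue
        # Any create on the handle resolves the pending delete: handle IDs are reused after
        # CloseHandle, so a stale delete must never be paired with an unrelated later create.
        src = pending.pop(ev["HandleId"], None)
        if src is None:
            continue  # brand-new file, nothing to pair with
        if src["fileName"] != ev["fileName"] or src["path"] == ev["path"]:
            continue  # different name, or overwrite in place: not a move
        moves.append({
            "timestamp": ev["timestamp"],
            "user": ev.get("SubjectUserName", ""),
            "handle": ev["HandleId"],
            "fileName": ev["fileName"],
            "src": src["path"],
            "dst": ev["path"],
        })
    return moves


if __name__ == "__main__":
    for mv in find_moves(SAMPLE_LOG.splitlines()):
        print(f'{mv["timestamp"]} {mv["user"]} moved {mv["fileName"]}: {mv["src"]} -> {mv["dst"]}')
```

On the sample only alice's and erin's pairs are reported: bob's delete never gets a matching create, carol's create has no preceding delete, and dave's pair keeps the same path, which is an overwrite rather than a move. The textual access names (DELETE, WriteData (or AddFile)) are accepted alongside the %%-codes because a SIEM may resolve the resource strings before the query runs.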

What to monitor?

For every matched event, retain at least: timestamp, user name, file name, operation (create, read, modify, rename, delete, etc.), the result (success or failure), and for a move, both the source and the destination path.

