Wednesday, September 4, 2019

Audit File Rename in Windows

There are various requirements like compliance, forensics, ransomware detection, other malware attack, monitoring user activities etc that need organizations to monitor file system activities like file deleted, moved, created etc. While working with windows operating system you might feel it is easy to monitor such by simple looking into corresponding events but there are no straightforward and coherent file activity events in the Windows event log.

In this blog we will check out the case of file moved i.e. file cut paste activity.

Why to monitor?

  1. In case of ransomware attack you might want to know which files were encrypted. When files are encrypted it means there are multiple logs being generated. Let's look at the sequence of operation: first, existing files are deleted; second, those files are renamed or their extensions are changed… so new files are created. Windows logs this process of encryption as two distinct event.
  2. Build an alert when critical files are renamed by any user.


How to monitor?
Whenever certain file/folder is renamed two events are generated. First will be file delete followed by file/folder create in same location.
Event id 4663. Look into ObjectType, HandleId, ObjectName, AccessList and AccessMask.
ObjectType=File for file and folder activities
  • First part: File is deleted in original place
eventId=4663 (accessList=%%1537 OR accessList=DELETE) accessMask=0x10000 objectType=File handleId=*
  • Second part: Same new file is created in same location
eventId=4663 (accessList="WriteData (or AddFile)" OR accessList=%%4417) accessMask=0x2 objectType=File handleId=*
  • Now we need to join these two cases to find file/folder that was renamed. Condition for join; look for same processId and filePath. In this case handle id would not be same so we cannot use handleid for correlation here. Also, please note that this may result is some false positives.
[eventId=4663 (accessList=%%1537 OR accessList=DELETE) accessMask=0x10000 objectType=File handleId=*] as fileDelete followed by [eventId=4663 (accessList="WriteData (or AddFile)" OR accessList=%%4417) accessMask=0x2 objectType=File handleId=*] as fileCreate on fileDelete.processId=fileCreate.processId and fileCreate.filePath=fileDelete.filePath

Note: Extract path and fileName from objectName using regex
(?P<filePath>.*)\(?P<fileName>.*)

What to monitor?

timestamp, user name, file name, operation (renamed), and a result (success or failure).
at
Labels: , ,

1 comment:

  1. AnonymousApril 7, 2022 at 3:11 AM

    Myclassnotes: Audit File Rename In Windows >>>>> Download Now

    >>>>> Download Full

    Myclassnotes: Audit File Rename In Windows >>>>> Download LINK

    >>>>> Download Now

    Myclassnotes: Audit File Rename In Windows >>>>> Download Full

    >>>>> Download LINK tQ

    ReplyDelete

Subscribe to: Post Comments (Atom)