If configured, Sysmon EID 23: FileDelete enables archiving file deletes on disk. The challenges of this configuration is management of the archive folder which can grow to be significant size and use up disk space.
This artifact enables management of the archive, listing files and removing old files over a configured maximum.
For monitoring: Use in combination with Windows.Events.SysmonArchive
name: Windows.Sysinternals.SysmonArchive
author: Matt Green - @mgreen27
description: |
If configured, Sysmon EID 23: FileDelete enables archiving file deletes on
disk. The challenges of this configuration is management of the archive
folder which can grow to be significant size and use up disk space.
This artifact enables management of the archive, listing files and removing
old files over a configured maximum.
For monitoring: Use in combination with Windows.Events.SysmonArchive
reference:
- https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/file-delete.md
- https://isc.sans.edu/diary/Sysmon+and+File+Deletion/26084
parameters:
- name: SysmonArchiveGlob
description: Glob to target configured Sysmon archive folder contents.
default: C:\Sysmon\*
- name: ArchiveSize
description: Desired size of archive in bytes. Default is ~1GB.
default: 1000000000
type: int64
- name: DeleteFiles
description: When selected will delete older files outside configured archive size.
type: bool
- name: ShowAll
description: When selected will show all files in Sysmon archive folder.
type: bool
sources:
- query: |
LET files = SELECT Ctime,OSPath,Size
FROM glob(globs=SysmonArchiveGlob,accessor='ntfs')
WHERE NOT IsDir AND NOT IsLink
ORDER BY Ctime DESC
LET calc_sum = SELECT *, sum(item=Size) as TotalSize
FROM files
SELECT Ctime, OSPath,Size,TotalSize,
if(condition= TotalSize > ArchiveSize,
then= if(condition= DeleteFiles, then=rm(filename=OSPath), else='To delete'),
else= 'Not to delete') as Delete
FROM calc_sum
WHERE if(condition= ShowAll,
then= TRUE,
else= TotalSize > ArchiveSize)