Windows.Events.SysmonArchiveMonitor

This artifact enables automatic management of the Sysmon archive folder.

FileDelete is a super usefuil capability offered by Sysmon enabling archive of deleted files. It is typically used to archive interesting files or to target collection during an active engagement.

Requrements: Exchange.Windows.Sysinternals.SysmonArchive


name: Windows.Events.SysmonArchiveMonitor
author: Matt Green - @mgreen27
description: |
   This artifact enables automatic management of the Sysmon archive folder.
   
   FileDelete is a super usefuil capability offered by Sysmon enabling archive 
   of deleted files. It is typically used to archive interesting files or to target 
   collection during an active engagement.
   
   Requrements: Exchange.Windows.Sysinternals.SysmonArchive

reference:
    - https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/file-delete.md
    - https://isc.sans.edu/diary/Sysmon+and+File+Deletion/26084
    - https://blog.nviso.eu/2022/06/30/enforcing-a-sysmon-archive-quota/


type: CLIENT_EVENT

parameters:
   - name: SysmonArchiveGlob
     description: Glob to target configured Sysmon archive folder contents.
     default: C:\Sysmon\*
   - name: ArchiveSize
     description: Desired size of archive in bytes. Default is ~1GB.
     default: 1000000000
     type: int64
   - name: CheckDelay
     description: Desired time to wait between checks. Default is 10 mins (600s).
     default: 600
     type: int64
     
     
sources:
  - query: |
      LET schedule = SELECT UTC.String AS Now
        FROM clock(period=CheckDelay)
        
      -- on each schedule run Windows.Sysinternals.SysmonArchive
      SELECT * FROM foreach(row=schedule, 
                query={
                    SELECT *
                    FROM Artifact.Exchange.Windows.Sysinternals.SysmonArchive(
                                        ArchiveSize=ArchiveSize,
                                        SysmonArchiveGlob=SysmonArchiveGlob,
                                        DeleteFiles=True,
                                        ShowAll=False)
                })