Sysmon v11.0
jeff-cook opened this issue · 1 comment
jeff-cook commented
Sysmon v11.0 has been released.
It creates a new event type 23 File Delete.
I'm not sure what else has changed with this version.
| Field | Description |
|---|---|
| UtcTime | Time in UTC when event was created |
| ProcessGuid | Process Guid of the process that made the delete |
| ProcessId | Process ID of the process that made the delete |
| User | User that created the |
| Image | File path of the process that made the |
| TargetFilename | Name of the file that was deleted |
| Hashes | Full hash of the file with the algorithms in the HashType field |
| IsExecutable | Boolean Value if deleted file was executable |
| Archived | Boolean Value if deleted file was archived in the ArchiveDirectory folder based on the CopyOnDelete* settings |
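As an added example (not code from this issue, from Posh-Sysmon or from Sysmon itself), the following Python parses an Event ID 23 record rendered as Windows event XML into the fields listed in the table above, normalises the `Hashes` string and the `IsExecutable`/`Archived` booleans, and applies a small triage rule a defender might start from: an executable was deleted but no copy was retained under the CopyOnDelete settings, or an executable was removed from a user-writable path. The sample event is constructed, the paths, user name, GUID and hash in it are placeholders, and the `<System>` element is trimmed to the provider name and EventID.

```python
"""Parse Sysmon Event ID 23 (File Delete) records and triage them.

Added example; the sample record is constructed, not captured from a host.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Namespace used by Windows event XML as produced by Get-WinEvent / wevtutil.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


@dataclass
class FileDeleteEvent:
    utc_time: str
    process_guid: str
    process_id: int
    user: str
    image: str
    target_filename: str
    hashes: dict = field(default_factory=dict)  # {"SHA256": "<hex>", ...}
    is_executable: bool = False
    archived: bool = False


def parse_hashes(value: str) -> dict:
    """Split 'SHA1=...,MD5=...,SHA256=...' into {ALGORITHM: lowercase hex}."""
    out = {}
    for part in value.split(","):
        algo, sep, digest = part.partition("=")
        if sep:
            out[algo.strip().upper()] = digest.strip().lower()
    return out


def parse_bool(value: str) -> bool:
    return value.strip().lower() == "true"


def parse_file_delete(xml_text: str) -> FileDeleteEvent:
    """Build a FileDeleteEvent from one event's XML; reject other event IDs."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id != "23":
        raise ValueError(f"not a File Delete event (EventID={event_id})")
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return FileDeleteEvent(
        utc_time=data["UtcTime"],
        process_guid=data["ProcessGuid"],
        process_id=int(data["ProcessId"]),
        user=data["User"],
        image=data["Image"],
        target_filename=data["TargetFilename"],
        hashes=parse_hashes(data.get("Hashes", "")),
        is_executable=parse_bool(data.get("IsExecutable", "false")),
        archived=parse_bool(data.get("Archived", "false")),
    )


def triage(ev: FileDeleteEvent) -> list:
    """Return reasons an analyst may want to look at this delete (empty = nothing notable)."""
    reasons = []
    if ev.is_executable and not ev.archived:
        reasons.append("executable deleted and no copy retained (review CopyOnDelete settings)")
    user_writable = ("c:\\users\\", "c:\\windows\\temp\\")  # assumption: a starting list, extend per environment
    if ev.is_executable and ev.target_filename.lower().startswith(user_writable):
        reasons.append("executable removed from a user-writable location")
    return reasons


def sample_event(**overrides) -> str:
    """Constructed Event ID 23 record (placeholder values, not a real capture)."""
    fields = {
        "UtcTime": "2020-04-30 10:15:42.123",
        "ProcessGuid": "{00000000-0000-0000-0000-000000000000}",
        "ProcessId": "4242",
        "User": "EXAMPLE\\alice",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe",
        "Hashes": "SHA256=" + "ab" * 32,
        "IsExecutable": "true",
        "Archived": "false",
    }
    fields.update(overrides)
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>23</EventID></System>'
        f"<EventData>{data}</EventData></Event>"
    )


if __name__ == "__main__":
    ev = parse_file_delete(sample_event())
    print(ev.image, "deleted", ev.target_filename, "->", triage(ev))
```

On a live host the same parser can be fed the output of `Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational` after calling `.ToXml()` on each record; the hash dictionary is what you would pivot on to find the same file elsewhere, and when `Archived` is true the retained copy in the ArchiveDirectory is what you would submit for analysis.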
darkoperator commented
Working on an update for it; it is also controlled via the registry for specifying the folders. There is the permission structure, and also deploying it to machines to see what best practices could be implemented for it. There is a bug also in v11 where process creation is not logged in Windows 2016, and there is a weird parsing bug I'm trying to confirm is not related to it as well. Want to make sure I have all the info I can before a new release next week.