Hunt for "Delete specific folder"

Question

Hi,&nbsp;i have a strange behavior - one some of my servers the Firewall Log folder is gone. It happens to Win2019 server - maybe related to that i accessed the folder - to get the log file and added the admin user to the NTFS table.But it should not happen - as it seems like a kind of "attack". So i am trying to find out when it happend and which process did this.I tried to create a folder at my client - and then search the timeline - but nothin appears. Do i need to setup NTFS auditing so that i can hunt for it - or is it just impossible with Defender?&nbsp;BRStephan&nbsp;&nbsp;

jbmartin6 · Answer

you said you searched the timeline, did you also check the DeviceFileEvents table?

jbmartin6 · Answer

Looking at my org's data, I also don't see every FileDeleted event there, perhaps by default it only reports on specific folders due to event volume concerns. I didn't find anything online about possible limits on data in DeviceFileEvents, though.

stephangee · Answer

Thats why i thought we might need to turn on auditing.

jbmartin6 · Answer

Even stranger, I am testing with a file in my c:	emp folder. The folder has not auditing set. MDE has create and rename events for it, but I didn't get any FileDeleted event for it.

stephangee · Answer

jbmartin6&nbsp;that was my experience too 🙂 so it is not just me

Forum Discussion

Hunt for "Delete specific folder"

6 Replies

Resources