Hunting for deletion events

Question

I was reading about a ransomware strain that deletes any folder called "System Volume Information" in an effort to prevent recovery, so I went to setup a hunting query or detection for that event.&nbsp; But I combed through the schema -- and a machine timeline after deleting some folders -- but I don't see a way to detect folder (or file) deletion events.&nbsp; Am I missing something?

thijs lecomte · Answer

Have you looked into the DeviceFileEvents table?
Now that not all file events are being logged. If needed, you should use Sysmon to complement MDfE.
https://isc.sans.edu/forums/diary/Sysmon+and+File+Deletion/26084/

analystguy · Answer

Thijs Lecomte&nbsp;I've looked through the schema and scoured existing events but can't find anything.&nbsp; While I respect the power of Sysmon, I'm not at an organization with the resources to realistically collect sysmon logs from every endpoint.&nbsp;&nbsp;

thijs lecomte · Answer

I understand your pain...I would recommend relying on MDfE solely then.The EDR capability should be smart enough to detect most attacks

Forum Discussion

Hunting for deletion events

3 Replies

Resources