Forum Discussion
AnalystGuy
Nov 05, 2020 Copper Contributor
Hunting for deletion events
I was reading about a ransomware strain that deletes any folder called "System Volume Information" in an effort to prevent recovery, so I went to setup a hunting query or detection for that event. B...
Thijs Lecomte
Nov 07, 2020 Bronze Contributor
Have you looked into the DeviceFileEvents table?
Note that not all file events are being logged. If needed, you should use Sysmon to complement MDfE.
https://isc.sans.edu/forums/diary/Sysmon+and+File+Deletion/26084/
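As an added example (not code from the thread, Microsoft or Sysinternals), here is a small hunt that applies the advice above to both sources at once: DeviceFileEvents rows with ActionType "FileDeleted" (the real column names Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName and InitiatingProcessCommandLine are used) and Sysmon Event ID 23 FileDelete records, normalised into one shape and then grouped by device and deleting process. Every row and XML record below is constructed for the example, and the outer `<Events>` element is an assumption used only to hold several exported records in one string. Because Sysmon logs one Event 23 per file, deleting the whole folder shows up as one record per file inside it, so the check matches "System Volume Information" as a whole path component rather than looking for the folder name in FileName.

```python
"""Hunt for deletions under "System Volume Information" in two telemetry sources:
DeviceFileEvents rows (MDfE advanced hunting export) and Sysmon Event ID 23
(FileDelete) records. All sample records below are constructed for this example."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Match "System Volume Information" only as a whole path component, on any drive,
# so a file merely named "System Volume Information.txt" elsewhere does not fire.
SVI_PATTERN = re.compile(r"(?:^|\\)System Volume Information(?:\\|$)", re.IGNORECASE)

# Sysmon writes its records in the standard Windows event XML namespace.
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"


def is_svi_path(path):
    """True for the System Volume Information folder itself or anything inside it."""
    return SVI_PATTERN.search(path) is not None


def from_device_file_events(rows):
    """Normalise DeviceFileEvents rows; FolderPath holds the full path including file name."""
    return [
        {"source": "DeviceFileEvents", "device": r["DeviceName"], "time": r["Timestamp"],
         "path": r["FolderPath"], "process": r["InitiatingProcessFileName"],
         "cmdline": r.get("InitiatingProcessCommandLine", "")}
        for r in rows if r["ActionType"] == "FileDeleted"
    ]


def from_sysmon_xml(xml_text):
    """Normalise Sysmon Event ID 23 (FileDelete) records from exported event XML.
    Sysmon logs one event per deleted file, so removing the folder yields one
    record per file that was inside it."""
    out = []
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        if ev.findtext(f"{NS}System/{NS}EventID") != "23":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.iter(NS + "Data")}
        out.append({"source": "Sysmon23", "device": ev.findtext(f"{NS}System/{NS}Computer"),
                    "time": data.get("UtcTime", ""), "path": data.get("TargetFilename", ""),
                    "process": data.get("Image", ""), "cmdline": ""})  # Event 23 has no command line
    return out


def hunt(events):
    """Group SVI deletions by (device, deleting process): one hit per offender."""
    hits = defaultdict(list)
    for e in events:
        if is_svi_path(e["path"]):
            hits[(e["device"], e["process"])].append(e["path"])
    return dict(hits)


# Constructed DeviceFileEvents rows (a subset of the table's columns).
DEVICE_FILE_EVENTS = [
    {"Timestamp": "2020-11-05T10:01:12Z", "DeviceName": "ws01", "ActionType": "FileDeleted",
     "FileName": "tracking.log", "FolderPath": r"C:\System Volume Information\tracking.log",
     "InitiatingProcessFileName": "cmd.exe",
     "InitiatingProcessCommandLine": r'cmd.exe /c rd /s /q "C:\System Volume Information"'},
    {"Timestamp": "2020-11-05T10:01:12Z", "DeviceName": "ws01", "ActionType": "FileDeleted",
     "FileName": "WPSettings.dat", "FolderPath": r"C:\System Volume Information\WPSettings.dat",
     "InitiatingProcessFileName": "cmd.exe",
     "InitiatingProcessCommandLine": r'cmd.exe /c rd /s /q "C:\System Volume Information"'},
    {"Timestamp": "2020-11-05T10:03:40Z", "DeviceName": "ws01", "ActionType": "FileCreated",
     "FileName": "notes.txt", "FolderPath": r"C:\Users\bob\notes.txt",
     "InitiatingProcessFileName": "notepad.exe"},
    {"Timestamp": "2020-11-05T10:04:02Z", "DeviceName": "ws03", "ActionType": "FileDeleted",
     "FileName": "System Volume Information.txt",
     "FolderPath": r"C:\Temp\System Volume Information.txt",  # near miss, must not fire
     "InitiatingProcessFileName": "explorer.exe"},
]

# Constructed Sysmon export; the <Events> wrapper is an assumption used to hold several records.
SYSMON_XML = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>23</EventID><Computer>ws02</Computer></System>
<EventData><Data Name="UtcTime">2020-11-05 10:02:03.117</Data>
<Data Name="Image">C:\Windows\System32\cmd.exe</Data>
<Data Name="TargetFilename">D:\System Volume Information\WPSettings.dat</Data>
<Data Name="User">WS02\bob</Data><Data Name="IsExecutable">false</Data><Data Name="Archived">true</Data>
</EventData></Event>
<Event><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>23</EventID><Computer>ws02</Computer></System>
<EventData><Data Name="UtcTime">2020-11-05 10:02:09.440</Data>
<Data Name="Image">C:\Windows\explorer.exe</Data>
<Data Name="TargetFilename">C:\Users\bob\Downloads\invoice.pdf</Data>
</EventData></Event>
</Events>"""


def run_example():
    """Run the hunt over both constructed sources and return the grouped hits."""
    events = from_device_file_events(DEVICE_FILE_EVENTS) + from_sysmon_xml(SYSMON_XML)
    return hunt(events)


if __name__ == "__main__":
    for (device, process), paths in run_example().items():
        print(f"{device}: {process} deleted {len(paths)} item(s) under System Volume Information")
```

The same filter in advanced hunting is simply `DeviceFileEvents | where ActionType == "FileDeleted" | where FolderPath contains "System Volume Information"`; the point of the script is the caveat from the reply above: MDfE does not record every file event, so an empty result there does not prove the folder was not touched, while the Sysmon side gives you one record per deleted file from any endpoint where you can afford to ship its log.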
- AnalystGuy
  Dec 01, 2020 Copper Contributor
Thijs Lecomte I've looked through the schema and scoured existing events but can't find anything. While I respect the power of Sysmon, I'm not at an organization with the resources to realistically collect sysmon logs from every endpoint.
- Thijs Lecomte
  Dec 05, 2020 Bronze Contributor
  I understand your pain...
I would recommend relying on MDfE solely then.
The EDR capability should be smart enough to detect most attacks.