Hunt for "Delete specific folder"

Steel Contributor

Hi,


I have a strange behavior: on some of my servers the Firewall Log folder is gone. It happens on Win2019 servers; maybe it is related to the fact that I accessed the folder to get the log file and added the admin user to the NTFS table.

But it should not happen, as it seems like a kind of "attack". So I am trying to find out when it happened and which process did this.

I tried to create a folder on my client and then search the timeline, but nothing appears. Do I need to set up NTFS auditing so that I can hunt for it, or is it just impossible with Defender?


BR

Stephan
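NTFS auditing is the piece that turns a folder deletion into something you can hunt: without a SACL on the folder and the File System audit subcategory enabled, Windows writes no record of the delete. The script below is an added example, not part of the original post; it enables the audit subcategory, resolves the firewall log folder from the Domain profile configuration (assumption: that is the profile in use, and the log is in its default location under %systemroot%\System32\LogFiles\Firewall), and adds a Delete audit rule so that removing the folder or anything in it produces Security events 4663 (handle opened with DELETE access) and 4660 (object deleted). Run it elevated.

```powershell
# Added example (not from the original post): enable NTFS deletion auditing for the
# Windows Firewall log folder so that removing the folder or its contents produces
# Security log events 4663 (handle opened with DELETE access) and 4660 (object deleted).
# Assumption: the Domain profile's LogFileName points at the folder you care about;
# swap in Private/Public if that is the active profile on the server.

# 1. Turn on the Object Access > File System audit subcategory (success and failure).
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Resolve the folder that holds the firewall log from the firewall configuration.
$logFile = (Get-NetFirewallProfile -Name Domain).LogFileName
$folder  = Split-Path -Parent ([Environment]::ExpandEnvironmentVariables($logFile))

# If the folder has already been deleted, recreate it so the SACL can be applied;
# the audit rule set below is inherited by files and subfolders created beneath it later.
if (-not (Test-Path -LiteralPath $folder)) {
    New-Item -ItemType Directory -Path $folder | Out-Null
}

# 3. Build a SACL entry: audit Delete and DeleteSubdirectoriesAndFiles for Everyone,
#    inherited by subfolders and files, for both successful and failed attempts.
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $prop, $flags)

# 4. Append the rule to the folder's existing SACL and write it back.
$acl = Get-Acl -LiteralPath $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $folder -AclObject $acl

# 5. Verify the policy and the SACL that were applied.
auditpol /get /subcategory:"File System"
(Get-Acl -LiteralPath $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

Two caveats. Auditing only covers events from the moment it is enabled; a deletion that already happened leaves nothing in the Security log unless the SACL and policy were in place beforehand. And the SACL lives on the folder itself, so if the folder is deleted and recreated the rule is gone; to survive that, put the same audit rule on the parent directory with inheritance, at the cost of auditing everything else under it.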

6 Replies
You said you searched the timeline; did you also check the DeviceFileEvents table?
Looking at my org's data, I also don't see every FileDeleted event there; perhaps by default it only reports on specific folders due to event volume concerns. I didn't find anything online about possible limits on data in DeviceFileEvents, though.
That's why I thought we might need to turn on auditing.
Even stranger, I am testing with a file in my c:\temp folder. The folder has no auditing set. MDE has create and rename events for it, but I didn't get any FileDeleted event for it.

@jbmartin6 

That was my experience too 🙂 so it is not just me.

In my tenant at least, only EXE files generate a DeleteFile event
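Since the replies report that DeviceFileEvents does not reliably carry FileDeleted events for ordinary files, the local Security log is the place to answer "which process deleted it" once auditing is on. The script below is an added example, not from anyone in the thread. It reads 4663 and 4660 events from the last few days, keeps the 4663 records whose AccessMask includes DELETE (0x10000) on a path matching a filter, and joins them to the 4660 records on HandleId and ProcessId, because 4660 confirms the object was actually removed but carries no path of its own. The path filter and look-back window are assumptions to adjust for your server.

```powershell
# Added example (not from the thread): attribute a deletion to a process by correlating
# Security events 4663 (handle opened with DELETE access) and 4660 (object deleted).
# Requires the File System audit subcategory and a Delete SACL on the watched folder.
$PathFilter = 'LogFiles\Firewall'   # assumption: substring of the folder you are watching
$Days       = 7                      # assumption: how far back to read the Security log

# Flatten an event's EventData into a hashtable keyed by field name.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4660, 4663
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

# 4663: a handle was opened on an object under the watched path with DELETE (0x10000) requested.
$deleteOpens = foreach ($e in ($events | Where-Object Id -eq 4663)) {
    $d    = ConvertFrom-EventData $e
    $mask = [Convert]::ToInt64($d['AccessMask'], 16)
    if ($d['ObjectName'] -like "*$PathFilter*" -and ($mask -band 0x10000)) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Object    = $d['ObjectName']
            User      = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Process   = $d['ProcessName']
            ProcessId = $d['ProcessId']
            HandleId  = $d['HandleId']
        }
    }
}

# 4660: the object behind that handle was deleted. Join back to the 4663 that opened it.
$deleted = foreach ($e in ($events | Where-Object Id -eq 4660)) {
    $d    = ConvertFrom-EventData $e
    $open = $deleteOpens |
        Where-Object { $_.HandleId -eq $d['HandleId'] -and $_.ProcessId -eq $d['ProcessId'] } |
        Select-Object -First 1
    if ($open) {
        [pscustomobject]@{
            Deleted   = $e.TimeCreated
            Object    = $open.Object
            User      = $open.User
            Process   = $open.Process
            ProcessId = $open.ProcessId
        }
    }
}

$deleted | Sort-Object Deleted | Format-Table -AutoSize
```

A 4663 with DELETE access on its own only proves a handle was opened with that right, which Explorer and backup tools do routinely; the 4660 join is what separates an attempted or possible delete from a completed one. Note that HandleId values are reused over time, so keep the window short or add a time constraint between the two events if the log is busy.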