Sysmon Event ID 26


26: File Delete Logged

This is an event from Sysmon.


Good attackers clean up after themselves. This event logs file deletions, including which user and which program (Image) deleted the file, and a hash of the file's contents so the deleted file can still be identified after it is gone.

If you want to hold on to an actual copy of the file see event ID 23.


Description Fields in 26

  • Log Name
  • Source
  • Date
  • Event ID
  • Task Category
  • Level
  • Keywords
  • User
  • Computer
  • Description
  • RuleName
  • UtcTime
  • ProcessGuid
  • ProcessId
  • User
  • Image
  • TargetFilename
  • Hashes
  • IsExecutable


Examples of 26

Log Name:       Microsoft-Windows-Sysmon/Operational
Source:         Microsoft-Windows-Sysmon
Date:           4/15/2024  8:57:35 PM
Event ID:       26
Task Category: File Delete logged (rule: FileDeleteDetected)
Level:          Information
Keywords:      
User:           SYSTEM
Computer:       dc1.Win2022.local
Description: File Delete logged:
RuleName: -
UtcTime: 2024-04-16 03:57:35.123
ProcessGuid: {8a1a452d-2087-65de-9204-000000000500}
ProcessId: 516
User: win2022\administrator
Image: C:\Windows\Explorer.EXE
TargetFilename: C:\Users\bosshogg\AppData\Roaming\Microsoft\Windows\Recent\logs.lnk
Hashes: SHA1=BA90632BB2CE42BB40C93CD0B2A88E1FE7E0787E,MD5=9473398C90A26774335A3F8235A5ADC6,SHA256=D876955B30350ED09A90E37713A71E649667952C318B9C6879E855CC07B39430,IMPHASH=00000000000000000000000000000000
IsExecutable: false

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
    <EventID>26</EventID>
    <Version>5</Version>
    <Level>4</Level>
    <Task>26</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2024-02-27T17:48:55.9824794Z" />
    <EventRecordID>1057</EventRecordID>
    <Correlation />
    <Execution ProcessID="9596" ThreadID="11128" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>dc1.Win2022.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
<EventData>
  <Data Name="RuleName">-</Data>
  <Data Name="UtcTime">2024-02-27 17:48:55.967</Data>
  <Data Name="ProcessGuid">{8a1a452d-2087-65de-9204-000000000500}</Data>
  <Data Name="ProcessId">516</Data>
  <Data Name="User">win2022\administrator</Data>
  <Data Name="Image">C:\Windows\Explorer.EXE</Data>
  <Data Name="TargetFilename">C:\Users\bosshogg\AppData\Roaming\Microsoft\Windows\Recent\logs.lnk</Data>
  <Data Name="Hashes">SHA1=BA90632BB2CE42BB40C93CD0B2A88E1FE7E0787E,MD5=9473398C90A26774335A3F8235A5ADC6,SHA256=D876955B30350ED09A90E37713A71E649667952C318B9C6879E855CC07B39430,IMPHASH=00000000000000000000000000000000</Data>
  <Data Name="IsExecutable">false</Data> 
</EventData>
</Event>
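As an added example (not part of this page), a small Python parser that reads an Event ID 26 record from its Event Xml, turns the EventData fields into a dictionary, and splits the comma-separated Hashes string so the SHA256 can be used to match the deletion against an archived copy (Event ID 23) or a file-reputation lookup. The sample record is the one shown above; the namespace prefix `e` and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Default namespace used by every Windows event record (see the xmlns on <Event>).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sample record: the Event Xml from this page, System section trimmed to the fields used.
SAMPLE_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
    <EventID>26</EventID>
    <TimeCreated SystemTime="2024-02-27T17:48:55.9824794Z" />
    <Computer>dc1.Win2022.local</Computer>
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2024-02-27 17:48:55.967</Data>
    <Data Name="ProcessGuid">{8a1a452d-2087-65de-9204-000000000500}</Data>
    <Data Name="ProcessId">516</Data>
    <Data Name="User">win2022\administrator</Data>
    <Data Name="Image">C:\Windows\Explorer.EXE</Data>
    <Data Name="TargetFilename">C:\Users\bosshogg\AppData\Roaming\Microsoft\Windows\Recent\logs.lnk</Data>
    <Data Name="Hashes">SHA1=BA90632BB2CE42BB40C93CD0B2A88E1FE7E0787E,MD5=9473398C90A26774335A3F8235A5ADC6,SHA256=D876955B30350ED09A90E37713A71E649667952C318B9C6879E855CC07B39430,IMPHASH=00000000000000000000000000000000</Data>
    <Data Name="IsExecutable">false</Data>
  </EventData>
</Event>"""


def parse_hashes(field):
    """Split Sysmon's 'ALG=HEX,ALG=HEX,...' Hashes value into {ALG: HEX}."""
    return dict(part.split("=", 1) for part in field.split(",") if "=" in part)


def parse_event26(xml_text):
    """Return the EventData of a File Delete logged record as a dict.

    Raises ValueError for any other Event ID so a pipeline does not silently
    treat e.g. an Event ID 23 (File Delete archived) record as a 26.
    """
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    if event_id != 26:
        raise ValueError(f"expected Event ID 26, got {event_id}")
    ev = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    ev["Computer"] = root.findtext("e:System/e:Computer", namespaces=NS)
    ev["Hashes"] = parse_hashes(ev.get("Hashes", ""))
    # Sysmon writes the boolean as the literal strings "true"/"false".
    ev["IsExecutable"] = ev.get("IsExecutable", "false").lower() == "true"
    return ev


def sha256_for_lookup(ev):
    """The SHA256 a responder would use to find an archived copy (Event ID 23)."""
    return ev["Hashes"].get("SHA256")
```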
