Sysmon Event ID 26

Source

26: File Delete Logged

This is an event from Sysmon.

On this page

Description of this event
Field level details
Examples

Good attackers clean up after themselves. This event logs file deletions including which user and program and a hash of the contents of the file.

If you want to hold on to an actual copy of the file see event ID 23.

Free Security Log Resources by Randy

Description Fields in 26

Log Name
Source
Date
Event ID
Task Category
Level
Keywords
User
Computer
Description
RuleName
UtcTime
ProcessGuid
ProcessId
User
Image
TargetFilename
Hashes
IsExecutable

Supercharger Enterprise

Log Name:       Microsoft-Windows-Sysmon/Operational
Source:         Microsoft-Windows-Sysmon
Date:           4/15/2024 8:57:35 PM
Event ID:       26
Task Category: File Delete logged (rule: FileDeleteDetected)
Level:          Information
Keywords:
User:           SYSTEM
Computer: dc1.Win2022.local
Description: File Delete logged:
RuleName: -
UtcTime: 2024-04-16 03:57:35.123
ProcessGuid: {8a1a452d-2087-65de-9204-000000000500}
ProcessId: 516
User: win2022\administrator
Image: C:\Windows\Explorer.EXE
TargetFilename: C:\Users\bosshogg\AppData\Roaming\Microsoft\Windows\Recent\logs.lnk
Hashes: SHA1=BA90632BB2CE42BB40C93CD0B2A88E1FE7E0787E,MD5=9473398C90A26774335A3F8235A5ADC6,SHA256=D876955B30350ED09A90E37713A71E649667952C318B9C6879E855CC07B39430,IMPHASH=00000000000000000000000000000000
IsExecutable: false

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
  <EventID>26</EventID>
  <Version>5</Version>
    <Level>4</Level>
    <Task>26</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2024-02-27T17:48:55.9824794Z" />
    <EventRecordID>1057</EventRecordID>
    <Correlation />
    <Execution ProcessID="9596" ThreadID="11128" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>dc1.Win2022.local</Computer>
    <Security UserID="S-1-5-18" />
</System>
<EventData>
  <Data Name="RuleName">-</Data>
<Data Name="UtcTime">2024-02-27 17:48:55.967</Data>
<Data Name="ProcessGuid">{8a1a452d-2087-65de-9204-000000000500}</Data>
<Data Name="ProcessId">516</Data>
<Data Name="User">win2022\administrator</Data>
<Data Name="Image">C:\Windows\Explorer.EXE</Data>
<Data Name="TargetFilename">C:\Users\bosshogg\AppData\Roaming\Microsoft\Windows\Recent\logs.lnk</Data>
  <Data Name="Hashes">SHA1=BA90632BB2CE42BB40C93CD0B2A88E1FE7E0787E,MD5=9473398C90A26774335A3F8235A5ADC6,SHA256=D876955B30350ED09A90E37713A71E649667952C318B9C6879E855CC07B39430,IMPHASH=00000000000000000000000000000000</Data>
<Data Name="IsExecutable">false</Data>
</EventData>
</Event>

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Mini-Seminars Covering Event ID 26

Using Sysmon v6.01 to Really See What’s Happening on Endpoints; It’s Better than the Windows Security Log

Upcoming Webinars

Additional Resources

Encyclopedia

•	Event IDs
•	All Event IDs
•	Audit Policy

Go To Event ID:

Must be a 1-5 digit number No such event ID

Security Log
Quick Reference
Chart
Download now!

User name:
Password:
	/ Forgot?
	Register

July 2024 Patch Tuesday	"Patch Tuesday - Four Zero Days " - sponsored by Supercharger for Windows Event Collection

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.