Sysmon Event ID 23

Source: Sysmon

23: FileDelete

This is an event from Sysmon.


Good attackers clean up after themselves. This event creates an opportunity to hold on to malware files or data staged for exfiltration even when the attacker deletes them. It is of course important to specify selection criteria with the TargetFilename element of the Sysmon configuration rule for this event so that you don't hold on to every file deleted across the entire system and fill up storage. With file deletions caught by this event, Sysmon not only logs the deletion but moves the file to a specified archive directory (c:\sysmon by default). If you only want to know about the deletion of the file but not keep an actual copy, see Event ID 26.
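A Sysmon configuration fragment that scopes Event ID 23 the way the paragraph above recommends: a narrow include list on TargetFilename, an exclude for the noisy Exchange diagnostics deletions seen in the sample event below, and an explicit ArchiveDirectory. This is an added example, not from this page or the Sysmon project; the extensions and paths are illustrative choices.

```xml
<Sysmon schemaversion="4.50">
  <!-- Algorithms reported in the Hashes field of each event -->
  <HashAlgorithms>sha1,md5,sha256,imphash</HashAlgorithms>
  <!-- Directory name created at each volume root for archived copies
       (Sysmon is the default, giving C:\Sysmon on the system drive) -->
  <ArchiveDirectory>Sysmon</ArchiveDirectory>
  <EventFiltering>
    <!-- Include: keep copies of executables, scripts and archives,
         plus anything deleted from common staging locations (illustrative) -->
    <RuleGroup name="FileDelete include" groupRelation="or">
      <FileDelete onmatch="include">
        <TargetFilename condition="end with">.exe</TargetFilename>
        <TargetFilename condition="end with">.dll</TargetFilename>
        <TargetFilename condition="end with">.ps1</TargetFilename>
        <TargetFilename condition="end with">.bat</TargetFilename>
        <TargetFilename condition="end with">.vbs</TargetFilename>
        <TargetFilename condition="end with">.zip</TargetFilename>
        <TargetFilename condition="end with">.7z</TargetFilename>
        <TargetFilename condition="end with">.rar</TargetFilename>
        <TargetFilename condition="begin with">C:\Users\Public\</TargetFilename>
        <TargetFilename condition="contains">\AppData\Local\Temp\</TargetFilename>
      </FileDelete>
    </RuleGroup>
    <!-- Exclude (takes precedence over include): the Exchange diagnostics
         service rotating its own .blg performance logs, as in the sample event -->
    <RuleGroup name="FileDelete exclude" groupRelation="or">
      <FileDelete onmatch="exclude">
        <Rule groupRelation="and">
          <Image condition="end with">\Microsoft.Exchange.Diagnostics.Service.exe</Image>
          <TargetFilename condition="end with">.blg</TargetFilename>
        </Rule>
      </FileDelete>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Apply with `sysmon64 -c <config.xml>` and confirm the result by watching the Microsoft-Windows-Sysmon/Operational channel for Event ID 23 with Archived set to true.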


Description Fields in 23

  • Log Name
  • Source
  • Date
  • Event ID
  • Task Category
  • Level
  • Keywords
  • User
  • Computer
  • Description
  • RuleName
  • UtcTime
  • ProcessGuid
  • ProcessId
  • User
  • Image
  • TargetFilename
  • Hashes
  • IsExecutable
  • Archived


Examples of 23

Log Name:       Microsoft-Windows-Sysmon/Operational
Source:         Microsoft-Windows-Sysmon
Date:           4/15/2021 1:07:01 PM
Event ID:       23
Task Category: File Delete (rule: FileDelete)
Level:          Information
Keywords:      
User:           SYSTEM
Computer:       w19-ex-111.Win2019.local
Description: File Delete:
RuleName: -
UtcTime: 2021-04-15 20:06:32.807
ProcessGuid: {ff9115ad-7ba0-6078-bf00-000000002c00}
ProcessId: 6468
User: NT AUTHORITY\SYSTEM
Image: C:\Program Files\Microsoft Exchange\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe
TargetFileName: C:\Program Files\Microsoft\Exchange Server\V15\Logging\Diagnostics\PerformanceLogsToBeProcessed\ExchangeDiagnosticsPerformanceLog_04151301.blg
Hashes: SHA1=9EB203E8CD0DA806D91D6C2EB9669C28E29D5330,MD5=234A0C813539AB6B2CCAE02EAD314381,SHA256=48ED6A8C89DB330140D82BA0FE8F1D901645A0E18262172E6CDACE57C18B9720,IMPHASH=00000000000000000000000000000000
IsExecutable: false
Archived: true

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
    <EventID>23</EventID>
    <Version>5</Version>
    <Level>4</Level>
    <Task>23</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2021-04-15T20:06:32.807639900Z" />
    <EventRecordID>8951</EventRecordID>
    <Correlation />
    <Execution ProcessID="3500" ThreadID="5140" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>w19-ex-111.Win2019.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2021-04-15 20:06:32.807</Data>
    <Data Name="ProcessGuid">{ff9115ad-7aff-6078-4000-000000002c00}</Data>
    <Data Name="ProcessId">6468</Data>
    <Data Name="User"> NT AUTHORITY\SYSTEM</Data>
    <Data Name="Image">C:\Program Files\Microsoft Exchange\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe</Data>
    <Data Name="TargetFilename">C:\Program Files\Microsoft\Exchange Server\V15\Logging\Diagnostics\PerformanceLogsToBeProcessed\ExchangeDiagnosticsPerformanceLog_04151301.blg</Data>
    <Data Name="Hashes">SHA1=9EB203E8CD0DA806D91D6C2EB9669C28E29D5330,MD5=234A0C813539AB6B2CCAE02EAD314381,SHA256=48ED6A8C89DB330140D82BA0FE8F1D901645A0E18262172E6CDACE57C18B9720,IMPHASH=00000000000000000000000000000000</Data>
    <Data Name="IsExecutable">false</Data>
    <Data Name="Archived">true</Data>
  </EventData>
</Event>
