MicrosoftDocs / sysinternals

Content for sysinternals.com
http://sysinternals.com
Creative Commons Attribution 4.0 International
474 stars 260 forks source link

Sysmon: FileSystem Audit like event #382

Open qjerome opened 3 years ago

qjerome commented 3 years ago

Dear Sysmon contributors,

I am opening a Sysmon feature request over this repository as I did not find any other place to do it but also because I saw some previous feature request were handled in this repo. I am using Sysmon since several years and I follow its great evolution very closely (as I am developing tools on top of it). However I think there is still a missing piece, more advanced File System auditing like file accessed along with the access rights requested (in short, the same degree of information we can get in Security events 4663 https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663).

I agree that more granular File System auditing can be achieved by configuring System Audit Policies. However this approach is not straightforward as it first requires configuring Group Policies, then it needs specific Auditing to be configured on a per directory basis. Another downside of this approach is that we don't benefit of all the correlation and time-lining capabilities Sysmon brings (ProcessGUID and UtcTime fields).

This feature would make Sysmon even more powerful as it could be able to detect file modifications as well as unwanted file access. We can imagine several detection rules based on those events, here are my use cases:

I hope my description was clear enough.

Thank you for your work,

foxmsft commented 3 years ago

Thank you for the suggestion! Considering this. In the meanwhile, ProcMon might help you a little with what you need. I realize it's very different from what Sysmon delivers.

qjerome commented 3 years ago

Thank you for your feedback. However, I see ProcMon more like a debugging tool while Sysmon is more for monitoring. I am indeed interested into monitoring such events. As explained, this information is available for logging, through Audit File System policies + specific file/folder configuration. Having these events in Sysmon would simplify a lot of things but also take advantage of event correlation Sysmon brings (over ProcessGUID event field).

tbennett6421 commented 2 years ago

I love the idea of implementing this as detections for honey files/directories.

qjerome commented 2 years ago

@tbennett6421 If it is not for production (because very verbose) I think you can give a try to ETW channel Microsoft-Windows-Kernel-File (guid: {edd08927-9cc4-4e65-b970-c2560fb5c289}) but expect a lot of events (hundreds per seconds). NB: it is not a ideal solution to the issue because this ETW channel is too noisy, I still believe a specific implementation in Sysmon would be better.

mschilt commented 2 years ago

I also think this could be helpful for honey/canary files.