Open qjerome opened 3 years ago
Thank you for the suggestion! Considering this. In the meanwhile, ProcMon might help you a little with what you need. I realize it's very different from what Sysmon delivers.
Thank you for your feedback. However, I see ProcMon more like a debugging tool, while Sysmon is more for monitoring. I am indeed interested in monitoring such events. As explained, this information is available for logging through Audit File System policies + specific file/folder configuration. Having these events in Sysmon would simplify a lot of things and would also take advantage of the event correlation Sysmon brings (over the ProcessGUID event field).
I love the idea of implementing this as detections for honey files/directories.
@tbennett6421 If it is not for production (because it is very verbose), I think you can give the ETW channel Microsoft-Windows-Kernel-File (guid: {edd08927-9cc4-4e65-b970-c2560fb5c289}) a try, but expect a lot of events (hundreds per second). NB: it is not an ideal solution to the issue because this ETW channel is too noisy; I still believe a specific implementation in Sysmon would be better.
I also think this could be helpful for honey/canary files.
Dear Sysmon contributors,
I am opening a Sysmon feature request in this repository as I did not find any other place to do it, but also because I saw some previous feature requests were handled in this repo. I have been using Sysmon for several years and I follow its great evolution very closely (as I am developing tools on top of it). However, I think there is still a missing piece: more advanced File System auditing, like files accessed along with the access rights requested (in short, the same degree of information we can get in Security event 4663, https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663).
I agree that more granular File System auditing can be achieved by configuring System Audit Policies. However, this approach is not straightforward, as it first requires configuring Group Policies, and then specific Auditing needs to be configured on a per-directory basis. Another downside of this approach is that we don't benefit from all the correlation and time-lining capabilities Sysmon brings (ProcessGUID and UtcTime fields).
This feature would make Sysmon even more powerful, as it would be able to detect file modifications as well as unwanted file access. We can imagine several detection rules based on those events; here are my use cases:
I hope my description was clear enough.
Thank you for your work,
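The workaround the request describes (Audit File System policy plus a per-directory SACL, then reading event 4663) applied to a honey directory, as an added example that is not code from this thread or from Sysmon itself. `$HoneyDir` is a hypothetical placeholder path and the commands assume an elevated PowerShell session.

```powershell
# Added example (not code from the issue thread): audit a honey directory with
# the built-in "Audit File System" policy + a SACL, then pull the resulting
# 4663 events. $HoneyDir is a hypothetical placeholder; run as Administrator.
$HoneyDir = 'C:\Finance\Payroll_Archive'

# 1. Turn on the Object Access > File System audit subcategory (success and failure).
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add an audit ACE (SACL) to the honey directory; without it no 4663 is written.
New-Item -ItemType Directory -Path $HoneyDir -Force | Out-Null
$acl  = Get-Acl -Path $HoneyDir -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $HoneyDir -AclObject $acl

# 3. Collect 4663 events under the honey path and flatten EventData into fields.
#    Note: 4663 carries ProcessId/ProcessName but no ProcessGUID, so correlation
#    with Sysmon events has to be done on PID + time, which is the gap the issue describes.
function Get-HoneyFileAccess {
    param([string]$Path, [datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.ObjectName -like "$Path*") {
                [pscustomobject]@{
                    Time       = $_.TimeCreated
                    User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    ProcessId  = [int]$d.ProcessId        # logged as hex, e.g. 0x1a4
                    Process    = $d.ProcessName
                    Object     = $d.ObjectName
                    AccessMask = $d.AccessMask            # e.g. 0x1 ReadData, 0x2 WriteData, 0x10000 DELETE
                }
            }
        }
}

Get-HoneyFileAccess -Path $HoneyDir | Format-Table -AutoSize
```

Any hit on the honey path is by definition suspicious, so the output can be forwarded as-is; the AccessMask tells you whether the file was only read or also modified or deleted.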