Microsoft releases Sysmon 11 with automatic archiving of deleted files

Microsoft has released Sysmon 11, which allows users to monitor for, and automatically archive, files deleted on a monitored device.

For reference, Sysmon is a Sysinternals tool that monitors a system for malicious activity and logs those events to the Windows event log. Through this, defenders can detect malicious activity on their network after a breach, or perform incident response and digital forensics to learn how an attack took place.

With the Sysmon 11 release, Sysmon can monitor file deletions and automatically archive the files as they are deleted. This helps incident responders who are performing digital forensics or mitigating a security breach.

When a network is breached, attackers use a variety of tools to spread laterally through it. Once they have access, they harvest valuable data and deploy malware such as ransomware. Attackers commonly delete these tools afterwards so that incident responders and researchers cannot analyze them for weaknesses or learn how the network was breached.

With Sysmon's new file deletion monitoring and archiving feature, recovering the tools and malware executables used in an attack becomes much easier for incident responders. These files help researchers learn more about the attackers' tactics, techniques and procedures in order to build better defenses.

You can download Sysmon 11 from the Sysinternals Sysmon page or from https://live.sysinternals.com/sysmon.exe. After downloading, run it from an elevated command prompt, since it requires administrative privileges to install and operate.

By default, Sysmon logs basic information such as process creation and file creation time changes, but it can be configured to log many other events. To use the new feature, add the ArchiveDirectory and FileDelete configuration options to your Sysmon configuration file, then install Sysmon with that configuration using the following command:

sysmon -i sysmon.xml

If Sysmon is already installed, sysmon -c sysmon.xml updates the running configuration instead of reinstalling. In the basic configuration file, ArchiveDirectory is set to DeletedFiles, so Sysmon creates a DeletedFiles folder at the root of each volume and stores a copy of every archived deleted file there.

The FileDelete rule uses onmatch="exclude" with no filters, which means every deletion is logged and archived unless you add exclude filters to trim noise. When Sysmon starts with this configuration, it begins logging file deletion events (Event ID 23) to Applications and Services Logs/Microsoft/Windows/Sysmon/Operational in Event Viewer.
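The steps above (write the configuration, then install or update Sysmon with it) put together as one PowerShell script. This is an added example, not the article's or Microsoft's own configuration: it assumes sysmon.exe sits in the current directory, that schema version 4.30 is the one shipped with Sysmon 11, and the C:\Windows\Temp\ exclude filter is only an illustration of how to cut noise.

```powershell
# Added example (not from the article): minimal Sysmon 11 configuration that enables
# file-delete archiving, written to disk and then installed from an elevated prompt.
# Assumptions: sysmon.exe is in the current directory; schemaversion 4.30 is the Sysmon 11
# schema; the Windows\Temp exclusion is illustrative only.
$config = @'
<Sysmon schemaversion="4.30">
  <!-- Archived copies are named <hash>.<ext>; SHA1 matches the file name format shown in the article -->
  <HashAlgorithms>sha1</HashAlgorithms>
  <!-- Folder created at the root of each volume and protected with a System ACL -->
  <ArchiveDirectory>DeletedFiles</ArchiveDirectory>
  <EventFiltering>
    <!-- onmatch="exclude" with no filters archives every deletion; each filter below removes noise -->
    <FileDelete onmatch="exclude">
      <!-- Illustrative (assumed) noise filter: ignore deletions under the Windows temp folder -->
      <TargetFilename condition="begin with">C:\Windows\Temp\</TargetFilename>
    </FileDelete>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path .\sysmon.xml -Value $config -Encoding ASCII

# -i installs with the config; if the Sysmon service already exists, -c replaces the running config.
# (The service is named after the executable: sysmon.exe -> Sysmon, Sysmon64.exe -> Sysmon64.)
if (Get-Service -Name Sysmon -ErrorAction SilentlyContinue) {
    & .\sysmon.exe -c .\sysmon.xml
} else {
    & .\sysmon.exe -accepteula -i .\sysmon.xml
}
```

Start with an empty exclude list on a test host, watch the volume of Event ID 23 entries and the size of the DeletedFiles folder for a day, and then add exclude filters for the noisiest benign paths; excluding too aggressively up front is how the one attacker tool you wanted ends up not archived.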

When a file is deleted from the C: drive, it is archived in C:\DeletedFiles under the name <SHA1 hash>.<original extension>. For example, a deleted executable would be archived as C:\DeletedFiles\C24FEDB9B8A592722D5A9ADB34D276FC3B329D6F.exe. The Hashes field of the corresponding Event ID 23 entry records the same hash, which is how a deletion event is matched to its archived copy.

This directory is protected with a System ACL, so even administrators cannot browse it directly. To access it, download psexec.exe and launch a command prompt running as SYSTEM with this command:

psexec -sid cmd

From that SYSTEM command prompt, the archived files can be listed and copied out for analysis.
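A triage script that ties the two halves together: it reads the Event ID 23 entries from the Sysmon operational log and, for each one, computes where the archived copy should be (volume root, the DeletedFiles folder, the SHA1 hash plus the original extension) and checks whether it is there. This is an added example, not code from the article or from Sysinternals. It assumes the configuration uses DeletedFiles as the archive directory name and sha1 as the hash algorithm, and it must be run from a SYSTEM shell (for example psexec -sid powershell) because the System ACL on the archive folder otherwise makes the existence check fail.

```powershell
# Added example (not from the article): list Sysmon FileDelete events (Event ID 23) and map
# each one to its archived copy. Assumes <ArchiveDirectory>DeletedFiles</ArchiveDirectory>
# and sha1 hashing; run from a SYSTEM shell so Test-Path can see inside the archive folder.
function Get-SysmonDeletedFile {
    param(
        [string]$ArchiveDirectory = 'DeletedFiles',   # value configured in <ArchiveDirectory>
        [int]$MaxEvents = 500
    )
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 23 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            # Read EventData by field name rather than by position, so a later schema
            # change that reorders fields does not silently shift the columns.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            $target = $data['TargetFilename']
            # Hashes looks like "SHA1=C24FED...,MD5=..." depending on <HashAlgorithms>;
            # the archive file name uses the configured hash, here SHA1.
            $sha1 = if ($data['Hashes'] -match 'SHA1=([0-9A-Fa-f]{40})') { $Matches[1] } else { $null }
            $volume  = [System.IO.Path]::GetPathRoot($target)      # e.g. C:\
            $ext     = [System.IO.Path]::GetExtension($target)     # e.g. .exe
            $archive = if ($sha1) { Join-Path (Join-Path $volume $ArchiveDirectory) "$sha1$ext" }

            [pscustomobject]@{
                Time         = $_.TimeCreated
                User         = $data['User']
                Process      = $data['Image']          # process that performed the delete
                Deleted      = $target
                IsExecutable = $data['IsExecutable']
                Archived     = $data['Archived']       # Sysmon's own record of whether it kept a copy
                ArchivePath  = $archive
                # Only true from a SYSTEM context, because of the System ACL on the folder
                Recovered    = if ($archive) { Test-Path -LiteralPath $archive } else { $false }
            }
        }
}

# Triage view: deleted executables whose archived copy is present, newest first
Get-SysmonDeletedFile |
    Where-Object { $_.IsExecutable -eq 'true' -and $_.Recovered } |
    Sort-Object Time -Descending |
    Format-Table Time, User, Process, Deleted, ArchivePath -AutoSize
```

The Process column is the quickest pivot: a deletion performed by cmd.exe or a scripting host against a file the same user dropped minutes earlier is exactly the clean-up behaviour described above, and the ArchivePath gives you the sample to pull.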

The above is just a sample of what System Monitor can do. To learn more about this tool, refer to the documentation on the Sysinternals site.