Event ID 23 — FileDelete (File Delete archived)
Description
A file was deleted, and a copy of the deleted file is saved in the ArchiveDirectory.
Fields

| Name | Type | Description |
|---|---|---|
| RuleName | UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID |
| UtcTime | UnicodeString → string | Time in UTC when event was created |
| ProcessGuid | GUID → GUID | Process GUID of the process that deleted the file |
| ProcessId | UInt32 → PID | Process ID used by the OS to identify the process that deleted the file |
| User | UnicodeString → string | Name of the account that deleted the file |
| Image | UnicodeString → string | File path of the process that deleted the file |
| TargetFilename | UnicodeString → string | Full path name of the deleted file |
| Hashes | UnicodeString → string | Hashes captured by the Sysmon driver of the deleted file |
| IsExecutable | Boolean → boolean | Whether the deleted file is a PE executable |
| Archived | UnicodeString → string | States if the file was archived when deleted |
Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 23,
    "version": 5,
    "level": 4,
    "task": 23,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2020-10-20T11:50:55.461859Z",
    "event_record_id": 769,
    "correlation": {},
    "execution": {
      "process_id": 7212,
      "thread_id": 9748
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "DESKTOP-NTSSLJD",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2020-10-20 11:50:55.457",
    "ProcessGuid": "23F38D93-CF1F-5F8E-CA08-000000000C00",
    "ProcessId": 8736,
    "User": "DESKTOP-NTSSLJD\\den",
    "Image": "C:\\Program Files\\Internet Explorer\\IEInstal.exe",
    "TargetFilename": "C:\\Users\\den\\AppData\\Local\\Temp\\dfcc1807-03a1-4ae1-ab29-5675b285edea\\consent.exe.dat",
    "Hashes": "SHA1=6BFB38629570909D3D9EEDFC783A948CE7849105,MD5=EE2A1C85C472F89B146CC8EE598CCCBC,SHA256=19FD0010DA92B654D1CA270247061A39EA13C0A58529FD8257A97E2EF7794911,IMPHASH=522D83761201075834F05037F5307949",
    "IsExecutable": true,
    "Archived": "true"
  }
}
```
Detection Rules
Sigma

- Process Deletion of Its Own Executable (level: medium): Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces. Also matches Event ID 26: FileDeleteDetected (File Delete logged).
Splunk

- Windows Mark Of The Web Bypass: The following analytic identifies a suspicious process that deletes the Mark-of-the-Web (MOTW) data stream. It leverages Sysmon EventCode 23 to detect when a file's Zone.Identifier stream is removed. This activity is significant because it is a common technique used by malware, such as Ave Maria RAT, to bypass security restrictions on files downloaded from the internet. If confirmed malicious, this behavior could allow an attacker to execute potentially harmful files without triggering security warnings, leading to further compromise of the system.
- Windows Rdp AutomaticDestinations Deletion: This detection identifies the deletion of files within the AutomaticDestinations folder, located under a user's AppData\Roaming\Microsoft\Windows\Recent directory. These files are part of the Windows Jump List feature, which records recently accessed files and folders tied to specific applications. Each .automaticDestinations-ms file corresponds to a program (e.g., Explorer, Word, Notepad) and can be valuable for forensic analysis of user activity. Adversaries may target this folder to erase evidence of their actions, such as which documents or directories were accessed during a session. This type of deletion is rarely seen during normal user activity and may indicate deliberate anti-forensic behavior. When correlated with suspicious logon events, RDP usage, or script execution, this activity may represent an attempt to cover tracks after data access, lateral movement, or staging for exfiltration. Detecting removal of these artifacts can highlight post-compromise cleanup efforts and help analysts reconstruct attacker behavior. Also matches Event ID 26: FileDeleteDetected (File Delete logged).
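Added example, not code from this reference or from the Sigma/Splunk projects: the three rule descriptions above expressed as checks over Event ID 23/26 records in the JSON layout of the example event, plus a parser for the Hashes field. The sample records, paths and record ids below are constructed for illustration.

```python
"""Apply the FileDelete detection patterns from this page to Sysmon records.
Added example, not part of the Sysmon reference; sample data is constructed."""

def parse_hashes(hashes):
    """Split Sysmon's 'SHA1=...,MD5=...' Hashes field into {algorithm: hex}."""
    return dict(part.split("=", 1) for part in hashes.split(",") if "=" in part)

def classify(event_data):
    """Return the detection patterns one event_data record matches."""
    image = event_data["Image"].lower()
    target = event_data["TargetFilename"].lower()
    hits = []
    # Sigma "Process Deletion of Its Own Executable": deleting process == deleted file
    if image == target:
        hits.append("self_delete")
    # Splunk "Mark Of The Web Bypass": the Zone.Identifier alternate data stream is removed
    if target.endswith(":zone.identifier"):
        hits.append("motw_bypass")
    # Splunk "Rdp AutomaticDestinations Deletion": a Jump List file under Recent is removed
    jump_dir = "\\appdata\\roaming\\microsoft\\windows\\recent\\automaticdestinations\\"
    if jump_dir in target and target.endswith(".automaticdestinations-ms"):
        hits.append("jumplist_deletion")
    return hits

def scan(events):
    """Map event_record_id -> matched patterns for FileDelete (23) / FileDeleteDetected (26)."""
    return {e["system"]["event_record_id"]: classify(e["event_data"])
            for e in events if e["system"]["event_id"] in (23, 26)}

def make_event(record_id, image, target, event_id=23):
    """Build a minimal record in the layout of the example event (constructed data)."""
    return {"system": {"event_id": event_id, "event_record_id": record_id},
            "event_data": {"Image": image, "TargetFilename": target}}

# Constructed sample records; record ids 770+ and the paths are illustrative only.
USER = "C:\\Users\\den"
SAMPLE_EVENTS = [
    make_event(769, "C:\\Program Files\\Internet Explorer\\IEInstal.exe",
               USER + "\\AppData\\Local\\Temp\\consent.exe.dat"),          # page's example record
    make_event(770, USER + "\\AppData\\Local\\Temp\\updater.exe",
               USER + "\\AppData\\Local\\Temp\\updater.exe"),                # deletes itself
    make_event(771, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
               USER + "\\Downloads\\report.docx:Zone.Identifier"),           # MOTW stream removed
    make_event(772, "C:\\Windows\\System32\\cmd.exe", USER + "\\AppData\\Roaming\\Microsoft"
               "\\Windows\\Recent\\AutomaticDestinations\\0123456789abcdef.automaticDestinations-ms"),
    make_event(773, "C:\\Windows\\explorer.exe", USER + "\\Desktop\\old.txt", event_id=11),  # not a delete
]

if __name__ == "__main__":
    for rid, hits in scan(SAMPLE_EVENTS).items():
        print(rid, hits or "no match")
```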