Event ID 26 — FileDeleteDetected (File Delete logged)
Description
A file was deleted.
Message #
Fields #
| Name | Description |
|---|---|
RuleName UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID |
UtcTime UnicodeString → string | Time in UTC when event was created |
ProcessGuid GUID → GUID | Process GUID of the process that deleted the file |
ProcessId UInt32 → PID | Process ID used by the OS to identify the process that deleted the file |
User UnicodeString → string | Name of the account who deleted the file. |
Image UnicodeString → string | File path of the process that deleted the file |
TargetFilename UnicodeString → string | Full path name of the deleted file |
Hashes UnicodeString → string | Hashes captured by the Sysmon driver of the deleted file |
IsExecutable Boolean → boolean | Whether the deleted file is a PE executable |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"event_source_name": "",
"event_id": 26,
"version": 5,
"level": 4,
"task": 26,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T02:04:29.353937+00:00",
"event_record_id": 1441136,
"correlation": {},
"execution": {
"process_id": 7064,
"thread_id": 9788
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2023-11-06 02:04:29.346",
"ProcessGuid": "E56ADA26-3974-6548-1E08-000000000D00",
"ProcessId": 18984,
"User": "NT AUTHORITY\\SYSTEM",
"Image": "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe",
"TargetFilename": "C:\\ProgramData\\Malwarebytes\\MBAMService\\config\\MbamClientConfig.json",
"Hashes": "SHA1=313DF92678806809A0DA4150870A71DEEEC67790,MD5=48523B42CDEEC91FF7020302F0EF58D5,SHA256=54A882E183B3882F54222737ED16BA98E06D91C30DECD478BF9C0EDBE6728BFB,IMPHASH=00000000000000000000000000000000",
"IsExecutable": false
},
"message": ""
}
Detection Patterns #
15 rules
Sigma
Splunk
14 rules
Sigma
Show 8 more (11 total)
Sunburst And Supernova Backdoor
Detection Rules #
View all rules referencing this event →
Sigma # view in reference
- Process Deletion of Its Own Executable source medium: Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces.↳ also matches:Event ID 23: FileDelete (File Delete archived)
Splunk # view in reference
- Windows Rdp AutomaticDestinations Deletion source: This detection identifies the deletion of files within the AutomaticDestinations folder, located under a user’s AppData\Roaming\Microsoft\Windows\Recent directory. These files are part of the Windows Jump List feature, which records recently accessed files and folders tied to specific applications. Each .automaticDestinations-ms file corresponds to a program (e.g., Explorer, Word, Notepad) and can be valuable for forensic analysis of user activity. Adversaries may target this folder to erase evidence of their actions, such as which documents or directories were accessed during a session. This type of deletion is rarely seen during normal user activity and may indicate deliberate anti-forensic behavior. When correlated with suspicious logon events, RDP usage, or script execution, this activity may represent an attempt to cover tracks after data access, lateral movement, or staging for exfiltration. Detecting removal of these artifacts can highlight post-compromise cleanup efforts and help analysts reconstruct attacker behavior.↳ also matches:Event ID 23: FileDelete (File Delete archived)