[Windows 2008 R2 File System audit]
When I delete the file, two event log audit messages appear: 4663, which means a request for file deletion, and 4660, which confirms the deletion. They can be joined by the Handle attribute.
When I rename the file, two event log audit messages appear: 4663, which means a request for file deletion, and 4663 for creating the new file (but there is only the folder path, no filename).
When I move the file from one folder to another, the picture is the same as for renaming (because moving is actually renaming, OK).
When I create a new file, no events appear.
So, questions:
1. What am I missing to audit file creation?
2. What am I missing to audit file renaming?
My AuditPol.EXE exports (DACL and SACL):
Category/Subcategory                      Setting
System
  Security System Extension               Failure
  System Integrity                        Failure
  IPsec Driver                            Failure
  Other System Events                     Failure
  Security State Change                   Failure
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success and Failure
  Account Lockout                         Success and Failure
  IPsec Main Mode                         Success and Failure
  IPsec Quick Mode                        Success and Failure
  IPsec Extended Mode                     Success and Failure
  Special Logon                           Success and Failure
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   Success and Failure
Object Access
  File System                             Success
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
Privilege Use
  Sensitive Privilege Use                 Failure
  Non Sensitive Privilege Use             Failure
  Other Privilege Use Events              Failure
Detailed Tracking
  Process Termination                     Failure
  DPAPI Activity                          Failure
  RPC Events                              Failure
  Process Creation                        Failure
Policy Change
  Audit Policy Change                     Failure
  Authentication Policy Change            Failure
  Authorization Policy Change             Failure
  MPSSVC Rule-Level Policy Change         Failure
  Filtering Platform Policy Change        Failure
  Other Policy Change Events              Failure
Account Management
  User Account Management                 Failure
  Computer Account Management             Failure
  Security Group Management               Failure
  Distribution Group Management           Failure
  Application Group Management            Failure
  Other Account Management Events         Failure
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                Success
Account Logon
  Kerberos Service Ticket Operations      Success and Failure
  Other Account Logon Events              Success and Failure
  Kerberos Authentication Service         Success and Failure
  Credential Validation                   Success and Failure
Entry: 1
Resource Type: File
User: CONTOSO\Domain Users
Flags: Success
Accesses:
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_DELETE_CHILD
DELETE
The command was successfully executed.
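The handle join described in the question, as an added PowerShell example that is not part of the original post: it flattens 4663 and 4660 Security events, groups them by Handle ID together with Process ID (handle values are reused once a handle closes), and labels a handle that requested DELETE and then produced a 4660 as a completed delete, versus one that requested DELETE with no 4660, which is the rename pattern above. Function names are invented for this example and the sample records are constructed; the live Get-WinEvent query is left as a comment.

```powershell
# Added example, not code from the original question or answer. Joins 4663
# (access requested) and 4660 (object deleted) Security events on Handle ID
# plus Process ID, because handle values are reused once a handle closes.
# Assumes "Object Access > File System" is audited for Success, as in the
# auditpol export above. Function names here are made up for this example.

function Convert-SecurityEvent {
    # Flatten a Get-WinEvent record into the fields the join needs.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Id = $Event.Id; Time = $Event.TimeCreated
            ProcessId = $data['ProcessId']; HandleId = $data['HandleId']
            Object = $data['ObjectName']; AccessMask = $data['AccessMask']  # absent on 4660
        }
    }
}

function Get-FileAuditOperation {
    # Classify each (process, handle) pair: a 4663 carrying the DELETE right
    # (0x10000) followed by a 4660 is a completed delete; DELETE with no 4660
    # is the rename pattern from the question; anything else is plain access.
    param([Parameter(Mandatory)] [object[]] $Records)
    $Records | Group-Object { "$($_.ProcessId)|$($_.HandleId)" } | ForEach-Object {
        $opens       = @($_.Group | Where-Object Id -eq 4663)
        $deleted     = @($_.Group | Where-Object Id -eq 4660).Count -gt 0
        $wantsDelete = @($opens | Where-Object { ([int]$_.AccessMask) -band 0x10000 }).Count -gt 0
        $kind = if ($deleted)         { 'Delete' }
                elseif ($wantsDelete) { 'Rename (DELETE requested, no 4660)' }
                else                  { 'Other access' }
        [pscustomobject]@{
            Key = $_.Name; Kind = $kind
            Object = ($opens | Select-Object -First 1).Object
            Masks  = @($opens | ForEach-Object AccessMask) -join ','
        }
    }
}

# Live use: $records = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663,4660} -MaxEvents 1000 | Convert-SecurityEvent
# Constructed sample records standing in for that query so the script runs offline:
$records = @(
    [pscustomobject]@{Id=4663; Time=(Get-Date); ProcessId='0x4d0'; HandleId='0x1a4'; Object='C:\share\old.docx';    AccessMask='0x10000'}
    [pscustomobject]@{Id=4660; Time=(Get-Date); ProcessId='0x4d0'; HandleId='0x1a4'; Object=$null;                  AccessMask=$null}
    [pscustomobject]@{Id=4663; Time=(Get-Date); ProcessId='0x4d0'; HandleId='0x2b0'; Object='C:\share\report.docx'; AccessMask='0x10000'}
    [pscustomobject]@{Id=4663; Time=(Get-Date); ProcessId='0x4d0'; HandleId='0x2b4'; Object='C:\share\notes.txt';   AccessMask='0x2'}
)
Get-FileAuditOperation -Records $records | Format-Table -AutoSize
```

With the constructed records, handle 0x1a4 is reported as Delete, 0x2b0 as the rename pattern, and 0x2b4 (write access only) as Other access.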
This is a complex answer. While I collect the relevant links (which consist of the reasons¹ this is hard to reliably accomplish within the auditing system) try this:
Use SysMon and pivot off of EventID 2.
Related unanswered question.
¹ They all boil down to behavior of the CreateFile() API, different parameters it can receive, from where, hooking, architecture and what the consumer does with the handle after they get it. Detecting changes to the created file time should get rid of all of that.