Friday, June 21, 2019

Microsoft Bug? Shift + Delete does not generate 4660 Event

By Tony Lee

If you have ever searched for anything along the lines of:  "How do I discover who deleted a file", you will probably find a dozen articles or more telling you to check for Windows Event ID 4660.

Some examples of excellent search results and resources can be found below (lmgtfy):

Then the article will most likely mention that Event ID 4660 lacks the object name (son of a biscuit!) and you will need to map the event using the handle ID to Event ID 4656 or Event ID 4663 (with an Accesses=DELETE).  No problem, we've got this.  But what do you do if 4660 is not always created? This can happen!  (Dun... dun... duuuuunn.....)

Discovery

There are obviously multiple ways to delete a file such as the following:
  • Delete key
  • Right Click > Delete
  • "del" from a command prompt
  • Shift + Delete
Every single method above generates a 4660 (and 4663) except the last one, Shift + Delete, which happens to be my personal favorite way to delete a file.  :-(  Delete it like you mean it...

Test Methodology

The discovery was frustrating and quite accidental. While deleting files, we noticed that no 4660 (or even 4663) logs were being created when we used Shift + Delete. In utter disbelief, we set up the following to prove our sanity:
  • Enable all necessary auditing (lots of articles on this)
  • Open Event Viewer > Windows Logs > Security > Filter Current Log > 4660 in the filter box
  • Create 4 text files which you will delete using the methods above
  • Delete one file at a time and wait for Event Viewer to notify you of a new log
  • Notice that Shift + Delete DOES NOT GENERATE A 4660!

Figure 1:  Test methodology shown above with Event Viewer, filters, notifications, and four files to delete


Conclusion

We all know that Windows logging is horrible, but this one takes the cake. It just seems scary that holding down shift while pressing delete will omit the log whose entry starts with: "An object was deleted." One possible workaround is enabling the ever noisy Event ID 4656 and filtering that down, which still has its own pitfalls. Anyway, we hope this article helped debunk the myth that using Event ID 4660 for detecting file deletes is reliable (regardless of the name of the log entry).
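To make the handle-mapping and the 4656 workaround concrete, here is an added example (not code from the original post) that walks a few constructed Security events in log order, names each 4660 by matching its Handle ID to an earlier 4656/4663 requesting DELETE access, and lists DELETE-access 4656 opens that never got a 4660. It assumes the field names of the Security log's EventData (EventID, HandleId, ObjectName, AccessList, ProcessName) and that Shift + Delete still produces a 4656, as the workaround above implies.

```python
# Correlate Windows Security events 4656/4663/4660 on HandleId.
# SAMPLE_EVENTS is constructed for this example; paths and handle values are made up.
SAMPLE_EVENTS = [
    # Delete key on report.txt: handle opened with DELETE (4656), access used (4663), object deleted (4660)
    {"EventID": 4656, "HandleId": "0x1a4", "ObjectName": r"C:\Users\tony\report.txt",
     "AccessList": "DELETE", "ProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4663, "HandleId": "0x1a4", "ObjectName": r"C:\Users\tony\report.txt",
     "AccessList": "DELETE", "ProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4660, "HandleId": "0x1a4", "ProcessName": r"C:\Windows\explorer.exe"},
    # Shift + Delete on notes.txt: only the 4656 shows up, no 4663 and no 4660
    {"EventID": 4656, "HandleId": "0x2b0", "ObjectName": r"C:\Users\tony\notes.txt",
     "AccessList": "DELETE", "ProcessName": r"C:\Windows\explorer.exe"},
    # A plain read of another file: 4656 without DELETE, must be ignored by the filter
    {"EventID": 4656, "HandleId": "0x3c8", "ObjectName": r"C:\Users\tony\readme.txt",
     "AccessList": "ReadData (or ListDirectory)", "ProcessName": r"C:\Windows\notepad.exe"},
]


def requests_delete(event):
    """True when the rendered access list contains the DELETE right as its own token."""
    return "DELETE" in event.get("AccessList", "").split()


def correlate(events):
    """Walk events in log order.

    Returns (named_deletes, unmatched_delete_opens):
      named_deletes          - (ObjectName, ProcessName) for every 4660 seen
      unmatched_delete_opens - object names whose 4656 asked for DELETE but no 4660 followed
    """
    open_delete_handles = {}  # HandleId -> ObjectName for handles opened/used with DELETE
    named_deletes = []
    for ev in events:
        hid = ev["HandleId"]
        if ev["EventID"] in (4656, 4663) and requests_delete(ev):
            open_delete_handles[hid] = ev["ObjectName"]
        elif ev["EventID"] == 4660:
            # pop() because the handle is closed after deletion and its ID can be reused later
            name = open_delete_handles.pop(hid, "<no matching 4656/4663>")
            named_deletes.append((name, ev["ProcessName"]))
    return named_deletes, sorted(open_delete_handles.values())


if __name__ == "__main__":
    named, unmatched = correlate(SAMPLE_EVENTS)
    print("4660 deletions with object names:", named)
    print("DELETE-access opens with no 4660:", unmatched)
```

Note that DELETE access is also requested for renames and moves, so the unmatched list is a set of candidates to review, not confirmed deletions.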


Sample Logs

Some sample logs from our friend Randy Franklin Smith:

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4663#examples

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4660#examples

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4656#examples
