Sysmon 13.10 — EventID 26

The Sysinternals team has released a new version of Sysmon. This brings the version number to 13.10 and raises the schema to 4.60.

In the past, releases have not always generated all event types as expected, which prompted me to create a pipeline that validates the functionality of the new binary and publishes its results to Sysmon works. The output of the latest build shows all events being generated.

The new event type FileDeleteDetected is assigned Event ID 26. This event is very similar to the FileDelete (23) event, with one big difference: the new event will not intercept deleted files and write them to the configured Archive Directory, but the events generated in the EventLog will contain nearly the same information.
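The difference between the two events shows up in how they are configured side by side. The following configuration is an added example, not taken from the original post: it archives deletions of a few script types with FileDelete (23) and only logs deletions in broader, noisier locations with FileDeleteDetected (26). The archive directory name, file extensions and paths are illustrative assumptions.

```xml
<!-- Added example: directory name, extensions and paths are assumptions -->
<Sysmon schemaversion="4.60">
  <!-- Only Event ID 23 (FileDelete) copies deleted files into this directory -->
  <ArchiveDirectory>SysmonArchive</ArchiveDirectory>
  <EventFiltering>
    <!-- Event ID 23: log the deletion AND keep a copy of the file.
         Kept narrow, because every match consumes space in the archive. -->
    <RuleGroup name="" groupRelation="or">
      <FileDelete onmatch="include">
        <TargetFilename condition="end with">.ps1</TargetFilename>
        <TargetFilename condition="end with">.vbs</TargetFilename>
        <TargetFilename condition="end with">.bat</TargetFilename>
      </FileDelete>
    </RuleGroup>
    <!-- Event ID 26: log the deletion only, nothing is written to the archive.
         Suited to broad locations where keeping every file is not practical. -->
    <RuleGroup name="" groupRelation="or">
      <FileDeleteDetected onmatch="include">
        <TargetFilename condition="contains">\Downloads\</TargetFilename>
        <TargetFilename condition="contains">\AppData\Local\Temp\</TargetFilename>
      </FileDeleteDetected>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```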

Cross post from medium.com, please read the full article here:

https://medium.com/falconforce/sysmon-13-10-filedeletedetected-fe2475cb419e