How to Monitor Potentially Harmful Files Created on File Server Shares

Article ID: 546
Category: File Monitoring
Updated: 2026-04-09

This article explains how to configure EventSentry to generate an alert whenever a file with a high-risk extension (.exe, .msi, .ps1, .cmd, .com, .reg) is written to a monitored share.

Prerequisites:
Before configuring EventSentry, ensure your Windows environment is prepared to track file operations:

  1. Advanced Audit Policy: "Audit File System" (Object Access) must be enabled for "Success" (preferably through Group Policy).
  2. Auditing must be enabled on the specific folders/drives you wish to protect. Ensure the audit entry is applied to "This folder, subfolders, and files".
  3. EventSentry should be installed on the server that needs to be monitored. Windows file system auditing records the local path of the affected object, so UNC paths cannot be monitored remotely.

Understanding the Event:
Once auditing is configured, Windows logs Event ID 4663 ("An attempt was made to access an object") to the Security log for every successful file operation against an audited path, including every successful write. You can verify this by creating a test file in the share and confirming that a 4663 event appears in the server's Security log. The insertion strings relevant to this use case are:

  • Object Type (%6): Should be 'File' to ensure the alert only targets files rather than other object types.

  • Object Name (%7): Use this to match specific file extensions (e.g., *.exe).

  • Accesses (%9): Use 'WriteData' to catch new file creations or modifications.

Step 1: Create an Include Filter for Event 4663

  1. In the EventSentry Management Console, navigate to Packages.
  2. Create a new package (e.g., "Harmful File Extension Detection") or select an existing one.
  3. Assign the package to the target host(s) or make it Global.
  4. Right-click the package and select Add Filter.
  5. Name the filter (e.g., "Harmful Extension Written – ID 4663").

Step 2: Filter Configuration

  • Actions: Default Email (or your email action)
  • Log: Security
  • Severity: Audit Success
  • Source: Microsoft-Windows-Security-Auditing
  • Event ID: 4663
  • Content Filter: (Insertion String 9 - Accesses): WriteData*
  • Content Filter: (Insertion String 6 - ObjectType): File

Use the logical operator AND (all conditions must be met).

Note: For a write, the Accesses insertion string is reported as 'WriteData (or AddFile)', so the trailing wildcard in WriteData* matches regardless of the text that follows 'WriteData'.

Step 3: Share path scope
Add the path for the share you want to monitor, using the local path on the server (not the UNC path):

Content Filter: (Insertion String 7 - ObjectName): C:\Test\*

Note: The wildcard will match all the files in C:\Test\ and subfolders.

Step 4: Adding File Extensions to the filter
Use 'At least one token found in text' in the Insertion String dropdown. Add the extensions that you would like to match:

*.exe|*.msi|*.reg|*.com|*.cmd|*.ps1

This reads as: match Insertion String 7 (ObjectName) if it ends with .exe, OR .msi, OR .reg, OR .com, OR .cmd, OR .ps1.

Your filter should look like this:

Step 5: Save Configuration
Ensure you save your changes: In the ribbon, go to Home -> Save.

Step 6: Monitor and Fine-Tune
Once this filter is in place, monitor the alerts and adjust the settings to meet your specific requirements. Remember that you will be notified via email (Default Email Action) whenever the filter condition is met.
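The following PowerShell script is an added example, not part of the EventSentry article or product: it applies the audit entry from the prerequisites to the share's local path and reproduces the filter's four conditions against the 4663 events already in the Security log, so the events EventSentry will evaluate can be checked before alerts go live. $SharePath and $RiskyExtensions are assumed values; run it elevated on the file server itself.

```powershell
# Added example (not from the EventSentry article). Run elevated on the file
# server: both the SACL change and reading the Security log need admin rights.
$SharePath       = 'C:\Test'                                        # assumed local path of the share
$RiskyExtensions = @('.exe', '.msi', '.reg', '.com', '.cmd', '.ps1') # extensions from the article

# Prerequisite 2: audit entry Everyone / WriteData / Success applied to
# "This folder, subfolders, and files" (ContainerInherit + ObjectInherit).
function Enable-WriteAudit {
    param([string]$Path)
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList (
        'Everyone', 'WriteData', 'ContainerInherit,ObjectInherit', 'None', 'Success')
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Same conditions as the EventSentry filter: ObjectType (%6) is 'File',
# ObjectName (%7) lies under the share and ends in a risky extension, and
# Accesses (%9) contains WriteData. Properties[] is zero-based: %6 -> [5], %7 -> [6].
function Test-HarmfulWrite {
    param($Event)
    $objectType = [string]$Event.Properties[5].Value
    $objectName = [string]$Event.Properties[6].Value
    $ext        = [System.IO.Path]::GetExtension($objectName).ToLowerInvariant()
    # The raw AccessList property holds a resource id (e.g. %%4417); the rendered
    # message carries the text 'WriteData (or AddFile)', so match on the message.
    return ($objectType -eq 'File') -and
           ($objectName -like "$SharePath\*") -and
           ($RiskyExtensions -contains $ext) -and
           ($Event.Message -match 'WriteData')
}

Enable-WriteAudit -Path $SharePath

# Report the recent 4663 events the filter would alert on, with who wrote the
# file and which process did it (%2 -> [1], %12 -> [11]).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 |
    Where-Object { Test-HarmfulWrite $_ } |
    Select-Object TimeCreated,
                  @{ n = 'User';    e = { $_.Properties[1].Value } },
                  @{ n = 'File';    e = { $_.Properties[6].Value } },
                  @{ n = 'Process'; e = { $_.Properties[11].Value } } |
    Format-Table -AutoSize
```

Creating a test file such as probe.exe in the share and re-running the query should list exactly that write; anything else it lists is noise the filter will alert on too.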

You can use the following JSON script for quick creation (copy the script and use the 'Apply Json Rule' button in the ribbon). Remember to adjust the settings to your environment:

{
  "type": 0,
  "active": 1,
  "name": "Harmful Extension Written - ID 4663",
  "uuid": "6ee394c4-f25d-498e-a843-544b223c39c1",
  "version": 8,
  "order": 0,
  "builtin": 0,
  "isfolder": 0,
  "applyToCollectorSideThresholds": 0,
  "requireAck": 0,
  "stopProcessing": 0,
  "anomalyFiltering": 0,
  "threatWeight": 0,
  "logs": [ "SEC" ],
  "severities": [ "AUDITSUCCESS" ],
  "source": "Microsoft-Windows-Security-Auditing",
  "eventid": "4663",
  "contentFilterType": 0,
  "chainType": 1,
  "textfilters": [
    { "insertionString": 8, "comparisonType": 0,  "text": "WriteData*",                          "type": 1 },
    { "insertionString": 5, "comparisonType": 0,  "text": "File",                                "type": 1 },
    { "insertionString": 6, "comparisonType": 0,  "text": "C:\\YOURSHAREDRIVE\\*",               "type": 1 },
    { "insertionString": 6, "comparisonType": 19, "text": "*.exe|*.msi|*.reg|*.com|*.cmd|*.ps1", "type": 1 }
  ],
  "threshold": {
    "type": 0,
    "guid": "61f3a573-f888-4101-b4cf-62ae2f201c1f",
    "limit": 10,
    "interval": 10,
    "intervalScale": 1,
    "processBefore": 0,
    "processAfter": 1,
    "processAfterFirstOnly": 1,
    "logImmediate": 1,
    "logInterval": 0,
    "logSeverity": 2,
    "matchType": 1
  },
  "timer": {
    "enable": 0,
    "interval": 0,
    "intervalScale": 0
  },
  "bootBehavior": 0
}

Related Documentation
Defeating Ransomware with Eventsentry Auditing
Folder Auditing and CryptoLocker
How to Monitor Mass File Deletions with EventSentry
Windows Event ID 4663
