Yusuf Ozturk
Hi @rabbitstack This is an event from fibratus: ``` Seq: 58565 Pid: 7288 Tid: 8368 Type: CreateFile CPU: 14 Name: CreateFile Category: file Description: Creates or opens a file...
First creation of the file. Fibratus: ``` Seq: 54987 Pid: 7288 Tid: 10684 Type: CreateFile CPU: 10 Name: CreateFile Category: file Description: Creates or opens a file or I/O device Host:...
Second file creation event from Fibratus: ``` Seq: 54988 Pid: 7288 Tid: 10684 Type: CreateFile CPU: 10 Name: CreateFile Category: file Description: Creates or opens a file or I/O device...
``` 726723 2021-11-27 00:55:33.8795145 +0100 CET - 2 notepad.exe (568) - EnumDirectory (class➜ Both Directory, file_name➜ New Text Document.txt, file_object➜ ffffb90db48892b0, irp➜ ffffb90d9e579138) 726724 2021-11-27 00:55:34.2867272 +0100 CET - 2...
Hi @rabbitstack Sorry I was working on this very late yesterday and I kinda wanted to put my finding here as a documentation for the future. Yes, I realized that...
Again, for documentation purposes, here are the access types: 
@rabbitstack I did another test to change the ACL of the file. Here are the event logs: So we get 4663 here to learn "WRITE_DAC" means "ACL modification": ``` An...
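As an added example (not code from the thread, fibratus, or its author): the comment above observes that a Security event 4663 whose AccessMask carries WRITE_DAC corresponds to an ACL change on the file. The script below decodes the AccessMask field of 4663 events into named access rights using the standard and file-specific right constants from winnt.h, and flags events that request WRITE_DAC or WRITE_OWNER as ACL/ownership modifications (WRITE_OWNER is a generalization beyond the WRITE_DAC case discussed above). The three events are constructed sample XML in the Windows event schema, not real log data; the user, paths and process names in them are placeholders.

```python
import xml.etree.ElementTree as ET

# Windows event XML namespace (as emitted by the Security log / wevtutil /e XML)
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Access-right bits as used in the AccessMask field of event 4663 (winnt.h).
# Low bits are file/directory specific, 0x10000+ are the standard rights.
ACCESS_RIGHTS = {
    0x00000001: "FILE_READ_DATA / FILE_LIST_DIRECTORY",
    0x00000002: "FILE_WRITE_DATA / FILE_ADD_FILE",
    0x00000004: "FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY",
    0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",
    0x00000020: "FILE_EXECUTE / FILE_TRAVERSE",
    0x00000040: "FILE_DELETE_CHILD",
    0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
WRITE_DAC = 0x00040000      # modify the DACL (ACL change)
WRITE_OWNER = 0x00080000    # take/assign ownership


def _event_xml(object_name, process_name, access_mask):
    # Constructed sample 4663 event; only the fields the script uses are filled in.
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4663</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">testuser</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">{object_name}</Data>
    <Data Name="ProcessName">{process_name}</Data>
    <Data Name="AccessMask">{access_mask}</Data>
  </EventData>
</Event>"""


# Constructed sample input: a read by notepad, then an ACL change and an
# ownership change on the same file by icacls (paths are placeholders).
SAMPLE_EVENTS = [
    _event_xml(r"C:\Temp\New Text Document.txt", r"C:\Windows\System32\notepad.exe", "0x120089"),
    _event_xml(r"C:\Temp\New Text Document.txt", r"C:\Windows\System32\icacls.exe", "0x40000"),
    _event_xml(r"C:\Temp\New Text Document.txt", r"C:\Windows\System32\icacls.exe", "0x80000"),
]


def decode_access_mask(mask):
    """Return the names of every right set in an AccessMask, lowest bit first.
    Bits without a known name are reported as hex so nothing is silently dropped."""
    names = []
    for bit in range(32):
        value = 1 << bit
        if mask & value:
            names.append(ACCESS_RIGHTS.get(value, f"0x{value:x}"))
    return names


def parse_4663(xml_text):
    """Parse one event XML document into a dict with the EventData fields plus
    the numeric mask. Returns None for events that are not 4663."""
    root = ET.fromstring(xml_text)
    event_id = root.find("e:System/e:EventID", EVT_NS)
    if event_id is None or event_id.text != "4663":
        return None
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", EVT_NS)}
    data["AccessMaskValue"] = int(data["AccessMask"], 16)
    data["Rights"] = decode_access_mask(data["AccessMaskValue"])
    return data


def is_acl_modification(event):
    """True when the handle requested WRITE_DAC or WRITE_OWNER."""
    return bool(event["AccessMaskValue"] & (WRITE_DAC | WRITE_OWNER))


def find_acl_changes(xml_events):
    """Run the check over a list of event XML strings; return (object, process, rights)
    for every 4663 that modifies the DACL or owner."""
    hits = []
    for xml_text in xml_events:
        event = parse_4663(xml_text)
        if event is not None and is_acl_modification(event):
            hits.append((event["ObjectName"], event["ProcessName"], event["Rights"]))
    return hits


if __name__ == "__main__":
    for obj, proc, rights in find_acl_changes(SAMPLE_EVENTS):
        print(f"ACL/ownership change on {obj} by {proc}: {', '.join(rights)}")
```

On a live host the same functions can be fed the output of `wevtutil qe Security /q:"*[System[EventID=4663]]" /f:xml`, one event element at a time; the AccessMask text there is already in the `0x...` form the parser expects.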
I checked it with other kernel event types but I don't see ACL details.
Thanks @rabbitstack If you find a way to do it or if there is a Microsoft documentation for it, I can also look into that. It's possible for me to...
Thanks @rabbitstack Looking forward to hearing about it 👍