Windows 2008 R2 file system auditing
When I delete a file, two event log audit messages appear: 4663 (a delete request for the file) and 4660 (delete confirmed). The two can be linked through the Handle ID attribute.
When I rename a file, two event log audit messages appear: 4663 (indicating a file delete request) and 4663 (but with only the folder path, no file name).
When I move a file from one folder to another, I get the same picture as for a rename (because a move is actually a rename, fine).
When I create a new file, no event appears at all.
So the questions are: 1. What am I missing to audit file creation? 2. What am I missing to audit file rename?
My AuditPol.EXE export (DACL and SACL):
Category/Subcategory                        Setting
System
  Security System Extension                 Failure
  System Integrity                          Failure
  IPsec Driver                              Failure
  Other System Events                       Failure
  Security State Change                     Failure
Logon/Logoff
  Logon                                     Success and Failure
  Logoff                                    Success and Failure
  Account Lockout                           Success and Failure
  IPsec Main Mode                           Success and Failure
  IPsec Quick Mode                          Success and Failure
  IPsec Extended Mode                       Success and Failure
  Special Logon                             Success and Failure
  Other Logon/Logoff Events                 Success and Failure
  Network Policy Server                     Success and Failure
Object Access
  File System                               Success
  Registry                                  No Auditing
  Kernel Object                             No Auditing
  SAM                                       No Auditing
  Certification Services                    No Auditing
  Application Generated                     No Auditing
  Handle Manipulation                       No Auditing
  File Share                                No Auditing
  Filtering Platform Packet Drop            No Auditing
  Filtering Platform Connection             No Auditing
  Other Object Access Events                No Auditing
  Detailed File Share                       No Auditing
Privilege Use
  Sensitive Privilege Use                   Failure
  Non Sensitive Privilege Use               Failure
  Other Privilege Use Events                Failure
Detailed Tracking
  Process Termination                       Failure
  DPAPI Activity                            Failure
  RPC Events                                Failure
  Process Creation                          Failure
Policy Change
  Audit Policy Change                       Failure
  Authentication Policy Change              Failure
  Authorization Policy Change               Failure
  MPSSVC Rule-Level Policy Change           Failure
  Filtering Platform Policy Change          Failure
  Other Policy Change Events                Failure
Account Management
  User Account Management                   Failure
  Computer Account Management               Failure
  Security Group Management                 Failure
  Distribution Group Management             Failure
  Application Group Management              Failure
  Other Account Management Events           Failure
DS Access
  Directory Service Changes                 No Auditing
  Directory Service Replication             No Auditing
  Detailed Directory Service Replication    No Auditing
  Directory Service Access                  Success
Account Logon
  Kerberos Service Ticket Operations        Success and Failure
  Other Account Logon Events                Success and Failure
  Kerberos Authentication Service           Success and Failure
  Credential Validation                     Success and Failure
Entry: 1
Resource Type: File
User: CONTOSO\Domain Users
Flags: Success
Accesses:
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_DELETE_CHILD
DELETE
The command was successfully executed.
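As an added example that is not part of the original question, the following PowerShell pairs the 4663/4660 events the question describes by Logon ID plus Handle ID, and reports a DELETE-access 4663 that never gets a 4660 on the same handle as a likely rename or move. It assumes an elevated session that can read the Security log and that Object Access > File System success auditing is enabled, as in the auditpol output above; the function name and the one-hour default window are the example's own choices.

```powershell
# Added example, not the original poster's code.
# Correlates 4663 (DELETE access requested) with 4660 (object deleted) by
# SubjectLogonId + HandleId; a DELETE 4663 without a matching 4660 is
# reported as a probable rename/move, matching the behaviour described above.
function Get-FileDeleteOperations {
    param([datetime]$Since = (Get-Date).AddHours(-1))   # assumed default window

    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4663, 4660; StartTime = $Since
    } -ErrorAction SilentlyContinue | Sort-Object TimeCreated

    # Turn the EventData <Data Name="..."> elements into a hashtable
    function Get-EventData($e) {
        $d = @{}
        $x = [xml]$e.ToXml()
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        return $d
    }

    # Handle IDs are reused over time, so key on LogonId + HandleId and keep
    # the query window short to avoid pairing unrelated events.
    $deleted = @{}
    foreach ($e in $events | Where-Object { $_.Id -eq 4660 }) {
        $d = Get-EventData $e
        $deleted["$($d['SubjectLogonId'])|$($d['HandleId'])"] = $e.TimeCreated
    }

    foreach ($e in $events | Where-Object { $_.Id -eq 4663 }) {
        $d = Get-EventData $e
        # %%1537 is the message-table id rendered as DELETE in the Accesses field
        if ($d['AccessList'] -notmatch '%%1537') { continue }
        $key = "$($d['SubjectLogonId'])|$($d['HandleId'])"
        $op = if ($deleted.ContainsKey($key)) { 'delete (4660 seen)' } else { 'rename/move? (no 4660 on this handle)' }
        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            User      = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object    = $d['ObjectName']
            HandleId  = $d['HandleId']
            Process   = $d['ProcessName']
            Operation = $op
        }
    }
}

Get-FileDeleteOperations -Since (Get-Date).AddMinutes(-30) | Format-Table Time, User, Operation, Object -AutoSize
```

New-Object PSObject is used instead of [pscustomobject] so the script also runs on the PowerShell 2.0 that ships with Windows 2008 R2.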
https://serverfault.com/questions/615291