Data Source: Sysmon for Linux EventID 11

Description

Logged when a process creates a new file on a Linux host. The event records the target path (TargetFilename), the creation timestamp (CreationUtcTime), and the creating process (Image, ProcessId, ProcessGuid) and user (User). It does not carry the file's type, size, hash or permissions; anything beyond the path and the creating process has to come from another source.

Details

Property Value
Source Syslog:Linux-Sysmon/Operational
Sourcetype sysmon:linux
Separator EventID
Detections that use this data source:

Name | Technique | Type
GitHub Workflow File Creation or Modification | Dynamic Linker Hijacking, Compromise Host Software Binary, Supply Chain Compromise | Hunting
Java Writing JSP File | Exploit Public-Facing Application, External Remote Services | TTP
Linux Account Manipulation Of SSH Config and Keys | File Deletion, Data Destruction | Anomaly
Linux Add Files In Known Crontab Directories | Cron | Anomaly
Linux At Allow Config File Creation | Cron | Anomaly
Linux Deletion Of Cron Jobs | File Deletion, Data Destruction | Anomaly
Linux Deletion Of Init Daemon Script | File Deletion, Data Destruction | TTP
Linux Deletion Of Services | File Deletion, Data Destruction | TTP
Linux Deletion of SSL Certificate | File Deletion, Data Destruction | Anomaly
Linux Doas Conf File Creation | Sudo and Sudo Caching | Anomaly
Linux File Created In Kernel Driver Directory | Kernel Modules and Extensions | Anomaly
Linux File Creation In Init Boot Directory | RC Scripts | Anomaly
Linux File Creation In Profile Directory | Unix Shell Configuration Modification | Anomaly
Linux High Frequency Of File Deletion In Boot Folder | File Deletion, Data Destruction | TTP
Linux High Frequency Of File Deletion In Etc Folder | File Deletion, Data Destruction | Anomaly
Linux Medusa Rootkit | Rootkit, Credentials | TTP
Linux Possible Ssh Key File Creation | SSH Authorized Keys | Anomaly
Linux Service File Created In Systemd Directory | Systemd Timers | Anomaly
Linux Sudoers Tmp File Creation | Sudo and Sudo Caching | Anomaly
Shai-Hulud 2 Exfiltration Artifact Files | Local Data Staging, Credentials In Files, Compromise Software Supply Chain | TTP
Shai-Hulud Workflow File Creation or Modification | Dynamic Linker Hijacking, Compromise Host Software Binary, Supply Chain Compromise | TTP

Supported Apps

Event Fields

The fields below are available on an indexed EventID 11 event, grouped by where they come from.

Fields extracted from the raw Sysmon XML (System and EventData elements):
Channel, Computer, CreationUtcTime, EventData_Xml, EventID, EventRecordID, Guid, Image, Keywords, Level, Name, Opcode, ProcessGuid, ProcessID, ProcessId, RuleName, SystemTime, System_Props_Xml, TargetFilename, Task, ThreadID, User, UserId, UtcTime, Version

Fields added by the Sysmon add-on and CIM normalization:
EventChannel, EventCode, EventDescription, RecordID, action, dest, eventtype, file_create_time, file_name, file_path, object_category, process_exec, process_guid, process_id, process_name, process_path, signature, signature_id, tag, tag::eventtype, tag::object_category, user, vendor_product

Splunk index-time metadata:
_time, date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year, date_zone, host, index, linecount, punct, source, sourcetype, splunk_server, timeendpos, timestartpos

Note that ProcessID (capital D, from the System/Execution element) is the PID of the Sysmon daemon that wrote the record, while ProcessId (from EventData) is the process that created the file. The creating process is the one detections should pivot on.
</div>

Example Log

<Event>
  <System>
    <Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/>
    <EventID>11</EventID>
    <Version>2</Version>
    <Level>4</Level>
    <Task>11</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2021-12-20T16:07:17.927963000Z"/>
    <EventRecordID>792913</EventRecordID>
    <Correlation/>
    <Execution ProcessID="4372" ThreadID="4372"/>
    <Channel>Linux-Sysmon/Operational</Channel>
    <Computer>sysmonlinux-tcontreras-attack-range-4134</Computer>
    <Security UserId="0"/>
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2021-12-20 16:07:17.929</Data>
    <Data Name="ProcessGuid">{ec2c97d1-6aa9-61c0-3038-618238560000}</Data>
    <Data Name="ProcessId">5256</Data>
    <Data Name="Image">/opt/splunkforwarder/bin/splunkd</Data>
    <Data Name="TargetFilename">/opt/splunkforwarder/var/lib/splunk/modinputs/journald/sysmon.checkpoint.tmp.dbed9d351dcc1806</Data>
    <Data Name="CreationUtcTime">2021-12-20 16:07:17.929</Data>
    <Data Name="User">root</Data>
  </EventData>
</Event>

In this record the creating process is splunkd (ProcessId 5256) writing its own journald checkpoint file; the Execution ProcessID of 4372 is the Sysmon daemon, not the creator. Forwarder and agent self-writes like this one are the typical noise floor for EventID 11 and are usually filtered by Image or TargetFilename prefix before the detections above are applied.
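To show how the raw fields map onto the CIM-style names this page lists, and how the path-based detections in the table key on them, the following is an added Python example; it is not code from this page or from the Splunk security content project. It parses the example log above verbatim, builds a few constructed events of the same shape, and runs simplified rules named after three detections in the table. The rule patterns, the constructed events, the `build_event` helper, and the `action`/`vendor_product` values are assumptions made for illustration, not Splunk's published search logic.

```python
"""Normalise Sysmon for Linux EventID 11 (FileCreate) XML to the CIM-style
field names listed on the page, then run simplified path-based hunting rules.
The rules and the constructed events are illustrative assumptions."""
import posixpath
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Example log from the page (the leading "1" on the page is a line-number artifact).
SAMPLE_FROM_PAGE = (
    '<Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/>'
    '<EventID>11</EventID><Version>2</Version><Level>4</Level><Task>11</Task><Opcode>0</Opcode>'
    '<Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2021-12-20T16:07:17.927963000Z"/>'
    '<EventRecordID>792913</EventRecordID><Correlation/><Execution ProcessID="4372" ThreadID="4372"/>'
    '<Channel>Linux-Sysmon/Operational</Channel><Computer>sysmonlinux-tcontreras-attack-range-4134</Computer>'
    '<Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data>'
    '<Data Name="UtcTime">2021-12-20 16:07:17.929</Data>'
    '<Data Name="ProcessGuid">{ec2c97d1-6aa9-61c0-3038-618238560000}</Data>'
    '<Data Name="ProcessId">5256</Data><Data Name="Image">/opt/splunkforwarder/bin/splunkd</Data>'
    '<Data Name="TargetFilename">/opt/splunkforwarder/var/lib/splunk/modinputs/journald/'
    'sysmon.checkpoint.tmp.dbed9d351dcc1806</Data>'
    '<Data Name="CreationUtcTime">2021-12-20 16:07:17.929</Data><Data Name="User">root</Data>'
    '</EventData></Event>'
)


def build_event(image, pid, target, user, computer="lab-host-constructed"):
    """Constructed (not from the page) EventID 11 record with the same shape as the example."""
    return (
        '<Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/>'
        '<EventID>11</EventID><Version>2</Version><Level>4</Level><Task>11</Task><Opcode>0</Opcode>'
        '<Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2021-12-20T16:10:00.000000000Z"/>'
        '<EventRecordID>1</EventRecordID><Correlation/><Execution ProcessID="4372" ThreadID="4372"/>'
        f'<Channel>Linux-Sysmon/Operational</Channel><Computer>{escape(computer)}</Computer>'
        '<Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data>'
        '<Data Name="UtcTime">2021-12-20 16:10:00.000</Data>'
        '<Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000000}</Data>'
        f'<Data Name="ProcessId">{int(pid)}</Data><Data Name="Image">{escape(image)}</Data>'
        f'<Data Name="TargetFilename">{escape(target)}</Data>'
        '<Data Name="CreationUtcTime">2021-12-20 16:10:00.000</Data>'
        f'<Data Name="User">{escape(user)}</Data></EventData></Event>'
    )


def parse_event(xml_text):
    """Map one raw event to the CIM-style field names the page lists."""
    root = ET.fromstring(xml_text)
    system = root.find("System")
    data = {d.get("Name"): (d.text or "") for d in root.find("EventData").findall("Data")}
    target, image = data["TargetFilename"], data["Image"]
    return {
        "EventID": int(system.findtext("EventID")),
        "dest": system.findtext("Computer"),
        "file_path": target,
        "file_name": posixpath.basename(target),
        "file_create_time": data["CreationUtcTime"],
        "process_path": image,
        "process_name": posixpath.basename(image),
        "process_id": int(data["ProcessId"]),  # EventData/ProcessId: the process that created the file
        "process_guid": data["ProcessGuid"],
        "sysmon_pid": int(system.find("Execution").get("ProcessID")),  # System/Execution: Sysmon's own PID
        "user": data["User"],
        "action": "created",  # assumed constant for EventID 11
        "vendor_product": "Microsoft Sysmon for Linux",  # assumed value
    }


CRON_DIRS = ("/etc/cron.d/", "/etc/cron.hourly/", "/etc/cron.daily/",
             "/etc/cron.weekly/", "/etc/cron.monthly/", "/var/spool/cron/")
SYSTEMD_DIRS = ("/etc/systemd/system/", "/usr/lib/systemd/system/",
                "/lib/systemd/system/", "/run/systemd/system/")

# Simplified rules named after detections in the table on this page (assumed logic, not Splunk's).
RULES = [
    ("Linux Add Files In Known Crontab Directories",
     lambda e: e["file_path"].startswith(CRON_DIRS)),
    ("Linux Service File Created In Systemd Directory",
     lambda e: e["file_path"].startswith(SYSTEMD_DIRS) and e["file_name"].endswith((".service", ".timer"))),
    ("Linux Possible Ssh Key File Creation",
     lambda e: "/.ssh/" in e["file_path"] and e["file_name"].startswith("authorized_keys")),
]


def evaluate(event):
    """Return the names of every rule that fires on one normalised event."""
    return [name for name, test in RULES if event["EventID"] == 11 and test(event)]


def run_samples():
    """Normalise the page's example plus constructed events and evaluate each one."""
    raw = [
        SAMPLE_FROM_PAGE,  # benign: splunkd writing its own checkpoint file
        build_event("/usr/bin/bash", 4242, "/etc/cron.d/backup", "root"),
        build_event("/usr/bin/cp", 4243, "/etc/systemd/system/update.service", "root"),
        build_event("/usr/bin/bash", 4244, "/root/.ssh/authorized_keys", "root"),
    ]
    return [(e["process_name"], e["file_path"], evaluate(e)) for e in map(parse_event, raw)]


if __name__ == "__main__":
    for process_name, path, hits in run_samples():
        print(f"{process_name:8} {path:45} {hits or 'no match'}")
```

The page's own example produces no hits, which is the expected baseline: a forwarder writing its checkpoint file. Because the event carries no hash or size, every rule here can only reason about the path and the creating process; a real search would add an allow-list on process_path for package managers and configuration management agents before alerting on the cron and systemd directories.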

Required Output Fields

  • action

  • dest

  • file_access_time

  • file_create_time

  • file_hash

  • file_modify_time

  • file_name

  • file_path

  • file_acl

  • file_size

  • process_guid

  • process_id

  • user

  • vendor_product

Of these, file_access_time, file_hash, file_modify_time, file_acl and file_size are not present in a Sysmon for Linux EventID 11 event (none of them appear in the Event Fields list above): the event records only the path, creation time and creating process. Searches that filter on those fields will return nothing from this source unless another data source populates them.

Source: GitHub | Version: 2