Data Source: Sysmon EventID 11

Description

Logs the creation of a new file, including details about the file path, hash information, and associated process metadata.

Details

Property    Value
Source      XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sourcetype  XmlWinEventLog
Separator   EventID
Name | Technique | Type
Email files written outside of the Outlook directory | Local Email Collection | TTP
Batch File Write to System32 | Malicious File | TTP
Common Ransomware Extensions | Data Destruction | TTP
Common Ransomware Notes | Data Destruction | Hunting
ConnectWise ScreenConnect Path Traversal | Exploit Public-Facing Application | TTP
Creation of lsass Dump with Taskmgr | LSASS Memory | TTP
Detect AzureHound File Modifications | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | TTP
Detect Certipy File Modifications | Steal or Forge Authentication Certificates, Archive Collected Data | TTP
Detect Exchange Web Shell | External Remote Services, Exploit Public-Facing Application, Web Shell | TTP
Detect Outlook exe writing a zip file | Spearphishing Attachment | Anomaly
Detect Remote Access Software Usage File | Remote Access Tools | Anomaly
Detect RTLO In File Name | Right-to-Left Override | TTP
Detect SharpHound File Modifications | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | TTP
Drop IcedID License dat | Malicious File | Hunting
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Executables Or Script Creation In Temp Path | Masquerading | Anomaly
File with Samsam Extension | None | TTP
GitHub Workflow File Creation or Modification | Dynamic Linker Hijacking, Compromise Host Software Binary, Supply Chain Compromise | Hunting
IcedID Exfiltrated Archived File Creation | Archive via Utility | Hunting
LLM Model File Creation | Create or Modify System Process | Hunting
MS Exchange Mailbox Replication service writing Active Server Pages | External Remote Services, Exploit Public-Facing Application, Web Shell | TTP
Msmpeng Application DLL Side Loading | DLL | TTP
Overwriting Accessibility Binaries | Accessibility Features | TTP
Process Creating LNK file in Suspicious Location | Spearphishing Link | Anomaly
Process Writing DynamicWrapperX | Command and Scripting Interpreter, Component Object Model | Hunting
Ransomware Notes bulk creation | Data Encrypted for Impact | Anomaly
Remcos RAT File Creation in Remcos Folder | Screen Capture | TTP
Rundll32 Process Creating Exe Dll Files | Rundll32 | TTP
Ryuk Test Files Detected | Data Encrypted for Impact | TTP
Samsam Test File Write | Data Encrypted for Impact | TTP
SchCache Change By App Connect And Create ADSI Object | Domain Account | Anomaly
Shai-Hulud 2 Exfiltration Artifact Files | Local Data Staging, Credentials In Files, Compromise Software Supply Chain | TTP
Shai-Hulud Workflow File Creation or Modification | Dynamic Linker Hijacking, Compromise Host Software Binary, Supply Chain Compromise | TTP
Shim Database File Creation | Application Shimming | TTP
Spike in File Writes | None | Anomaly
Spoolsv Writing a DLL | Print Processors | TTP
Spoolsv Writing a DLL - Sysmon | Print Processors | TTP
Sqlite Module In Temp Folder | Data from Local System | TTP
Suspicious Image Creation In Appdata Folder | Screen Capture | TTP
Suspicious WAV file in Appdata Folder | Screen Capture | TTP
Suspicious writes to windows Recycle Bin | Masquerading | TTP
Wermgr Process Create Executable File | Obfuscated Files or Information | TTP
Windows Admin Permission Discovery | Local Groups | Anomaly
Windows Archived Collected Data In TEMP Folder | Archive Collected Data | Anomaly
Windows Boot or Logon Autostart Execution In Startup Folder | Registry Run Keys / Startup Folder | Anomaly
Windows CAB File on Disk | Spearphishing Attachment | Anomaly
Windows Credentials from Password Stores Chrome Copied in TEMP Dir | Credentials from Web Browsers | TTP
Windows Credentials from Web Browsers Saved in TEMP Folder | Credentials from Web Browsers | TTP
Windows Defacement Modify Transcodedwallpaper File | Defacement | Anomaly
Windows Default RDP File Creation By Non MSTSC Process | Remote Desktop Protocol | Anomaly
Windows File Without Extension In Critical Folder | Data Destruction | TTP
Windows ISO LNK File Creation | Malicious Link, Spearphishing Attachment | Hunting
Windows Known Abused DLL Created | DLL | Anomaly
Windows Mimikatz Crypto Export File Extensions | Steal or Forge Authentication Certificates | Anomaly
Windows MOVEit Transfer Writing ASPX | Exploit Public-Facing Application, External Remote Services | TTP
Windows MSHTA Writing to World Writable Path | Mshta | TTP
Windows NirSoft Tool Bundle File Created | Tool | Anomaly
Windows Obfuscated Files or Information via RAR SFX | Encrypted/Encoded File | Anomaly
Windows Office Product Dropped Cab or Inf File | Spearphishing Attachment | TTP
Windows Office Product Dropped Uncommon File | Spearphishing Attachment | Anomaly
Windows Outlook Macro Created by Suspicious Process | Office Application Startup, Visual Basic | TTP
Windows Phishing Outlook Drop Dll In FORM Dir | Phishing | TTP
Windows Potential AppDomainManager Hijack Artifacts Creation | AppDomainManager | Anomaly
Windows Process Writing File to World Writable Path | Mshta | Hunting
Windows RDP Bitmap Cache File Creation | Remote Desktop Protocol | Anomaly
Windows Replication Through Removable Media | Replication Through Removable Media | TTP
Windows Screen Capture in TEMP folder | Screen Capture | TTP
Windows SharePoint Spinstall0 Webshell File Creation | Exploit Public-Facing Application, Web Shell | TTP
Windows Snake Malware File Modification Crmlog | Obfuscated Files or Information | TTP
Windows Snake Malware Kernel Driver Comadmin | Kernel Modules and Extensions | TTP
Windows System File on Disk | Exploitation for Privilege Escalation | Hunting
Windows User Execution Malicious URL Shortcut File | Malicious File | Anomaly

Supported Apps

Event Fields

  • _time
  • Channel
  • Computer
  • CreationUtcTime
  • EventChannel
  • EventCode
  • EventData_Xml
  • EventDescription
  • EventID
  • EventRecordID
  • Guid
  • Image
  • Keywords
  • Level
  • Name
  • Opcode
  • ProcessGuid
  • ProcessID
  • ProcessId
  • RecordID
  • RecordNumber
  • RuleName
  • SecurityID
  • SystemTime
  • System_Props_Xml
  • TargetFilename
  • Task
  • ThreadID
  • TimeCreated
  • UserID
  • UtcTime
  • Version
  • action
  • date_hour
  • date_mday
  • date_minute
  • date_month
  • date_second
  • date_wday
  • date_year
  • date_zone
  • dest
  • dvc_nt_host
  • event_id
  • eventtype
  • file_create_time
  • file_name
  • file_path
  • host
  • id
  • index
  • linecount
  • object_category
  • process_exec
  • process_guid
  • process_id
  • process_name
  • process_path
  • punct
  • signature
  • signature_id
  • source
  • sourcetype
  • splunk_server
  • tag
  • tag::eventtype
  • tag::object_category
  • timeendpos
  • timestartpos
  • user_id
  • vendor_product

</div>

Example Log

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/>
    <EventID>11</EventID>
    <Version>2</Version>
    <Level>4</Level>
    <Task>11</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime='2023-02-08T13:01:11.065939500Z'/>
    <EventRecordID>7712490</EventRecordID>
    <Correlation/>
    <Execution ProcessID='2940' ThreadID='3376'/>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>win-dc-mhaag-attack-range-84.attackrange.local</Computer>
    <Security UserID='S-1-5-18'/>
  </System>
  <EventData>
    <Data Name='RuleName'>Downloads</Data>
    <Data Name='UtcTime'>2023-02-08 13:01:11.053</Data>
    <Data Name='ProcessGuid'>{0F9A6540-A70E-63E2-3091-00000000BD02}</Data>
    <Data Name='ProcessId'>9332</Data>
    <Data Name='Image'>C:\Users\Administrator\Downloads\mimikatz_trunk\x64\mimikatz.exe</Data>
    <Data Name='TargetFilename'>C:\Users\Administrator\Downloads\mimikatz_trunk\x64\CURRENT_USER_My_4_atomic@art2.local.pfx</Data>
    <Data Name='CreationUtcTime'>2023-02-08 13:01:11.053</Data>
  </EventData>
</Event>

Required Output Fields

  • action

  • dest

  • file_name

  • file_path

  • process_guid

  • process_id

  • user

  • vendor_product


Source: GitHub | Version: 3