Event ID 11

A file is created or overwritten
Source: Microsoft-Windows-Sysmon
Category: File created (rule: FileCreate)
File created:
    RuleName: %1!s!
    UtcTime: %2!s!
    ProcessGuid: %3!s!
    ProcessId: %4!s!
    Image: %5!s!
    TargetFilename: %6!s!
    CreationUtcTime: %7!s!
    User: %8!s!


File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, such as the Startup folder, as well as temporary and download directories, which are common places where malware drops files during initial infection.
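
As an added example (not part of the Sysmon documentation), the following Python code parses event messages in the layout shown above and flags files written to the locations named in the description. The path patterns, function names and sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# Locations named in the text; the patterns are assumptions based on the
# default Windows profile layout and are matched against lowercased paths.
WATCHED = [
    ("autostart", re.compile(r"\\start menu\\programs\\startup\\")),
    ("temp", re.compile(r"\\appdata\\local\\temp\\|^[a-z]:\\windows\\temp\\")),
    ("download", re.compile(r"^[a-z]:\\users\\[^\\]+\\downloads\\")),
]
FIELD = re.compile(r"^\s*(\w+):\s?(.*)$")  # "Name: value" lines of the message

def parse_event(message):
    """Turn a rendered Event ID 11 message into a dict of its named fields."""
    matches = (FIELD.match(line) for line in message.splitlines())
    return {m.group(1): m.group(2).strip() for m in matches if m}

def classify(target_filename):
    """Return the watched category for a path, or None if it is elsewhere."""
    path = ntpath.normpath(target_filename).lower()  # collapse ..\ and case
    return next((name for name, rx in WATCHED if rx.search(path)), None)

def triage(messages):
    """Return (category, Image, TargetFilename) for events in watched paths."""
    hits = []
    for event in map(parse_event, messages):
        category = classify(event.get("TargetFilename", ""))
        if category:
            hits.append((category, event.get("Image"), event["TargetFilename"]))
    return hits

def sample(image, target):
    """Build a constructed (not real) event in the message layout above."""
    return ("File created:\n    RuleName: -\n"
            "    UtcTime: 2024-01-15 10:22:31.114\n"
            "    ProcessGuid: {00000000-0000-0000-0000-000000000001}\n"
            f"    ProcessId: 4312\n    Image: {image}\n"
            f"    TargetFilename: {target}\n"
            "    CreationUtcTime: 2024-01-15 10:22:31.114\n    User: CORP\\alice\n")

SAMPLES = [  # constructed events: Startup folder, Downloads, and an unwatched path
    sample(r"C:\Windows\System32\wscript.exe", r"C:\Users\alice\AppData\Roaming"
           r"\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"),
    sample(r"C:\Program Files\Mozilla Firefox\firefox.exe", r"C:\Users\alice\Downloads\invoice.iso"),
    sample(r"C:\Windows\System32\notepad.exe", r"C:\Users\alice\Documents\notes.txt"),
]

if __name__ == "__main__":
    print(*triage(SAMPLES), sep="\n")
```

Returning the Image field alongside each hit lets an analyst judge whether the writing process is expected for that location, for example a browser writing to Downloads versus a script host writing to the Startup folder.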


