Event ID 15
A named file stream is created
Source:
Microsoft-Windows-Sysmon
Category:
File stream created (rule: FileCreateStreamHash)
File stream created: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! Image: %5!s! TargetFilename: %6!s! CreationUtcTime: %7!s! Hash: %8!s! Contents: %9!s! User: %10!s!
This event logs when a named file stream (an NTFS alternate data stream) is created. The Hash field is the hash of the file's primary data stream (the unnamed stream), not of the named stream, so it can be correlated with the Hashes field of a later Event ID 1 if the downloaded file is executed; the Contents field carries the text of the named stream itself. There are malware variants that drop their executables or configuration settings via browser downloads, and this event is aimed at capturing that based on the browser attaching a Zone.Identifier "mark of the web" stream, whose ZoneId and HostUrl values show where the file came from.
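The following is an added example of how an analyst might consume this event; it is not Sysmon's own code and the three events it parses are constructed test data, not real log records. It assumes the Event 15 record arrives as the usual Windows event XML (EventData/Data elements named as in the message template above), that TargetFilename carries the stream name after the final colon, and that Sysmon writes the [ZoneTransfer] key/value pairs of a Zone.Identifier stream into Contents (the separator handling is deliberately tolerant). The RISKY_EXTENSIONS list and the verdict names are the example's own choices.

```python
"""Parse and triage Sysmon Event ID 15 (FileCreateStreamHash) records.

Added example, not Sysmon's own code. All sample events are constructed.
"""
import ntpath
import re
from typing import Optional
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# File types that deserve a closer look when they land with an internet-zone
# mark of the web. Assumed list for this example; extend to taste.
RISKY_EXTENSIONS = {".exe", ".dll", ".scr", ".hta", ".js", ".jse", ".vbs",
                    ".wsf", ".ps1", ".lnk", ".iso", ".img", ".msi", ".cpl"}


def parse_event15(xml_text: str) -> Optional[dict]:
    """Return the EventData fields of a Sysmon Event 15 as a dict, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "15":
        return None
    return {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}


def split_stream(target: str) -> tuple:
    """Split 'C:\\dir\\file.exe:Zone.Identifier' into (file path, stream name).

    The drive-letter colon sits at index 1, so only a later colon marks a stream.
    """
    idx = target.rfind(":")
    if idx <= 1:
        return target, ""
    return target[:idx], target[idx + 1:]


def parse_hashes(hash_field: str) -> dict:
    """'SHA256=abc,MD5=def' -> {'SHA256': 'abc', 'MD5': 'def'} (hash of the unnamed stream)."""
    out = {}
    for part in hash_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip()] = value.strip().lower()
    return out


def parse_zone_identifier(contents: str) -> dict:
    """Parse the [ZoneTransfer] key=value pairs copied into the Contents field.

    Assumption: pairs may be separated by line breaks or runs of whitespace,
    so both are accepted; the section header line is skipped.
    """
    pairs = {}
    for token in re.split(r"\r?\n|\s{2,}", contents):
        token = token.strip()
        if "=" in token and not token.startswith("["):
            key, value = token.split("=", 1)
            pairs[key.strip()] = value.strip()
    return pairs


def triage(fields: dict) -> dict:
    """Classify one Event 15 record for a detection pipeline."""
    path, stream = split_stream(fields.get("TargetFilename", ""))
    result = {"path": path, "stream": stream, "image": fields.get("Image", ""),
              "hashes": parse_hashes(fields.get("Hash", "")), "verdict": ""}
    if not stream:
        result["verdict"] = "no_stream"          # unexpected for this event type
        return result
    if stream.lower() != "zone.identifier":
        # Any other named stream is the classic place to hide a payload, and
        # this event is often the only record that it was ever written.
        result["verdict"] = "non_motw_ads"
        return result
    zone = parse_zone_identifier(fields.get("Contents", ""))
    result.update(zone_id=zone.get("ZoneId", ""), host_url=zone.get("HostUrl", ""))
    ext = ntpath.splitext(path)[1].lower()       # ntpath: Windows path rules on any host
    if zone.get("ZoneId") == "3" and ext in RISKY_EXTENSIONS:
        result["verdict"] = "motw_download_executable"   # internet-zone executable landed
    elif zone.get("ZoneId") == "3":
        result["verdict"] = "motw_download"
    else:
        result["verdict"] = "motw_other_zone"
    return result


def triage_all(xml_events) -> list:
    """Run triage over a sequence of event XML strings, skipping non-15 events."""
    rows = []
    for xml_text in xml_events:
        fields = parse_event15(xml_text)
        if fields is not None:
            rows.append(triage(fields))
    return rows


def _sample(fields: dict) -> str:
    """Build a minimal Sysmon-shaped Event 15 XML string (constructed test data)."""
    data = "".join(f"<Data Name='{k}'>{escape(v)}</Data>" for k, v in fields.items())
    return (f"<Event xmlns='{NS['e']}'><System><Provider Name='Microsoft-Windows-Sysmon'/>"
            f"<EventID>15</EventID></System><EventData>{data}</EventData></Event>")


# Constructed sample events: a browser download of an .exe, a payload hidden in
# an ADS by cmd.exe, and a browser download of a PDF.
SAMPLE_EVENTS = [
    _sample({"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
             "TargetFilename": r"C:\Users\alice\Downloads\setup.exe:Zone.Identifier",
             "Hash": "SHA256=" + "a" * 64, "User": r"CORP\alice",
             "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.test/"
                         "\r\nHostUrl=https://example.test/dl/setup.exe"}),
    _sample({"Image": r"C:\Windows\System32\cmd.exe",
             "TargetFilename": r"C:\Users\Public\readme.txt:payload.exe",
             "Hash": "SHA256=" + "b" * 64, "Contents": "", "User": r"CORP\bob"}),
    _sample({"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
             "TargetFilename": r"C:\Users\bob\Downloads\report.pdf:Zone.Identifier",
             "Hash": "SHA256=" + "c" * 64, "User": r"CORP\bob",
             "Contents": "[ZoneTransfer]  ZoneId=3  HostUrl=https://files.example.test/report.pdf"}),
]

if __name__ == "__main__":
    for row in triage_all(SAMPLE_EVENTS):
        print(row["verdict"], row["path"], row["stream"], row.get("host_url", ""))
```

Note that the filtering of which streams and directories produce this event happens in the Sysmon configuration's FileCreateStreamHash rule, not in code like this; check that rule covers the download locations you care about before relying on the verdicts, and carry the SHA256 from the hashes dict forward so it can be matched against the Hashes field of a later Event ID 1.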