Event ID 2
Logs when a file's creation time is retroactively modified
Source:
Microsoft-Windows-Sysmon
Category:
File creation time changed (rule: FileCreateTime)
File creation time changed:
RuleName: %1!s!
UtcTime: %2!s!
ProcessGuid: %3!s!
ProcessId: %4!s!
Image: %5!s!
TargetFilename: %6!s!
CreationUtcTime: %7!s!
PreviousCreationUtcTime: %8!s!
User: %9!s!

The change file creation time event is registered when a file's creation time is explicitly modified by a process. This event helps track the real creation time of a file. Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. Note that many processes legitimately change the creation time of a file; this event alone does not necessarily indicate malicious activity.
Auditing:
Always
Auditing is recommended since the volume of this event is usually low.
Volume:
Low
Medium
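An added example (not part of the Sysmon documentation) that parses the rendered "File creation time changed" message shown above and flags records whose new CreationUtcTime lies well before PreviousCreationUtcTime, the retroactive case this event exists to surface; the sample record, its paths, GUID, user and times are constructed, and the one-day threshold is an assumed triage setting, not a Sysmon default.

```python
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"  # layout Sysmon uses for its Utc timestamps
FIELDS = ("RuleName", "UtcTime", "ProcessGuid", "ProcessId", "Image",
          "TargetFilename", "CreationUtcTime", "PreviousCreationUtcTime", "User")

def parse_event(message: str) -> dict:
    """Split the 'Field: value' lines of a rendered Event ID 2 message."""
    event = {}
    for line in message.strip().splitlines():
        key, _, value = line.partition(": ")
        if key in FIELDS:
            event[key] = value.strip()
    missing = [f for f in FIELDS if f not in event]
    if missing:
        raise ValueError(f"incomplete Event ID 2 record, missing {missing}")
    return event

def backdated_by(event: dict) -> float:
    """Seconds the creation time was moved into the past (0.0 if moved forward)."""
    new = datetime.strptime(event["CreationUtcTime"], TS_FMT)
    old = datetime.strptime(event["PreviousCreationUtcTime"], TS_FMT)
    return max(0.0, (old - new).total_seconds())

def is_suspicious(event: dict, min_backdate_days: float = 1.0) -> bool:
    """True when the creation time was pushed back by at least min_backdate_days.
    Forward moves and small corrections pass, since many legitimate processes
    touch creation times; the threshold is a triage aid, not proof of intent."""
    return backdated_by(event) >= min_backdate_days * 86400

# Constructed sample record (image path, GUID, user and times are invented).
BACKDATED = """File creation time changed:
RuleName: -
UtcTime: 2024-03-01 14:02:11.512
ProcessGuid: {00000000-0000-0000-0000-000000000001}
ProcessId: 4120
Image: C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe
TargetFilename: C:\\Windows\\System32\\helper.dll
CreationUtcTime: 2019-03-19 04:37:22.000
PreviousCreationUtcTime: 2024-03-01 14:02:10.998
User: CORP\\alice"""

# Same record with the creation time nudged forward by 2 ms: not flagged.
BENIGN = BACKDATED.replace("CreationUtcTime: 2019-03-19 04:37:22.000",
                           "CreationUtcTime: 2024-03-01 14:02:11.000")

if __name__ == "__main__":
    print([is_suspicious(parse_event(r)) for r in (BACKDATED, BENIGN)])  # [True, False]
```

Because copy and install utilities can also restore an older creation time, a flagged record is a lead to correlate with the Image and User fields, not a verdict on its own.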