Data Source: Sysmon EventID 11

Description

Logs the creation of a new file, including details about the file path, hash information, and associated process metadata.

Details

Property    Value
Source      XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sourcetype  XmlWinEventLog
Separator   EventID

Name | Technique | Type
Spike in File Writes | None | Anomaly
Detect RTLO In File Name | Right-to-Left Override | TTP
Windows Screen Capture in TEMP folder | Screen Capture | TTP
Spoolsv Writing a DLL - Sysmon | Print Processors | TTP
Common Ransomware Notes | Data Destruction | Hunting
Windows RDP Bitmap Cache File Creation | Remote Desktop Protocol | Anomaly
Windows Credentials from Web Browsers Saved in TEMP Folder | Credentials from Web Browsers | TTP
MS Exchange Mailbox Replication service writing Active Server Pages | External Remote Services, Exploit Public-Facing Application, Web Shell | TTP
Windows Obfuscated Files or Information via RAR SFX | Encrypted/Encoded File | Anomaly
Windows Default RDP File Creation By Non MSTSC Process | Remote Desktop Protocol | Anomaly
Windows System File on Disk | Exploitation for Privilege Escalation | Hunting
Detect SharpHound File Modifications | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | TTP
Detect Exchange Web Shell | External Remote Services, Exploit Public-Facing Application, Web Shell | TTP
Windows NirSoft Tool Bundle File Created | Tool | Anomaly
Windows File Without Extension In Critical Folder | Data Destruction | TTP
Creation of lsass Dump with Taskmgr | LSASS Memory | TTP
Detect Outlook exe writing a zip file | Spearphishing Attachment | Anomaly
Windows Known Abused DLL Created | DLL | Anomaly
Windows Replication Through Removable Media | Replication Through Removable Media | TTP
Process Creating LNK file in Suspicious Location | Spearphishing Link | Anomaly
Drop IcedID License dat | Malicious File | Hunting
Windows Suspicious File in EFI Volume | Inhibit System Recovery, System Firmware | TTP
Windows Process Writing File to World Writable Path | Mshta | Hunting
Windows XLL File Creation Outside of Typical Location | Command and Scripting Interpreter, Shared Modules | Anomaly
Windows Office Product Dropped Cab or Inf File | Spearphishing Attachment | TTP
Windows .Key File Creation in Root Directory | Data Encrypted for Impact | Anomaly
Windows SharePoint Spinstall0 Webshell File Creation | Exploit Public-Facing Application, Web Shell | TTP
Suspicious WAV file in Appdata Folder | Screen Capture | TTP
Suspicious writes to windows Recycle Bin | Masquerading | TTP
LLM Model File Creation | Create or Modify System Process | Hunting
Shim Database File Creation | Application Shimming | TTP
Windows Potential AppDomainManager Hijack Artifacts Creation | AppDomainManager | Anomaly
Spoolsv Writing a DLL | Print Processors | TTP
Windows EFI Bootloader File Modification | Bootkit | TTP
ConnectWise ScreenConnect Path Traversal | Exploit Public-Facing Application | TTP
Windows Snake Malware File Modification Crmlog | Obfuscated Files or Information | TTP
Ransomware Notes bulk creation | Data Encrypted for Impact | Anomaly
Windows Defacement Modify Transcodedwallpaper File | Defacement | Anomaly
Windows TeamCity Plugin Installed | Command and Scripting Interpreter, Exploit Public-Facing Application, Web Shell | Anomaly
Detect Remote Access Software Usage File | Remote Access Tools | Anomaly
Windows User Execution Malicious URL Shortcut File | Malicious File | Anomaly
GitHub Workflow File Creation or Modification | Supply Chain Compromise, Compromise Host Software Binary, Dynamic Linker Hijacking | Hunting
Executables Or Script Creation In Temp Path | Masquerading | Anomaly
Wermgr Process Create Executable File | Obfuscated Files or Information | TTP
Windows MSHTA Writing to World Writable Path | Mshta | TTP
Windows Boot or Logon Autostart Execution In Startup Folder | Registry Run Keys / Startup Folder | Anomaly
Windows Admin Permission Discovery | Local Groups | Anomaly
Windows Universal Data Link File Creation | Malicious File, Spearphishing Attachment | Anomaly
Process Writing DynamicWrapperX | Command and Scripting Interpreter, Component Object Model | Hunting
Windows CAB File on Disk | Spearphishing Attachment | Anomaly
Rundll32 Process Creating Exe Dll Files | Rundll32 | TTP
Overwriting Accessibility Binaries | Accessibility Features | TTP
Detect AzureHound File Modifications | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | TTP
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Windows Phishing Outlook Drop Dll In FORM Dir | Phishing | TTP
Batch File Write to System32 | Malicious File | TTP
Windows Office Product Dropped Uncommon File | Spearphishing Attachment | Anomaly
Msmpeng Application DLL Side Loading | DLL | TTP
Windows Credentials from Password Stores Chrome Copied in TEMP Dir | Credentials from Web Browsers | TTP
IcedID Exfiltrated Archived File Creation | Archive via Utility | Hunting
Windows MOVEit Transfer Writing ASPX | External Remote Services, Exploit Public-Facing Application | TTP
Windows Snake Malware Kernel Driver Comadmin | Kernel Modules and Extensions | TTP
Windows Theme File Creation in Unusual Location | SMB/Windows Admin Shares, Forced Authentication, Name Resolution Poisoning and SMB Relay | Anomaly
Common Ransomware Extensions | Data Destruction | TTP
Shai-Hulud 2 Exfiltration Artifact Files | Local Data Staging, Compromise Software Supply Chain, Credentials In Files | TTP
Windows Mock Trusted Directory MSC File Creation | MMC, Bypass User Account Control, Hijack Execution Flow | TTP
Remcos RAT File Creation in Remcos Folder | Screen Capture | TTP
Shai-Hulud Workflow File Creation or Modification | Supply Chain Compromise, Compromise Host Software Binary, Dynamic Linker Hijacking | TTP
Windows Mimikatz Crypto Export File Extensions | Steal or Forge Authentication Certificates | Anomaly
Samsam Test File Write | Data Encrypted for Impact | TTP
Windows ISO LNK File Creation | Malicious Link, Spearphishing Attachment | Hunting
Windows Archived Collected Data In TEMP Folder | Archive Collected Data | Anomaly
Windows PowerShell Module File Created | PowerShell, Shared Modules, Hijack Execution Flow | Anomaly
File with Samsam Extension | None | TTP
Windows Outlook Macro Created by Suspicious Process | Visual Basic, Office Application Startup | TTP
Windows Unusual File Creation in Confluence Directory | Exploit Public-Facing Application, Upload Malware, Upload Tool | Anomaly
Detect Certipy File Modifications | Archive Collected Data, Steal or Forge Authentication Certificates | TTP
Suspicious Image Creation In Appdata Folder | Screen Capture | TTP
Sqlite Module In Temp Folder | Data from Local System | TTP
Windows Potential Web Shell Creation For VMware Workspace ONE | Web Shell | Anomaly
SchCache Change By App Connect And Create ADSI Object | Domain Account | Anomaly
Ryuk Test Files Detected | Data Encrypted for Impact | TTP
Email files written outside of the Outlook directory | Local Email Collection | TTP

Supported Apps

Event Fields

  • _time
  • Channel
  • Computer
  • CreationUtcTime
  • EventChannel
  • EventCode
  • EventData_Xml
  • EventDescription
  • EventID
  • EventRecordID
  • Guid
  • Image
  • Keywords
  • Level
  • Name
  • Opcode
  • ProcessGuid
  • ProcessID
  • ProcessId
  • RecordID
  • RecordNumber
  • RuleName
  • SecurityID
  • SystemTime
  • System_Props_Xml
  • TargetFilename
  • Task
  • ThreadID
  • TimeCreated
  • UserID
  • UtcTime
  • Version
  • action
  • date_hour
  • date_mday
  • date_minute
  • date_month
  • date_second
  • date_wday
  • date_year
  • date_zone
  • dest
  • dvc_nt_host
  • event_id
  • eventtype
  • file_create_time
  • file_name
  • file_path
  • host
  • id
  • index
  • linecount
  • object_category
  • process_exec
  • process_guid
  • process_id
  • process_name
  • process_path
  • punct
  • signature
  • signature_id
  • source
  • sourcetype
  • splunk_server
  • tag
  • tag::eventtype
  • tag::object_category
  • timeendpos
  • timestartpos
  • user_id
  • vendor_product

Example Log

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/>
    <EventID>11</EventID>
    <Version>2</Version>
    <Level>4</Level>
    <Task>11</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime='2023-02-08T13:01:11.065939500Z'/>
    <EventRecordID>7712490</EventRecordID>
    <Correlation/>
    <Execution ProcessID='2940' ThreadID='3376'/>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>win-dc-mhaag-attack-range-84.attackrange.local</Computer>
    <Security UserID='S-1-5-18'/>
  </System>
  <EventData>
    <Data Name='RuleName'>Downloads</Data>
    <Data Name='UtcTime'>2023-02-08 13:01:11.053</Data>
    <Data Name='ProcessGuid'>{0F9A6540-A70E-63E2-3091-00000000BD02}</Data>
    <Data Name='ProcessId'>9332</Data>
    <Data Name='Image'>C:\Users\Administrator\Downloads\mimikatz_trunk\x64\mimikatz.exe</Data>
    <Data Name='TargetFilename'>C:\Users\Administrator\Downloads\mimikatz_trunk\x64\CURRENT_USER_My_4_atomic@art2.local.pfx</Data>
    <Data Name='CreationUtcTime'>2023-02-08 13:01:11.053</Data>
  </EventData>
</Event>

Required Output Fields

  • action

  • dest

  • file_name

  • file_path

  • process_guid

  • process_id

  • user

  • vendor_product
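As an added example (not part of this page and not the project's own parsing or field-extraction code), the following Python parses the example event above with the standard library and maps it onto the required output fields listed here. The literal values chosen for action and vendor_product, and the fallback to the <Security> SID when the event carries no User data field, are assumptions made for this example.

```python
# Added example: flatten a Sysmon EventID 11 (FileCreate) XML event and map it
# onto the required output fields. Not the Splunk security content project's code.
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Windows event log schema namespace used by every <Event> element.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The example log from this page, embedded verbatim so the script runs offline.
SAMPLE_EVENT = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>11</EventID><Version>2</Version><Level>4</Level><Task>11</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-02-08T13:01:11.065939500Z'/><EventRecordID>7712490</EventRecordID><Correlation/><Execution ProcessID='2940' ThreadID='3376'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>win-dc-mhaag-attack-range-84.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>Downloads</Data><Data Name='UtcTime'>2023-02-08 13:01:11.053</Data><Data Name='ProcessGuid'>{0F9A6540-A70E-63E2-3091-00000000BD02}</Data><Data Name='ProcessId'>9332</Data><Data Name='Image'>C:\Users\Administrator\Downloads\mimikatz_trunk\x64\mimikatz.exe</Data><Data Name='TargetFilename'>C:\Users\Administrator\Downloads\mimikatz_trunk\x64\CURRENT_USER_My_4_atomic@art2.local.pfx</Data><Data Name='CreationUtcTime'>2023-02-08 13:01:11.053</Data></EventData></Event>"""


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten <System> metadata and the <EventData> name/value pairs into one dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    security = system.find("e:Security", NS)
    flat = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Computer": system.findtext("e:Computer", namespaces=NS),
        # SID of the account the Sysmon service itself runs as (S-1-5-18 = SYSTEM),
        # not the account that created the file.
        "SecurityUserID": security.get("UserID") if security is not None else None,
    }
    for data in root.findall("e:EventData/e:Data", NS):
        flat[data.get("Name")] = data.text
    return flat


def normalize_file_create(xml_text: str) -> dict:
    """Map a FileCreate event onto this page's required output fields.

    The values for action and vendor_product are assumptions made for this
    example; the page lists the field names but not the values.
    """
    ev = parse_sysmon_event(xml_text)
    if ev["EventID"] != 11:
        raise ValueError(f"expected Sysmon EventID 11, got {ev['EventID']}")
    target = PureWindowsPath(ev["TargetFilename"])
    return {
        "action": "created",  # assumption: EventID 11 only reports file creation
        "dest": ev["Computer"],
        "file_name": target.name,
        "file_path": ev["TargetFilename"],
        "process_guid": ev["ProcessGuid"],
        # EventData ProcessId is the writing process; the <Execution ProcessID>
        # attribute is Sysmon's own PID and must not be used here.
        "process_id": int(ev["ProcessId"]),
        # Prefer a 'User' Data field if the event has one; this sample does not,
        # so the only account on record is the service SID from <Security>.
        "user": ev.get("User") or ev["SecurityUserID"],
        "vendor_product": "Microsoft Sysmon",  # assumption
    }


if __name__ == "__main__":
    for key, value in normalize_file_create(SAMPLE_EVENT).items():
        print(f"{key:15} {value}")
```

The distinction between the two process identifiers matters for any detection in the list above that pivots on process_id: the Execution ProcessID attribute (2940) belongs to Sysmon, while the EventData ProcessId (9332) is the process that actually wrote the file.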


Source: GitHub | Version: 4