Sysmon Event ID 2

SourceSysmon
Discussions on Event ID 2
Ask a question about this event

2: A process changed a file creation time

This is an event from Sysmon.

On this page

The change file creation time event is registered when a file creation time is explicitly modified by a process. This event helps tracking the real creation time of a file. Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.

Free Security Log Resources by Randy

Description Fields in 2

  • Log Name
  • Source
  • Date
  • Event ID
  • Task Category
  • Level
  • Keywords
  • User
  • Computer
  • Description
  • UtcTime
  • ProcessGuid
  • ProcessId
  • Image
  • TargetFilename
  • CreationUtcTime
  • PreviousCreationUtcTime

Supercharger Free Edition


Centrally manage WEC subscriptions.

Free.

 

Examples of 2

File creation time changed:
UtcTime: 2017-07-30 23:26:47.321
ProcessGuid: {a23eae89-ef48-5978-0000-00104832b112}
ProcessId: 25968
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
TargetFilename: C:\Users\rsmith.LAB\AppData\Local\Google\Chrome\User Data\Default\c61f44ce-5bb0-4efe-acc1-246fa8a3df1d.tmp
CreationUtcTime: 2016-11-25 18:21:47.692
PreviousCreationUtcTime: 2017-07-30 23:26:47.317
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
    <EventID>2</EventID>
    <Version>4</Version>
    <Level>4</Level>
    <Task>2</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2017-07-30T23:26:47.322369100Z" />
    <EventRecordID>5256170</EventRecordID>
    <Correlation />
    <Execution ProcessID="4740" ThreadID="5948" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>rfsH.lab.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="UtcTime">2017-07-30 23:26:47.321</Data>
    <Data Name="ProcessGuid">{A23EAE89-EF48-5978-0000-00104832B112}</Data>
    <Data Name="ProcessId">25968</Data>
    <Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
    <Data Name="TargetFilename">C:\Users\rsmith.LAB\AppData\Local\Google\Chrome\User Data\Default\c61f44ce-5bb0-4efe-acc1-246fa8a3df1d.tmp</Data>
    <Data Name="CreationUtcTime">2016-11-25 18:21:47.692</Data>
    <Data Name="PreviousCreationUtcTime">2017-07-30 23:26:47.317</Data>
  </EventData>
 
</Event>

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Additional Resources