Sysmon Event ID 11


11: FileCreate

This is an event from Sysmon.

File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places where malware drops files during initial infection.

Description Fields in 11

  • Log Name
  • Source
  • Date
  • Event ID
  • Task Category
  • Level
  • Keywords
  • User
  • Computer
  • Description
  • UtcTime
  • ProcessGuid
  • ProcessId
  • Image
  • TargetFilename
  • CreationUtcTime

Examples of 11

File created:
UtcTime: 2017-05-13 19:44:55.313
ProcessGuid: {a23eae89-6237-5917-0000-0010300e6601}
ProcessId: 19200
Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\4b00-0\AxImp.exe
CreationUtcTime: 2017-05-13 19:44:55.313

Event XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
        <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
        <EventID>11</EventID>
        <Version>2</Version>
        <Level>4</Level>
        <Task>11</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2017-05-13T19:44:55.314125100Z" />
        <EventRecordID>734181</EventRecordID>
        <Correlation />
        <Execution ProcessID="2848" ThreadID="3520" />
        <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
        <Computer>rfsH.lab.local</Computer>
        <Security UserID="S-1-5-18" />
    </System>
    <EventData>
        <Data Name="UtcTime">2017-05-13 19:44:55.313</Data>
        <Data Name="ProcessGuid">{A23EAE89-6237-5917-0000-0010300E6601}</Data>
        <Data Name="ProcessId">19200</Data>
        <Data Name="Image">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Data>
        <Data Name="TargetFilename">C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\4b00-0\AxImp.exe</Data>
        <Data Name="CreationUtcTime">2017-05-13 19:44:55.313</Data>
    </EventData>
</Event>
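As an added example (not part of this page, and not Sysmon's own tooling), a small Python parser that pulls the Description Fields listed above out of an Event ID 11 record and labels creations in the autostart, temp and download locations the description calls out. The glob patterns, the reduced XML template and the second sample event are assumptions constructed for illustration; the first sample is the page's own benign NGEN compile.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Locations the page calls out (autostart, temp, downloads); patterns are assumptions.
WATCHED_LOCATIONS = {
    "startup": "*\\start menu\\programs\\startup\\*",
    "temp": "*\\appdata\\local\\temp\\*",
    "downloads": "*\\downloads\\*",
}

# Reduced Event ID 11 record, constructed from the page's sample (ProcessGuid omitted).
EVENT_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>11</EventID></System>
  <EventData>
    <Data Name="UtcTime">2017-05-13 19:44:55.313</Data>
    <Data Name="ProcessId">19200</Data>
    <Data Name="Image">{image}</Data>
    <Data Name="TargetFilename">{target}</Data>
    <Data Name="CreationUtcTime">2017-05-13 19:44:55.313</Data>
  </EventData>
</Event>"""

# Constructed samples: the page's benign NGEN compile (its Temp is under C:\Windows\assembly,
# so it must NOT match the user-profile temp pattern) and a script dropped into Startup.
SAMPLES = [
    EVENT_TEMPLATE.format(image=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe",
                          target=r"C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\4b00-0\AxImp.exe"),
    EVENT_TEMPLATE.format(image=r"C:\Users\alice\AppData\Local\Temp\setup.exe",
                          target=r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.vbs"),
]

def parse_sysmon_event(xml_text):
    """Return (EventID, {Data Name: value}) from one Sysmon event XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    fields = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, fields

def classify_file_create(xml_text):
    """Label a FileCreate event by watched location; None if not ID 11 or not watched."""
    event_id, fields = parse_sysmon_event(xml_text)
    if event_id != 11:
        return None
    target = fields.get("TargetFilename", "").lower()  # case-insensitive NTFS paths
    for label, pattern in WATCHED_LOCATIONS.items():
        if fnmatchcase(target, pattern):
            return label
    return None
```

Real deployments would feed this from the Microsoft-Windows-Sysmon/Operational channel and tune the patterns per environment; the point is that the TargetFilename field alone carries enough to separate the page's benign example from a Startup-folder drop.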
