Sysmon Event ID 15

SourceSysmon
Discussions on Event ID 15
Ask a question about this event

15: FileCreateStreamHash

This is an event from Sysmon.

On this page

This event logs when a named file stream is created, and it generates events that log the hash of the contents of the file to which the stream is assigned (the unnamed stream), as well as the contents of the named stream. There are malware variants that drop their executables or configuration settings via browser downloads, and this event is aimed at capturing that based on the browser attaching a Zone.Identifier “mark of the web” stream.

Free Security Log Resources by Randy

Description Fields in 15

  • Log Name
  • Source
  • Date
  • Event ID
  • Task Category
  • Level
  • Keywords
  • User
  • Computer
  • Description
  • UtcTime
  • ProcessGuid
  • ProcessId
  • Image
  • TargetFileName
  • CreationUtcTime
  • Hash

Supercharger Free Edition


Your entire Windows Event Collection environment on a single pane of glass.

Free.

 

Examples of 15

File stream created:

UtcTime: 2017-05-12 18:08:19.235

ProcessGuid: {a23eae89-c7f3-5915-0000-001083968417}

ProcessId: 26032

Image: C:\Program Files (x86)\WinMerge\WinMergeU.exe

TargetFilename: C:\repos\uws\Web\training\oiRegister.aspx.vb

CreationUtcTime: 2017-05-12 18:08:12.508

 

Hash: MD5=0825C513B61B70D0D47B110617DDD6E7,SHA256=29A25D16390F2A470D4742D41F447ED5FFCE58E93766B5A788BCAF36D94A2FCC

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Additional Resources