Sysmon Event ID 15
15: FileCreateStreamHash
This is an event from Sysmon.
This event logs when a named file stream is created, and it generates events that log the hash of the contents of the file to which the stream is assigned (the unnamed stream), as well as the contents of the named stream. There are malware variants that drop their executables or configuration settings via browser downloads, and this event is aimed at capturing that based on the browser attaching a Zone.Identifier “mark of the web” stream.
- Log Name
- Source
- Date
- Event ID
- Task Category
- Level
- Keywords
- User
- Computer
- Description
- UtcTime
- ProcessGuid
- ProcessId
- Image
- TargetFilename
- CreationUtcTime
- Hash
File stream created:
UtcTime: 2017-05-12 18:08:19.235
ProcessGuid: {a23eae89-c7f3-5915-0000-001083968417}
ProcessId: 26032
Image: C:\Program Files (x86)\WinMerge\WinMergeU.exe
TargetFilename: C:\repos\uws\Web\training\oiRegister.aspx.vb
CreationUtcTime: 2017-05-12 18:08:12.508
Hash: MD5=0825C513B61B70D0D47B110617DDD6E7,SHA256=29A25D16390F2A470D4742D41F447ED5FFCE58E93766B5A788BCAF36D94A2FCC
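The following triage sketch is an added example, not part of the original page or of Sysmon. It parses the description text of an Event ID 15 record, splits TargetFilename into file path and named stream, and flags a Zone.Identifier stream attached to a file with a risky extension. The extension list, the browser path and the second sample event are assumptions constructed for illustration.

```python
import ntpath

RISKY_EXT = {".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".hta"}  # assumed triage list

# Description text of the sample event on this page (subset of its fields).
PAGE_SAMPLE = r"""File stream created:
ProcessId: 26032
Image: C:\Program Files (x86)\WinMerge\WinMergeU.exe
TargetFilename: C:\repos\uws\Web\training\oiRegister.aspx.vb
Hash: MD5=0825C513B61B70D0D47B110617DDD6E7,SHA256=29A25D16390F2A470D4742D41F447ED5FFCE58E93766B5A788BCAF36D94A2FCC
"""

# Constructed for illustration: a browser tagging a download; the hash is a placeholder.
CONSTRUCTED_SAMPLE = r"""File stream created:
ProcessId: 4242
Image: C:\Program Files\ExampleBrowser\browser.exe
TargetFilename: C:\Users\alice\Downloads\setup.exe:Zone.Identifier
Hash: MD5=00000000000000000000000000000000
"""

def parse_event(text):
    """Turn the 'Key: value' lines of the description into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:  # the 'File stream created:' banner has no value and is skipped
            fields[key.strip()] = value.strip()
    # Hash is 'ALG=HEX,ALG=HEX'; split it into {alg: hex}
    pairs = fields.get("Hash", "").split(",")
    fields["Hash"] = dict(p.split("=", 1) for p in pairs if "=" in p)
    return fields

def split_stream(target):
    """Separate the file path from a trailing ':stream' name, if any."""
    drive, rest = ntpath.splitdrive(target)  # sets the drive-letter colon aside
    path, _, stream = rest.partition(":")
    stream = stream.split(":")[0]            # drop a ':$DATA' type suffix
    return drive + path, (stream or None)

def triage(text):
    """Parse one event and mark mark-of-the-web streams on risky file types."""
    ev = parse_event(text)
    ev["File"], ev["Stream"] = split_stream(ev["TargetFilename"])
    ext = ntpath.splitext(ev["File"])[1].lower()
    ev["MarkOfTheWeb"] = (ev["Stream"] or "").lower() == "zone.identifier"
    ev["Flag"] = ev["MarkOfTheWeb"] and ext in RISKY_EXT
    return ev
```

The page's own sample (WinMerge writing a .vb source file with no named stream in TargetFilename) is not flagged; the constructed browser download is.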