Sysmon Event ID 15


15: FileCreateStreamHash

This is an event from Sysmon.


This event logs when a named file stream is created. It records the hash of the contents of the file to which the stream is assigned (the unnamed stream), as well as the contents of the named stream. Some malware variants drop their executables or configuration settings via browser downloads, and this event is aimed at capturing that, based on the browser attaching a Zone.Identifier “mark of the web” stream.


Description Fields in 15

  • Log Name
  • Source
  • Date
  • Event ID
  • Task Category
  • Level
  • Keywords
  • User
  • Computer
  • Description
  • UtcTime
  • ProcessGuid
  • ProcessId
  • Image
  • TargetFilename
  • CreationUtcTime
  • Hash



Examples of 15

File stream created:

UtcTime: 2017-05-12 18:08:19.235

ProcessGuid: {a23eae89-c7f3-5915-0000-001083968417}

ProcessId: 26032

Image: C:\Program Files (x86)\WinMerge\WinMergeU.exe

TargetFilename: C:\repos\uws\Web\training\oiRegister.aspx.vb

CreationUtcTime: 2017-05-12 18:08:12.508


Hash: MD5=0825C513B61B70D0D47B110617DDD6E7,SHA256=29A25D16390F2A470D4742D41F447ED5FFCE58E93766B5A788BCAF36D94A2FCC
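
The following parser is an added example, not part of the original page or of Sysmon: it splits an Event ID 15 description like the one above into fields, breaks the Hash value into per-algorithm entries, and reports whether the created stream is a Zone.Identifier mark of the web. The sample event is constructed, and it assumes the stream name is appended to TargetFilename after a colon; a path with no stream name, as in the example above, is also accepted.

```python
import re

# Constructed sample: rendered description of an Event ID 15 for a browser
# download. Paths, GUID, process id and hash values are placeholders.
SAMPLE = r"""File stream created:
UtcTime: 2017-05-12 18:08:19.235
ProcessGuid: {00000000-0000-0000-0000-000000000000}
ProcessId: 4242
Image: C:\Program Files\ExampleBrowser\browser.exe
TargetFilename: C:\Users\alice\Downloads\setup.exe:Zone.Identifier
CreationUtcTime: 2017-05-12 18:08:12.508
Hash: MD5=00000000000000000000000000000000,SHA256=0000000000000000000000000000000000000000000000000000000000000000
"""

def parse_event15(description):
    """Parse the 'Name: value' lines of the description into a dict."""
    fields = {}
    for line in description.splitlines():
        m = re.match(r"^(\w+):\s(.*)$", line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    # Hash is a comma-separated list of ALGORITHM=HEX pairs.
    hashes = {}
    for pair in fields.get("Hash", "").split(","):
        algo, sep, value = pair.partition("=")
        if sep:
            hashes[algo.strip().upper()] = value.strip().upper()
    fields["Hashes"] = hashes
    # Skip the drive-letter colon, then split an optional ":stream" suffix
    # (assumed layout, see lead-in).
    target = fields.get("TargetFilename", "")
    drive = target[:2] if re.match(r"^[A-Za-z]:", target) else ""
    path, _, stream = target[len(drive):].partition(":")
    fields["FilePath"] = drive + path
    fields["StreamName"] = stream or None
    return fields

def is_mark_of_the_web(fields):
    """True when the named stream is Zone.Identifier (any case, optional :$DATA)."""
    stream = fields.get("StreamName") or ""
    return stream.split(":")[0].lower() == "zone.identifier"

if __name__ == "__main__":
    event = parse_event15(SAMPLE)
    print(event["FilePath"], event["StreamName"], is_mark_of_the_web(event))
    print(event["Hashes"])
```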
