Sysmon Event ID 2

Source

2: A process changed a file creation time

This is an event from Sysmon.

On this page

Description of this event
Field level details
Examples

The change file creation time event is registered when a file creation time is explicitly modified by a process. This event helps tracking the real creation time of a file. Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.

Free Security Log Resources by Randy

Description Fields in 2

Log Name
Source
Logged
Event ID
Task Category
Level
Keywords
User
Computer
OpCode
Description
RuleName
UtcTime
ProcessGuid
ProcessId
Image
TargetFilename
CreationUtcTime
PreviousCreationUtcTime
User

Supercharger Free Edition

Examples of 2

File creation time changed:
UtcTime: 2017-07-30 23:26:47.321
ProcessGuid: {a23eae89-ef48-5978-0000-00104832b112}
ProcessId: 25968
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
TargetFilename: C:\Users\rsmith.LAB\AppData\Local\Google\Chrome\User Data\Default\c61f44ce-5bb0-4efe-acc1-246fa8a3df1d.tmp
CreationUtcTime: 2016-11-25 18:21:47.692
PreviousCreationUtcTime: 2017-07-30 23:26:47.317
User: LAB\Administrator

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
    <EventID>2</EventID>
    <Version>5</Version>
    <Level>4</Level>
    <Task>2</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2017-07-30T23:26:47.322369100Z" />
    <EventRecordID>5256170</EventRecordID>
    <Correlation />
    <Execution ProcessID="4740" ThreadID="5948" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>rfsH.lab.local</Computer>
    <Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2017-07-30 23:26:47.321</Data>
    <Data Name="ProcessGuid">{A23EAE89-EF48-5978-0000-00104832B112}</Data>
    <Data Name="ProcessId">25968</Data>
    <Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
    <Data Name="TargetFilename">C:\Users\rsmith.LAB\AppData\Local\Google\Chrome\User Data\Default\c61f44ce-5bb0-4efe-acc1-246fa8a3df1d.tmp</Data>
    <Data Name="CreationUtcTime">2016-11-25 18:21:47.692</Data>
    <Data Name="PreviousCreationUtcTime">2017-07-30 23:26:47.317</Data>
<Data Name="User">LAB\Administrator</Data>
</EventData>
</Event>

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Mini-Seminars Covering Event ID 2

Upcoming Webinars

Additional Resources

Encyclopedia

•	Event IDs
•	All Event IDs
•	Audit Policy

Go To Event ID:

Must be a 1-5 digit number No such event ID

Security Log
Quick Reference
Chart
Download now!

User name:
Password:
	/ Forgot?
	Register

July 2024 Patch Tuesday	"Patch Tuesday - Four Zero Days " - sponsored by Supercharger for Windows Event Collection

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.