Event ID 15 — FileCreateStreamHash
Description
This event logs when a named file stream is created.
Fields
| Name | Type | Description |
|---|---|---|
| RuleName | UnicodeString → string | Custom tag mapped to the event, e.g. an ATT&CK technique ID |
| UtcTime | UnicodeString → string | Time in UTC when the event was created |
| ProcessGuid | GUID → GUID | Process GUID of the process that created the named file stream |
| ProcessId | UInt32 → PID | Process ID used by the OS to identify the process that created the named file stream |
| Image | UnicodeString → string | File path of the process that created the named file stream |
| TargetFilename | UnicodeString → string | Name of the file, including the stream name after the colon |
| CreationUtcTime | UnicodeString → string | File download time |
| Hash | UnicodeString → string | Hash of the stream contents using the algorithms specified in the HashType field |
| Contents | UnicodeString → string | Content of the named file stream (e.g., Zone.Identifier) |
| User | UnicodeString → string | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 15,
    "version": 2,
    "level": 4,
    "task": 15,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T01:51:44.967041+00:00",
    "event_record_id": 1389495,
    "correlation": {},
    "execution": {
      "process_id": 7064,
      "thread_id": 9788
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2023-11-06 01:51:44.960",
    "ProcessGuid": "E56ADA26-46AE-6548-E90A-000000000D00",
    "ProcessId": 21364,
    "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
    "TargetFilename": "C:\\Users\\User\\Downloads\\b91cbd9e6f39cecc89fce0e6aaed8cd9ace56a7c.pdf:Zone.Identifier",
    "CreationUtcTime": "2023-11-06 01:51:40.569",
    "Hash": "SHA1=ACEF7488AD1488562925D97A333EE75A91F583A9,MD5=C9D406793D9E74FE319B9E6204D278B4,SHA256=D40F403A0C6E5448F3E5C4B339FE583C50A8BCF7FF2DA26E6A2F01DF62CD965C,IMPHASH=00000000000000000000000000000000",
    "Contents": "[ZoneTransfer] ZoneId=3 ReferrerUrl=https://pub-7cb8ac806c1b4c4383e585c474a24719.r2.dev/b91cbd9e6f39cecc89fce0e6aaed8cd9ace56a7c.pdf HostUrl=https://pub-7cb8ac806c1b4c4383e585c474a24719.r2.dev/b91cbd9e6f39cecc89fce0e6aaed8cd9ace56a7c.pdf ",
    "User": "WINDEV2310EVAL\\User"
  },
  "message": ""
}
```
Community Notes
The Contents field may carry Mark of the Web data (the Zone.Identifier stream), including the ZoneId, referrer URL and host URL of a download.
Detection Rules
Sigma
- Hidden Executable In NTFS Alternate Data Stream (level: medium): Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash
- Creation Of a Suspicious ADS File Outside a Browser Download (level: medium): Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers
- Suspicious File Download From File Sharing Websites - File Stream (level: high): Detects the download of a suspicious file type from a well-known file and paste sharing domain
- Unusual File Download From File Sharing Websites - File Stream (level: medium): Detects the download of a suspicious file type from a well-known file and paste sharing domain
- HackTool Named File Stream Created (level: high): Detects the creation of a named file stream with the imphash of a well-known hack tool
- Exports Registry Key To an Alternate Data Stream (level: high): Exports the target Registry key and hides it in the specified alternate data stream
- Unusual File Download from Direct IP Address (level: high): Detects the download of a suspicious file type from URLs with an IP address as the host
- Potential Suspicious Winget Package Installation (level: high): Detects potential suspicious winget package installation from a suspicious source
- Potentially Suspicious File Download From ZIP TLD (level: high): Detects the download of a file with a potentially suspicious extension from a .zip top level domain
Splunk
- Download Files Using Telegram: The following analytic detects suspicious file downloads by the Telegram application on a Windows system. It leverages Sysmon EventCode 15 to identify instances where Telegram.exe creates files with a Zone.Identifier, indicating a download. This activity is significant as it may indicate an adversary using Telegram to download malicious tools, such as network scanners, for further exploitation. If confirmed malicious, this behavior could lead to network mapping, lateral movement, and potential compromise of additional systems within the network.
- Windows Alternate DataStream - Base64 Content: The following analytic detects the creation of Alternate Data Streams (ADS) with Base64 content on Windows systems. It leverages Sysmon EventID 15, which captures file creation events, including the content of named streams. ADS can conceal malicious payloads, making them significant for SOC monitoring. This detection identifies hidden streams that may contain executables, scripts, or configuration data, often used by malware to evade detection. If confirmed malicious, this activity could allow attackers to hide and execute payloads, persist in the environment, or access sensitive information without being easily detected.
- Windows Alternate DataStream - Executable Content: The following analytic detects the writing of data with an IMPHASH value to an Alternate Data Stream (ADS) in the NTFS file system. It leverages Sysmon Event ID 15 and regex to identify files with a Portable Executable (PE) structure. This activity is significant as it may indicate a threat actor staging malicious code in hidden areas for persistence or future execution. If confirmed malicious, this could allow attackers to execute hidden code, maintain persistence, or escalate privileges within the environment.
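As an added example (not part of the Sysmon documentation or of any Sigma or Splunk rule above), the following Python parses the Hash and Contents fields from the Fields table and applies three checks modelled on the rules listed: a non-zero IMPHASH in the stream, a Zone.Identifier written by something other than a browser, and an Internet-zone download whose HostUrl is a bare IP address. The sample event and the browser allow-list are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample shaped like the page's event_data (added example; values invented).
SAMPLE_EVENT = {
    "Image": r"C:\Windows\System32\cmd.exe",
    "TargetFilename": r"C:\Users\User\Downloads\update.pdf:Zone.Identifier",
    "Hash": "MD5=0123456789ABCDEF0123456789ABCDEF,IMPHASH=00000000000000000000000000000000",
    "Contents": "[ZoneTransfer] ZoneId=3 ReferrerUrl=http://203.0.113.10/ "
                "HostUrl=http://203.0.113.10/update.pdf ",
}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}  # assumed allow-list
EMPTY_IMPHASH = "0" * 32  # Sysmon reports this IMPHASH when the stream holds no PE

def parse_hashes(hash_field: str) -> dict:
    """'SHA1=..,MD5=..' -> {'SHA1': '..', 'MD5': '..'}."""
    pairs = (p.split("=", 1) for p in hash_field.split(",") if "=" in p)
    return {k.strip().upper(): v.strip() for k, v in pairs}

def parse_zone_transfer(contents: str) -> dict:
    """Parse the Zone.Identifier body (ZoneId, ReferrerUrl, HostUrl) from Contents."""
    kv = dict(re.findall(r"(\w+)=(\S+)", contents))
    if "ZoneId" in kv:
        kv["ZoneId"] = int(kv["ZoneId"])
    return kv

def host_is_ip(url: str) -> bool:
    """True when the URL host is a literal IP address rather than a hostname."""
    try:
        ipaddress.ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False

def evaluate(ev: dict) -> list:
    """Return the names of the checks that fire for one Event ID 15 record."""
    findings = []
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    hashes = parse_hashes(ev.get("Hash", ""))
    zone = parse_zone_transfer(ev.get("Contents", ""))
    if hashes.get("IMPHASH", EMPTY_IMPHASH) != EMPTY_IMPHASH:
        findings.append("executable_in_ads")           # a PE was written into the stream
    if ev.get("TargetFilename", "").endswith(":Zone.Identifier") and image not in BROWSERS:
        findings.append("mark_of_web_by_non_browser")  # MOTW written by a non-browser
    if zone.get("ZoneId") == 3 and host_is_ip(zone.get("HostUrl", "")):
        findings.append("internet_download_from_ip")   # Internet zone, bare-IP host
    return findings
```

Feeding the page's own example event through evaluate() returns an empty list: chrome.exe wrote the stream, the IMPHASH is all zeros and the HostUrl host is a domain name.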