Event ID 2 — A process changed a file creation time
Description
The change file creation time event is registered when a file creation time is explicitly modified by a process. The event records both the previous and the new creation time, so the real creation time of the file can still be recovered after the fact. Many processes change file creation times legitimately (the example event below shows Edge WebView doing so for a temporary file), so the event alone does not indicate malicious activity; what matters is which process changed which file, and whether the new time was set backwards to blend an executable in with files that shipped with the system.
Fields

| Name | Type | Description |
|---|---|---|
| RuleName | UnicodeString → string | Custom tag mapped to the event by the Sysmon configuration, e.g. an ATT&CK technique ID; "-" when no rule name applies |
| UtcTime | UnicodeString → string | Time in UTC when the event was created |
| ProcessGuid | GUID → GUID | Process GUID of the process that changed the file creation time |
| ProcessId | UInt32 → PID | Process ID used by the OS to identify the process that changed the file creation time |
| Image | UnicodeString → string | File path of the process that changed the file creation time |
| TargetFilename | UnicodeString → string | Full path of the file whose creation time was changed |
| CreationUtcTime | UnicodeString → string | New creation time of the file |
| PreviousCreationUtcTime | UnicodeString → string | Creation time the file carried before the change |
| User | UnicodeString → string | Name of the account under which the process changed the file creation time |
Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 2,
    "version": 5,
    "level": 4,
    "task": 2,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T02:02:42.701590+00:00",
    "event_record_id": 1434553,
    "correlation": {},
    "execution": {
      "process_id": 7064,
      "thread_id": 9788
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2023-11-06 02:02:42.686",
    "ProcessGuid": "E56ADA26-1A27-6548-3001-000000000D00",
    "ProcessId": 876,
    "Image": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\119.0.2151.44\\msedgewebview2.exe",
    "TargetFilename": "C:\\Users\\User\\AppData\\Local\\Packages\\MicrosoftWindows.Client.WebExperience_cw5n1h2txyewy\\LocalState\\EBWebView\\297786f0-3fab-4719-b257-7269fed79fdf.tmp",
    "CreationUtcTime": "2023-11-05 22:37:47.033",
    "PreviousCreationUtcTime": "2023-11-06 02:02:42.686",
    "User": "WINDEV2310EVAL\\User"
  },
  "message": ""
}
```

In this record the new CreationUtcTime is about three and a half hours earlier than PreviousCreationUtcTime, i.e. the creation time was moved backwards, yet the actor is a signed browser component working on its own temporary file. This is the benign pattern the detection rules below have to filter out.
Detection Rules
Sigma

- Unusual File Modification by dns.exe (level: high): Detects an unexpected file being modified by dns.exe, which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed).
Elastic

- Potential Timestomp in Executable Files (level: medium): Identifies the modification of a file creation time for executable files in sensitive system directories. Adversaries may modify file time attributes to blend malicious executables with legitimate system files. Timestomping is a technique that modifies the timestamps of a file, often to mimic files that are in trusted directories.
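The fields table and the Elastic rule above describe the two things a triage script needs: the direction and size of the timestamp change (PreviousCreationUtcTime minus CreationUtcTime) and whether the target is an executable under a sensitive system directory. The following is an added example, not code from the original page, from Sysmon or from the Elastic rule set. It works on records in the JSON shape shown in the example event above. The sensitive-directory and extension lists are assumptions modelled on the Elastic rule's wording, and the second sample record (a loader in a user Temp folder backdating a DLL in System32) is constructed for illustration.

```python
# Added example: triage Sysmon Event ID 2 records (JSON shape as on this page)
# for timestomping. Not part of the original page or of Sysmon itself.
from datetime import datetime

# Sysmon formats UtcTime, CreationUtcTime and PreviousCreationUtcTime like this.
SYSMON_TS = "%Y-%m-%d %H:%M:%S.%f"

# Assumptions modelled on the Elastic rule's "executable files in sensitive
# system directories"; tune both lists for the estate being monitored.
SENSITIVE_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
EXECUTABLE_EXTS = (".exe", ".dll", ".sys", ".ps1", ".bat", ".cmd", ".vbs", ".js")


def parse_ts(value):
    return datetime.strptime(value, SYSMON_TS)


def analyze(record):
    """Return a triage verdict for one Event ID 2 record.

    backdated_by_seconds > 0 means the process set the creation time to an
    earlier instant than the file previously carried. On its own that is
    noisy (browsers, installers and archivers do it legitimately, as the
    msedgewebview2.exe event on this page shows), so the record is marked
    suspicious only when the backdated target is an executable in a
    sensitive directory, following the Elastic rule's logic.
    """
    if record["system"]["event_id"] != 2:
        raise ValueError("not a Sysmon Event ID 2 record")
    data = record["event_data"]
    new_ct = parse_ts(data["CreationUtcTime"])
    prev_ct = parse_ts(data["PreviousCreationUtcTime"])
    target = data["TargetFilename"].lower()
    backdated = (prev_ct - new_ct).total_seconds()
    exe_in_sensitive_dir = target.endswith(EXECUTABLE_EXTS) and target.startswith(SENSITIVE_DIRS)
    return {
        "image": data["Image"],
        "target": data["TargetFilename"],
        "user": data["User"],
        "backdated_by_seconds": backdated,
        "executable_in_sensitive_dir": exe_in_sensitive_dir,
        "suspicious": backdated > 0 and exe_in_sensitive_dir,
    }


def triage(records):
    """Analyze every record; return (all verdicts, suspicious verdicts)."""
    verdicts = [analyze(r) for r in records]
    return verdicts, [v for v in verdicts if v["suspicious"]]


# Constructed sample input: the page's msedgewebview2.exe event trimmed to the
# fields used here, plus an invented record of a loader in a user-writable
# Temp folder backdating a DLL in System32 to a date years before the event.
SAMPLE_EVENTS = [
    {
        "system": {"event_id": 2},
        "event_data": {
            "UtcTime": "2023-11-06 02:02:42.686",
            "Image": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\119.0.2151.44\\msedgewebview2.exe",
            "TargetFilename": "C:\\Users\\User\\AppData\\Local\\Packages\\MicrosoftWindows.Client.WebExperience_cw5n1h2txyewy\\LocalState\\EBWebView\\297786f0-3fab-4719-b257-7269fed79fdf.tmp",
            "CreationUtcTime": "2023-11-05 22:37:47.033",
            "PreviousCreationUtcTime": "2023-11-06 02:02:42.686",
            "User": "WINDEV2310EVAL\\User",
        },
    },
    {
        "system": {"event_id": 2},
        "event_data": {
            "UtcTime": "2023-11-06 02:05:10.120",
            "Image": "C:\\Users\\User\\AppData\\Local\\Temp\\loader.exe",  # constructed
            "TargetFilename": "C:\\Windows\\System32\\example.dll",      # constructed
            "CreationUtcTime": "2019-12-07 09:14:52.000",
            "PreviousCreationUtcTime": "2023-11-06 02:05:10.120",
            "User": "WINDEV2310EVAL\\User",
        },
    },
]

if __name__ == "__main__":
    verdicts, hits = triage(SAMPLE_EVENTS)
    for v in verdicts:
        flag = "SUSPICIOUS" if v["suspicious"] else "benign    "
        print(f"{flag} {v['backdated_by_seconds']:>12.3f}s  {v['image']} -> {v['target']}")
```

Run against a real export, feed each converted event (one JSON object per record, as produced by the pipeline that generated the example above) into `triage`. The first sample record evaluates as backdated by 12295.653 seconds but not suspicious because the target is a `.tmp` file outside the listed directories; only the constructed System32 record is returned as a hit. When Sysmon is configured with a rule `name` for this event, the RuleName field carries that tag and can be used as a further allow/deny input before the path heuristics run.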