Sysmon Event ID 15

15: FileCreateStreamHash

This is an event from Sysmon.

On this page

• Description of this event
• Field level details
• Examples
• Mini-seminars on this event

This event logs when a named file stream is created, and it generates events that log the hash of the contents of the file to which the stream is assigned (the unnamed stream), as well as the contents of the named stream. There are malware variants that drop their executables or configuration settings via browser downloads, and this event is aimed at capturing that based on the browser attaching a Zone.Identifier “mark of the web” stream.

Free Security Log Resources by Randy

• Free Security Log Quick Reference Chart
• Windows Event Collection: Supercharger Free Edtion
• Free Active Directory Change Auditing Solution
• Free Course: Security Log Secrets

Description Fields in 15

• Log Name
• Source
• Date
• Event ID
• Task Category
• Level
• Keywords
• User
• Computer
• Description
• UtcTime
• ProcessGuid
• ProcessId
• Image
• TargetFileName
• CreationUtcTime
• Hash

Supercharger Free Edition

Supercharger's built-in Xpath filters leave the noise behind.

Free.

 

Mini-Seminars Covering Event ID 15 Using Sysmon v6.01 to Really See What’s Happening on Endpoints; It’s Better than the Windows Security Log Using New Events in Sysmon v13 to Detect Sophisticated Attacks

 

Upcoming Webinars Unpacking a Linux Supply Chain Compromise Using the Recently Published XZ Utils Backdoor as the Example Assessing the Security of Your Active Directory: User Accounts Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

•	Event IDs
•	All Event IDs
•	Audit Policy