Event 11: File Create
Quick Answer
Sysmon Event 11 logs file creation events including the creating process, file path, and creation timestamp. This event is critical for detecting malware dropped to disk, ransomware file modifications, data staging for exfiltration, and persistence mechanisms that create files.
Technical Details
Event ID: 11
Sysmon- Object Access
Event Description
Logs when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection.
Key Log Fields
UtcTime- UTC timestamp of file creationProcessGuid- Process GUID that created the fileProcessId- Process IDImage- Process executable pathTargetFilename- Full path of the created fileCreationUtcTime- File creation timestamp
MITRE ATT&CK® Mapping (8)
Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.(Citation: Startup Items) This is technically a deprecated technology (superseded by [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)), and thus the appropriate folder, <code>/Library/StartupItems</code> isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), <code>StartupParameters.plist</code>, reside in the top-level directory. An adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since StartupItems run during the bootup phase of macOS, they will run as the elevated root user.
Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017) In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020) Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.
Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location. Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)
Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as <code>IEX(New-Object Net.WebClient).downloadString()</code> and <code>Invoke-WebRequest</code>. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas) Adversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566) lures).(Citation: T1105: Trellix_search-ms) Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)
Event Comparison
Event 11 logs file creation. Event 23 (File Delete) logs deletions. Event 15 (FileStream Created) logs alternate data streams. Monitor all three for complete file system activity visibility.
What This Event Means
Sysmon Event 11 provides detailed visibility into file creation activity across the system, capturing when files are created or overwritten along with the process responsible, full file path, and timestamp. This event is invaluable for detecting various attack stages including initial malware deployment when droppers create payloads on disk, ransomware activity that creates encrypted file copies or ransom notes, staging areas where attackers collect data before exfiltration, and persistence mechanisms that create autostart files or scheduled task scripts. The creating process information allows analysts to understand the execution chain that led to file creation - for example, seeing winword.exe create an executable file in a Temp directory is a clear indicator of macro-based malware. File creation in specific directories provides strong threat indicators: executables appearing in user AppData or Temp folders suggest malware, scripts created in Startup folders indicate persistence attempts, and files created on network shares may signal lateral movement or ransomware spreading. Event 11 is particularly effective for ransomware detection when combined with volume-based analytics - a single process creating thousands of files in minutes, especially with suspicious extensions like .encrypted, .locked, or random strings, is characteristic of active ransomware encryption. The event also captures evidence of tools being staged for attacks, such as credential dumpers, privilege escalation exploits, or network scanning utilities being written to disk before execution. By monitoring file creation in system directories like System32 or Windows, security teams can detect DLL planting and other persistence mechanisms. The file path and extension analysis reveals attempts to hide malicious files through double extensions, Unicode characters, or masquerading as legitimate system files with slightly altered names.
Security Implications
- Executable files created in Temp or AppData directories by Office applications indicate macro malware
- Mass file creation (thousands of files) with encryption-related extensions signals active ransomware
- Script files (.ps1, .vbs, .bat) created in Startup folders show persistence mechanism installation
- Files created on administrative shares (C$, ADMIN$) indicate lateral movement attempts
- Archives (.zip, .rar, .7z) created in staging directories suggest data collection before exfiltration
Detection Strategies
Configure Sysmon to log file creation in high-value directories while excluding noisy legitimate locations to manage log volume. Alert on executable or script files created in user-writable directories especially Temp, Downloads, and AppData. Implement volume-based detection to identify processes creating abnormally high numbers of files, which indicates ransomware or aggressive malware. Monitor for files created in Startup folders, scheduled tasks directories, and other autostart locations that provide persistence. Flag double-extension files (e.g., invoice.pdf.exe) and files with suspicious Unicode characters designed to deceive users. Track archive file creation combined with subsequent network connections indicating data staging and exfiltration. Correlate Event 11 with process creation (Event 1) to understand what spawned the file-creating process. Create alerts for files created on network shares from user workstations, which may indicate ransomware spreading or lateral movement. Sample Sysmon configurations and SIEM correlation rules for Event 11 will be added in future updates.
Note: Comprehensive SIEM detection queries for Splunk SPL, Microsoft KQL, and Elastic Query DSL will be added in future updates.
Real-World Attack Examples
Ryuk ransomware file creation patterns visible in Event 11 show distinctive encrypted file extensions and ransom note creation across network shares
Dridex banking trojan drops secondary payloads visible in Event 11 logs showing executable creation in AppData by malicious Office macros
APT28 campaigns create archive files in staging directories (visible in Event 11) before exfiltrating stolen data through network connections