This artifact watches the Microsoft-Windows-Kernel-File provider for new file creation events.
We also include the process that created the file, and a process call chain.
NOTE: This artifact uses the process tracker so it works a lot better when the process tracker is enabled.
name: Windows.ETW.FileCreation
description: |
This artifact watches the Microsoft-Windows-Kernel-File provider
for new file creation events.
We also include the process that created the file, and a process
call chain.
NOTE: This artifact uses the process tracker so it works a lot
better when the process tracker is enabled.
type: CLIENT_EVENT
parameters:
- name: FilePathFilter
type: regex
default: .
description: Filter events by filename
- name: ProcessNameFilter
type: regex
default: .
- name: ProcessExecutableFilter
type: regex
default: .
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
LET Y = SELECT *
FROM watch_etw(
description="Microsoft-Windows-Kernel-File/Analytic",
guid="{EDD08927-9CC4-4E65-B970-C2560FB5C289}", any=4096)
WHERE EventData.FileName =~ FilePathFilter
-- Implement a delay to ensure we get the process event stream
-- from sysmon before we query for it.
LET X = SELECT timestamp(string=System.TimeStamp) AS Timestamp,
EventData.FileName AS FileName,
System.ProcessID AS ProcessID,
process_tracker_get(id=System.ProcessID).Data AS ProcessInfo
FROM delay(query=Y, delay=10)
SELECT Timestamp,
FileName,
ProcessID,
ProcessInfo.Name AS ProcessName,
ProcessInfo.Username AS Username,
ProcessInfo.Exe AS ProcessExecutable,
ProcessInfo.CreateTime AS ProcessCreation
FROM X
WHERE ProcessName =~ ProcessNameFilter
AND ProcessExecutable =~ ProcessExecutableFilter