Sysmon Event ID 11 — File Create
Sysmon Event ID 11 (FileCreate) fires every time a file is created or overwritten. It records the creating process (Image, ProcessGuid, ProcessId), the full TargetFilename, the moment Sysmon saw the write (UtcTime) and the file's own creation timestamp at that moment (CreationUtcTime). It is the primary data source for detecting malware droppers, payload staging in user-writable directories, DLL drops for sideloading and ransomware file-creation patterns, and it anchors the timeline against timestomping, where attackers backdate a file's timestamps to blend malicious files into the system's historical record (the timestamp change itself is logged separately as Sysmon Event ID 2, FileCreateTime).
MITRE ATT&CK: T1105 Ingress Tool Transfer (Command and Control)
Why It Matters
File creation is the moment malware materializes on disk: the instant a dropper writes a payload, a PowerShell cradle downloads a next-stage binary, or ransomware begins creating encrypted copies of files. Sysmon 11 captures this at the filesystem level, tied to the creating process, making it possible to answer 'what process dropped this file, when, and from where' without forensic imaging. Because UtcTime is stamped by Sysmon as the write happens, the event also survives timestomping, a key anti-forensics technique: an on-disk creation time that predates the Event 11 UtcTime for the same path means the timestamps were backdated after the drop.
Key Fields
- UtcTime: when Sysmon logged the create or overwrite; this is the true drop time
- ProcessGuid / ProcessId / Image: the creating process (join on ProcessGuid to Sysmon 1, 2 and 3 events from the same process)
- TargetFilename: full path of the file created or overwritten
- CreationUtcTime: the file's creation timestamp at the time of the event; equal to UtcTime for a brand-new file, older when an existing file is overwritten in place
- User: the account the creating process runs as (present in recent Sysmon versions)
- RuleName: the name of the matching config rule, if one was given
Normal vs Suspicious
Normal
- ✓ Office applications writing .docx, .xlsx, .pdf to Documents or Desktop
- ✓ Browser saving files to the Downloads directory with expected extensions
- ✓ System processes writing .log or .evtx files to System32\winevt\Logs\
- ✓ Installers writing to Program Files under an elevated session (SYSTEM or admin user)
- ✓ Antivirus writing quarantine files to its own protected application directory
Suspicious
- ⚑ WINWORD.EXE, EXCEL.EXE, or OUTLOOK.EXE creating .exe, .dll, .ps1, .bat, or .vbs files anywhere
- ⚑ powershell.exe or cmd.exe creating executable files in AppData, Temp, or ProgramData
- ⚑ certutil.exe or bitsadmin.exe creating files in Temp or AppData (download tool abuse)
- ⚑ Any process creating files with double extensions (.pdf.exe, .docx.bat, .jpg.vbs)
- ⚑ Single process creating 100+ files per minute across multiple directories (ransomware pattern)
- ⚑ System DLL names (kernel32.dll, user32.dll) appearing in user-writable directories
- ⚑ CreationUtcTime far older than UtcTime within the same Event 11: an existing file was overwritten in place (check whether a system binary was replaced)
- ⚑ A Sysmon Event 2 (FileCreateTime changed) for the same TargetFilename shortly after the Event 11, or an on-disk creation time that now predates the Event 11 UtcTime (timestomping)
Investigation Tips
1. High-priority creating processes: powershell.exe, cmd.exe, wscript.exe, mshta.exe, certutil.exe, bitsadmin.exe creating any file with an executable extension (.exe, .dll, .ps1, .bat, .vbs, .hta) in AppData, Temp, ProgramData, or Downloads. These are download-and-drop patterns.
2. DLL sideloading setup: any process creating a DLL file with a name matching a known Windows system DLL (kernel32.dll, ntdll.dll, combase.dll) in a path other than System32 or SysWOW64. The attacker is pre-positioning the sideloaded DLL before launching the vulnerable host application.
3. Ransomware file creation pattern: a single process creating thousands of files with new extensions (.[random], .locked, .enc, .encrypted) across multiple directories in rapid succession. Correlate Sysmon 11 with Sysmon 23/26 (FileDelete) for the originals being removed, with Security Event 5140 (network share access) if the same process is reaching file shares, and with the process's CPU usage.
4. Timestomping detection: the Event 11 UtcTime is Sysmon's own clock at drop time, so compare it with the file's current NTFS timestamps, either in forensic tools or via PowerShell (Get-Item <path> | Select-Object CreationTime, LastWriteTime). If the on-disk timestamps predate the UtcTime, the attacker backdated them after the drop. Sysmon Event 2 (FileCreateTime) records the change itself, with PreviousCreationUtcTime and the new CreationUtcTime, and because SetFileTime rewrites only the $STANDARD_INFORMATION timestamps, a forensic comparison against the $FILE_NAME attribute timestamps confirms it.
5. Office application dropping executables: WINWORD.EXE, EXCEL.EXE, or OUTLOOK.EXE creating any .exe, .dll, .ps1, or .vbs file is a macro execution indicator. Legitimate Office applications almost never write executables.
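The five tips above reduce, on real Event 11 records, to a handful of string and timestamp checks. The following Python is an added example written for this page, not the page's own code or an EventPeeker component: it parses Sysmon event XML (the shape exported from the Microsoft-Windows-Sysmon/Operational log) and applies the rules to constructed sample events. The watchlists, the ten-second overwrite tolerance, the sample paths and the CORP\alice account are assumptions; extend the sets to match your estate.

```python
"""Rule-based triage of Sysmon Event ID 11 (FileCreate) records.
Added example for this page, not code from the page's author.
Sample events below are constructed, not captured from a real host."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Watchlists from the investigation tips above (assumed; extend to taste).
RISKY_CREATORS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "certutil.exe", "bitsadmin.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
EXEC_EXTS = {".exe", ".dll", ".ps1", ".bat", ".vbs", ".hta", ".js", ".jar", ".py"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\downloads\\", "\\desktop\\")
SYSTEM_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "combase.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.(exe|scr|bat|vbs|js|hta|ps1)$")
# For a brand-new file CreationUtcTime == UtcTime; a much older CreationUtcTime
# means an existing file was overwritten in place. Tolerance is an assumption.
OVERWRITE_SKEW = timedelta(seconds=10)


def parse_event11(xml_text):
    """Return the EventData fields of a Sysmon Event 11 as a dict, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "11":
        return None
    return {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}


def sysmon_time(s):
    """Sysmon writes UTC timestamps as 'YYYY-MM-DD HH:MM:SS.fff'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def triage(ev):
    """Apply the page's Event 11 rules to one parsed event; return the rule names hit."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    target = ev["TargetFilename"].lower()
    name = target.rsplit("\\", 1)[-1]
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    hits = []
    if image in RISKY_CREATORS and ext in EXEC_EXTS and any(d in target for d in USER_WRITABLE):
        hits.append("download-and-drop")           # tip 1
    if name in SYSTEM_DLLS and not target.startswith(SYSTEM_DIRS):
        hits.append("dll-sideload-staging")        # tip 2
    if image in OFFICE_APPS and ext in EXEC_EXTS:
        hits.append("office-drops-executable")     # tip 5
    if DOUBLE_EXT.search(name):
        hits.append("double-extension")            # masquerading
    if sysmon_time(ev["UtcTime"]) - sysmon_time(ev["CreationUtcTime"]) > OVERWRITE_SKEW:
        hits.append("overwrite-of-existing-file")  # in-place replacement, see evasion list
    return hits


def run_triage(xml_events):
    """Parse each XML record; return (image, TargetFilename, hits) for flagged events."""
    flagged = []
    for xml_text in xml_events:
        ev = parse_event11(xml_text)
        if ev is None:
            continue
        hits = triage(ev)
        if hits:
            flagged.append((ev["Image"].rsplit("\\", 1)[-1], ev["TargetFilename"], hits))
    return flagged


# Constructed Event 11 records in the Sysmon XML layout (not real logs).
EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>11</EventID></System>
  <EventData>
    <Data Name="UtcTime">{utc}</Data>
    <Data Name="Image">{image}</Data>
    <Data Name="TargetFilename">{target}</Data>
    <Data Name="CreationUtcTime">{created}</Data>
    <Data Name="User">CORP\alice</Data>
  </EventData>
</Event>"""

T = "2024-03-01 10:15:32.123"
SAMPLE_EVENTS = [EVENT_XML.format(utc=T, created=c, image=i, target=t) for i, t, c in [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Users\alice\AppData\Local\Temp\update.exe", T),
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\run.vbs", T),
    (r"C:\Windows\System32\cmd.exe", r"C:\ProgramData\Vendor\kernel32.dll", T),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\alice\Downloads\invoice.pdf.exe", T),
    (r"C:\Windows\System32\msiexec.exe", r"C:\Program Files\Vendor\app.exe",
     "2023-11-20 08:00:00.000"),                      # overwrite of an old file
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r"C:\Users\alice\Documents\report.docx", T),     # benign, no rule fires
]]

if __name__ == "__main__":
    for image, target, hits in run_triage(SAMPLE_EVENTS):
        print(f"{image:16} {', '.join(hits):45} {target}")
```

The overwrite rule is deliberately the weakest: an installer refreshing a binary under Program Files trips it too, so treat it as context for the other hits rather than an alert on its own. The ransomware rate rule from the suspicious list is stateful (a count per process over time) and is handled separately below.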
How Attackers Evade This Event
- → Fileless execution: the payload lives in memory (PowerShell, WMI) or in a registry value rather than on disk; no file is written and Sysmon 11 never fires (registry writes appear as Sysmon 12/13 instead)
- → Alternate Data Streams (ADS): the payload is hidden in an alternate stream of a legitimate file (e.g. document.docx:payload.exe); Sysmon logs named-stream creation as Event 15 (FileCreateStreamHash), not Event 11, so configurations that do not enable Event 15 miss it
- → Writing to network shares: the file is created on a remote system; Sysmon 11 on the local machine does not fire for remote filesystem writes (check the destination host's Sysmon logs)
- → Overwriting existing legitimate files: replacing a system binary in place rather than creating a new file; Sysmon 11 still fires, with CreationUtcTime showing the original file's age, but writes under System32 and Program Files are often excluded in high-volume configs
- → Living-off-the-land downloaders: certutil, bitsadmin, or Invoke-WebRequest appear to be legitimate tools; the created file is the malicious artifact but the creating Image looks benign
- → Timestomping to defeat timeline analysis: after dropping the file, the attacker rewrites the NTFS $STANDARD_INFORMATION timestamps to match surrounding system files; the Event 11 UtcTime preserves the true drop time, and the change itself is logged as Sysmon Event 2
Frequently Asked Questions
- Sysmon Event 11 generates enormous volume — how do I focus on what matters?
- The key filter is TargetFilename extension + creating process + directory. In your Sysmon config, include Event 11 only when: (1) the created file extension is executable (.exe, .dll, .ps1, .bat, .vbs, .hta, .js, .jar, .py); ignore document, image, and data files. (2) The TargetFilename is in a user-writable path (AppData, Temp, Downloads, ProgramData, Desktop, C:\ root); ignore writes to Program Files and System32 by system processes. (3) The creating Image is in your high-risk watchlist (Office apps, script hosts, download tools). Combine the conditions in one RuleGroup with groupRelation="and" so that all three must match. This sharply reduces volume while keeping the file drops that matter for detection.
- How do I use Sysmon Event 11 to detect ransomware?
- Ransomware typically creates encrypted output files at very high rate — hundreds to thousands of file creation events per minute from a single process across many directories. Detection: count Sysmon 11 events per Image per minute; a threshold of 100+ file creations per minute from a non-backup process is a ransomware indicator. Also look for new file extensions that didn't exist before the attack window — ransomware appends its own extension to encrypted files. Correlate with Sysmon 3 events from the same process to find the C2 connection that preceded encryption. Early-stage ransomware detection (before encryption completes) is only possible with near-real-time monitoring of Sysmon 11 volume spikes.
- What is timestomping and how does Sysmon Event 11 help detect it?
- Timestomping is an anti-forensics technique where attackers modify a file's NTFS timestamp metadata (CreationTime, LastWriteTime, LastAccessTime) after dropping it, to make it appear the file existed before the intrusion. This defeats timeline analysis that relies on file system timestamps. Sysmon 11 survives timestomping because its UtcTime is stamped by Sysmon at the moment of the write, before the attacker can modify the on-disk timestamps. Compare the Sysmon 11 UtcTime against the file's current NTFS CreationTime: if the on-disk timestamp predates the event by more than a few seconds, the timestamps were modified. Sysmon Event 2 (FileCreateTime) then shows the change itself, with PreviousCreationUtcTime and the new CreationUtcTime and the process that made it. Together these are one of the few reliable timestomping detection methods available without full disk forensics.
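The per-process rate rule from the ransomware question above, as an added example that is not the page's own code: a sliding one-minute window over Event 11 records keyed on ProcessGuid, a check for extensions absent from a pre-attack baseline, and a join to the last Sysmon Event 3 (NetworkConnect) from the same process. The records, the allow-list of bulk writers, the GUIDs and the 203.0.113.10 address are constructed for the example.

```python
"""Ransomware-style burst detection over Sysmon Event 11 records, as described in
the FAQ above. Added example, not the page's own code; all records are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)
THRESHOLD = 100                       # Event 11 per process per minute (FAQ threshold)
BACKUP_PROCESSES = {"wbengine.exe"}   # assumed allow-list of known bulk writers
FMT = "%Y-%m-%d %H:%M:%S.%f"


def ts(s):
    return datetime.strptime(s, FMT)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def extension(path):
    name = basename(path)
    return "." + name.rsplit(".", 1)[-1] if "." in name else ""


def detect_bursts(file_creates, baseline_exts, network_connects=()):
    """Sliding one-minute window of Event 11 counts per ProcessGuid.

    Emits one alert per process the first time its window reaches THRESHOLD,
    listing extensions not in the pre-attack baseline and the last Sysmon
    Event 3 (NetworkConnect) that process made before the burst."""
    connects = defaultdict(list)
    for c in network_connects:
        connects[c["ProcessGuid"]].append(c)
    windows, new_exts, alerted, alerts = defaultdict(deque), defaultdict(set), set(), []
    for ev in sorted(file_creates, key=lambda e: e["UtcTime"]):
        image = basename(ev["Image"])
        if image in BACKUP_PROCESSES:
            continue
        guid, now = ev["ProcessGuid"], ts(ev["UtcTime"])
        q = windows[guid]
        q.append(now)
        while now - q[0] > WINDOW:        # drop events that fell out of the window
            q.popleft()
        ext = extension(ev["TargetFilename"])
        if ext and ext not in baseline_exts:
            new_exts[guid].add(ext)
        if len(q) >= THRESHOLD and guid not in alerted:
            alerted.add(guid)
            prior = [c for c in connects[guid] if ts(c["UtcTime"]) <= now]
            c2 = prior[-1] if prior else None
            alerts.append({
                "Image": image,
                "ProcessGuid": guid,
                "rate_per_min": len(q),
                "burst_start": q[0].strftime(FMT)[:-3],
                "new_extensions": sorted(new_exts[guid]),
                "c2": f"{c2['DestinationIp']}:{c2['DestinationPort']}" if c2 else None,
            })
    return alerts


# Constructed sample telemetry (not real logs).
START = datetime(2024, 3, 1, 10, 15, 0)


def event11(guid, image, target, offset_s):
    return {"EventID": 11, "UtcTime": (START + timedelta(seconds=offset_s)).strftime(FMT)[:-3],
            "ProcessGuid": guid, "Image": image, "TargetFilename": target}


RANSOM_GUID = "{a1b2c3d4-0001-0000-0000-000000000001}"
FILE_CREATES = (
    # one binary in Temp writing 150 renamed files in 30 seconds
    [event11(RANSOM_GUID, r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
             rf"C:\Users\alice\Documents\file{i}.docx.locked", 0.2 * i) for i in range(150)]
    # Word saving 30 documents over 30 seconds: benign rate, baseline extension
    + [event11("{a1b2c3d4-0002-0000-0000-000000000002}",
               r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
               rf"C:\Users\alice\Documents\draft{i}.docx", 1.0 * i) for i in range(30)]
    # Windows Backup writing 200 files in 20 seconds: allow-listed bulk writer
    + [event11("{a1b2c3d4-0003-0000-0000-000000000003}", r"C:\Windows\System32\wbengine.exe",
               rf"D:\Backup\vol{i}.bak", 0.1 * i) for i in range(200)]
)
NETWORK_CONNECTS = [{"EventID": 3, "UtcTime": "2024-03-01 10:14:50.000", "ProcessGuid": RANSOM_GUID,
                     "Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
                     "DestinationIp": "203.0.113.10", "DestinationPort": "443"}]
BASELINE_EXTS = {".docx", ".xlsx", ".pdf", ".txt", ".bak"}

if __name__ == "__main__":
    for alert in detect_bursts(FILE_CREATES, BASELINE_EXTS, NETWORK_CONNECTS):
        print(alert)
```

Keying on ProcessGuid rather than Image keeps a renamed or masqueraded binary (the svchost.exe in Temp above) from hiding behind a trusted name, and the allow-list is matched on the process, not the extension, so a backup agent writing .bak files is skipped while the same extension from an unknown process still counts. For early warning the same loop has to run against a live event stream rather than an exported .evtx.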