A new file is created on a system or on network storage. This action often corresponds to an operation such as saving a document, writing data, or deploying a file. Logging these events helps distinguish legitimate file creation from potentially malicious activity. Examples of such logging include Sysmon Event ID 11 on Windows and auditd file-creation records on Linux.
| Name | Channel |
|---|---|
| android:logcat | App UID writes new file with suspicious extension/location (.tmp, .dat, .enc, /data/data/ |
| android:logcat | App UID writes edited media to container paths (e.g., /data/data/ |
| android:logcat | Create/write of high-entropy files in /data/data/ |
| android:logcat | Create/write under /data/data/ |
| android:logcat | CREATE/WRITE of archive or container (.zip/.gz/.7z/.db copy) that aggregates files pulled from other-package paths |
| android:logcat | CREATE/WRITE to app-writable DB/file path indicating clipboard dump (e.g., clipboard.db, clip_*.txt) |
| android:logcat | CREATE/WRITE paths like /data/data/ |
| android:logcat | CREATE/WRITE to /data/data/ |
| android:logcat | CREATE/WRITE to /data/data/ |
| android:logcat | CREATE/WRITE /data/data/ |
| android:logcat | CREATE/WRITE /data/data/ |
| auditd:FILE | File creation with name starting with '.' |
| auditd:FILE | create: New file created in system binaries or temp directories |
| auditd:FILE | create: Creation of .zip, .gz, .bz2 files in /tmp, /var/tmp, or /home directories |
| auditd:FILE | create: Creation of archive files in /tmp, /var/tmp, or user home directories |
| auditd:FILE | create: Creation of files with anomalous headers and entropy levels in /tmp or user directories |
| auditd:FILE | Creation of hidden files (.*) in sensitive directories (/etc, /var, /usr/bin) |
| auditd:FILE | create: Creation of files ending in .tar, .gz, .bz2, .zip in /tmp or /var/tmp |
| auditd:PATH | Creation of files with extensions .sql, .csv, .sqlite, especially in user directories |
| auditd:PATH | New .py/.js/.sh files written to ~/.local/, ~/.cache/, or /tmp/ within 5 min of package install |
| auditd:PATH | mount target path within /proc/* |
| auditd:PATH | creation of .so files in non-standard directories (e.g., /tmp, /home/*) |
| auditd:PATH | WRITE: Drop of binaries/scripts in ~/.local, /tmp, or /opt tool dirs |
| auditd:SYSCALL | creat |
| auditd:SYSCALL | open or creat syscalls targeting excluded paths |
| auditd:SYSCALL | file creation/modification |
| auditd:SYSCALL | open,creat,rename: Writes in $HOME/Downloads, /tmp, ~/.cache with exe/script/archive/office extensions |
| auditd:SYSCALL | write/open, FIM audit |
| auditd:SYSCALL | open: Write to ~/.vscode-cli/code_tunnel.json |
| auditd:SYSCALL | write |
| auditd:SYSCALL | open, unlink, rename: File creation or deletion involving critical stored data |
| auditd:SYSCALL | creat, open, write on /etc/systemd/system and /usr/lib/systemd/system |
| auditd:SYSCALL | write, open, or rename to /etc/systemd/system/*.service |
| auditd:SYSCALL | open/create/rename: name in (/home/*/Downloads/*|/tmp/*|/run/user/*|/media/*) AND ext in SuspiciousExtensions |
| auditd:SYSCALL | File creations of *.qcow2, *.vdi, *.vmdk outside standard VM directories |
| auditd:SYSCALL | open: File creation under /tmp, /var/tmp, ~/.cache with executable bit or shell shebang |
| auditd:SYSCALL | open, write, unlink |
| auditd:SYSCALL | File creation events in /var/mail or /var/spool/mail exceeding baseline thresholds |
| auditd:SYSCALL | write or create file after .bash_history access |
| auditd:SYSCALL | new file created in /var/www/html, /srv/http, or similar web root |
| auditd:SYSCALL | Access or modification to /lib/modules or creation of .ko files |
| auditd:SYSCALL | open,create |
| auditd:SYSCALL | open,creat,rename,write |
| AWS:CloudTrail | PutObject |
| CloudTrail:PutObject | PutObject |
| esxi:vmkernel | file write |
| esxi:vmkernel | VMFS file creation |
| File | None |
| fs:fileevents | creat |
| fs:fileevents | create/write/rename in user-writable paths |
| fs:fsevents | Create in /Users/*/Downloads or /private/var/folders/* with quarantine attribute |
| fs:fsevents | Directory events (kFSEventStreamEventFlagItemCreated) |
| fs:fsusage | open/write/exec calls |
| fs:fsusage | disk activity on /Library/LaunchAgents or LaunchDaemons |
| fs:fsusage | File IO |
| fs:fsusage | file activity |
| fs:fsusage | file open/write |
| fs:fsusage | create: Attachment file creation in ~/Library/Mail directories |
| fs:fsusage | write or chmod to ~/Library/LaunchAgents/*.plist |
| fs:fsusage | file write |
| fs:launchdaemons | file_create |
| gcp:workspaceaudit | drive.activity logs |
| iOS:unifiedlog | NSFileHandle/NSFileManager writes creating high-entropy files within app container (/var/mobile/Containers/Data/Application/ |
| iOS:unifiedlog | Create/write of high-entropy Mach-O/bundle or generic blob in /var/mobile/Containers/Data/Application/ |
| iOS:unifiedlog | Create/write in /var/mobile/Containers/Data/Application/ |
| iOS:unifiedlog | CREATE/WRITE of archive/container (.zip/.gz/.7z/.db export) aggregating recently read items |
| iOS:unifiedlog | CREATE/WRITE of clipboard dump artifacts in container (clipboard.db, clip_*.txt, caches) |
| iOS:unifiedlog | CREATE/WRITE clipboard/keylog artifacts (clipboard.db, keys_*.txt) in container |
| iOS:unifiedlog | CREATE/WRITE of keylog artifacts (keys_*.txt, inputs.db) within app/keyboard container |
| iOS:unifiedlog | CREATE/WRITE of form cache/credential-like artifacts (forms.db, creds.json) in container |
| iOS:unifiedlog | CREATE/WRITE container paths like /Library/Caches/app_inventory.*\\.(json|plist|db) |
| iOS:unifiedlog | CREATE/WRITE of /Library/Caches/security_inventory.*\\.(json|plist|db) |
| linux:osquery | file_events |
| linux:Sysmon | New files in /tmp, /var/tmp, $HOME/.cache, executed within TimeWindow after browser HTTP fetch |
| macos:endpointsecurity | ES_EVENT_TYPE_NOTIFY_CREATE: path under /Users/*/(Downloads|Desktop|Library/*/Containers|Library/Group Containers) AND extension in SuspiciousExtensions |
| macos:endpointsecurity | es_event_open |
| macos:fsevents | /Library/StartupItems/, ~/Library/LaunchAgents/ |
| macos:osquery | CREATE/MODIFY: Modification of app.asar inside .app bundle |
| macos:osquery | file_events |
| macos:osquery | CREATE/MODIFY: Creation of LaunchAgents/Daemons plists in user/system locations |
| macos:unifiedlog | file write |
| macos:unifiedlog | Creation or modification of browser extension .plist files |
| macos:unifiedlog | file creation in AV exclusion directories |
| macos:unifiedlog | file write/create |
| macos:unifiedlog | file events |
| macos:unifiedlog | Creation of .plist under /Library/Managed Preferences/ |
| macos:unifiedlog | creation of ~/.vscode-cli/code_tunnel.json |
| macos:unifiedlog | create/modify dylib files in monitored directories |
| macos:unifiedlog | New files written to /var/folders, /tmp, ~/Library/Caches, or ~/Downloads by browser context or its children |
| macos:unifiedlog | File created in ~/Library/LaunchAgents or executable directories |
| macos:unifiedlog | Process wrote large .mov/.mp4 in user temp/hidden dirs |
| macos:unifiedlog | logd:file write |
| macos:unifiedlog | File creation |
| macos:unifiedlog | Attachment files written to ~/Downloads or temporary folders |
| macos:unifiedlog | Writes of .sql/.csv/.xlsx files to user documents/downloads |
| macos:unifiedlog | Creation of .zip, .gz, .dmg archives in /Users, /tmp, or application directories |
| macos:unifiedlog | Creation of .zip, .dmg, .tar.gz files in /Users, /tmp, or application directories |
| macos:unifiedlog | File Events |
| macos:unifiedlog | Creation or modification of postinstall scripts within .pkg or .mpkg contents |
| macos:unifiedlog | create: New files in /tmp or ~/Library/Application Support/* with executable or script extensions |
| macos:unifiedlog | File creation of unsigned binaries/scripts in user cache or download directories |
| macos:unifiedlog | Creation of files with anomalous headers and entropy values |
| macos:unifiedlog | Creation of LaunchAgents/LaunchDaemons in hidden or non-standard directories |
| macos:unifiedlog | Creation of .zip or .dmg files in user-accessible or temporary directories |
| macos:unifiedlog | file create or modify in /etc/emond.d/rules or /private/var/db/emondClients |
| macos:unifiedlog | Writes under ~/Library/Application Support/Code*/extensions or JetBrains plugins |
| MobileEDR:telemetry | Browser/WebView process creates downloaded payloads, temporary files, dropped archives, or unusual cached web artifacts shortly after visiting external content |
| MobileEDR:telemetry | File writes from removable-media or USB-associated paths into download, package staging, temp, or application-accessible storage shortly after USB connection |
| MobileEDR:telemetry | large file write originating from /mnt/usb or external mounted storage |
| MobileEDR:telemetry | Recently installed or updated trusted app writes staging, cache, buffer, or export artifacts inconsistent with its approved function, especially when temporally adjacent to sensitive resource access or outbound transfer |
| MobileEDR:telemetry | App stages, buffers, caches, or exports data locally immediately before communication with legitimate external web-service endpoints in a way inconsistent with normal sync or offline workflow |
| MobileEDR:telemetry | Burst write to cache, buffer, temp, staging, or export path occurred between inbound retrieval and outbound write to same public web-service class |
| MobileEDR:telemetry | Burst write to media, cache, temp, export, or staging path occurred during or immediately after camera session from same app identity |
| MobileEDR:telemetry | App writes encoded/encrypted blobs (high entropy data) to local storage or memory buffers prior to transmission |
| MobileEDR:telemetry | App writes high-entropy encrypted blobs to local storage or memory buffers prior to transmission |
| MobileEDR:telemetry | App writes asymmetric-encrypted blobs or encoded ciphertext to local buffers or files prior to transmission |
| MobileEDR:telemetry | Application reads multiple user-data files, media objects, message stores, or app-private records in burst sequence immediately before packaging or encryption activity |
| MobileEDR:telemetry | Application writes archive-like container or high-entropy packaged blob to app storage, cache, temp path, or shared external path after burst collection activity |
| MobileEDR:telemetry | Application writes new large container, temp package, or high-entropy blob after clustered local data access and before outbound communication |
| MobileEDR:telemetry | Application performs burst reads across local system paths, external storage, media directories, cache locations, or local database files within a short interval as the primary collection phase |
| MobileEDR:telemetry | Application writes newly retrieved binary, archive, script-like asset, overlay content, library, or opaque payload to app-private, cache, temp, or shared external path as the primary local effect of transfer |
| MobileEDR:telemetry | Managed app writes newly retrieved container-local asset, dylib-like resource, archive, or opaque payload shortly after remote retrieval as the strongest local effect |
| MobileEDR:telemetry | APK, DEX, native library, or package-associated executable content is written, expanded, or swapped in app package paths, staging paths, or installer cache immediately before or during application replacement |
| MobileEDR:telemetry | application modifies protected configuration, local control files, security settings, or tool-related data immediately before security service degradation or non-reporting state |
| snmp:syslog | firmware write/log event |
| WinEventLog:Microsoft-Windows-Shell-Core | New startup folder shortcut or binary placed in Startup directory |
| WinEventLog:Sysmon | EventCode=11 |
| WinEventLog:Sysmon | File creation of suspicious scripts/binaries in temporary directories |