1. Home
  2. Data Components
  3. File Creation

File Creation

A new file is created on a system or network storage. This action often signifies an operation such as saving a document, writing data, or deploying a file. Logging these events helps identify legitimate or potentially malicious file creation activities. Examples include logging file creation events (e.g., Sysmon Event ID 11 or Linux auditd logs).

ID: DC0039
Domains: ICS, Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 12 November 2025

Log Sources

Name Channel
auditd:FILE File creation with name starting with '.'
auditd:FILE create: New file created in system binaries or temp directories
auditd:FILE create: Creation of .zip, .gz, .bz2 files in /tmp, /var/tmp, or /home directories
auditd:FILE create: Creation of archive files in /tmp, /var/tmp, or user home directories
auditd:FILE create: Creation of files with anomalous headers and entropy levels in /tmp or user directories
auditd:FILE Creation of hidden files (.*) in sensitive directories (/etc, /var, /usr/bin)
auditd:FILE create: Creation of files ending in .tar, .gz, .bz2, .zip in /tmp or /var/tmp
auditd:PATH Creation of files with extensions .sql, .csv, .sqlite, especially in user directories
auditd:PATH New .py/.js/.sh files written to ~/.local/, ~/.cache/, or /tmp/ within 5 min of package install
auditd:PATH mount target path within /proc/*
auditd:PATH creation of .so files in non-standard directories (e.g., /tmp, /home/*)
auditd:PATH WRITE: Drop of binaries/scripts in ~/.local, /tmp, or /opt tool dirs
auditd:SYSCALL creat
auditd:SYSCALL open or creat syscalls targeting excluded paths
auditd:SYSCALL file creation/modification
auditd:SYSCALL open,creat,rename: Writes in $HOME/Downloads, /tmp, ~/.cache with exe/script/archive/office extensions
auditd:SYSCALL write/open, FIM audit
auditd:SYSCALL open: Write to ~/.vscode-cli/code_tunnel.json
auditd:SYSCALL write
auditd:SYSCALL open, unlink, rename: File creation or deletion involving critical stored data
auditd:SYSCALL creat, open, write on /etc/systemd/system and /usr/lib/systemd/system
auditd:SYSCALL write, open, or rename to /etc/systemd/system/*.service
auditd:SYSCALL open/create/rename: name in (/home/*/Downloads/*|/tmp/*|/run/user/*|/media/*) AND ext in SuspiciousExtensions
auditd:SYSCALL File creations of *.qcow2, *.vdi, *.vmdk outside standard VM directories
auditd:SYSCALL open: File creation under /tmp, /var/tmp, ~/.cache with executable bit or shell shebang
auditd:SYSCALL open, write, unlink
auditd:SYSCALL File creation events in /var/mail or /var/spool/mail exceeding baseline thresholds
auditd:SYSCALL write or create file after .bash_history access
auditd:SYSCALL new file created in /var/www/html, /srv/http, or similar web root
auditd:SYSCALL Access or modification to /lib/modules or creation of .ko files
auditd:SYSCALL open,create
auditd:SYSCALL open,creat,rename,write
AWS:CloudTrail PutObject
CloudTrail:PutObject PutObject
esxi:vmkernel file write
esxi:vmkernel VMFS file creation
File None
fs:fileevents creat
fs:fileevents create/write/rename in user-writable paths
fs:fsevents Create in /Users/*/Downloads or /private/var/folders/* with quarantine attribute
fs:fsevents Directory events (kFSEventStreamEventFlagItemCreated)
fs:fsusage open/write/exec calls
fs:fsusage disk activity on /Library/LaunchAgents or LaunchDaemons
fs:fsusage File IO
fs:fsusage file activity
fs:fsusage file open/write
fs:fsusage create: Attachment file creation in ~/Library/Mail directories
fs:fsusage write or chmod to ~/Library/LaunchAgents/*.plist
fs:fsusage file write
fs:launchdaemons file_create
gcp:workspaceaudit drive.activity logs
linux:osquery file_events
linux:Sysmon New files in /tmp, /var/tmp, $HOME/.cache, executed within TimeWindow after browser HTTP fetch
macos:endpointsecurity ES_EVENT_TYPE_NOTIFY_CREATE: path under /Users/*/(Downloads|Desktop|Library/*/Containers|Library/Group Containers) AND extension in SuspiciousExtensions
macos:endpointsecurity es_event_open
macos:fsevents /Library/StartupItems/, ~/Library/LaunchAgents/
macos:osquery CREATE/MODIFY: Modification of app.asar inside .app bundle
macos:osquery file_events
macos:osquery CREATE/MODIFY: Creation of LaunchAgents/Daemons plists in user/system locations
macos:unifiedlog file write
macos:unifiedlog Creation or modification of browser extension .plist files
macos:unifiedlog file creation in AV exclusion directories
macos:unifiedlog file write/create
macos:unifiedlog file events
macos:unifiedlog Creation of .plist under /Library/Managed Preferences/
macos:unifiedlog creation of ~/.vscode-cli/code_tunnel.json
macos:unifiedlog create/modify dylib files in monitored directories
macos:unifiedlog New files written to /var/folders, /tmp, ~/Library/Caches, or ~/Downloads by browser context or its children
macos:unifiedlog File created in ~/Library/LaunchAgents or executable directories
macos:unifiedlog Process wrote large .mov/.mp4 in user temp/hidden dirs
macos:unifiedlog logd:file write
macos:unifiedlog File creation
macos:unifiedlog Attachment files written to ~/Downloads or temporary folders
macos:unifiedlog Writes of .sql/.csv/.xlsx files to user documents/downloads
macos:unifiedlog Creation of .zip, .gz, .dmg archives in /Users, /tmp, or application directories
macos:unifiedlog Creation of .zip, .dmg, .tar.gz files in /Users, /tmp, or application directories
macos:unifiedlog File Events
macos:unifiedlog Creation or modification of postinstall scripts within .pkg or .mpkg contents
macos:unifiedlog create: New files in /tmp or ~/Library/Application Support/* with executable or script extensions
macos:unifiedlog File creation of unsigned binaries/scripts in user cache or download directories
macos:unifiedlog Creation of files with anomalous headers and entropy values
macos:unifiedlog Creation of LaunchAgents/LaunchDaemons in hidden or non-standard directories
macos:unifiedlog Creation of .zip or .dmg files in user-accessible or temporary directories
macos:unifiedlog file create or modify in /etc/emond.d/rules or /private/var/db/emondClients
macos:unifiedlog Writes under ~/Library/Application Support/Code*/extensions or JetBrains plugins
snmp:syslog firmware write/log event
WinEventLog:Microsoft-Windows-Shell-Core New startup folder shortcut or binary placed in Startup directory
WinEventLog:Sysmon EventCode=11
WinEventLog:Sysmon File creation of suspicious scripts/binaries in temporary directories

Detection Strategy

ID Name Technique Detected
DET0186 Automated File and API Collection Detection Across Platforms T1119
DET0088 Backup Software Discovery via CLI, Registry, and Process Inspection (T1518.002) T1518.002
DET0496 Behavior-Chain Detection for Remote Access Tools (Tool-Agnostic) T1219
DET0556 Behavior-chain detection strategy for T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild (Windows) T1127.001
DET0585 Behavior-chain detection strategy for T1127.003 Trusted Developer Utilities Proxy Execution: JamPlus (Windows) T1127.003
DET0151 Behavior-chain, platform-aware detection strategy for T1124 System Time Discovery T1124
DET0197 Behavior-chain, platform-aware detection strategy for T1125 Video Capture T1125
DET0172 Behavior-chain, platform-aware detection strategy for T1127 Trusted Developer Utilities Proxy Execution (Windows) T1127
DET0018 Behavior-chain, platform-aware detection strategy for T1129 Shared Modules T1129
DET0537 Behavioral detection for Supply Chain Compromise (package/update tamper → install → first-run) T1195
DET0590 Behavioral Detection of External Website Defacement across Platforms T1491.002
DET0378 Behavioral Detection of Obfuscated Files or Information T1027
DET0106 Behavioral Detection of PE Injection via Remote Memory Mapping T1055.002
DET0231 Behavioral Detection of Systemd Timer Abuse for Scheduled Execution T1053.006
DET0131 Behavioral Detection Strategy for Exfiltration Over Alternative Protocol T1048
DET0221 Behavioral Detection Strategy for T1123 Audio Capture Across Windows, Linux, macOS T1123
DET0274 Boot or Logon Autostart Execution Detection Strategy T1547
DET0309 Compromised software/update chain (installer/write → first-run/child → egress/signature anomaly) T1195.002
DET0085 Credential Dumping from SAM via Registry Dump and Local File Access T1003.002
DET0090 Cross-host C2 via Removable Media Relay T1092
DET0094 Cross-Platform Behavioral Detection of Scheduled Task/Job Abuse T1053
DET0238 Defacement via File and Web Content Modification Across Platforms T1491
DET0122 Detect Abuse of Windows Time Providers for Persistence T1547.003
DET0381 Detect Access and Decryption of Group Policy Preference (GPP) Credentials in SYSVOL T1552.006
DET0385 Detect Access and Parsing of .bash_history Files for Credential Harvesting T1552.003
DET0412 Detect Access or Search for Unsecured Credentials Across Platforms T1552
DET0307 Detect Access to Unsecured Credential Files Across Platforms T1552.001
DET0275 Detect Adversary Deobfuscation or Decoding of Files and Payloads T1140
DET0526 Detect Archiving and Encryption of Collected Data (T1560) T1560
DET0438 Detect Archiving via Custom Method (T1560.003) T1560.003
DET0268 Detect Archiving via Library (T1560.002) T1560.002
DET0298 Detect Archiving via Utility (T1560.001) T1560.001
DET0336 Detect Compromise of Host Software Binaries T1554
DET0022 Detect Forced SMB/WebDAV Authentication via lure files and outbound NTLM T1187
DET0060 Detect Ingress Tool Transfers via Behavioral Chain T1105
DET0047 Detect Local Email Collection via Outlook Data File Access and Command Line Tooling T1114.001
DET0561 Detect malicious IDE extension install/usage and IDE tunneling T1176.002
DET0472 Detect Malicious Password Filter DLL Registration T1556.002
DET0257 Detect Mark-of-the-Web (MOTW) Bypass via Container and Disk Image Files T1553.005
DET0429 Detect Modification of macOS Startup Items T1037.005
DET0580 Detect Network Provider DLL Registration and Credential Capture T1556.008
DET0398 Detect Office Startup-Based Persistence via Macros, Forms, and Registry Hooks T1137
DET0050 Detect Persistence via Malicious Office Add-ins T1137.006
DET0519 Detect Persistence via Office Template Macro Injection or Registry Hijack T1137.001
DET0315 Detect Persistence via Office Test Registry DLL Injection T1137.002
DET0365 Detect Registry and Startup Folder Persistence (Windows) T1547.001
DET0452 Detect Subversion of Trust Controls via Certificate, Registry, and Attribute Manipulation T1553
DET0549 Detect Suspicious Access to Private Key Files and Export Attempts Across Platforms T1552.004
DET0225 Detect unauthorized LSASS driver persistence via LSA plugin abuse (Windows) T1547.008
DET0069 Detect unauthorized or suspicious Hardware Additions (USB/Thunderbolt/Network) T1200
DET0361 Detecting .NET COM Registration Abuse via Regsvcs/Regasm T1218.009
DET0433 Detecting Code Injection via mavinject.exe (App-V Injector) T1218.013
DET0025 Detecting Electron Application Abuse for Proxy Execution T1218.015
DET0044 Detecting Malicious Browser Extensions Across Platforms T1176.001
DET0222 Detecting MMC (.msc) Proxy Execution and Malicious COM Activation T1218.014
DET0506 Detecting Mshta-based Proxy Execution via Suspicious HTA or Script Invocation T1218.005
DET0235 Detecting Steganographic Command and Control via File + Network Correlation T1001.002
DET0554 Detection of Bluetooth-Based Data Exfiltration T1011.001
DET0363 Detection of Credential Dumping from LSASS Memory via Access and Dump Sequence T1003.001
DET0480 Detection of Credential Harvesting via Web Portal Modification T1056.003
DET0146 Detection of Data Destruction Across Platforms via Mass Overwrite and Deletion Patterns T1485
DET0123 Detection of Data Exfiltration via Removable Media T1052
DET0014 Detection of Data Staging Prior to Exfiltration T1074
DET0782 Detection of Drive-by Compromise T0817
DET0077 Detection of Exfiltration Over Alternate Network Interfaces T1011
DET0305 Detection of Group Policy Modifications via AD Object Changes and File Activity T1484.001
DET0377 Detection of Kernel/User-Level Rootkit Behavior Across Platforms T1014
DET0745 Detection of Lateral Tool Transfer T0867
DET0434 Detection of Launch Agent Creation or Modification on macOS T1543.001
DET0013 Detection of Local Browser Artifact Access for Reconnaissance T1217
DET0380 Detection of Local Data Collection Prior to Exfiltration T1005
DET0261 Detection of Local Data Staging Prior to Exfiltration T1074.001
DET0138 Detection of Malicious Code Execution via InstallUtil.exe T1218.004
DET0194 Detection of Malicious Control Panel Item Execution via control.exe or Rundll32 T1218.002
DET0092 Detection of Malicious or Unauthorized Software Extensions T1176
DET0328 Detection of Malicious Profile Installation via CMSTP.exe T1218.003
DET0439 Detection of Malware Relocation via Suspicious File Movement T1070.010
DET0215 Detection of Multi-Platform File Encryption for Impact T1486
DET0132 Detection of Mutex-Based Execution Guardrails Across Platforms T1480.002
DET0586 Detection of NTDS.dit Credential Dumping from Domain Controllers T1003.003
DET0071 Detection of Remote Data Staging Prior to Exfiltration T1074.002
DET0733 Detection of Replication Through Removable Media T0847
DET0466 Detection of Script-Based Proxy Execution via Signed Microsoft Utilities T1216
DET0781 Detection of Spearphishing Attachment T0865
DET0342 Detection of Suspicious Compiled HTML File Execution via hh.exe T1218.001
DET0441 Detection of Suspicious Scheduled Task Creation and Execution on Windows T1053.005
DET0253 Detection of Systemd Service Creation or Modification on Linux T1543.002
DET0471 Detection of Tainted Content Written to Shared Storage T1080
DET0220 Detection of USB-Based Data Exfiltration T1052.001
DET0033 Detection Strategy for Accessibility Feature Hijacking via Binary Replacement or Registry Modification T1546.008
DET0017 Detection Strategy for Application Shimming via sdbinst.exe and Registry Artifacts (Windows) T1546.011
DET0332 Detection Strategy for AutoHotKey & AutoIT Abuse T1059.010
DET0428 Detection Strategy for Bind Mounts on Linux T1564.013
DET0237 Detection Strategy for Boot or Logon Initialization Scripts: RC Scripts T1037.004
DET0501 Detection Strategy for Compile After Delivery - Source Code to Executable Transformation T1027.004
DET0281 Detection Strategy for Compressed Payload Creation and Execution T1027.015
DET0349 Detection Strategy for Content Injection T1659
DET0410 Detection Strategy for Data from Network Shared Drive T1039
DET0059 Detection Strategy for Data Manipulation T1565
DET0366 Detection Strategy for Double File Extension Masquerading T1036.007
DET0355 Detection Strategy for Email Bombing T1667
DET0214 Detection Strategy for Embedded Payloads T1027.009
DET0219 Detection Strategy for Escape to Host T1611
DET0555 Detection Strategy for Event Triggered Execution via emond on macOS T1546.014
DET0548 Detection Strategy for Exfiltration Over Web Service T1567
DET0150 Detection Strategy for File Creation or Modification of Boot Files T1542.003
DET0051 Detection Strategy for File/Path Exclusions T1564.012
DET0344 Detection Strategy for Fileless Storage via Registry, WMI, and Shared Memory T1027.011
DET0171 Detection Strategy for Forged Web Cookies T1606.001
DET0502 Detection Strategy for Hidden Artifacts Across Platforms T1564
DET0032 Detection Strategy for Hidden Files and Directories T1564.001
DET0321 Detection Strategy for Hidden Virtual Instance Execution T1564.006
DET0218 Detection Strategy for Hijack Execution Flow across OS platforms. T1574
DET0201 Detection Strategy for Hijack Execution Flow for DLLs T1574.001
DET0064 Detection Strategy for Hijack Execution Flow through Path Interception by Unquoted Path T1574.009
DET0436 Detection Strategy for Hijack Execution Flow through Services File Permissions Weakness. T1574.010
DET0517 Detection Strategy for Hijack Execution Flow through the AppDomainManager on Windows. T1574.014
DET0038 Detection Strategy for Hijack Execution Flow using Executable Installer File Permissions Weakness T1574.005
DET0004 Detection Strategy for Hijack Execution Flow using Path Interception by PATH Environment Variable. T1574.007
DET0564 Detection Strategy for Hijack Execution Flow using Path Interception by Search Order Hijacking T1574.008
DET0479 Detection Strategy for Hijack Execution Flow using the Windows COR_PROFILER. T1574.012
DET0152 Detection Strategy for Hijack Execution Flow: Dylib Hijacking T1574.004
DET0435 Detection Strategy for Hijack Execution Flow: Dynamic Linker Hijacking T1574.006
DET0313 Detection Strategy for HTML Smuggling via JavaScript Blob + Dynamic File Drop T1027.006
DET0189 Detection Strategy for Indicator Removal from Tools - Post-AV Evasion Modification T1027.005
DET0322 Detection Strategy for Junk Code Obfuscation with Suspicious Execution Patterns T1027.016
DET0450 Detection Strategy for Kernel Modules and Extensions Autostart Execution T1547.006
DET0183 Detection Strategy for Lateral Tool Transfer across OS platforms T1570
DET0401 Detection Strategy for Launch Daemon Creation or Modification (macOS) T1543.004
DET0101 Detection Strategy for Lua Scripting Abuse T1059.011
DET0226 Detection Strategy for Masquerading via File Type Modification T1036.008
DET0347 Detection Strategy for Masquerading via Legitimate Resource Name or Location T1036.005
DET0432 Detection Strategy for NTFS File Attribute Abuse (ADS/EAs) T1564.004
DET0553 Detection Strategy for Obfuscated Files or Information: Binary Padding T1027.001
DET0070 Detection Strategy for Phishing across platforms. T1566
DET0324 Detection Strategy for Polymorphic Code Mutation and Execution T1027.014
DET0451 Detection Strategy for PowerShell Profile Persistence via profile.ps1 Modification T1546.013
DET0544 Detection Strategy for Process Doppelgänging on Windows T1055.013
DET0391 Detection Strategy for Runtime Data Manipulation. T1565.003
DET0236 Detection Strategy for Spearphishing Attachment across OS Platforms T1566.001
DET0115 Detection Strategy for Spearphishing via a Service across OS Platforms T1566.003
DET0193 Detection Strategy for Stored Data Manipulation across OS Platforms. T1565.001
DET0019 Detection Strategy for Stripped Payloads Across Platforms T1027.008
DET0510 Detection Strategy for SVG Smuggling with Script Execution and Delivery Behavior T1027.017
DET0475 Detection Strategy for T1218.011 Rundll32 Abuse T1218.011
DET0166 Detection Strategy for T1505.002 - Transport Agent Abuse (Windows/Linux) T1505.002
DET0068 Detection Strategy for T1505.004 - Malicious IIS Components T1505.004
DET0212 Detection Strategy for T1505.005 – Terminal Services DLL Modification (Windows) T1505.005
DET0278 Detection Strategy for T1542 Pre-OS Boot T1542
DET0099 Detection Strategy for T1542.001 Pre-OS Boot: System Firmware T1542.001
DET0330 Detection Strategy for T1546.016 - Event Triggered Execution via Installer Packages T1546.016
DET0180 Detection Strategy for T1547.009 – Shortcut Modification (Windows) T1547.009
DET0204 Detection Strategy for T1547.010 – Port Monitor DLL Persistence via spoolsv.exe (Windows) T1547.010
DET0012 Detection Strategy for VBA Stomping T1564.007
DET0176 Drive-by Compromise — Behavior-based, Multi-platform Detection Strategy (T1189) T1189
DET0287 Exploitation for Client Execution – cross-platform behavior chain (browser/Office/3rd-party apps) T1203
DET0118 Exploitation of Remote Services – multi-platform lateral movement detection T1210
DET0133 IDE Tunneling Detection via Process, File, and Network Behaviors T1219.001
DET0200 Indirect Command Execution – Windows utility abuse behavior chain T1202
DET0082 Internal Website and System Content Defacement via UI or Messaging Modifications T1491.001
DET0390 Linux Detection Strategy for T1547.013 - XDG Autostart Entries T1547.013
DET0562 Multi-Platform Execution Guardrails Environmental Validation Detection Strategy T1480
DET0299 Multi-Platform File and Directory Permissions Modification Detection Strategy T1222
DET0105 Post-Credential Dump Password Cracking Detection via Suspicious File Access and Hash Analysis Tools T1110.002
DET0370 Recursive Enumeration of Files and Directories Across Privilege Contexts T1083
DET0259 Remote Desktop Software Execution and Beaconing Detection T1219.002
DET0301 Removable Media Execution Chain Detection via File and Process Activity T1091
DET0005 Renamed Legitimate Utility Execution with Metadata Mismatch and Suspicious Path T1036.003
DET0009 Supply-chain tamper in dependencies/dev-tools (manager→write/install→first-run→egress) T1195.001
DET0242 Suspicious Database Access and Dump Activity Across Environments (T1213.006) T1213.006
DET0340 User Execution – Malicious Copy & Paste (browser/email → shell with obfuscated one-liner) – T1204.004 T1204.004
DET0294 User Execution – Malicious File via download/open → spawn chain (T1204.002) T1204.002
DET0066 User Execution – Malicious Link (click → suspicious egress → download/write → follow-on activity) T1204.001
DET0478 User Execution – multi-surface behavior chain (documents/links → helper/unpacker → LOLBIN/child → egress) T1204
DET0252 User-Initiated Malicious Library Installation via Package Manager (T1204.005) T1204.005
DET0394 Web Shell Detection via Server Behavior and File Execution Chains T1505.003
DET0418 Windows DACL Manipulation Behavioral Chain Detection Strategy T1222.001
DET0026 Windows Detection Strategy for T1547.012 - Print Processor DLL Persistence T1547.012