File Creation

A new file is created on a system or network storage. This action often signifies an operation such as saving a document, writing data, or deploying a file. Logging these events helps identify legitimate or potentially malicious file creation activities. Examples include logging file creation events (e.g., Sysmon Event ID 11 or Linux auditd logs).

This data component can be collected through the following measures:

Windows

  • Sysmon: Event ID 11: Logs file creation events, capturing details like the file path, hash, and creation time.
  • Windows Event Log: Enable "Object Access" auditing in Group Policy to track file creation under Event ID 4663.
  • PowerShell: Real-time monitoring of file creation: Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663}

Linux

  • Auditd: Use audit rules to monitor file creation: auditctl -w /path/to/directory -p w -k file_creation
  • View logs: ausearch -k file_creation
  • Inotify: Monitor file creation with inotifywait: inotifywait -m /path/to/watch -e create
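The auditd rule above tags matching records with the key file_creation, and ausearch returns the raw SYSCALL/PATH records for each event. The following is an added example (not part of the ATT&CK page) showing how those records can be parsed and correlated into file-creation alerts: records sharing one audit serial are grouped, the PATH record with nametype=CREATE gives the created path and its mode, and the SYSCALL record gives the creating process and uid. The rules applied afterwards mirror several of the log-source channels listed on this page (executable or script/archive files in /tmp, /var/tmp or ~/.cache; hidden files in /etc, /var or /usr/bin). The sample log lines are constructed for the example and trimmed to SYSCALL and PATH records; the directory and extension lists are assumptions to be tuned per environment.

```python
import re
import shlex
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample records (not from a real host): an executable script dropped in
# /tmp, a hidden file created in /etc by a root process, and a normal document save.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0a0b2f0 a2=80241 a3=1ed items=2 ppid=1200 pid=1201 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="file_creation"
type=PATH msg=audit(1700000000.101:501): item=0 name="/tmp/" inode=2 dev=00:21 mode=041777 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PATH msg=audit(1700000000.101:501): item=1 name="/tmp/update.sh" inode=4242 dev=00:21 mode=0100755 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55d0c0a0b3a0 a2=80241 a3=1a4 items=2 ppid=1200 pid=1210 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="python3" exe="/usr/bin/python3.11" key="file_creation"
type=PATH msg=audit(1700000000.202:502): item=0 name="/etc/" inode=3 dev=00:21 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PATH msg=audit(1700000000.202:502): item=1 name="/etc/.cache.conf" inode=4243 dev=00:21 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=55d0c0a0b4b0 a2=80241 a3=1a4 items=2 ppid=1200 pid=1220 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="soffice.bin" exe="/usr/lib/libreoffice/program/soffice.bin" key="file_creation"
type=PATH msg=audit(1700000000.303:503): item=0 name="/home/alice/Documents/" inode=5 dev=00:21 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PATH msg=audit(1700000000.303:503): item=1 name="/home/alice/Documents/notes.odt" inode=4244 dev=00:21 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
"""

# Every auditd record starts with its type and the (timestamp:serial) event identifier.
MSG_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')

# Assumed watch lists; tune these to the environment being monitored.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SENSITIVE_DIRS = ("/etc/", "/var/", "/usr/bin/")
SCRIPT_OR_ARCHIVE_EXT = {".sh", ".py", ".pl", ".tar", ".gz", ".bz2", ".zip", ".so"}


def parse_record(line):
    """Split one auditd line into (type, serial, {field: value}); None if it does not parse."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in shlex.split(m.group("body")):  # shlex strips the quotes around name="..."
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return m.group("type"), m.group("serial"), fields


def group_events(lines):
    """Correlate records by audit serial: one SYSCALL record plus the PATH records it created."""
    events = defaultdict(lambda: {"syscall": None, "created": []})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, serial, fields = rec
        if rtype == "SYSCALL":
            events[serial]["syscall"] = fields
        elif rtype == "PATH" and fields.get("nametype") == "CREATE":
            events[serial]["created"].append(fields)
    return events


def is_executable(mode_str):
    """auditd prints mode in octal; any of the three execute bits marks the file executable."""
    return int(mode_str, 8) & 0o111 != 0


def classify(path, mode):
    """Return the list of rule names a created path matches (empty when benign)."""
    p = PurePosixPath(path)
    suffix = p.suffix.lower()
    reasons = []
    if p.name.startswith(".") and path.startswith(SENSITIVE_DIRS):
        reasons.append("hidden file in sensitive directory")
    if path.startswith(SCRATCH_DIRS) or "/.cache/" in path:
        if is_executable(mode):
            reasons.append("executable file in scratch directory")
        if suffix in SCRIPT_OR_ARCHIVE_EXT:
            reasons.append(f"{suffix} file in scratch directory")
    return reasons


def find_suspicious_creations(log_text):
    """Run the rules over an ausearch-style dump and return one finding per flagged path."""
    findings = []
    for serial, ev in group_events(log_text.splitlines()).items():
        sc = ev["syscall"] or {}
        for created in ev["created"]:
            reasons = classify(created["name"], created.get("mode", "0"))
            if reasons:
                findings.append({"serial": serial, "path": created["name"], "exe": sc.get("exe"),
                                 "uid": sc.get("uid"), "key": sc.get("key"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_creations(SAMPLE_AUDIT_LOG):
        print(f"[{f['key']}] {f['path']} by {f['exe']} (uid {f['uid']}): {', '.join(f['reasons'])}")
```

Feeding real data is a matter of piping `ausearch -k file_creation` output into `find_suspicious_creations`. Grouping on the serial is what makes the process context usable: the PATH record alone says what was created, but only the SYSCALL record in the same event says which executable and uid did it, which is the detail an analyst needs to separate a package manager writing to /tmp from an interactive shell doing the same.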

macOS

  • Unified Logs: Use the macOS Unified Logging System to capture file creation events.
  • FSEvents: Use File System Events to monitor file creation: fs_usage | grep create

Network Devices

  • NAS Logs: Monitor file creation events on network-attached storage devices.
  • SMB Logs: Collect logs of file creation activities over SMB/CIFS protocols.

SIEM Integration

  • Forward logs from all platforms (Windows, Linux, macOS) to a SIEM for central analysis and alerting.

ID: DC0039
Domains: ICS, Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name Channel
auditd:FILE File creation with name starting with '.'
auditd:FILE create: New file created in system binaries or temp directories
auditd:FILE create: Creation of .zip, .gz, .bz2 files in /tmp, /var/tmp, or /home directories
auditd:FILE create: Creation of archive files in /tmp, /var/tmp, or user home directories
auditd:FILE create: Creation of files with anomalous headers and entropy levels in /tmp or user directories
auditd:FILE Creation of hidden files (.*) in sensitive directories (/etc, /var, /usr/bin)
auditd:FILE create: Creation of files ending in .tar, .gz, .bz2, .zip in /tmp or /var/tmp
auditd:PATH Creation of files with extensions .sql, .csv, .sqlite, especially in user directories
auditd:PATH New .py/.js/.sh files written to ~/.local/, ~/.cache/, or /tmp/ within 5 min of package install
auditd:PATH mount target path within /proc/*
auditd:PATH creation of .so files in non-standard directories (e.g., /tmp, /home/*)
auditd:PATH WRITE: Drop of binaries/scripts in ~/.local, /tmp, or /opt tool dirs
auditd:SYSCALL creat
auditd:SYSCALL open or creat syscalls targeting excluded paths
auditd:SYSCALL file creation/modification
auditd:SYSCALL open,creat,rename: Writes in $HOME/Downloads, /tmp, ~/.cache with exe/script/archive/office extensions
auditd:SYSCALL write/open, FIM audit
auditd:SYSCALL open: Write to ~/.vscode-cli/code_tunnel.json
auditd:SYSCALL write
auditd:SYSCALL open, unlink, rename: File creation or deletion involving critical stored data
auditd:SYSCALL creat, open, write on /etc/systemd/system and /usr/lib/systemd/system
auditd:SYSCALL write, open, or rename to /etc/systemd/system/*.service
auditd:SYSCALL open/create/rename: name in (/home/*/Downloads/*|/tmp/*|/run/user/*|/media/*) AND ext in SuspiciousExtensions
auditd:SYSCALL File creations of *.qcow2, *.vdi, *.vmdk outside standard VM directories
auditd:SYSCALL open: File creation under /tmp, /var/tmp, ~/.cache with executable bit or shell shebang
auditd:SYSCALL open, write, unlink
auditd:SYSCALL File creation events in /var/mail or /var/spool/mail exceeding baseline thresholds
auditd:SYSCALL write or create file after .bash_history access
auditd:SYSCALL new file created in /var/www/html, /srv/http, or similar web root
auditd:SYSCALL Access or modification to /lib/modules or creation of .ko files
auditd:SYSCALL open,create
auditd:SYSCALL open,creat,rename,write
AWS:CloudTrail PutObject
CloudTrail:PutObject PutObject
esxi:vmkernel file write
esxi:vmkernel VMFS file creation
File None
fs:fileevents creat
fs:fileevents create/write/rename in user-writable paths
fs:fsevents Create in /Users/*/Downloads or /private/var/folders/* with quarantine attribute
fs:fsevents Directory events (kFSEventStreamEventFlagItemCreated)
fs:fsusage open/write/exec calls
fs:fsusage disk activity on /Library/LaunchAgents or LaunchDaemons
fs:fsusage File IO
fs:fsusage file activity
fs:fsusage file open/write
fs:fsusage create: Attachment file creation in ~/Library/Mail directories
fs:fsusage write or chmod to ~/Library/LaunchAgents/*.plist
fs:fsusage file write
fs:launchdaemons file_create
gcp:workspaceaudit drive.activity logs
linux:osquery file_events
linux:Sysmon New files in /tmp, /var/tmp, $HOME/.cache, executed within TimeWindow after browser HTTP fetch
macos:endpointsecurity ES_EVENT_TYPE_NOTIFY_CREATE: path under /Users/*/(Downloads|Desktop|Library/*/Containers|Library/Group Containers) AND extension in SuspiciousExtensions
macos:endpointsecurity es_event_open
macos:fsevents /Library/StartupItems/, ~/Library/LaunchAgents/
macos:osquery CREATE/MODIFY: Modification of app.asar inside .app bundle
macos:osquery file_events
macos:osquery CREATE/MODIFY: Creation of LaunchAgents/Daemons plists in user/system locations
macos:unified File creation
macos:unifiedlog file write
macos:unifiedlog Creation or modification of browser extension .plist files
macos:unifiedlog file creation in AV exclusion directories
macos:unifiedlog file write/create
macos:unifiedlog file events
macos:unifiedlog Creation of .plist under /Library/Managed Preferences/
macos:unifiedlog creation of ~/.vscode-cli/code_tunnel.json
macos:unifiedlog create/modify dylib files in monitored directories
macos:unifiedlog New files written to /var/folders, /tmp, ~/Library/Caches, or ~/Downloads by browser context or its children
macos:unifiedlog File created in ~/Library/LaunchAgents or executable directories
macos:unifiedlog Process wrote large .mov/.mp4 in user temp/hidden dirs
macos:unifiedlog logd:file write
macos:unifiedlog Attachment files written to ~/Downloads or temporary folders
macos:unifiedlog Writes of .sql/.csv/.xlsx files to user documents/downloads
macos:unifiedlog Creation of .zip, .gz, .dmg archives in /Users, /tmp, or application directories
macos:unifiedlog Creation of .zip, .dmg, .tar.gz files in /Users, /tmp, or application directories
macos:unifiedlog File Events
macos:unifiedlog Creation or modification of postinstall scripts within .pkg or .mpkg contents
macos:unifiedlog create: New files in /tmp or ~/Library/Application Support/* with executable or script extensions
macos:unifiedlog File creation of unsigned binaries/scripts in user cache or download directories
macos:unifiedlog Creation of files with anomalous headers and entropy values
macos:unifiedlog Creation of LaunchAgents/LaunchDaemons in hidden or non-standard directories
macos:unifiedlog Creation of .zip or .dmg files in user-accessible or temporary directories
macos:unifiedlog file create or modify in /etc/emond.d/rules or /private/var/db/emondClients
macos:unifiedlog Writes under ~/Library/Application Support/Code*/extensions or JetBrains plugins
snmp:syslog firmware write/log event
WinEventLog:Microsoft-Windows-Shell-Core New startup folder shortcut or binary placed in Startup directory
WinEventLog:Sysmon EventCode=11
WinEventLog:Sysmon Modification of .asar in /opt or ~/.config directories
WinEventLog:Sysmon File creation of suspicious scripts/binaries in temporary directories

Detection Strategy

ID Name Technique Detected
DET0186 Automated File and API Collection Detection Across Platforms T1119
DET0088 Backup Software Discovery via CLI, Registry, and Process Inspection (T1518.002) T1518.002
DET0496 Behavior-Chain Detection for Remote Access Tools (Tool-Agnostic) T1219
DET0556 Behavior-chain detection strategy for T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild (Windows) T1127.001
DET0585 Behavior-chain detection strategy for T1127.003 Trusted Developer Utilities Proxy Execution: JamPlus (Windows) T1127.003
DET0151 Behavior-chain, platform-aware detection strategy for T1124 System Time Discovery T1124
DET0197 Behavior-chain, platform-aware detection strategy for T1125 Video Capture T1125
DET0172 Behavior-chain, platform-aware detection strategy for T1127 Trusted Developer Utilities Proxy Execution (Windows) T1127
DET0018 Behavior-chain, platform-aware detection strategy for T1129 Shared Modules T1129
DET0537 Behavioral detection for Supply Chain Compromise (package/update tamper → install → first-run) T1195
DET0590 Behavioral Detection of External Website Defacement across Platforms T1491.002
DET0378 Behavioral Detection of Obfuscated Files or Information T1027
DET0106 Behavioral Detection of PE Injection via Remote Memory Mapping T1055.002
DET0231 Behavioral Detection of Systemd Timer Abuse for Scheduled Execution T1053.006
DET0131 Behavioral Detection Strategy for Exfiltration Over Alternative Protocol T1048
DET0221 Behavioral Detection Strategy for T1123 Audio Capture Across Windows, Linux, macOS T1123
DET0274 Boot or Logon Autostart Execution Detection Strategy T1547
DET0309 Compromised software/update chain (installer/write → first-run/child → egress/signature anomaly) T1195.002
DET0085 Credential Dumping from SAM via Registry Dump and Local File Access T1003.002
DET0090 Cross-host C2 via Removable Media Relay T1092
DET0094 Cross-Platform Behavioral Detection of Scheduled Task/Job Abuse T1053
DET0238 Defacement via File and Web Content Modification Across Platforms T1491
DET0122 Detect Abuse of Windows Time Providers for Persistence T1547.003
DET0381 Detect Access and Decryption of Group Policy Preference (GPP) Credentials in SYSVOL T1552.006
DET0385 Detect Access and Parsing of .bash_history Files for Credential Harvesting T1552.003
DET0412 Detect Access or Search for Unsecured Credentials Across Platforms T1552
DET0307 Detect Access to Unsecured Credential Files Across Platforms T1552.001
DET0275 Detect Adversary Deobfuscation or Decoding of Files and Payloads T1140
DET0526 Detect Archiving and Encryption of Collected Data (T1560) T1560
DET0438 Detect Archiving via Custom Method (T1560.003) T1560.003
DET0268 Detect Archiving via Library (T1560.002) T1560.002
DET0298 Detect Archiving via Utility (T1560.001) T1560.001
DET0336 Detect Compromise of Host Software Binaries T1554
DET0022 Detect Forced SMB/WebDAV Authentication via lure files and outbound NTLM T1187
DET0060 Detect Ingress Tool Transfers via Behavioral Chain T1105
DET0047 Detect Local Email Collection via Outlook Data File Access and Command Line Tooling T1114.001
DET0561 Detect malicious IDE extension install/usage and IDE tunneling T1176.002
DET0472 Detect Malicious Password Filter DLL Registration T1556.002
DET0257 Detect Mark-of-the-Web (MOTW) Bypass via Container and Disk Image Files T1553.005
DET0429 Detect Modification of macOS Startup Items T1037.005
DET0580 Detect Network Provider DLL Registration and Credential Capture T1556.008
DET0398 Detect Office Startup-Based Persistence via Macros, Forms, and Registry Hooks T1137
DET0050 Detect Persistence via Malicious Office Add-ins T1137.006
DET0519 Detect Persistence via Office Template Macro Injection or Registry Hijack T1137.001
DET0315 Detect Persistence via Office Test Registry DLL Injection T1137.002
DET0365 Detect Registry and Startup Folder Persistence (Windows) T1547.001
DET0452 Detect Subversion of Trust Controls via Certificate, Registry, and Attribute Manipulation T1553
DET0549 Detect Suspicious Access to Private Key Files and Export Attempts Across Platforms T1552.004
DET0225 Detect unauthorized LSASS driver persistence via LSA plugin abuse (Windows) T1547.008
DET0069 Detect unauthorized or suspicious Hardware Additions (USB/Thunderbolt/Network) T1200
DET0361 Detecting .NET COM Registration Abuse via Regsvcs/Regasm T1218.009
DET0433 Detecting Code Injection via mavinject.exe (App-V Injector) T1218.013
DET0025 Detecting Electron Application Abuse for Proxy Execution T1218.015
DET0044 Detecting Malicious Browser Extensions Across Platforms T1176.001
DET0222 Detecting MMC (.msc) Proxy Execution and Malicious COM Activation T1218.014
DET0506 Detecting Mshta-based Proxy Execution via Suspicious HTA or Script Invocation T1218.005
DET0235 Detecting Steganographic Command and Control via File + Network Correlation T1001.002
DET0554 Detection of Bluetooth-Based Data Exfiltration T1011.001
DET0363 Detection of Credential Dumping from LSASS Memory via Access and Dump Sequence T1003.001
DET0480 Detection of Credential Harvesting via Web Portal Modification T1056.003
DET0146 Detection of Data Destruction Across Platforms via Mass Overwrite and Deletion Patterns T1485
DET0123 Detection of Data Exfiltration via Removable Media T1052
DET0014 Detection of Data Staging Prior to Exfiltration T1074
DET0782 Detection of Drive-by Compromise T0817
DET0077 Detection of Exfiltration Over Alternate Network Interfaces T1011
DET0305 Detection of Group Policy Modifications via AD Object Changes and File Activity T1484.001
DET0377 Detection of Kernel/User-Level Rootkit Behavior Across Platforms T1014
DET0745 Detection of Lateral Tool Transfer T0867
DET0434 Detection of Launch Agent Creation or Modification on macOS T1543.001
DET0013 Detection of Local Browser Artifact Access for Reconnaissance T1217
DET0380 Detection of Local Data Collection Prior to Exfiltration T1005
DET0261 Detection of Local Data Staging Prior to Exfiltration T1074.001
DET0138 Detection of Malicious Code Execution via InstallUtil.exe T1218.004
DET0194 Detection of Malicious Control Panel Item Execution via control.exe or Rundll32 T1218.002
DET0092 Detection of Malicious or Unauthorized Software Extensions T1176
DET0328 Detection of Malicious Profile Installation via CMSTP.exe T1218.003
DET0439 Detection of Malware Relocation via Suspicious File Movement T1070.010
DET0215 Detection of Multi-Platform File Encryption for Impact T1486
DET0132 Detection of Mutex-Based Execution Guardrails Across Platforms T1480.002
DET0586 Detection of NTDS.dit Credential Dumping from Domain Controllers T1003.003
DET0071 Detection of Remote Data Staging Prior to Exfiltration T1074.002
DET0733 Detection of Replication Through Removable Media T0847
DET0466 Detection of Script-Based Proxy Execution via Signed Microsoft Utilities T1216
DET0781 Detection of Spearphishing Attachment T0865
DET0342 Detection of Suspicious Compiled HTML File Execution via hh.exe T1218.001
DET0441 Detection of Suspicious Scheduled Task Creation and Execution on Windows T1053.005
DET0253 Detection of Systemd Service Creation or Modification on Linux T1543.002
DET0471 Detection of Tainted Content Written to Shared Storage T1080
DET0220 Detection of USB-Based Data Exfiltration T1052.001
DET0033 Detection Strategy for Accessibility Feature Hijacking via Binary Replacement or Registry Modification T1546.008
DET0017 Detection Strategy for Application Shimming via sdbinst.exe and Registry Artifacts (Windows) T1546.011
DET0332 Detection Strategy for AutoHotKey & AutoIT Abuse T1059.010
DET0428 Detection Strategy for Bind Mounts on Linux T1564.013
DET0237 Detection Strategy for Boot or Logon Initialization Scripts: RC Scripts T1037.004
DET0501 Detection Strategy for Compile After Delivery - Source Code to Executable Transformation T1027.004
DET0281 Detection Strategy for Compressed Payload Creation and Execution T1027.015
DET0349 Detection Strategy for Content Injection T1659
DET0410 Detection Strategy for Data from Network Shared Drive T1039
DET0059 Detection Strategy for Data Manipulation T1565
DET0366 Detection Strategy for Double File Extension Masquerading T1036.007
DET0355 Detection Strategy for Email Bombing T1667
DET0214 Detection Strategy for Embedded Payloads T1027.009
DET0219 Detection Strategy for Escape to Host T1611
DET0555 Detection Strategy for Event Triggered Execution via emond on macOS T1546.014
DET0548 Detection Strategy for Exfiltration Over Web Service T1567
DET0150 Detection Strategy for File Creation or Modification of Boot Files T1542.003
DET0051 Detection Strategy for File/Path Exclusions T1564.012
DET0344 Detection Strategy for Fileless Storage via Registry, WMI, and Shared Memory T1027.011
DET0171 Detection Strategy for Forged Web Cookies T1606.001
DET0502 Detection Strategy for Hidden Artifacts Across Platforms T1564
DET0032 Detection Strategy for Hidden Files and Directories T1564.001
DET0321 Detection Strategy for Hidden Virtual Instance Execution T1564.006
DET0218 Detection Strategy for Hijack Execution Flow across OS platforms. T1574
DET0201 Detection Strategy for Hijack Execution Flow for DLLs T1574.001
DET0064 Detection Strategy for Hijack Execution Flow through Path Interception by Unquoted Path T1574.009
DET0436 Detection Strategy for Hijack Execution Flow through Services File Permissions Weakness. T1574.010
DET0517 Detection Strategy for Hijack Execution Flow through the AppDomainManager on Windows. T1574.014
DET0038 Detection Strategy for Hijack Execution Flow using Executable Installer File Permissions Weakness T1574.005
DET0004 Detection Strategy for Hijack Execution Flow using Path Interception by PATH Environment Variable. T1574.007
DET0564 Detection Strategy for Hijack Execution Flow using Path Interception by Search Order Hijacking T1574.008
DET0479 Detection Strategy for Hijack Execution Flow using the Windows COR_PROFILER. T1574.012
DET0152 Detection Strategy for Hijack Execution Flow: Dylib Hijacking T1574.004
DET0435 Detection Strategy for Hijack Execution Flow: Dynamic Linker Hijacking T1574.006
DET0313 Detection Strategy for HTML Smuggling via JavaScript Blob + Dynamic File Drop T1027.006
DET0189 Detection Strategy for Indicator Removal from Tools - Post-AV Evasion Modification T1027.005
DET0322 Detection Strategy for Junk Code Obfuscation with Suspicious Execution Patterns T1027.016
DET0450 Detection Strategy for Kernel Modules and Extensions Autostart Execution T1547.006
DET0183 Detection Strategy for Lateral Tool Transfer across OS platforms T1570
DET0401 Detection Strategy for Launch Daemon Creation or Modification (macOS) T1543.004
DET0101 Detection Strategy for Lua Scripting Abuse T1059.011
DET0226 Detection Strategy for Masquerading via File Type Modification T1036.008
DET0347 Detection Strategy for Masquerading via Legitimate Resource Name or Location T1036.005
DET0432 Detection Strategy for NTFS File Attribute Abuse (ADS/EAs) T1564.004
DET0553 Detection Strategy for Obfuscated Files or Information: Binary Padding T1027.001
DET0070 Detection Strategy for Phishing across platforms. T1566
DET0324 Detection Strategy for Polymorphic Code Mutation and Execution T1027.014
DET0451 Detection Strategy for PowerShell Profile Persistence via profile.ps1 Modification T1546.013
DET0544 Detection Strategy for Process Doppelgänging on Windows T1055.013
DET0391 Detection Strategy for Runtime Data Manipulation. T1565.003
DET0236 Detection Strategy for Spearphishing Attachment across OS Platforms T1566.001
DET0115 Detection Strategy for Spearphishing via a Service across OS Platforms T1566.003
DET0193 Detection Strategy for Stored Data Manipulation across OS Platforms. T1565.001
DET0019 Detection Strategy for Stripped Payloads Across Platforms T1027.008
DET0510 Detection Strategy for SVG Smuggling with Script Execution and Delivery Behavior T1027.017
DET0475 Detection Strategy for T1218.011 Rundll32 Abuse T1218.011
DET0166 Detection Strategy for T1505.002 - Transport Agent Abuse (Windows/Linux) T1505.002
DET0068 Detection Strategy for T1505.004 - Malicious IIS Components T1505.004
DET0212 Detection Strategy for T1505.005 – Terminal Services DLL Modification (Windows) T1505.005
DET0278 Detection Strategy for T1542 Pre-OS Boot T1542
DET0099 Detection Strategy for T1542.001 Pre-OS Boot: System Firmware T1542.001
DET0330 Detection Strategy for T1546.016 - Event Triggered Execution via Installer Packages T1546.016
DET0180 Detection Strategy for T1547.009 – Shortcut Modification (Windows) T1547.009
DET0204 Detection Strategy for T1547.010 – Port Monitor DLL Persistence via spoolsv.exe (Windows) T1547.010
DET0012 Detection Strategy for VBA Stomping T1564.007
DET0176 Drive-by Compromise — Behavior-based, Multi-platform Detection Strategy (T1189) T1189
DET0287 Exploitation for Client Execution – cross-platform behavior chain (browser/Office/3rd-party apps) T1203
DET0118 Exploitation of Remote Services – multi-platform lateral movement detection T1210
DET0133 IDE Tunneling Detection via Process, File, and Network Behaviors T1219.001
DET0200 Indirect Command Execution – Windows utility abuse behavior chain T1202
DET0082 Internal Website and System Content Defacement via UI or Messaging Modifications T1491.001
DET0390 Linux Detection Strategy for T1547.013 - XDG Autostart Entries T1547.013
DET0562 Multi-Platform Execution Guardrails Environmental Validation Detection Strategy T1480
DET0299 Multi-Platform File and Directory Permissions Modification Detection Strategy T1222
DET0105 Post-Credential Dump Password Cracking Detection via Suspicious File Access and Hash Analysis Tools T1110.002
DET0370 Recursive Enumeration of Files and Directories Across Privilege Contexts T1083
DET0259 Remote Desktop Software Execution and Beaconing Detection T1219.002
DET0301 Removable Media Execution Chain Detection via File and Process Activity T1091
DET0005 Renamed Legitimate Utility Execution with Metadata Mismatch and Suspicious Path T1036.003
DET0009 Supply-chain tamper in dependencies/dev-tools (manager→write/install→first-run→egress) T1195.001
DET0242 Suspicious Database Access and Dump Activity Across Environments (T1213.006) T1213.006
DET0340 User Execution – Malicious Copy & Paste (browser/email → shell with obfuscated one-liner) – T1204.004 T1204.004
DET0294 User Execution – Malicious File via download/open → spawn chain (T1204.002) T1204.002
DET0066 User Execution – Malicious Link (click → suspicious egress → download/write → follow-on activity) T1204.001
DET0478 User Execution – multi-surface behavior chain (documents/links → helper/unpacker → LOLBIN/child → egress) T1204
DET0252 User-Initiated Malicious Library Installation via Package Manager (T1204.005) T1204.005
DET0394 Web Shell Detection via Server Behavior and File Execution Chains T1505.003
DET0418 Windows DACL Manipulation Behavioral Chain Detection Strategy T1222.001
DET0026 Windows Detection Strategy for T1547.012 - Print Processor DLL Persistence T1547.012