Contents x
    Files
    • 19 Jun 2024
    • 1 Minute to read
    • Contributors
    • Print
    • Dark
      Light
    Contents
      This documentation version is deprecated, please click here for the latest version.

    Files

    • Updated on 19 Jun 2024
    • 1 Minute to read
    • Contributors
    • Print
    • Dark
      Light
    Article summary

    FILE_CREATE

    Generated when a file is created.

    Platforms:

    {
  "FILE_PATH": "C:\\Users\\dev\\AppData\\Local\\Microsoft\\Windows\\WebCache\\V01tmp.log",
  "TIMESTAMP": 1468335271948
}

    FILE_DELETE

    Generated when a file is deleted.

    Platforms:

    {
  "FILE_PATH": "C:\\Users\\dev\\AppData\\Local\\Temp\\EBA4E4F0-3020-459E-9E34-D5336E244F05\\api-ms-win-core-processthreads-l1-1-2.dll",
  "TIMESTAMP": 1468335611906
}

    FILE_TYPE_ACCESSED

    Generated when a new process is observed interacting with certain file types (like .doc). These can be used as indicators of an unknown process exfiltrating files it should not, or ransom-ware.

    This is the mapping between rule name ID and extensions:

    • 1 = .doc
    • 1 = .docm
    • 1 = .docx
    • 2 = .xlt
    • 2 = .xlsm
    • 2 = .xlsx
    • 3 = .ppt
    • 3 = .pptm
    • 3 = .pptx
    • 3 = .ppts
    • 4 = .pdf
    • 5 = .rtf
    • 50 = .zip
    • 51 = .rar
    • 64 = .locky
    • 64 = .aesir

    Platforms:

    {
  "PROCESS_ID": 2048,
  "RULE_NAME": 50,
  "FILE_PATH": "C:\ \Program Files\\7-Zip\\7zG.exe"
}

    The RULE_NAME component is the class of file extension involved:

    • Rule 1: .doc, .docm, .docx
    • Rule 2: .xlt, .xlsm, .xlsx
    • Rule 3: .ppt, .pptm, .pptx, .ppts
    • Rule 4: .pdf
    • Rule 5: .rtf
    • Rule 50: .zip
    • Rule 51: .rar
    • Rule 64: .locky, .aesir

    FILE_MODIFIED

    Generated when a file is modified.

    Platforms:

    {
  "FILE_PATH": "C:\\Users\\dev\\AppData\\Local\\Microsoft\\Windows\\WebCache\\V01.log",
  "TIMESTAMP": 1468335272949
}

    NEW_DOCUMENT

    Generated when a file is created that matches a set list of locations and extensions. It indicates the file has been cached in memory and can be retrieved using the doc_cache_get task.

    The following file patterns are considered "documents":

    • .bat
    • .js
    • .ps1
    • .sh
    • .py
    • .exe
    • .scr
    • .pdf
    • .doc
    • .docm
    • .docx
    • .ppt
    • .pptm
    • .pptx
    • .xlt
    • .xlsm
    • .xlsx
    • .vbs
    • .rtf
    • .hta
    • .lnk
    • .xsl
    • .com
    • .png
    • .jpg
    • .asp
    • .aspx
    • .php
    • \windows\system32\

    Platforms:

    {
  "FILE_PATH": "C:\\Users\\dev\\Desktop\\evil.exe",
  "TIMESTAMP": 1468335816308,
  "HASH": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
}
    Was this article helpful?
    What's Next