Sysmon Playbook Event ID 15

When a file is downloaded from the internet it is saved to the local system, and Windows marks it with a named file stream. Sysmon Event ID 15 (FileCreateStreamHash) is recorded when such a named stream is created, which for downloaded files happens mostly through the web browser; the event carries the hash of the file and, where the stream is text, its Contents. As evident in the picture, the Image is chrome.exe and the TargetFilename is the Mimikatz file.

It is pertinent to mention that the Zone.Identifier stream is the Mark of the Web: Windows uses it to tell that the file came from another security zone and shows the security warning when the file is opened. The stream stays on the file until a user or program removes it (for example the Unblock checkbox in the file's Properties dialog, or PowerShell's Unblock-File), so it is not stripped simply because the file has been scanned. The ZoneId value records which URL security zone the file came from; ZoneId=3 is the Internet zone.

As Mimikatz was being downloaded, the flow of events shows Sysmon Event ID 11 (FileCreate) recorded first, when the browser created a temporary file at the start of the download. Once the download was complete, Sysmon Event ID 15 (FileCreateStreamHash) was recorded when the temporary file was turned into the completed download; this is the event that carries the hash of the downloaded file.

The hash displayed above was checked on VirusTotal and was confirmed malicious.

Once the file was downloaded, the system started writing its Zone.Identifier stream, for which Sysmon Event ID 11 (FileCreate) and then several Sysmon Event ID 15 (FileCreateStreamHash) events are observed. The special thing to note here is the Contents column, which shows the stream being appended to over time.

First only the [ZoneTransfer] section with the ZoneId was written, then the ReferrerUrl was added, and at the end the HostUrl, the complete link from which the file was actually downloaded.

It should be noted that the MD5 hashes from the Zone.Identifier events were also checked on VirusTotal and they were clean, as expected.

Value of Sysmon Event ID 15

For the downloaded file itself the Contents field is empty, so only the hashes can be checked against VirusTotal to identify whether the file behind the FileCreateStreamHash event is malicious or clean.

For events where the system writes the Zone.Identifier stream and the Contents field has been fully appended, the field should be parsed properly and the ReferrerUrl and HostUrl checked for maliciousness. Intermediate writes that contain only the ZoneId, or the ZoneId and ReferrerUrl, carry no host information and can be ignored.

This is an important use case for identifying malicious files downloaded from the internet and tracing their origin.

Possible Detection Query

EventCode="15" AND Contents CONTAINS "HostUrl"

This should filter only the last appended Zone.Identifier events, the ones whose Contents contain the URL from which a system downloaded a file; partial writes with only the ZoneId or ReferrerUrl are excluded. In Splunk, where EventCode is the field name given to the event ID, the equivalent search is EventCode=15 Contents="*HostUrl*" (field names in other SIEMs will differ).
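The parsing and filtering described above, as an added example that is not part of the original post: it takes a batch of Sysmon Event ID 15 records, separates the download's own event (empty Contents, hash to look up) from the Zone.Identifier writes, drops the partial writes the query above excludes, and extracts the ZoneId, ReferrerUrl and HostUrl from the completed stream. The records, paths, URLs and hash values are constructed to mirror the sequence the post describes and are placeholders, not real indicators.

```python
# Added example: parse Sysmon Event ID 15 (FileCreateStreamHash) records and
# recover the Mark-of-the-Web details from the Zone.Identifier Contents field.
# All records below are constructed; paths, URLs and hashes are placeholders.
import re
from urllib.parse import urlsplit

# URL security zones as written into the ZoneId line of the stream.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
TARGET = r"C:\Users\alice\Downloads\mimikatz.exe"
FILE_HASHES = ("MD5=00000000000000000000000000000001,"
               "SHA256=0000000000000000000000000000000000000000000000000000000000000002")
STREAM_HASHES = ("MD5=00000000000000000000000000000003,"
                 "SHA256=0000000000000000000000000000000000000000000000000000000000000004")
ZI = TARGET + ":Zone.Identifier"

# Constructed Event ID 15 records, in the order the post observes them.
SAMPLE_EVENTS = [
    # The downloaded file itself: hash present, Contents empty.
    {"EventID": 15, "Image": CHROME, "TargetFilename": TARGET,
     "Hash": FILE_HASHES, "Contents": ""},
    # Zone.Identifier written in stages: ZoneId, then ReferrerUrl, then HostUrl.
    {"EventID": 15, "Image": CHROME, "TargetFilename": ZI, "Hash": STREAM_HASHES,
     "Contents": "[ZoneTransfer]\r\nZoneId=3\r\n"},
    {"EventID": 15, "Image": CHROME, "TargetFilename": ZI, "Hash": STREAM_HASHES,
     "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.test/tools/\r\n"},
    {"EventID": 15, "Image": CHROME, "TargetFilename": ZI, "Hash": STREAM_HASHES,
     "Contents": ("[ZoneTransfer]\r\nZoneId=3\r\n"
                  "ReferrerUrl=https://example.test/tools/\r\n"
                  "HostUrl=https://cdn.example.test/mimikatz.exe\r\n")},
]


def parse_hashes(hash_field):
    """Split Sysmon's 'MD5=...,SHA256=...' Hash field into {algo: hash}."""
    hashes = {}
    for part in hash_field.split(","):
        algo, sep, value = part.partition("=")
        if sep:
            hashes[algo.strip().upper()] = value.strip().lower()
    return hashes


def parse_zone_transfer(contents):
    """Parse the [ZoneTransfer] text Sysmon copies into Contents.

    Returns {} for an empty Contents field (the data file's own event) or
    for a stream without a [ZoneTransfer] section.
    """
    fields = {}
    in_section = False
    for raw in re.split(r"\r?\n", contents or ""):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    if fields.get("ZoneId", "").isdigit():
        fields["ZoneId"] = int(fields["ZoneId"])
    return fields


def has_host_url(contents):
    """The post's query, Contents CONTAINS "HostUrl", applied to one record."""
    return "HostUrl" in parse_zone_transfer(contents)


def data_file_of(target_filename):
    """Map 'file.exe:Zone.Identifier' back to the data file it marks."""
    suffix = ":zone.identifier"
    if target_filename.lower().endswith(suffix):
        return target_filename[:-len(suffix)]
    return target_filename


def triage(events):
    """Return (hashes_to_check, origins): file hashes to look up, and one
    origin entry per completed Zone.Identifier write."""
    hashes_to_check, origins = {}, []
    for ev in events:
        if ev.get("EventID") != 15:
            continue
        target = ev["TargetFilename"]
        zt = parse_zone_transfer(ev.get("Contents", ""))
        if not zt:
            hashes_to_check[target] = parse_hashes(ev.get("Hash", ""))
        elif "HostUrl" in zt:  # skip partial writes (ZoneId / ReferrerUrl only)
            zone = zt.get("ZoneId")
            origins.append({
                "file": data_file_of(target), "image": ev.get("Image", ""),
                "zone_id": zone, "zone": ZONE_NAMES.get(zone, "Unknown"),
                "referrer": zt.get("ReferrerUrl", ""), "host_url": zt["HostUrl"],
                "host": urlsplit(zt["HostUrl"]).hostname or "",
            })
    return hashes_to_check, origins


if __name__ == "__main__":
    to_check, found = triage(SAMPLE_EVENTS)
    for path, h in to_check.items():
        print(f"look up hash: {path} SHA256={h.get('SHA256')}")
    for o in found:
        print(f"download: {o['file']} by {o['image']} zone={o['zone']} "
              f"referrer={o['referrer']} host={o['host_url']}")
```

Against the constructed batch, triage returns exactly one hash to look up (the data file, whose Contents is empty) and one origin entry (the final Zone.Identifier write), with the two partial writes discarded; the host name is taken from HostUrl rather than ReferrerUrl because the referrer is only the page the user was on, while HostUrl is where the bytes actually came from.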
