Sysmon 11.1 Bug fixes, a schema update and a new field

Olaf Hartong
Jun 24 · 3 min read

Sysmon 11.1 has been released, almost a month after the release of version 11.0

Unofficial release notes :

  • On some Windows builds the ProcessCreation events (EventID 1) were not created, this has been resolved
  • Updated file stream hash event to capture the contents of text streams < 1KB, with the goal of capturing Mark Of The Web i(MOTW) streams.
  • To accommodate this new field, the schema has been updated to 4.31, check it out here
  • The -a command-line option has been removed. To set a custom archive directory the configuration option has to be used in the root section of the configuration file.
  • Fixed a bug that restored read-only files to the same directory, irrelevant of the FileDelete configuration.

Mark pointed out that he wants to limit the command-line options in favour of configuration parameters, which I appreciate. It’s a lot easier to maintain it this way, especially in an enterprise environment.

New: Mark Of The Web capture

Each downloaded file is is tagged with a hidden NTFS Alternate Data Stream file named Zone.Identifier.

You can check for the presence of this “Mark of the Web” (MotW) using dir /r or programmatically, and you can view the contents of the MotW stream using Notepad:

Image for post
Image for post
Zone Identifier data for the Sysmon download

This data will now also be captured by Sysmon in the FileStreamHash event (EventID 15) in the Contents field.

Please note that you will see 3–6 events per downloaded file. This is due to the behaviour of urlmon.dll, the library responsible for downloading files via HTTP. This opens and closes the stream multiple times to append MOTW information.

Image for post
Image for post
Example of multiple events for one single download
Image for post
Image for post
All FileStreamHash events generated during a file download

This feature is enabled by default and cannot be configured specifically. Once you enable the FileStreamHash event (EventID 15) for certain directories it will be included from there on out.

So What?

So you can see URLs for a downloaded file, is this useful? Why yes, most certainly. This will make triage in a lot of cases a lot more straight forward since you now have a clear source of the malicious file.

I’ve demonstrated it above with a PE file but the same is valid for other file types, like word documents and so on.

Image for post
Image for post
Random doc file download as an example

It would make sense to at least point this at the Downloads folder of a user and possibly some additional folders, like the office download folders and so on.


A team of highly specialized security professionals

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store