FileCreate event #182
aminassadi opened this issue Jun 28, 2024 · 0 comments
Describe the bug
When utilizing the creat system call to generate a new file, a FileCreate event is triggered. Conversely, no such event is reported when employing the open system call for file creation. Additionally, attempting to open an already existing file with the creat system call results in a FileCreate event being generated.

To Reproduce
I wrote a simple program to test it.

create a new file with creat system call

#include <stdio.h>
#include <fcntl.h>
#include <sys/stat.h>

int main(void)
{
    mode_t mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH;
    const char* pathname = "./test";
    int fd = creat(pathname, mode); // A call to creat() is equivalent to calling open() with flags equal to O_CREAT|O_WRONLY|O_TRUNC.
    if(fd < 0)
    {
        printf("failed\n");
    }
    else{
        printf("successful\n");
    }
    return 0;
}

create a new file with open system call

#include <stdio.h>
#include <fcntl.h>
#include <sys/stat.h>

int main(void)
{
    mode_t mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH;
    const char* pathname = "./test";
    int fd = open(pathname, O_CREAT|O_WRONLY|O_TRUNC, mode); // this is equivalent to creat
    if(fd < 0)
    {
        printf("failed\n");
    }
    else{
        printf("successful\n");
    }
    return 0;
}

Sysmon version
Sysmon v1.3.3

Distro/kernel version
Ubuntu 22.04.2 LTS 6.5.0-28-generic

Sysmon configuration
[screenshot: Screenshot from 2024-06-28 18-23-58]

Additional context
I discovered that Sysmon logs a FileCreate event upon receiving the syscall number __NR_CREAT, and it records a FileOpen event when encountering __NR_OPEN during the open system call. Within the open system call hook point handler, Sysmon evaluates the equivalence of the access, change, and modification times associated with the file. If all these timestamps match and the duration between the event times is under 100 milliseconds, it triggers a FileOpen event (which seemingly contradicts the notion of file creation). Notably, Sysmon does not perform this timestamp comparison in the creat system call hook point, and consequently reports a FileCreate event on each creat system call even if the file already exists.
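The following probe is an added example, not Sysmon's code and not part of the issue. It re-implements in userspace the timestamp heuristic the report attributes to the open() hook (atime, mtime and ctime agreeing within a 100 ms window; both the window and the exact comparison are assumptions taken from the report's description, the real hook may differ), then drives a scratch file through the two paths described above: open(O_CREAT|O_WRONLY|O_TRUNC) on a new path, followed by creat() on the now-existing file. It shows why the heuristic distinguishes the cases: creation stamps all three times identically, while O_TRUNC on an existing file refreshes only mtime and ctime and leaves atime behind. The scratch path under /tmp is constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Constructed scratch path for the probe; any writable location works. */
#define DEMO_PATH "/tmp/sysmon_issue182_probe"

/* Assumption from the report: the open() hook treats timestamps that agree
 * within 100 ms as "just created". */
#define FRESH_WINDOW_NS 100000000LL

/* Absolute difference between two timespecs, in nanoseconds. */
static long long ts_diff_ns(struct timespec a, struct timespec b)
{
    long long d = (a.tv_sec - b.tv_sec) * 1000000000LL + (a.tv_nsec - b.tv_nsec);
    return d < 0 ? -d : d;
}

/* Userspace version of the heuristic described in the issue: returns 1 when
 * atime, mtime and ctime all agree within FRESH_WINDOW_NS, 0 when they do
 * not, -1 if the file cannot be stat'ed. */
int looks_freshly_created(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return ts_diff_ns(st.st_atim, st.st_mtim) <= FRESH_WINDOW_NS
        && ts_diff_ns(st.st_mtim, st.st_ctim) <= FRESH_WINDOW_NS
        && ts_diff_ns(st.st_atim, st.st_ctim) <= FRESH_WINDOW_NS;
}

/* Write one byte so that a later O_TRUNC genuinely shrinks the file. */
static int write_marker_and_close(int fd)
{
    if (write(fd, "x", 1) != 1) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Path 1 from the report: creat(2). Returns 0 on success, -1 on error. */
int create_with_creat(const char *path)
{
    int fd = creat(path, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
    if (fd < 0)
        return -1;
    return write_marker_and_close(fd);
}

/* Path 2 from the report: open(2) with O_CREAT|O_WRONLY|O_TRUNC. */
int create_with_open(const char *path)
{
    int fd = open(path, O_CREAT | O_WRONLY | O_TRUNC,
                  S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
    if (fd < 0)
        return -1;
    return write_marker_and_close(fd);
}

/* Remove the scratch file; a missing file is not an error. */
int remove_if_exists(const char *path)
{
    if (remove(path) != 0 && errno != ENOENT)
        return -1;
    return 0;
}

/* Sleep long enough that a later truncate lands outside the window. */
int pause_ms(long ms)
{
    struct timespec ts = { ms / 1000, (ms % 1000) * 1000000L };
    return nanosleep(&ts, NULL);
}

int main(void)
{
    remove_if_exists(DEMO_PATH);
    create_with_open(DEMO_PATH);
    printf("open(O_CREAT) on a new path, heuristic says fresh=%d\n",
           looks_freshly_created(DEMO_PATH));
    pause_ms(300);
    create_with_creat(DEMO_PATH);
    printf("creat() on the existing file, heuristic says fresh=%d\n",
           looks_freshly_created(DEMO_PATH));
    remove_if_exists(DEMO_PATH);
    return 0;
}
```

Run on a local filesystem, the first check reports fresh=1 and the second fresh=0: the open() path on a brand-new file is exactly the case the heuristic recognises, and the creat() path on an existing file is exactly the case the report says the creat hook never checks, so a detection pipeline consuming these events should treat a FileCreate from creat() as "create or truncate" rather than proof that the path did not exist before.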
