olafhartong
commented
4 years ago This is not a Sysmon issue, this is due to the behaviour of urlmon.dll https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms775123%28v%3Dvs.85%29, the library responsible for downloading files via HTTP. This opens and closes the stream multiple times to append MOTW information.
On Fri, Jun 12, 2020 at 7:14 AM YUVRAJ TAKEY notifications@github.com wrote:
After enabling the FileCreateStreamHash event in sysmon, I am downloading one file from the browser, but in the event viewer, it is showing 3 entries of the same file (This same problem I am facing in my WinAPI code, there also I am receiving 3 event logs of the same entry). This is my config file
`
* Temp\7z Startup .bat .cmd .hta .lnk .ppt .ps1 .ps2 .reg .jse .vb .vbe .vbs .msi .exe .dll `
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/SwiftOnSecurity/sysmon-config/issues/121, or unsubscribe https://github.com/notifications/unsubscribe-auth/AB6FXC66PFM2ZQUQB4FTLLDRWG2R7ANCNFSM4N4ACPEA .
--
-- https://olafhartong.nl +31 6 20604042
Yuvraj-Takey
After enabling the FileCreateStreamHash event in sysmon, I am downloading one file from the browser, but in the event viewer, it is showing N(sometimes 3,4) entries of the same file (This same problem I am facing in my WinAPI code, there also I am receiving N event logs of the same entry). This is my config file
`
`