Sysmon Blocked Executable
Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy
Sigma rule (View on GitHub)
1title: Sysmon Blocked Executable
2id: 23b71bc5-953e-4971-be4c-c896cda73fc2
3status: test
4description: Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy
5references:
6 - https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022-08-16
9modified: 2023-09-16
10tags:
11 - attack.defense-evasion
12logsource:
13 product: windows
14 service: sysmon
15detection:
16 selection:
17 EventID: 27 # this is fine, we want to match any FileBlockExecutable event
18 condition: selection
19falsepositives:
20 - Unlikely
21level: high
References
-
The Sysinternals team has released a new version of Sysmon. This brings the version number to 14.0 and raises the schema to 4.82.
Read More
Related rules
- AD Object WriteDAC Access
- AMSI Bypass Pattern Assembly GetType
- APT PRIVATELOG Image Load Pattern
- APT29 2018 Phishing Campaign CommandLine Indicators
- APT29 2018 Phishing Campaign File Indicators