Sysmon Blocked Executable
Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy
Sigma rule (View on GitHub)
1title: Sysmon Blocked Executable
2id: 23b71bc5-953e-4971-be4c-c896cda73fc2
3status: experimental
4description: Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy
5references:
6 - https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022/08/16
9modified: 2023/09/16
10tags:
11 - attack.defense_evasion
12logsource:
13 product: windows
14 service: sysmon
15detection:
16 selection:
17 EventID: 27 # this is fine, we want to match any FileBlockExecutable event
18 condition: selection
19falsepositives:
20 - Unlikely
21level: high
References
-
The Sysinternals team has released a new version of Sysmon. This brings the version number to 14.0 and raises the schema to 4.82.
Read More
Related rules
- Amsi.DLL Loaded Via LOLBIN Process
- DLL Load By System Process From Suspicious Locations
- DNS Query Request By Regsvr32.EXE
- Greedy File Deletion Using Del
- OceanLotus Registry Activity