Sysmon File Executable Creation Detected

Aug 12, 2024 · attack.defense-evasion ·

Triggers on any Sysmon "FileExecutableDetected" event, which triggers every time a PE that is monitored by the config is created.

Sigma rule (View on GitHub)

 1title: Sysmon File Executable Creation Detected
 2id: 693a44e9-7f26-4cb6-b787-214867672d3a
 3status: test
 4description: Triggers on any Sysmon "FileExecutableDetected" event, which triggers every time a PE that is monitored by the config is created.
 5references:
 6    - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
 7    - https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36
 8author: frack113
 9date: 2023-07-20
10tags:
11    - attack.defense-evasion
12logsource:
13    product: windows
14    service: sysmon
15detection:
16    selection:
17        EventID: 29  # this is fine, we want to match any FileExecutableDetected event
18    condition: selection
19falsepositives:
20    - Unlikely
21level: medium

References

Sysmon - Sysinternals

Monitors and reports key system activity via the Windows event log.

Read More
Sysmon 15.0 — File executable detected

Sysmon 15 has just been released and has received several bug fixes, one among them which could prevent a machine from booting while…

Read More

Sysmon File Executable Creation Detected

Sigma rule (View on GitHub)

References

Sysmon - Sysinternals

Sysmon 15.0 — File executable detected

Related rules