Sysmon File Executable Creation Detected
Triggers on any Sysmon "FileExecutableDetected" event, which triggers every time a PE that is monitored by the config is created.
Sigma rule (View on GitHub)
1title: Sysmon File Executable Creation Detected
2id: 693a44e9-7f26-4cb6-b787-214867672d3a
3status: experimental
4description: Triggers on any Sysmon "FileExecutableDetected" event, which triggers every time a PE that is monitored by the config is created.
5references:
6 - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
7 - https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36
8author: frack113
9date: 2023/07/20
10tags:
11 - attack.defense_evasion
12logsource:
13 product: windows
14 service: sysmon
15detection:
16 selection:
17 EventID: 29 # this is fine, we want to match any FileExecutableDetected event
18 condition: selection
19falsepositives:
20 - Unlikely
21level: medium
References
Related rules
- Amsi.DLL Loaded Via LOLBIN Process
- DLL Load By System Process From Suspicious Locations
- DNS Query Request By Regsvr32.EXE
- Greedy File Deletion Using Del
- OceanLotus Registry Activity