Event ID 27 — FileBlockExecutable
Description
This event is generated when Sysmon detects and blocks the creation of an executable file that matches the FileBlockExecutable rules in its configuration. The fields record which process attempted the write, the path that was blocked, and the hashes of the blocked content.
Message

Fields

| Name | Type | Description |
|---|---|---|
| RuleName | UnicodeString → string | — |
| UtcTime | UnicodeString → string | — |
| ProcessGuid | GUID → GUID | — |
| ProcessId | UInt32 → PID | — |
| User | UnicodeString → string | — |
| Image | UnicodeString → string | — |
| TargetFilename | UnicodeString → string | — |
| Hashes | UnicodeString → string | — |
Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 27,
    "version": 5,
    "level": 4,
    "task": 27,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-08-29T04:43:48.128507Z",
    "event_record_id": 1341,
    "correlation": {},
    "execution": {
      "process_id": 2060,
      "thread_id": 7132
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "DESKTOP-VQBONAV",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "ImageBlock",
    "UtcTime": "2022-08-29 04:43:48.117",
    "ProcessGuid": "3E153517-4404-630C-0003-000000000400",
    "ProcessId": 8636,
    "User": "DESKTOP-VQBONAV\\user",
    "Image": "C:\\Windows\\system32\\certutil.exe",
    "TargetFilename": "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\02E7958E9A9619FDA0A027756E601291",
    "Hashes": "MD5=E112A827FAB9F8378C76040187A6F336,SHA256=ED369187681A62247E38D930320F1CD771756D0B7B67072D8EC655EF99E14AEB,IMPHASH=8EEAA9499666119D13B3F44ECD77A729"
  }
}
```
Detection Rules

Sigma

- Sysmon Blocked Executable (level: high): triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy.
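Added example, not code from the page, Sysmon or the Sigma project: a small Python consumer for this event that applies the Sigma selection above (Sysmon Operational channel plus EventID 27), normalises the fields into an alert record, and splits the Hashes string into per-algorithm digests so they can be compared against a blocklist. It assumes the JSON layout shown in the example event; the sample below is constructed from that event's values.

```python
# Constructed sample: one event shaped like the page's example (values copied from it).
SAMPLE_EVENT = {
    "system": {"provider": "Microsoft-Windows-Sysmon", "event_id": 27,
               "channel": "Microsoft-Windows-Sysmon/Operational"},
    "event_data": {
        "RuleName": "ImageBlock",
        "UtcTime": "2022-08-29 04:43:48.117",
        "User": "DESKTOP-VQBONAV\\user",
        "Image": "C:\\Windows\\system32\\certutil.exe",
        "TargetFilename": "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\02E7958E9A9619FDA0A027756E601291",
        "Hashes": "MD5=E112A827FAB9F8378C76040187A6F336,SHA256=ED369187681A62247E38D930320F1CD771756D0B7B67072D8EC655EF99E14AEB,IMPHASH=8EEAA9499666119D13B3F44ECD77A729",
    },
}

SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"
FILE_BLOCK_EXECUTABLE = 27


def parse_hashes(field):
    """Split Sysmon's 'ALG=hex,ALG=hex' Hashes string into {ALG: hex}, skipping malformed parts."""
    out = {}
    for part in field.split(","):
        alg, sep, digest = part.partition("=")
        if sep and alg.strip():
            out[alg.strip().upper()] = digest.strip().lower()  # lower-case for blocklist matching
    return out


def is_file_block_executable(event):
    """The Sigma selection: Sysmon Operational channel and EventID 27 (ID may arrive as str or int)."""
    system = event.get("system", {})
    return system.get("channel") == SYSMON_CHANNEL and str(system.get("event_id")) == str(FILE_BLOCK_EXECUTABLE)


def alert_from_event(event):
    """Return a normalised alert record for a FileBlockExecutable event, or None for anything else."""
    if not is_file_block_executable(event):
        return None
    data = event.get("event_data", {})
    return {
        "title": "Sysmon Blocked Executable",
        "level": "high",
        "utc_time": data.get("UtcTime"),
        "rule_name": data.get("RuleName"),
        "user": data.get("User"),
        "writer": data.get("Image"),                # process that attempted the write
        "blocked_file": data.get("TargetFilename"),  # path Sysmon refused to create
        "hashes": parse_hashes(data.get("Hashes", "")),
    }


if __name__ == "__main__":
    print(alert_from_event(SAMPLE_EVENT))
```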
References

- Microsoft Learn: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-27-fileblockexecutable
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx