Event ID 28 — FileBlockShredding
Description
This event is generated when Sysmon detects and blocks file shredding, that is, a process overwriting a file's contents to destroy them before deletion, as tools such as SDelete do. It is opt-in: Sysmon only blocks and logs when a `FileBlockShredding` rule in the configuration's `EventFiltering` section matches the writing process (`Image`) or the file (`TargetFilename`). When the rule matches, the destructive write is blocked and Event ID 28 is recorded with the process, user, target file and the target's hashes, so the file survives for forensic review. The rule type was introduced in Sysmon 14.1. Because the rule blocks as well as logs, an over-broad include rule will break legitimate software: in the example below an unnamed rule (`RuleName` of `-`) matched `svchost.exe` running as LOCAL SERVICE writing to the SRUM database log `SRU.log`. Scope include rules to the shredding tools you care about, and add exclude rules for the system processes you see firing it.
Fields
| Name | Type | Description |
|---|---|---|
| RuleName | UnicodeString → string | Name of the `FileBlockShredding` rule that matched; `-` when the matching rule has no `name` attribute. |
| UtcTime | UnicodeString → string | Time the write was blocked, in UTC. |
| ProcessGuid | GUID → GUID | Sysmon process GUID of the process whose write was blocked; join key to its Event ID 1 (ProcessCreate) record. |
| ProcessId | UInt32 → PID | Process ID of that process. |
| User | UnicodeString → string | Account the process is running as. |
| Image | UnicodeString → string | Full path of the process image that attempted the shredding. |
| TargetFilename | UnicodeString → string | Full path of the file that was being shredded. |
| Hashes | UnicodeString → string | Hashes of the target file, as a comma-separated `ALGORITHM=value` list following the configured `HashAlgorithms`; `IMPHASH` is all zeros when no import hash could be computed, for example for a non-PE file. |
| IsExecutable | Boolean → boolean | Whether the target file is a PE executable. |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 28,
    "version": 5,
    "level": 4,
    "task": 28,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-12T03:06:00.105995+00:00",
    "event_record_id": 36714962,
    "correlation": {},
    "execution": {
      "process_id": 3860,
      "thread_id": 5148
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-03-12 03:06:00.101",
    "ProcessGuid": "3792AB3B-0B4D-69B1-4300-000000000F00",
    "ProcessId": 3544,
    "User": "NT AUTHORITY\\LOCAL SERVICE",
    "Image": "C:\\Windows\\System32\\svchost.exe",
    "TargetFilename": "C:\\Windows\\System32\\sru\\SRU.log",
    "Hashes": "SHA1=1ADC95BEBE9EEA8C112D40CD04AB7A8D75C4F961,MD5=FCD6BCB56C1689FCEF28B57C22475BAD,SHA256=DE2F256064A0AF797747C2B97505DC0B9F3DF0DE4F489EAC731C23AE9CA9CC31,IMPHASH=00000000000000000000000000000000",
    "IsExecutable": false
  },
  "message": ""
}
```
Detection Rules
Sigma
- Sysmon Blocked File Shredding (level: high): Triggers on any Sysmon "FileBlockShredding" event (Event ID 28). Because the event only exists when a configured rule matched, every hit is by definition a violation of the shredding policy you wrote; the triage question is whether the rule is scoped correctly, not whether the event is a false positive in the usual sense.
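As an added example (not code from this page, from Sysmon or from the Sigma project), the following Python applies the Sigma rule's logic to records shaped like the example event above, splits the `Hashes` field into a dictionary, and annotates each alert for triage: known shredding tools, executable targets, an all-zero `IMPHASH`, and hits that match a tuning candidate for an exclude rule. The sample events other than the page's own, the `KNOWN_SHREDDERS` names and the `TUNING_CANDIDATES` pair are constructed assumptions; whether the `svchost.exe`/`SRU.log` hit on this page is benign is deployment-specific and is only treated as a tuning candidate here.

```python
"""Triage of Sysmon Event ID 28 (FileBlockShredding) records (added example)."""
import json

# Constructed sample events. The first mirrors the example event on this page;
# the second is a made-up record for a shredding tool (path, GUID and hashes are
# assumptions); the third is a different Sysmon event ID to show the filter.
SAMPLE_EVENTS = [
    {
        "system": {"provider": "Microsoft-Windows-Sysmon", "event_id": 28,
                   "computer": "LAB-WIN11"},
        "event_data": {
            "RuleName": "-",
            "UtcTime": "2026-03-12 03:06:00.101",
            "ProcessGuid": "3792AB3B-0B4D-69B1-4300-000000000F00",
            "ProcessId": 3544,
            "User": "NT AUTHORITY\\LOCAL SERVICE",
            "Image": "C:\\Windows\\System32\\svchost.exe",
            "TargetFilename": "C:\\Windows\\System32\\sru\\SRU.log",
            "Hashes": "SHA1=1ADC95BEBE9EEA8C112D40CD04AB7A8D75C4F961,"
                      "MD5=FCD6BCB56C1689FCEF28B57C22475BAD,"
                      "SHA256=DE2F256064A0AF797747C2B97505DC0B9F3DF0DE4F489EAC731C23AE9CA9CC31,"
                      "IMPHASH=00000000000000000000000000000000",
            "IsExecutable": False,
        },
    },
    {
        "system": {"provider": "Microsoft-Windows-Sysmon", "event_id": 28,
                   "computer": "LAB-WIN11"},
        "event_data": {
            "RuleName": "block_sdelete",           # assumed rule name
            "UtcTime": "2026-03-12 03:10:41.512",
            "ProcessGuid": "3792AB3B-0C1D-69B1-5A00-000000000F00",  # constructed
            "ProcessId": 6120,
            "User": "LAB-WIN11\\alice",
            "Image": "C:\\Users\\alice\\Downloads\\sdelete64.exe",
            "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\dropper.exe",
            "Hashes": "SHA256=" + "aa" * 32 + ",IMPHASH=" + "11" * 16,  # constructed
            "IsExecutable": True,
        },
    },
    {   # Event ID 27 (FileBlockExecutable): must not be reported by this rule.
        "system": {"provider": "Microsoft-Windows-Sysmon", "event_id": 27,
                   "computer": "LAB-WIN11"},
        "event_data": {"Image": "C:\\Windows\\explorer.exe",
                       "TargetFilename": "C:\\Users\\alice\\Downloads\\x.exe"},
    },
]

# Assumed list of shredding tool image names worth calling out by name.
KNOWN_SHREDDERS = ("sdelete.exe", "sdelete64.exe")

# Hypothetical tuning list of (image, target-path prefix) pairs, lower-cased,
# that this deployment has decided to cover with a FileBlockShredding exclude
# rule. The svchost/SRU.log pair is the page's own example, listed as an
# assumption, not as a verdict that it is benign.
TUNING_CANDIDATES = (
    ("c:\\windows\\system32\\svchost.exe", "c:\\windows\\system32\\sru\\"),
)


def parse_hashes(hashes):
    """Split Sysmon's 'ALG=hex,ALG=hex' string into {ALG: lower-case hex}."""
    out = {}
    for part in hashes.split(","):
        alg, sep, value = part.partition("=")
        if sep:
            out[alg.strip().upper()] = value.strip().lower()
    return out


def is_file_block_shredding(event):
    """The Sigma rule's logic: a Sysmon provider event with EventID 28."""
    sysinfo = event.get("system", {})
    return (sysinfo.get("provider") == "Microsoft-Windows-Sysmon"
            and sysinfo.get("event_id") == 28)


def triage(event):
    """Build one triage record from a FileBlockShredding event."""
    d = event["event_data"]
    image, target = d["Image"], d["TargetFilename"]
    hashes = parse_hashes(d.get("Hashes", ""))
    is_exe = bool(d.get("IsExecutable"))
    notes = []
    if image.rsplit("\\", 1)[-1].lower() in KNOWN_SHREDDERS:
        notes.append("known shredding tool")
    if is_exe:
        notes.append("target is a PE executable: possible cleanup of a dropped binary")
    if hashes.get("IMPHASH") == "0" * 32:
        notes.append("all-zero IMPHASH: no import hash computed (target is not a PE)")
        if is_exe:
            notes.append("IsExecutable is true but IMPHASH is zero: inspect the target by hand")
    for img, prefix in TUNING_CANDIDATES:
        if image.lower() == img and target.lower().startswith(prefix):
            notes.append("matches tuning candidate: consider a FileBlockShredding exclude rule")
    return {
        "time": d["UtcTime"], "host": event["system"].get("computer"),
        "user": d["User"], "image": image, "pid": d["ProcessId"],
        "process_guid": d["ProcessGuid"],   # pivot to Event ID 1 for the parent chain
        "target": target, "rule": d.get("RuleName", "-"),
        "is_executable": is_exe, "hashes": hashes,
        "severity": "high", "notes": notes,
    }


def run_detection(events):
    """Apply the rule to a batch of events and return triage records."""
    return [triage(e) for e in events if is_file_block_shredding(e)]


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(json.dumps(alert, indent=2))
```

The `process_guid` in each record is the value to pivot on: the Event ID 1 record with the same GUID gives the command line and parent of the process that tried to shred the file, which is usually what decides whether the hit is a tuning problem or an attacker covering tracks.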