Event ID 29 — FileExecutableDetected
Description
This event is generated when Sysmon detects the creation of a new executable file.
Message
Fields
| Name | Type | Description |
|---|---|---|
| RuleName | UnicodeString → string | — |
| UtcTime | UnicodeString → string | — |
| ProcessGuid | GUID → GUID | — |
| ProcessId | UInt32 → PID | — |
| User | UnicodeString → string | — |
| Image | UnicodeString → string | — |
| TargetFilename | UnicodeString → string | — |
| Hashes | UnicodeString → string | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 29,
    "version": 5,
    "level": 4,
    "task": 29,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:50.724328+00:00",
    "event_record_id": 25592993,
    "correlation": {},
    "execution": {
      "process_id": 3516,
      "thread_id": 4964
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-03-13 19:59:50.723",
    "ProcessGuid": "3792AB3B-6CAF-69B4-C304-000000000800",
    "ProcessId": 6332,
    "User": "NT AUTHORITY\\SYSTEM",
    "Image": "C:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.378_none_6b5c1260907d1384\\TiWorker.exe",
    "TargetFilename": "C:\\Windows\\WinSxS\\Temp\\InFlight\\4d85a1f323b3dc0131020000bc18500b\\amd64_hyperv-compute-containerdiagnosticstool_31bf3856ad364e35_10.0.22621.1_none_e8f6dc1e2b2810c4\\hcsdiag.exe",
    "Hashes": "SHA1=4151B8801065408E851608F5F586E83F841DDF73,MD5=5CDE58E943D06BF77B4595CF917E4BD6,SHA256=148B44E4D5251D533F66EB2352AE396DB612AE926703682C8CD271ADC8A8B03A,IMPHASH=BC0760AED3654197B70538C4350C093A"
  },
  "message": ""
}
```
Detection Rules
Sigma
- Potentially Suspicious Self Extraction Directive File Created (level: medium): Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stands for Self Extraction Directive files. These files are used by the "iexpress.exe" utility to create self-extracting packages. Attackers have been seen abusing this utility and creating PE files with embedded ".sed" entries. Usually ".sed" files are simple INI files, not PE binaries.
- Sysmon File Executable Creation Detected (level: medium): Triggers on any Sysmon "FileExecutableDetected" event, i.e. every time a PE covered by the monitoring configuration is created.
Splunk
- Windows Executable Masquerading as Benign File Types: Detects executable files masquerading as benign file types on Windows systems. Adversaries use this technique to evade defenses and trick users into running malicious code by renaming executables with extensions commonly associated with documents, images or other non-executable formats (e.g. .pdf, .jpg, .doc, .png).
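The masquerading and ".sed" rules above both reduce to one check on an Event ID 29 record: the TargetFilename of a freshly written PE carries an extension that should never hold executable code. The following is an added example (not code from Sysmon, SigmaHQ or Splunk) that applies that check to newline-delimited JSON events shaped like the one on this page, splitting the Hashes field so the SHA256 can be carried into a finding; the extension list and the sample records are constructed assumptions.

```python
import json
from pathlib import PureWindowsPath
from typing import Optional

# Assumed list of extensions a PE should never carry; extend to taste.
NON_EXECUTABLE_EXTENSIONS = {".pdf", ".jpg", ".jpeg", ".png", ".doc", ".docx", ".txt", ".sed"}

def parse_hashes(field: str) -> dict:
    """Split Sysmon's 'ALG=HEX,ALG=HEX,...' Hashes string into {ALG: HEX}."""
    pairs = (p.split("=", 1) for p in field.split(",") if "=" in p)
    return {alg.strip().upper(): val.strip().upper() for alg, val in pairs}

def triage_event29(event: dict) -> Optional[dict]:
    """Return a finding for a FileExecutableDetected event whose TargetFilename
    has a non-executable extension; None for anything else."""
    sysm, data = event.get("system", {}), event.get("event_data", {})
    if sysm.get("provider") != "Microsoft-Windows-Sysmon" or sysm.get("event_id") != 29:
        return None  # not an Event ID 29 record
    target = data.get("TargetFilename", "")
    ext = PureWindowsPath(target).suffix.lower()
    if ext not in NON_EXECUTABLE_EXTENSIONS:
        return None
    hashes = parse_hashes(data.get("Hashes", ""))
    return {"computer": sysm.get("computer"), "image": data.get("Image"),
            "target": target, "extension": ext, "sha256": hashes.get("SHA256")}

def triage_stream(lines: list) -> list:
    """Run triage over NDJSON lines, skipping lines that are not valid JSON."""
    findings = []
    for line in lines:
        try:
            finding = triage_event29(json.loads(line))
        except json.JSONDecodeError:
            continue
        if finding:
            findings.append(finding)
    return findings

# Constructed sample records (not real telemetry): one benign servicing-stack
# write like the page's example, one PE dropped with a .pdf extension, one junk line.
SAMPLE_EVENTS = [
    json.dumps({"system": {"provider": "Microsoft-Windows-Sysmon", "event_id": 29,
                           "computer": "LAB-WIN11.ludus.domain"},
                "event_data": {"Image": "C:\\Windows\\WinSxS\\x\\TiWorker.exe",
                               "TargetFilename": "C:\\Windows\\WinSxS\\Temp\\InFlight\\x\\hcsdiag.exe",
                               "Hashes": "SHA1=AAA,MD5=BBB,SHA256=CCC,IMPHASH=DDD"}}),
    json.dumps({"system": {"provider": "Microsoft-Windows-Sysmon", "event_id": 29,
                           "computer": "LAB-WIN11.ludus.domain"},
                "event_data": {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
                               "TargetFilename": "C:\\Users\\alice\\Downloads\\Invoice.PDF",
                               "Hashes": "SHA256=DEADBEEF"}}),
    "{not json",
]

if __name__ == "__main__":
    for finding in triage_stream(SAMPLE_EVENTS):
        print(finding)
```

A double extension such as `invoice.pdf.exe` ends in `.exe` and is not flagged here; the extension check covers only the renamed-PE case the rules describe.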