Detection rules › Sigma

Sysmon File Executable Creation Detected

Severity: medium
Author: frack113
Source: upstream

Triggers on any Sysmon "FileExecutableDetected" event, which triggers every time a PE that is monitored by the config is created.

Event coverage

Provider	Event ID	Title
Sysmon	29	FileExecutableDetected

Stages and Predicates

Stage 1: `selection`

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.

Windows Executable Masquerading as Benign File Types [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Potentially Suspicious Self Extraction Directive File Created [sigma] (adds 1 filter)