Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Sysmon Blocked Executable

Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems)Created Tue Aug 16Updated Sat Sep 1623b71bc5-953e-4971-be4c-c896cda73fc2windows
Log Source
Windowssysmon
ProductWindows← raw: windows
Servicesysmon← raw: sysmon
Detection Logic
Detection Logic1 selector
detection:
    selection:
        EventID: 27  # this is fine, we want to match any FileBlockExecutable event
    condition: selection
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

References
1
Resolving title…
medium.com
MITRE ATT&CK
Rule Metadata
Rule ID
23b71bc5-953e-4971-be4c-c896cda73fc2
Status
test
Level
high
Type
Detection
Created
Tue Aug 16
Modified
Sat Sep 16
Author
Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/sysmon/sysmon_file_block_executable.yml
Raw Tags
attack.defense-evasion
View on GitHub