
Microsoft Sysmon now detects when executables files are created
2023-06-28 21:28

Microsoft has released Sysmon 15, converting it into a protected process and adding the new 'FileExecutableDetected' option to log when executable files are created.

Users can find the complete list of directives in the Sysmon schema, which can be viewed by running the sysmon -s command at the command line.

Yesterday, Microsoft released Sysmon 15.0, which includes two new features - the hardening of the program by turning it into a protected process and the ability to detect when executable files are created on the monitored system.

To install Sysmon and direct it to use a configuration file, you would execute the sysmon -i command and pass the configuration file's name.

With the FileExecutableDetected feature enabled, when a new executable file is created under the C:\ProgramData or C:\Users folder and matches a rule, Sysmon will generate an 'Event 29, File Executable Detected' entry in Event Viewer. This directive only logs the creation; the separate FileBlockExecutable directive is the one that blocks the file.

For those who want a premade Sysmon configuration file that uses this feature to detect when known malware or hack tool executables are created, you can use security researcher Florian Roth's Sysmon config.
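As an added example, not taken from the article, Sysmon's documentation or Florian Roth's config: a minimal configuration that logs only executables created under the two folders the article names, installed with sysmon -i, followed by a query that pulls the resulting Event 29 entries from the Sysmon log. The file name sysmon-exec-detect.xml and the schemaversion value are assumptions (sysmon -s prints the schema your build expects).

```powershell
# Added example: minimal Sysmon 15 config using the FileExecutableDetected directive.
# schemaversion 4.90 is assumed to match Sysmon 15.0; confirm with: .\sysmon64.exe -s
$config = @'
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- Log (Event 29) any executable written under ProgramData or a user profile -->
      <FileExecutableDetected onmatch="include">
        <TargetFilename condition="begin with">C:\ProgramData\</TargetFilename>
        <TargetFilename condition="begin with">C:\Users\</TargetFilename>
      </FileExecutableDetected>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path .\sysmon-exec-detect.xml -Value $config -Encoding ASCII

# Fresh install of the driver with this configuration (run elevated).
.\sysmon64.exe -accepteula -i .\sysmon-exec-detect.xml
# If Sysmon is already installed, reload the configuration instead:
# .\sysmon64.exe -c .\sysmon-exec-detect.xml

# Review what was detected: Event 29 carries the file, the writing process and its hashes.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 29 } -MaxEvents 20 |
  ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
      Time   = $_.TimeCreated
      File   = $data.TargetFilename
      Image  = $data.Image      # process that wrote the executable
      User   = $data.User
      Hashes = $data.Hashes
    }
  } | Format-Table -AutoSize
```

Dropping a benign executable into a folder such as C:\Users\Public is enough to confirm the rule fires before relying on it for triage.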


News URL

https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-when-executables-files-are-created/
