Sysmon Event ID 27

27: File Block Executable

This is an event from Sysmon.

This is another event associated with Sysmon's more recent move into actively blocking certain activities rather than just reporting them (the FileBlockExecutable rule type was introduced in Sysmon 14.0). In this case it is about preventing the creation of new PE (Portable Executable) files, i.e. EXEs, DLLs and drivers. Sysmon monitors the creation of new files and, once a file is closed, examines the beginning of the file to see whether it matches the PE header format. If it does, Sysmon deletes the file and logs this event, recording the process that wrote it (Image, ProcessGuid, ProcessId), the path that was blocked (TargetFilename) and the hashes of the file. Because the file no longer exists on disk, the Hashes field is usually the only artifact you have left to pivot on for threat-intel lookups or correlation with other hosts.

Blocking is driven entirely by your configuration: FileBlockExecutable rules with onmatch="include" define where blocking applies, and rules with onmatch="exclude" carve out exceptions. It's important to write the rules so that legitimate PE file creation, such as Windows Update, installers and software deployment agents, is still allowed; a careless include rule will silently delete binaries that users and services need.

If you only want to detect the creation of new PE files without deleting them, see Event ID 29 (File Executable Detected).
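The following is an added example, not code from the original page or from the Sysmon project, showing the two halves of putting this event to work: a Sysmon configuration whose include rules block PE files written into user-writable locations and whose exclude rules preserve known-good writers, followed by a query that flattens the resulting Event ID 27 records into one object per blocked file. The blocked paths, the excluded process paths (a ConfigMgr client and a developer's NuGet cache) and the config file name are illustrative assumptions; adjust them to what actually writes executables in your environment.

```powershell
# Added example (not from the original page): a minimal Sysmon configuration that
# blocks PE files written under user-writable paths while excluding known-good
# writers, plus a query that pulls the resulting Event ID 27 records.
# Paths, process names and the output file name below are illustrative assumptions.

$config = @'
<Sysmon schemaversion="4.90">
  <!-- schemaversion must match the Sysmon build you run; "sysmon64 -s" prints the supported schema -->
  <HashAlgorithms>sha1,md5,sha256,imphash</HashAlgorithms>
  <EventFiltering>
    <!-- include = block: any PE written to these locations is deleted and logged as Event ID 27 -->
    <RuleGroup name="BlockUserWritablePE" groupRelation="or">
      <FileBlockExecutable onmatch="include">
        <TargetFilename condition="begin with">C:\Users\</TargetFilename>
        <TargetFilename condition="begin with">C:\ProgramData\</TargetFilename>
        <TargetFilename condition="begin with">C:\Windows\Temp\</TargetFilename>
      </FileBlockExecutable>
    </RuleGroup>
    <!-- exclude = exception: these writers keep working even inside the blocked paths (assumed examples) -->
    <RuleGroup name="AllowKnownWriters" groupRelation="or">
      <FileBlockExecutable onmatch="exclude">
        <Image condition="is">C:\Windows\CCM\CcmExec.exe</Image>
        <TargetFilename condition="begin with">C:\Users\builder\.nuget\</TargetFilename>
      </FileBlockExecutable>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

$configPath = "$env:ProgramData\sysmon-fileblock.xml"
Set-Content -Path $configPath -Value $config -Encoding UTF8

# Load the configuration into an existing Sysmon install (use "-accepteula -i" for a first install).
# Test on a lab host first: a wrong include rule deletes legitimate binaries, not just malware.
& "$env:SystemRoot\Sysmon64.exe" -c $configPath

# Pull recent Event ID 27 records and flatten EventData into one object per blocked file.
function Get-SysmonFileBlockEvents {
    param([int]$MaxEvents = 100)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 27 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # The file is already gone, so the hash in the event is the only copy to pivot on.
        $sha256 = ($data.Hashes -split ',' | Where-Object { $_ -like 'SHA256=*' }) -replace '^SHA256='
        [pscustomobject]@{
            UtcTime        = $data.UtcTime
            User           = $data.User
            Image          = $data.Image
            ProcessId      = $data.ProcessId
            TargetFilename = $data.TargetFilename
            SHA256         = $sha256
            RuleName       = $data.RuleName
        }
      }
}

Get-SysmonFileBlockEvents | Format-Table -AutoSize
```

Give each RuleGroup a name: Sysmon copies it into the RuleName field of the event, so an analyst can tell from the record alone which blocking rule fired instead of seeing the "-" shown in the example above. The ProcessGuid in the same record joins directly to the Event ID 1 (Process Create) record of the writing process, which is where you find its command line and parent.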

Description Fields in 27

  • Log Name
  • Source
  • Date
  • Event ID
  • Task Category
  • Level
  • Keywords
  • User
  • Computer
  • Description
  • RuleName
  • UtcTime
  • ProcessGuid
  • ProcessId
  • User
  • Image
  • TargetFilename
  • Hashes

Examples of 27

Log Name:       Microsoft-Windows-Sysmon/Operational
Source:         Microsoft-Windows-Sysmon
Date:           4/15/2024  8:57:35 PM
Event ID:       27
Task Category: File Block Executable (rule: FileBlockExecutable)
Level:          Information
Keywords:      
User:           SYSTEM
Computer:       dc1.Win2022.local
Description: File Block Executable:
RuleName: -
UtcTime: 2024-04-16 03:57:35.123
ProcessGuid: {8a1a452d-2087-65de-9204-000000000500}
ProcessId: 516
User: win2022\administrator
Image: C:\Windows\Explorer.EXE
TargetFilename: C:\junk\SysmonSimulator.exe
Hashes: SHA1=EF74041A282B70791E828D163ECB8E8A40EEF57D,MD5=7D9F7D00B860D60518B5A30341D1FA50,SHA256=CB3CB255C47086D2737267F64E7C16871CDA2FCFA47B6693FA07328F8AC8C2EE,IMPHASH=0926EA6C31491D5DC172FBA45DA92A3A

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
    <EventID>27</EventID>
    <Version>5</Version>
    <Level>4</Level>
    <Task>27</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2024-02-27T17:48:55.9824794Z" />
    <EventRecordID>1051</EventRecordID>
    <Correlation />
    <Execution ProcessID="9596" ThreadID="11128" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>dc1.Win2022.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
<EventData>
  <Data Name="RuleName">-</Data>
  <Data Name="UtcTime">2024-02-27 17:48:55.967</Data>
  <Data Name="ProcessGuid">{8a1a452d-2087-65de-9204-000000000500}</Data>
  <Data Name="ProcessId">516</Data>
  <Data Name="User">win2022\administrator</Data>
  <Data Name="Image">C:\Windows\Explorer.EXE</Data>
  <Data Name="TargetFilename">C:\junk\SysmonSimulator.exe</Data>
  <Data Name="Hashes">SHA1=EF74041A282B70791E828D163ECB8E8A40EEF57D,MD5=7D9F7D00B860D60518B5A30341D1FA50,SHA256=CB3CB255C47086D2737267F64E7C16871CDA2FCFA47B6693FA07328F8AC8C2EE,IMPHASH=0926EA6C31491D5DC172FBA45DA92A3A</Data>
 </EventData>
</Event>
