Advanced Windows Security Logging with Sysinternals Sysmon 15: Tracking and Blocking PE Executable Files

Webinar Registration

The Windows Security Log has hundreds of events, but newer attacks require new monitoring capabilities. For many years Mark Russinovich and Thomas Garnier have been plugging holes in Windows native security logging by adding new events to the Sysmon utility from Sysinternals. The most recent updates to Sysmon focus on:

  • monitoring the creation of new or tampering with existing PE (portable executable) files
  • file deletion and “shredding”

These are 2 areas you just can’t monitor well with the native auditing functionality of Windows. For one thing, the native file auditing doesn’t recognize any difference between file types. In that part of Windows an Office document file is no different than a PE (i.e. EXE or DLL) – they are all just streams of bytes.

Quick note on why I’m using PE instead of EXE. Most PE files have an EXE or DLL extension but that’s really just convention. You can hide executable files with other (or no) file extension. PE refers to the internal structure and format of a file that makes it a loadable EXE or DLL.

But being able to detect when new executables appear on your file system is so important today with the variety of techniques available to attackers. As just one example, an attacker may use a Word macro to download it’s larger malicious agent in the form of a PE which it then sets up to run every time the system reboots. If we can monitor the creation of new PEs – especially by programs like Office that have no business creating them, we can disrupt attacks.

In fact, Sysmon now takes you beyond detection and actually allow you block the creation of PE files based on criteria such as current process name and target directory.

In this real training for free session, we will dive into the latest event IDs generated by Sysmon:

  • 25 - ProcessTampering
  • 26 - FileDeleteDetected
  • 27 - FileBlockExecutable
  • 28 - FileBlockShredding
  • 29 - FileExecutableDetected

And I’ll show you other new features in Sysmon including:

  • a change from device driver to protected process for added protection against adversaries
  • beyond passive detection: new active blocking ability in Sysmon

This real training for free event is sponsored by LOGbinder’s Supercharger which allows you to centrally manage native Windows Event Collection as a SIEM independent logging pipeline without the burden of agents.

This will be a technical, real training for free session so don’t miss it! Register now!

First Name:   
Last Name:   
Work Email:  
Job Title:  
How long have you been using native Windows Event Collection in production?:
How many Windows servers in your organization? :
How many Windows workstations in your organization?:

Your information will be shared with the sponsor.

By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us and the sponsor.



Additional Resources