diff --git a/rules/windows/sysmon/sysmon_file_block_shredding.yml b/rules/windows/sysmon/sysmon_file_block_shredding.yml
new file mode 100644
index 000000000..850eb0824
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_file_block_shredding.yml
@@ -0,0 +1,20 @@
+title: Sysmon Blocked File Shredding
+id: c3e5c1b1-45e9-4632-b242-27939c170239
+status: experimental
+description: Triggers on any Sysmon file block shredding event. Which should indicates a violation of the shredding policy set
+references:
+ - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
+author: frack113
+date: 2023/07/20
+tags:
+ - attack.defense_evasion
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 28 # this is fine, we want to match any FileBlockShredding event
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/sysmon/sysmon_file_executable.yml b/rules/windows/sysmon/sysmon_file_executable.yml
new file mode 100644
index 000000000..6e8062620
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_file_executable.yml
@@ -0,0 +1,21 @@
+title: Sysmon File Executable Detected
+id: 693a44e9-7f26-4cb6-b787-214867672d3a
+status: experimental
+description: Triggers on any Sysmon file executable event. Which should indicates a violation of the shredding policy set
+references:
+ - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
+ - https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36
+author: frack113
+date: 2023/07/20
+tags:
+ - attack.defense_evasion
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 29 # this is fine, we want to match any FileBlockShredding event
+ condition: selection
+falsepositives:
+ - Unlikely
+level: medium
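Review bot: The description line of the new sysmon_file_block_shredding.yml is ungrammatical and does not name the event or its ID, which is what an analyst triaging the alert needs first; suggest `description: Triggers on any Sysmon FileBlockShredding event (Event ID 28), which indicates that a file deletion matching the shredding policy in the Sysmon configuration was blocked`. The inline comment on the EventID line, `# this is fine, we want to match any FileBlockShredding event`, reads as a lint-suppression note rather than documentation; `# Event ID 28 = FileBlockShredding; match every occurrence by design` would say the same thing to a future maintainer. Since Event ID 28 is presumably only emitted when the Sysmon configuration contains a FileBlockShredding rule, it would also help to state that prerequisite in the description so an empty result is not mistaken for absence of activity.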
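Review bot: The description and the EventID comment in the new sysmon_file_executable.yml were carried over from the shredding rule and describe the wrong event: per the Olaf Hartong reference cited in the same hunk, Event ID 29 is FileExecutableDetected, not a shredding-policy violation. Suggest `description: Triggers on any Sysmon FileExecutableDetected event (Event ID 29), raised when an executable file matching the Sysmon configuration is written to disk` and `EventID: 29 # Event ID 29 = FileExecutableDetected; match every occurrence by design`. Because this event fires for every executable write the configuration covers, `falsepositives: - Unlikely` is probably understated; naming legitimate software installation and update activity as the expected false-positive source would set better expectations for a medium-level rule. The `attack.defense_evasion` tag also appears inherited from the shredding rule and may not fit a file-creation event, though the intended mapping is not visible here.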