title: Sysmon Blocked Executable
id: 23b71bc5-953e-4971-be4c-c896cda73fc2
status: experimental
description: Triggers on any Sysmon file block executable event. Which should indicates a violation of the block policy set
references:
    - https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/16
modified: 2022/09/12
tags:
    - attack.defense_evasion
logsource:
    product: windows
    category: file_block  # make sure to have an appropriate mapping for this category
detection:
    selection:
        EventID: 27  # this is fine, we want to match any block event
    condition: selection
falsepositives:
    - Unlikely
level: high