SOC Event Lookup
Event ID 27FileP3

Sysmon Event ID 27: FileBlockExecutable

Sysmon Event ID 27 records that Sysmon detected and blocked creation of a PE-format executable file.

Applicable version
Sysmon with this event enabled
Last reviewed
2026-07-13

Trigger Scenarios

Microsoft documents that this event is generated when Sysmon detects and blocks creation of executable files in PE format.

Key Fields

TargetFilename

The attempted executable path. User-writable locations are higher risk than managed installer directories.

Image / ProcessGuid

The process that attempted to create the executable and the join key to Event ID 1.

Hashes

Use hash values, when present, to identify the blocked executable and compare against malware intelligence.

Common False Positives

  • Software installers, developer tools, and Windows updates can legitimately create PE files.
  • Blocking rules must be tuned carefully to avoid interrupting approved update and build workflows.

Related Events

MITRE ATT&CK Mapping

  • T1105Ingress Tool Transfer

Detection Notes

Alert when TargetFilename is a PE file under C:\Users\, C:\ProgramData\, C:\Windows\Temp, or AppData and Image is a browser, archive utility, PowerShell, or script host. Microsoft documents Event 27 as blocked PE-format executable creation; this supports T1105 Ingress Tool Transfer when the attempted file is a transferred tool or payload. Correlate ProcessGuid to Event 1 and look for alternate staging through Event 15 ADS or Event 29 executable detection.

Microsoft Sentinel KQL
Sysmon
| where EventID == 27
| project TimeGenerated, Computer, Image, TargetFilename, Hashes, ProcessGuid
Splunk SPL
index=sysmon EventCode=27 | table _time, host, Image, TargetFilename, Hashes, ProcessGuid
Sample Log
UtcTime: 2026-07-13 03:06:00.000
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\ProgramData\stage.exe
Hashes: SHA256=REDACTED
ProcessGuid: {REDACTED}

Source