Sysmon Event ID 27: FileBlockExecutable
Sysmon Event ID 27 records that Sysmon detected and blocked creation of a PE-format executable file.
- Applicable version
- Sysmon with this event enabled
- Last reviewed
- 2026-07-13
Trigger Scenarios
Microsoft documents that this event is generated when Sysmon detects and blocks creation of executable files in PE format.
Key Fields
TargetFilename
The attempted executable path. User-writable locations are higher risk than managed installer directories.
Image / ProcessGuid
The process that attempted to create the executable and the join key to Event ID 1.
Hashes
Use hash values, when present, to identify the blocked executable and compare against malware intelligence.
Common False Positives
- Software installers, developer tools, and Windows updates can legitimately create PE files.
- Blocking rules must be tuned carefully to avoid interrupting approved update and build workflows.
Related Events
MITRE ATT&CK Mapping
- T1105Ingress Tool Transfer
Detection Notes
Alert when TargetFilename is a PE file under C:\Users\, C:\ProgramData\, C:\Windows\Temp, or AppData and Image is a browser, archive utility, PowerShell, or script host. Microsoft documents Event 27 as blocked PE-format executable creation; this supports T1105 Ingress Tool Transfer when the attempted file is a transferred tool or payload. Correlate ProcessGuid to Event 1 and look for alternate staging through Event 15 ADS or Event 29 executable detection.
Sysmon
| where EventID == 27
| project TimeGenerated, Computer, Image, TargetFilename, Hashes, ProcessGuidindex=sysmon EventCode=27 | table _time, host, Image, TargetFilename, Hashes, ProcessGuidUtcTime: 2026-07-13 03:06:00.000
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\ProgramData\stage.exe
Hashes: SHA256=REDACTED
ProcessGuid: {REDACTED}