Sysmon is a free tool from Microsoft Sysinternals that provides granular, detailed logging of process and file activity on Windows and, with Sysmon for Linux, on Linux as well. It has given users and organizations of all sizes more visibility into their networks. Sysmon has now added the ability to block the creation of executables, with the files to block defined in various ways, such as by hash, file path, or parent process. This new capability further enables organizations to be proactive about security.
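As an added illustration (not configuration from the original article or from the sysmon-config repositories), the fragment below shows the three styles of FileBlockExecutable rule the text describes: block by path, block by writing process combined with a path, and block by hash. It assumes Sysmon 14.0 (schema version 4.82), and the SHA256 value is an obvious placeholder to be replaced with a real hash; a blocked write is recorded as Sysmon Event ID 27, which is the signal to alert on.

```xml
<!-- Added example, not from the original page; assumes Sysmon 14.0 / schema 4.82 -->
<Sysmon schemaversion="4.82">
  <!-- Hashes recorded in events and used for hash-based matching -->
  <HashAlgorithms>SHA256</HashAlgorithms>
  <EventFiltering>
    <!-- groupRelation="or": any rule in this group triggers a block -->
    <RuleGroup name="BlockExecutableWrites" groupRelation="or">
      <FileBlockExecutable onmatch="include">

        <!-- 1. By file path: no executables written under Downloads -->
        <TargetFilename condition="contains">\Downloads\</TargetFilename>

        <!-- 2. By writing (parent) process AND path: an Office
             application has no business dropping executables
             into a user profile. Both conditions must hold. -->
        <Rule groupRelation="and" name="OfficeDropsExe">
          <Image condition="image">winword.exe</Image>
          <TargetFilename condition="begin with">C:\Users\</TargetFilename>
        </Rule>

        <!-- 3. By hash: a known-bad file, wherever it is written.
             PLACEHOLDER hash; replace with a real SHA256 value. -->
        <Hashes condition="contains">SHA256=0000000000000000000000000000000000000000000000000000000000000000</Hashes>

      </FileBlockExecutable>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Load the file with `sysmon64.exe -c blockconfig.xml` and confirm the rules took effect by reviewing the Sysmon operational log for Event ID 27 entries; because the feature only inspects file writes, it should be treated as one layer, not a replacement for application control.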
There are high-quality community-sourced configurations for Sysmon to assist with implementation. Security researcher @SwiftOnSecurity maintains a GitHub repository named sysmon-config that provides solid default configurations that can be tuned to meet users' needs: https://github.com/SwiftOnSecurity/sysmon-config
In addition, security researcher Florian Roth maintains a fork of that repository, which fixes issues in the original sysmon-config repository and extends the configuration files to support newer Sysmon features and updates: https://github.com/Neo23x0/sysmon-config
The official Sysmon documentation is not comprehensive, but is still recommended reading: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
The addition of the blocking feature is a victory for security and system administration teams of any size, helping them better defend their networks as a supplement to other defense-in-depth security controls and solutions. However, just like any single layer of a Defense in Depth (DiD) strategy, the feature can be evaded when relied on in isolation. Adam Chester, a TrustedSec security researcher, has demonstrated a method of bypassing this new Sysmon feature in a pair of tweets: https://twitter.com/_xpn_/status/1559647342441254922
Another great resource for Sysmon information is Olaf Hartong, a security researcher who has a number of blog posts diving into Sysmon usage and functionality: https://medium.com/@olafhartong