Threat Watch

Sysmon v14.0 Update Allows Blocking of Malicious Executable Files

Sysmon is a free tool from Microsoft Sysinternals that provides granular, detailed logging of process and file activity on both Windows and Linux. It has given users and businesses of all sizes far more visibility into their networks. Sysmon 14.0 adds the ability to block the creation of executables matched in several ways, such as by hash, file path, or parent process. This new capability lets organizations be proactive rather than purely observational about security.
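As an added illustration (not taken from the page or from either community configuration mentioned below), here is a minimal Sysmon 14.0 configuration fragment that uses the new `FileBlockExecutable` filter. The process names, paths, and the hash value are assumptions chosen for the example; the hash in particular is a placeholder to be replaced with a real value before use.

```xml
<!-- Added example: a minimal Sysmon 14.0 (schema 4.82) config using FileBlockExecutable.
     A match generates Event ID 27 and prevents the executable from being written. -->
<Sysmon schemaversion="4.82">
  <!-- SHA256 must be among the computed hashes for the Hashes rule below to match. -->
  <HashAlgorithms>sha256</HashAlgorithms>

  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <FileBlockExecutable onmatch="include">

        <!-- Rule 1 (assumed policy): block executables dropped into the user profile
             by Office applications. Image is the process creating the file, which the
             item above refers to as the parent process. Both conditions must hold. -->
        <Rule name="block_office_dropped_exe" groupRelation="and">
          <Image condition="end with">winword.exe</Image>
          <TargetFilename condition="begin with">C:\Users\</TargetFilename>
        </Rule>

        <!-- Rule 2 (assumed policy): block any executable written under a world-writable
             location commonly used as a staging directory. -->
        <Rule name="block_exe_in_public_temp" groupRelation="or">
          <TargetFilename condition="begin with">C:\Users\Public\</TargetFilename>
          <TargetFilename condition="begin with">C:\Windows\Temp\</TargetFilename>
        </Rule>

        <!-- Rule 3: block a specific known-bad binary by SHA256. The value below is a
             placeholder, not a real indicator; substitute a hash from your own intel. -->
        <Rule name="block_known_bad_hash" groupRelation="or">
          <Hashes condition="contains">SHA256=PLACEHOLDER_REPLACE_WITH_REAL_SHA256</Hashes>
        </Rule>

      </FileBlockExecutable>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Apply it with `sysmon64.exe -c block.xml` on a host already running Sysmon 14.0, then confirm that Event ID 27 entries appear in the Microsoft-Windows-Sysmon/Operational log when a matching write is attempted. Only files with an executable (PE) header are blocked, so scripts and other non-PE payloads are not covered by this filter.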

There are high-quality community-sourced configurations for Sysmon to assist with implementation. Security researcher @SwiftOnSecurity maintains a GitHub repository named sysmon-config that provides solid default configurations which can be tuned to meet users' needs:

In addition, security researcher Florian Roth maintains a fork of that repository which fixes issues in the original sysmon-config repository and extends the configuration files with support for new extensions and newer Sysmon releases:

The official Sysmon documentation is not comprehensive, but is still recommended reading:

The blocking feature gives security and system administration teams of any size another way to defend their networks, as a supplement to other defense-in-depth security controls and solutions. Like any single layer of a Defense in Depth (DiD) strategy, however, it can be evaded when relied on in isolation. Adam Chester, a TrustedSec security researcher, has demonstrated a bypass of this new Sysmon feature in a pair of Tweets:

Another great resource for Sysmon information is Olaf Hartong, a security researcher who has written a number of blog posts on Sysmon usage and functionality: