{
  "id": "29",
  "source": "sysmon",
  "category": "File",
  "name": "FileExecutableDetected",
  "priority": "P2",
  "applicable_version": "Sysmon with this event enabled",
  "last_reviewed": "2026-07-13",
  "definition": "Sysmon Event ID 29 records creation of a new executable file.",
  "trigger_scenarios": "Sysmon emits this event when it detects creation of a new PE-format executable file. Microsoft documents Event ID 29 as FileExecutableDetected.",
  "key_fields": [
    {
      "field": "TargetFilename",
      "explanation": "The newly detected executable file. PE files under C:\\\\Users\\\\, C:\\\\ProgramData\\\\, C:\\\\Windows\\\\Temp, or AppData are higher-risk staging locations than managed install paths."
    },
    {
      "field": "Image / ProcessGuid",
      "explanation": "Identifies the process that created the executable and provides a stable join key to Sysmon Event ID 1 for command-line and parent-process context."
    },
    {
      "field": "Hashes / Signature",
      "explanation": "Use configured hash and signature fields, when present, to triage whether the executable is known-good, unsigned, or newly observed."
    }
  ],
  "false_positives": [
    "Approved administration, management agents, and deployment tools can generate this telemetry.",
    "Baseline expected hosts, signed binaries, and change windows before suppression."
  ],
  "related_event_ids": [
    "1"
  ],
  "attck_mapping": [
    {
      "technique_id": "T1105",
      "technique_name": "Ingress Tool Transfer"
    }
  ],
  "detection_notes": "Alert when TargetFilename is a PE executable under C:\\\\Users\\\\, C:\\\\ProgramData\\\\, C:\\\\Windows\\\\Temp, or AppData and the creating Image is a browser, script interpreter, archive utility, or remote-management process. Microsoft documents Event 29 as creation of a new PE-format executable file; MITRE T1105 covers adversaries transferring tools or files into a compromised environment. Correlate ProcessGuid to Event 1, inspect hashes/signature if available, and look for immediate Sysmon Event 1 execution or Event 3 network activity from the new file.",
  "kql_snippet": "Sysmon\n| where EventID == 29\n| project TimeGenerated, Computer, Image, ProcessGuid",
  "spl_snippet": "index=sysmon EventCode=29 | table _time, host, Image, ProcessGuid",
  "sample_log": "UtcTime: 2026-07-13 01:00:00.000\nTargetFilename: C:\\\\ProgramData\\\\stage.exe\nImage: C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\nProcessGuid: {REDACTED}\nHashes: SHA256=REDACTED",
  "source_url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon",
  "route": "/sysmon-events/29/",
  "canonical_url": "https://soceventlookup.com/sysmon-events/29/",
  "json_url": "/api/events/sysmon/29.json"
}
