SOC Event Lookup
Event ID 29FileP2

Sysmon Event ID 29: FileExecutableDetected

Sysmon Event ID 29 records creation of a new executable file.

Applicable version
Sysmon with this event enabled
Last reviewed
2026-07-13

Trigger Scenarios

Sysmon emits this event when it detects creation of a new PE-format executable file. Microsoft documents Event ID 29 as FileExecutableDetected.

Key Fields

TargetFilename

The newly detected executable file. PE files under C:\\Users\\, C:\\ProgramData\\, C:\\Windows\\Temp, or AppData are higher-risk staging locations than managed install paths.

Image / ProcessGuid

Identifies the process that created the executable and provides a stable join key to Sysmon Event ID 1 for command-line and parent-process context.

Hashes / Signature

Use configured hash and signature fields, when present, to triage whether the executable is known-good, unsigned, or newly observed.

Common False Positives

  • Approved administration, management agents, and deployment tools can generate this telemetry.
  • Baseline expected hosts, signed binaries, and change windows before suppression.

Related Events

MITRE ATT&CK Mapping

  • T1105Ingress Tool Transfer

Detection Notes

Alert when TargetFilename is a PE executable under C:\\Users\\, C:\\ProgramData\\, C:\\Windows\\Temp, or AppData and the creating Image is a browser, script interpreter, archive utility, or remote-management process. Microsoft documents Event 29 as creation of a new PE-format executable file; MITRE T1105 covers adversaries transferring tools or files into a compromised environment. Correlate ProcessGuid to Event 1, inspect hashes/signature if available, and look for immediate Sysmon Event 1 execution or Event 3 network activity from the new file.

Microsoft Sentinel KQL
Sysmon
| where EventID == 29
| project TimeGenerated, Computer, Image, ProcessGuid
Splunk SPL
index=sysmon EventCode=29 | table _time, host, Image, ProcessGuid
Sample Log
UtcTime: 2026-07-13 01:00:00.000
TargetFilename: C:\\ProgramData\\stage.exe
Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
ProcessGuid: {REDACTED}
Hashes: SHA256=REDACTED

Source