Microsoft, yesterday, released its Sysinternals Suite 2022.08.16. The new release brings with it Sysmon v14.0, AccessEnum v1.34, and Coreinfo v3.53. Find the details here. The newest version of Sysmon adds a new feature that can block processes from creating EXE or similar executable files.
The release notes for Sysmon v14.0 says:
This major update to Sysmon, an advanced host monitoring tool, adds a new event type, FileBlockExecutable that prevents processes from creating executable files in specified locations. It also includes several performance improvements and bug fixes.
Sysmon GitHub repo maintainer Olaf Hartong has explained that such a feature can help to prevent the creation of malicious files or downloading of secondary malicious payloads by malware droppers like those used in Macros, among others. He says:
Sysmon now impedes executables, based on the file header from being written to the filesystem according to the filtering criteria. This can be a very powerful feature into blocking certain programs writing malicious files to disk.
A demonstration using a simple example was also given to show how it works. In this case, Sysmon was used to block downloads:
As you can see in the image below, the downloads for all the PE files failed due to Sysmon blocking them:
You can find more details on Olaf Hartong write-up here.