Sysmon File Executable Creation Detected

Sigma Rules

Summary
This detection rule monitors and alerts on the creation of Portable Executable (PE) files in Windows environments using Microsoft Sysinternals Sysmon. Specifically, it triggers on Sysmon Event ID 29, the File Executable Detected event. Sysmon is a system monitoring tool that records detailed information about system activity and is useful for detecting many kinds of suspicious behaviour, particularly for threat detection and incident response. The rule captures instances where executables are created, a common tactic attackers use to execute malicious payloads. Because executable files are common in both routine operations and attacks, monitoring their creation is vital for early detection of intrusions, especially in environments where unknown or unauthorized executables are not expected. The rule has been written to minimize false positives, so legitimate activity is unlikely to trigger an alert.
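As an added example (not code from the rule's project), the logic this rule expresses run over two constructed Sysmon events in EVTX XML form: only the Event ID 29 record produces an alert. Field names follow Sysmon's FileExecutableDetected event; the user, paths and hash values are placeholders.

```python
import xml.etree.ElementTree as ET

SYSMON_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FILE_EXECUTABLE_DETECTED = 29  # Sysmon Event ID: FileExecutableDetected

def parse_sysmon_event(xml_text):
    """Flatten one Sysmon event (Windows event XML) into a dict of fields."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.find("e:System/e:EventID", SYSMON_NS).text)}
    for data in root.findall("e:EventData/e:Data", SYSMON_NS):
        event[data.get("Name")] = data.text or ""
    return event

def match_file_executable_detected(event):
    """Rule logic: every Sysmon Event ID 29 is an alert. Return the fields an
    analyst needs for triage (creating process, target path, hashes) or None."""
    if event.get("EventID") != FILE_EXECUTABLE_DETECTED:
        return None
    hashes = dict(h.split("=", 1) for h in event.get("Hashes", "").split(",") if "=" in h)
    return {
        "title": "Sysmon File Executable Creation Detected",
        "user": event.get("User", ""),
        "image": event.get("Image", ""),
        "target": event.get("TargetFilename", ""),
        "hashes": hashes,
    }

def run_detection(xml_events):
    """Return one alert per event that matches the rule."""
    return [a for a in (match_file_executable_detected(parse_sysmon_event(x)) for x in xml_events) if a]

# Constructed sample events (not real telemetry); user, paths and hashes are placeholders.
SAMPLE_EVENTS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>29</EventID><Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>
<EventData><Data Name="User">CORP\\alice</Data>
<Data Name="Image">C:\\Users\\alice\\AppData\\Local\\Temp\\installer.exe</Data>
<Data Name="TargetFilename">C:\\Users\\alice\\AppData\\Local\\Temp\\dropped.exe</Data>
<Data Name="Hashes">SHA256=PLACEHOLDER_SHA256,MD5=PLACEHOLDER_MD5</Data></EventData></Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>11</EventID><Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>
<EventData><Data Name="Image">C:\\Windows\\System32\\notepad.exe</Data>
<Data Name="TargetFilename">C:\\Users\\alice\\notes.txt</Data></EventData></Event>""",
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

The Event ID 11 (FileCreate) record for notes.txt is deliberately included to show that ordinary file writes do not match; only the PE creation reported as Event ID 29 does.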
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Application Log
  • Process
Created: 2023-07-20