Type: Detection | Level: medium | Status: test

AppLocker Prevented Application or Script from Running

Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.

Author: Pushkarev Dmitry
Created: Sun Jun 28
Updated: Wed Dec 03
Rule ID: 401e5d00-b944-11ea-8f9a-00163ecd60ae

Log Source
Product: windows
Service: applocker
Detection Logic
detection:
    selection:
        EventID:
            - 8004 # EXE and DLL
            - 8007 # MSI and Script
            - 8022 # Packaged app execution
            - 8025 # Packaged app deployment
    condition: selection
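As an added example (not the rule's own code and not the SigmaHQ or pySigma toolchain), here is the selection above evaluated against a handful of constructed AppLocker event records; the flattened field names (product, service, PolicyName, FilePath) and every event value are assumptions made for the demonstration.

```python
# Added example: a minimal evaluator for the Sigma selection above, applied
# to constructed AppLocker event records (not SigmaHQ or pySigma code).

# The rule's logsource and detection block, transcribed from the page.
RULE = {
    "logsource": {"product": "windows", "service": "applocker"},
    "selection": {"EventID": [8004, 8007, 8022, 8025]},
}


def selection_matches(selection: dict, event: dict) -> bool:
    """Sigma selection semantics: every field must match (AND); a list of
    values for one field matches if any value equals the event's value (OR).
    Values are compared as strings so numeric and text EventIDs both work."""
    for field, expected in selection.items():
        wanted = expected if isinstance(expected, list) else [expected]
        actual = event.get(field)
        if actual is None or str(actual) not in {str(v) for v in wanted}:
            return False
    return True


def rule_matches(rule: dict, event: dict) -> bool:
    """The rule fires only for events from the declared log source."""
    src = rule["logsource"]
    in_scope = (event.get("product") == src["product"]
                and event.get("service") == src["service"])
    return in_scope and selection_matches(rule["selection"], event)


# Constructed events in flattened form; PolicyName/FilePath mimic the
# fields AppLocker writes, but every value here is made up.
SAMPLE_EVENTS = [
    {"product": "windows", "service": "applocker", "EventID": 8004,
     "PolicyName": "EXE", "FilePath": r"%OSDRIVE%\USERS\ALICE\DOWNLOADS\TOOL.EXE"},  # blocked EXE: alert
    {"product": "windows", "service": "applocker", "EventID": 8002,
     "PolicyName": "EXE", "FilePath": r"%WINDIR%\SYSTEM32\NOTEPAD.EXE"},               # allowed EXE: no alert
    {"product": "windows", "service": "applocker", "EventID": 8003,
     "PolicyName": "EXE", "FilePath": r"%OSDRIVE%\TEMP\X.EXE"},                         # audit-only: no alert
    {"product": "windows", "service": "applocker", "EventID": "8007",
     "PolicyName": "SCRIPT", "FilePath": r"%OSDRIVE%\USERS\ALICE\RUN.PS1"},           # blocked script: alert
    {"product": "windows", "service": "security", "EventID": 8004},                       # other channel: ignored
]


def find_alerts(events: list) -> list:
    """Return the events this rule would raise an alert for."""
    return [e for e in events if rule_matches(RULE, e)]


if __name__ == "__main__":
    for e in find_alerts(SAMPLE_EVENTS):
        print(e["EventID"], e.get("PolicyName"), e.get("FilePath"))
```

The 8002 and 8003 records show why false positives are rare: allowed and audit-mode events carry different IDs and never match this selection.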
False Positives

Unlikely, since these events are only written when AppLocker blocks an execution. Tune your AppLocker rules so that legitimate applications are not blocked.

Rule Metadata
Rule ID
401e5d00-b944-11ea-8f9a-00163ecd60ae
Status
test
Level
medium
Type
Detection
Created
Sun Jun 28
Modified
Wed Dec 03
Path
rules/windows/builtin/applocker/win_applocker_application_was_prevented_from_running.yml
Raw Tags
attack.execution, attack.t1204.002, attack.t1059.001, attack.t1059.003, attack.t1059.005, attack.t1059.006, attack.t1059.007