SPL, Apache-2.0, from splunk/security_content

Windows AppLocker Block Events

The following analytic detects attempts to bypass application restrictions by identifying Windows AppLocker policy violations. It leverages Windows AppLocker event logs, specifically EventCodes 8007, 8004, 8022, 8025, 8029, and 8040, to pinpoint blocked actions. This activity is significant for a SOC as it highlights potential unauthorized application executions, which could indicate malicious intent or policy circumvention. If confirmed malicious, this activity could allow an attacker to execute unauthorized applications, potentially leading to further system compromise or data exfiltration.

Rule source: detections/endpoint/windows_applocker_block_events.yml
`applocker` EventCode IN (8007, 8004, 8022, 8025, 8029, 8040)
  | spath input=UserData_Xml
  | rename RuleAndFileData.* as *, TargetUser as user, Computer as dest
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest, PolicyName, RuleId,
       user, TargetProcessId, FilePath,
       FullFilePath, EventCode
  | lookup applockereventcodes EventCode OUTPUT Description
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_applocker_block_events_filter`
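As an added illustration (not code from the security_content project), the Python below runs a few constructed AppLocker events through the same steps the SPL above performs: it flattens the RuleAndFileData fields out of UserData_Xml, drops any event whose EventCode is not in the rule's list, groups by the same fields with first and last seen times, and attaches a description. The description table, the sample events and the rule id are assumptions standing in for the project's `applockereventcodes` lookup and for real Windows event data.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
# EventCodes the rule treats as AppLocker block events.
BLOCK_EVENT_CODES = {8007, 8004, 8022, 8025, 8029, 8040}
# Constructed stand-in for the project's `applockereventcodes` lookup (its contents are not on the page).
EVENT_DESCRIPTIONS = {8004: "EXE or DLL was prevented from running",
                      8007: "Script or MSI was prevented from running"}
FIELDS = ("PolicyName", "RuleId", "TargetUser", "TargetProcessId", "FilePath", "FullFilePath")

def parse_user_data(xml_text):
    """Like `spath input=UserData_Xml`: flatten RuleAndFileData.* into a dict, ignoring the xmlns."""
    data = {}
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.split("}")[-1]  # drop the namespace prefix
        if tag in FIELDS:
            data[tag] = (elem.text or "").strip()
    return data

def summarize_block_events(events):
    """The rule's `stats count min(_time) max(_time) BY dest, PolicyName, RuleId, user, TargetProcessId,
    FilePath, FullFilePath, EventCode` plus the Description lookup. Each event is a dict with _time
    (epoch), Computer, EventCode and UserData_Xml; returns {key_tuple: (count, firstTime, lastTime, desc)}."""
    groups = defaultdict(lambda: [0, float("inf"), float("-inf")])
    for ev in events:
        code = int(ev["EventCode"])
        if code not in BLOCK_EVENT_CODES:  # allow/audit events are not blocks and are dropped
            continue
        d = parse_user_data(ev["UserData_Xml"])
        key = (ev["Computer"], d.get("PolicyName"), d.get("RuleId"), d.get("TargetUser"),
               d.get("TargetProcessId"), d.get("FilePath"), d.get("FullFilePath"), code)
        g = groups[key]
        g[0] += 1
        g[1], g[2] = min(g[1], ev["_time"]), max(g[2], ev["_time"])
    return {k: (c, f, l, EVENT_DESCRIPTIONS.get(k[-1], "AppLocker block event (see lookup)"))
            for k, (c, f, l) in groups.items()}

def _xml(policy, rule_id, user, pid, path, full):  # builds a constructed UserData_Xml payload
    ns = "http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0"
    return (f'<UserData><RuleAndFileData xmlns="{ns}"><PolicyName>{policy}</PolicyName><RuleId>{rule_id}'
            f'</RuleId><TargetUser>{user}</TargetUser><TargetProcessId>{pid}</TargetProcessId><FilePath>'
            f'{path}</FilePath><FullFilePath>{full}</FullFilePath></RuleAndFileData></UserData>')

# Constructed sample events: the same EXE block twice, one script block, one non-block (8002) event.
SID, RULE = "S-1-5-21-0-0-0-1001", "{rule-id-placeholder}"
SAMPLE_EVENTS = [
    {"_time": 100, "Computer": "WS01", "EventCode": 8004, "UserData_Xml": _xml("EXE", RULE, SID, 4120, "%OSDRIVE%\\TEMP\\TOOL.EXE", "C:\\Temp\\tool.exe")},
    {"_time": 200, "Computer": "WS01", "EventCode": 8004, "UserData_Xml": _xml("EXE", RULE, SID, 4120, "%OSDRIVE%\\TEMP\\TOOL.EXE", "C:\\Temp\\tool.exe")},
    {"_time": 150, "Computer": "WS01", "EventCode": 8007, "UserData_Xml": _xml("SCRIPT", RULE, SID, 4200, "%OSDRIVE%\\TEMP\\RUN.PS1", "C:\\Temp\\run.ps1")},
    {"_time": 300, "Computer": "WS01", "EventCode": 8002, "UserData_Xml": _xml("EXE", RULE, SID, 4300, "%WINDIR%\\NOTEPAD.EXE", "C:\\Windows\\notepad.exe")},
]
```

Calling `summarize_block_events(SAMPLE_EVENTS)` yields two rows, the EXE block with count 2 spanning times 100 to 200 and the script block with count 1, while the 8002 event never reaches the output.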