splApache-2.0from splunk/security_content
Windows AppLocker Execution from Uncommon Locations
The following analytic identifies the execution of applications or scripts from uncommon or suspicious file paths, potentially indicating malware or unauthorized activity. It leverages Windows AppLocker event logs and uses statistical analysis to detect anomalies. By calculating the average and standard deviation of execution counts per file path, it flags paths with execution counts significantly higher than expected. This behavior is significant as it can uncover malicious activities or policy violations. If confirmed malicious, this activity could allow attackers to execute unauthorized code, leading to potential system compromise or data breaches.
Quality
67
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/windows_applocker_execution_from_uncommon_locations.yml
`applocker`
| spath input=UserData_Xml
| rename RuleAndFileData.* as *, Computer as dest, TargetUser AS user
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest, PolicyName, RuleId,
user, TargetProcessId, FilePath,
FullFilePath
| eventstats avg(count) as avg, stdev(count) as stdev
| eval upperBound=(avg+stdev*2), anomaly=if(count > upperBound, "Yes", "No")
| where anomaly="Yes"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_applocker_execution_from_uncommon_locations_filter`