Techniques
Sample rules
Windows AppLocker Block Events
- source: splunk
- techniques:
- T1218
Description
The following analytic utilizes Windows AppLocker event logs to generate risk based on blocks related to AppLocker policy violations. The analytic is designed to identify attempts to bypass application restrictions.
Detection logic
`applocker` EventCode IN (8007, 8004, 8022, 8025, 8029, 8040)
| spath input=UserData_Xml
| rename RuleAndFileData.* as *, TargetUser as user, Computer as dest
| lookup applockereventcodes EventCode OUTPUT Description
| stats count min(_time) as firstTime max(_time) as lastTime by dest, PolicyName, RuleId, user, TargetProcessId, FilePath, FullFilePath
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_applocker_block_events_filter`
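The search above, re-implemented in Python over raw AppLocker event XML so the filtering and grouping can be checked offline. This is an added example, not Splunk's search, lookup or macro: the event descriptions are abbreviated stand-ins for the `applockereventcodes` lookup, the `RuleAndFileData` XML namespace is assumed to match the real AppLocker channel, the sample events are constructed, and the site-specific `windows_applocker_block_events_filter` macro is not reproduced.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Event IDs the search selects: AppLocker enforce-mode blocks. Audit-mode
# "would have been prevented" events (e.g. 8003, 8006) are deliberately excluded.
BLOCK_EVENT_CODES = {8004, 8007, 8022, 8025, 8029, 8040}

# Abbreviated stand-in for the `applockereventcodes` lookup used by the search.
EVENT_DESCRIPTIONS = {
    8004: "EXE or DLL was prevented from running",
    8007: "Script or MSI was prevented from running",
    8022: "Packaged app was prevented from running",
    8025: "Packaged app installation was prevented",
}

# The stats `by` clause, after RuleAndFileData.* is flattened and
# TargetUser/Computer are renamed to user/dest.
GROUP_FIELDS = ("dest", "PolicyName", "RuleId", "user", "TargetProcessId", "FilePath", "FullFilePath")


def _child(elem, name):
    """First child whose namespace-stripped tag equals `name`
    (System and RuleAndFileData live in different XML namespaces)."""
    for c in elem:
        if c.tag.split("}")[-1] == name:
            return c
    raise KeyError(name)


def parse_applocker_event(xml_text):
    """Flatten one AppLocker event record into the fields the search uses
    (the equivalent of `spath input=UserData_Xml` plus the `rename`)."""
    root = ET.fromstring(xml_text)
    system = _child(root, "System")
    stamp = _child(system, "TimeCreated").get("SystemTime")
    data = _child(_child(root, "UserData"), "RuleAndFileData")
    fields = {c.tag.split("}")[-1]: (c.text or "") for c in data}
    return {
        "EventCode": int(_child(system, "EventID").text),
        "_time": datetime.fromisoformat(stamp.replace("Z", "+00:00")).timestamp(),
        "dest": _child(system, "Computer").text,
        "user": fields.get("TargetUser", ""),
        "PolicyName": fields.get("PolicyName", ""),
        "RuleId": fields.get("RuleId", ""),
        "TargetProcessId": fields.get("TargetProcessId", ""),
        "FilePath": fields.get("FilePath", ""),
        "FullFilePath": fields.get("FullFilePath", ""),
    }


def _ctime(epoch):
    """Equivalent of the `security_content_ctime` macro: epoch -> readable UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def aggregate_block_events(xml_records):
    """Keep only block event codes, then mirror
    `stats count min(_time) as firstTime max(_time) as lastTime by <GROUP_FIELDS>`."""
    rows = {}
    for record in xml_records:
        ev = parse_applocker_event(record)
        if ev["EventCode"] not in BLOCK_EVENT_CODES:
            continue
        key = tuple(ev[f] for f in GROUP_FIELDS)
        row = rows.setdefault(key, {
            "count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"],
            # The search's `by` clause carries neither EventCode nor Description,
            # so stats discards the lookup output; kept here from the group's first event.
            "Description": EVENT_DESCRIPTIONS.get(ev["EventCode"], "AppLocker block event"),
        })
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    results = []
    for key, row in rows.items():
        out = dict(zip(GROUP_FIELDS, key))
        out.update(row)
        out["firstTime_ctime"] = _ctime(row["firstTime"])
        out["lastTime_ctime"] = _ctime(row["lastTime"])
        results.append(out)
    return results


def _make_event(event_id, computer, when, user, pid, policy, file_path, full_path):
    """Constructed AppLocker event XML in the shape of the real channel (sample data only)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-AppLocker"/>'
        f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{when}"/>'
        f'<Computer>{computer}</Computer></System>'
        '<UserData><RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">'
        f'<PolicyName>{policy}</PolicyName><RuleId>{{constructed-rule-guid}}</RuleId>'
        f'<TargetUser>{user}</TargetUser><TargetProcessId>{pid}</TargetProcessId>'
        f'<FilePath>{file_path}</FilePath><FullFilePath>{full_path}</FullFilePath>'
        '</RuleAndFileData></UserData></Event>'
    )


# Constructed sample events: two EXE blocks for the same user/process/file, one
# script block on another host, and one audit-only 8003 that must be ignored.
SAMPLE_EVENTS = [
    _make_event(8004, "WS01.corp.example", "2024-05-01T10:00:00Z", "CORP\\alice", 4120, "EXE",
                "%OSDRIVE%\\USERS\\ALICE\\DOWNLOADS\\TOOL.EXE", "C:\\Users\\alice\\Downloads\\tool.exe"),
    _make_event(8004, "WS01.corp.example", "2024-05-01T10:05:00Z", "CORP\\alice", 4120, "EXE",
                "%OSDRIVE%\\USERS\\ALICE\\DOWNLOADS\\TOOL.EXE", "C:\\Users\\alice\\Downloads\\tool.exe"),
    _make_event(8007, "WS02.corp.example", "2024-05-01T11:30:00Z", "CORP\\bob", 7782, "SCRIPT",
                "%OSDRIVE%\\TEMP\\SETUP.PS1", "C:\\Temp\\setup.ps1"),
    _make_event(8003, "WS01.corp.example", "2024-05-01T12:00:00Z", "CORP\\alice", 5010, "EXE",
                "%OSDRIVE%\\USERS\\ALICE\\AUDIT.EXE", "C:\\Users\\alice\\audit.exe"),
]

if __name__ == "__main__":
    for row in aggregate_block_events(SAMPLE_EVENTS):
        print(row)
```

Running the file prints two aggregated rows (the 8003 audit event is dropped). One point worth noticing when tuning the search itself: `stats ... by` lists neither `EventCode` nor the `Description` returned by the lookup, so the lookup's output never reaches the result rows; add `EventCode, Description` to the `by` clause if the risk event should say which kind of block fired.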