Techniques
Sample rules
Windows AppLocker Rare Application Launch Detection
- source: splunk
- technicques:
- T1218
Description
This analytic is designed to detect the launch of applications that occur rarely within the environment, which could indicate the use of potentially malicious software or tools by attackers. It works by aggregating the count of application launches over time, then calculating the average and standard deviation of these counts. Applications whose launch counts significantly deviate from the norm, either by exceeding or falling below three standard deviations from the average, are flagged for further investigation. This approach helps in identifying unusual application activity that could be indicative of a security threat.
Detection logic
`applocker`
| spath input=UserData_Xml
| rename RuleAndFileData.* as *, Computer as dest, TargetUser AS user
| stats dc(_time) as days, count by FullFilePath dest user
| eventstats avg(count) as avg, stdev(count) as stdev
| eval upperBound=(avg+stdev*3), lowerBound=(avg-stdev*3)
| where count > upperBound OR count < lowerBound
| `windows_applocker_rare_application_launch_detection_filter`