LoFP

False positives are possible if legitimate users are launching applications that are not permitted by AppLocker. It is recommended to investigate the context of the application launch to determine whether it is malicious or not. Modify the threshold as needed to reduce false positives.

Techniques

Sample rules

Windows AppLocker Rare Application Launch Detection

Description

This analytic is designed to detect the launch of applications that occur rarely within the environment, which could indicate the use of potentially malicious software or tools by attackers. It works by aggregating the count of application launches over time, then calculating the average and standard deviation of these counts. Applications whose launch counts significantly deviate from the norm, either by exceeding or falling below three standard deviations from the average, are flagged for further investigation. This approach helps in identifying unusual application activity that could be indicative of a security threat.

Detection logic

`applocker` 
| spath input=UserData_Xml 
| rename RuleAndFileData.* as *, Computer as dest, TargetUser AS user 
| stats dc(_time) as days, count by FullFilePath dest user 
| eventstats avg(count) as avg, stdev(count) as stdev 
| eval upperBound=(avg+stdev*3), lowerBound=(avg-stdev*3) 
| where count > upperBound OR count < lowerBound 
| `windows_applocker_rare_application_launch_detection_filter`
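Added here as an illustration of the description above, not code from the LoFP page or the Splunk rule: the stats / eventstats / where steps re-implemented in Python over constructed AppLocker-style events, with the three-standard-deviation multiplier exposed as a parameter because the page advises adjusting the threshold. All paths, hostnames, user names and timestamps are invented.

```python
# Added example (not from the LoFP page or the Splunk rule): the rule's
# stats -> eventstats -> where logic re-implemented over constructed events.
from collections import defaultdict
from statistics import mean, stdev


def build_sample_events():
    """Constructed events, already renamed as the rule does (FullFilePath, dest, user).
    20 baseline groups launched 3x a day for 10 days, plus one group seen once.
    _time is day-truncated so that dc(_time) behaves like a day count; in real
    Splunk data dc(_time) counts distinct timestamps unless _time is bucketed."""
    events = []
    for i in range(20):
        path, dest, user = r"C:\Program Files\Corp\app%02d.exe" % i, "ws%02d" % i, "user%02d" % i
        for day in range(1, 11):
            for _run in range(3):
                events.append({"_time": "2024-01-%02d" % day,
                               "FullFilePath": path, "dest": dest, "user": user})
    events.append({"_time": "2024-01-07",
                   "FullFilePath": r"C:\Users\user17\Downloads\tool.exe",
                   "dest": "ws17", "user": "user17"})
    return events


def aggregate(events):
    """stats dc(_time) as days, count by FullFilePath dest user"""
    groups = defaultdict(lambda: {"times": set(), "count": 0})
    for ev in events:
        g = groups[(ev["FullFilePath"], ev["dest"], ev["user"])]
        g["times"].add(ev["_time"])
        g["count"] += 1
    return {k: {"days": len(v["times"]), "count": v["count"]} for k, v in groups.items()}


def rare_launches(events, sigmas=3.0):
    """eventstats avg/stdev over all groups, then keep counts outside avg +/- sigmas*stdev.
    Splunk's stdev is the sample standard deviation, as is statistics.stdev."""
    rows = aggregate(events)
    counts = [r["count"] for r in rows.values()]
    if len(counts) < 2:
        return {}  # stdev is undefined for a single group; nothing can be flagged
    avg, sd = mean(counts), stdev(counts)
    upper, lower = avg + sigmas * sd, avg - sigmas * sd
    # Launch counts are >= 1, so the lower bound only fires when the baseline is
    # tight enough that avg - sigmas*stdev stays above the rare group's count.
    return {k: dict(r, upper=upper, lower=lower)
            for k, r in rows.items() if r["count"] > upper or r["count"] < lower}


if __name__ == "__main__":
    for key, row in rare_launches(build_sample_events()).items():
        print(key, row)
```

Raising `sigmas` widens the band and can push the lower bound below 1, at which point a one-off launch is no longer flagged; that is the trade-off the page's threshold advice refers to.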