Techniques
Sample rules
File Was Not Allowed To Run
- source: sigma
- techniques:
- t1059
- t1059.001
- t1059.003
- t1059.005
- t1059.006
- t1059.007
- t1204
- t1204.002
Description
Detects files that AppLocker did not allow to run. AppLocker is a very useful control, especially on servers where unprivileged users have interactive access, for example terminal servers. To receive these events you need to configure AppLocker rules in enforce mode and collect the AppLocker operational event logs: event 8004 is an EXE or DLL that was prevented from running, 8007 a script or MSI, 8022 a packaged app, and 8025 a packaged app installation. In audit-only mode AppLocker instead logs "would have been prevented" events (8003, 8006, 8021, 8024), which this rule does not match.
Detection logic
condition: selection
selection:
EventID:
- 8004
- 8007
- 8022
- 8025
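The selection above is a single field with a list of values, which in Sigma means "EventID equals any of these". As an added example (not part of the page or of the Sigma project), the following evaluates that detection block over a handful of constructed AppLocker events, showing that only enforce-mode block events match and that audit-mode "would have been prevented" events, normal allow events and unrelated event IDs fall through. The event dictionaries, channel names and file paths are made up for illustration; the evaluator's AND-across-fields / OR-within-list semantics are Sigma's, but it only supports a condition that names one selection, as this rule does.

```python
"""Evaluate the 'File Was Not Allowed To Run' selection over constructed AppLocker events."""
from typing import Any, Dict, Iterable, List

# The rule's detection block, transcribed from the page.
RULE_DETECTION: Dict[str, Any] = {
    "selection": {"EventID": [8004, 8007, 8022, 8025]},
    "condition": "selection",
}

# Meaning of each enforce-mode block event in the AppLocker operational channels;
# used only to annotate hits.
BLOCK_EVENT_MEANING = {
    8004: "EXE or DLL was prevented from running",
    8007: "script or MSI was prevented from running",
    8022: "packaged app was prevented from running",
    8025: "packaged app installation was prevented",
}


def field_matches(event_value: Any, rule_value: Any) -> bool:
    """Sigma semantics for one field: a list of values is an OR, a scalar is an exact match.
    Values are compared as strings so an EventID parsed as "8004" from a text log
    matches the integer 8004 in the rule."""
    if isinstance(rule_value, list):
        return any(field_matches(event_value, v) for v in rule_value)
    return str(event_value) == str(rule_value)


def selection_matches(selection: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Every field in a selection must match (AND); a field absent from the event never matches."""
    return all(
        field in event and field_matches(event[field], value)
        for field, value in selection.items()
    )


def evaluate(rule: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Evaluate a rule whose condition is just the name of one selection (e.g. 'selection')."""
    condition = rule["condition"].strip()
    if condition == "condition" or condition not in rule:
        raise ValueError(f"unsupported condition: {condition!r}")
    return selection_matches(rule[condition], event)


def run_rule(rule: Dict[str, Any], events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the matching events, each annotated with a human-readable reason."""
    hits = []
    for ev in events:
        if evaluate(rule, ev):
            reason = BLOCK_EVENT_MEANING.get(int(ev["EventID"]), "blocked by AppLocker")
            hits.append({**ev, "reason": reason})
    return hits


# Constructed sample events (not real logs); field names loosely follow the AppLocker schema.
USER = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_EVENTS = [
    {"EventID": 8002, "Channel": "Microsoft-Windows-AppLocker/EXE and DLL",
     "FilePath": r"%SYSTEM32%\NOTEPAD.EXE", "User": USER},                       # allowed
    {"EventID": 8003, "Channel": "Microsoft-Windows-AppLocker/EXE and DLL",
     "FilePath": r"%OSDRIVE%\USERS\ALICE\DOWNLOADS\UPDATER.EXE", "User": USER},  # audit mode only
    {"EventID": 8004, "Channel": "Microsoft-Windows-AppLocker/EXE and DLL",
     "FilePath": r"%OSDRIVE%\USERS\ALICE\DOWNLOADS\UPDATER.EXE", "User": USER},  # blocked
    {"EventID": 8007, "Channel": "Microsoft-Windows-AppLocker/MSI and Script",
     "FilePath": r"%OSDRIVE%\USERS\ALICE\APPDATA\LOCAL\TEMP\RUN.PS1", "User": USER},
    {"EventID": "8022", "Channel": "Microsoft-Windows-AppLocker/Packaged app-Execution",
     "Package": "Contoso.Tool_1.0.0.0_x64__abc123", "User": USER},               # string ID
    {"EventID": 8025, "Channel": "Microsoft-Windows-AppLocker/Packaged app-Deployment",
     "Package": "Contoso.Tool_1.0.0.0_x64__abc123", "User": USER},
    {"EventID": 4688, "Channel": "Security", "NewProcessName": r"C:\Windows\System32\cmd.exe"},
]


if __name__ == "__main__":
    for hit in run_rule(RULE_DETECTION, SAMPLE_EVENTS):
        print(hit["EventID"], hit["Channel"], hit.get("FilePath", hit.get("Package")), "-", hit["reason"])
```

Running it prints the four block events (8004, 8007, 8022, 8025) and nothing else. Note that the detection block shown on the page filters on EventID alone; event IDs are only unique within a provider, so in a real pipeline the rule's log source (the AppLocker channels) must be applied as well, otherwise an 8004 from an unrelated provider would fire this rule.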