LoFP / unlikely, since this event notifies about blocked application execution. tune your applocker rules to avoid blocking legitimate applications.

Techniques

• t1059
• t1059.001
• t1059.003
• t1059.005
• t1059.006
• t1059.007
• t1204
• t1204.002

Sample rules

AppLocker Prevented Application or Script from Running

• source: sigma
• technicques:
  • t1059
  • t1059.001
  • t1059.003
  • t1059.005
  • t1059.006
  • t1059.007
  • t1204
  • t1204.002

Description

Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.

Detection logic

condition: selection
selection:
  EventID:
  - 8004
  - 8007
  - 8022
  - 8025