
AppLocker Prevented Application or Script from Running

Rule format: Sigma
Severity: medium
Author: Pushkarev Dmitry
Source: upstream

Detects when AppLocker, running in enforcement mode, prevents an Application, DLL, Script, MSI, or Packaged App from running. The rule selects the four AppLocker "was prevented from running" block events listed under Event coverage below.

MITRE ATT&CK coverage

Tactic: Execution
Techniques:
- T1059.001 Command and Scripting Interpreter: PowerShell
- T1059.003 Command and Scripting Interpreter: Windows Command Shell
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059.006 Command and Scripting Interpreter: Python
- T1059.007 Command and Scripting Interpreter: JavaScript
- T1204.002 User Execution: Malicious File

Event coverage

Provider  | Event ID | Title
AppLocker | 8004     | FilePathBuffer was prevented from running.
AppLocker | 8007     | FilePathBuffer was prevented from running.
AppLocker | 8022     | PackageBuffer was prevented from running.
AppLocker | 8025     | PackageBuffer was prevented from running.

Event 8004 is written to the "Microsoft-Windows-AppLocker/EXE and DLL" channel, 8007 to "MSI and Script", 8022 to "Packaged app-Execution" and 8025 to "Packaged app-Deployment"; all four channels must be collected for the rule to see every block. When AppLocker is in audit-only mode it writes the corresponding audit events (8003, 8006, 8021, 8024, "would have been prevented") instead, which this rule does not select.
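The selection this rule applies is small enough to replay by hand. The following is an added example, not code from the rule's author or the Sigma project: it parses a handful of constructed AppLocker event XML records (written in the shape Windows emits, a System block plus UserData/RuleAndFileData, but not captured from a real host) and keeps only the events the rule would match. The field names FilePath and TargetUser follow the EXE/DLL event schema; the Package field name used for the packaged-app samples and the SID, host name and paths are assumptions of the example.

```python
"""Added example: replay the rule's selection over constructed AppLocker events.

The sample events below are hand-written in the shape Windows writes to the
AppLocker channels (System block plus UserData/RuleAndFileData); they are not
captured from a real host, and the Package field name used for the packaged-app
events is an assumption.
"""
import xml.etree.ElementTree as ET

PROVIDER = "Microsoft-Windows-AppLocker"
# The four "was prevented from running" event IDs the rule selects:
# 8004 EXE/DLL, 8007 MSI/script, 8022 packaged app execution,
# 8025 packaged app installation.
BLOCKED_IDS = {8004, 8007, 8022, 8025}
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
USER = "S-1-5-21-1000-2000-3000-1105"  # constructed SID


def build_event(event_id, channel, **fields):
    """Return one constructed <Event> XML string (test data, not a real record)."""
    data = "".join(f"<{k}>{v}</{k}>" for k, v in fields.items())
    return (
        f'<Event xmlns="{NS["e"]}"><System>'
        f'<Provider Name="{PROVIDER}"/><EventID>{event_id}</EventID>'
        f"<Channel>{channel}</Channel><Computer>ws01.example.local</Computer>"
        f"</System><UserData><RuleAndFileData>{data}</RuleAndFileData>"
        f"</UserData></Event>"
    )


SAMPLE_EVENTS = [
    # Allowed run: no hit expected.
    build_event(8002, "Microsoft-Windows-AppLocker/EXE and DLL", PolicyName="EXE",
                TargetUser=USER, FilePath=r"%WINDIR%\SYSTEM32\NOTEPAD.EXE"),
    # Audit-only verdict ("would have been prevented"): not selected by the rule.
    build_event(8003, "Microsoft-Windows-AppLocker/EXE and DLL", PolicyName="EXE",
                TargetUser=USER, FilePath=r"%OSDRIVE%\USERS\ALICE\DOWNLOADS\SETUP.EXE"),
    # Blocked executable launched from a user profile.
    build_event(8004, "Microsoft-Windows-AppLocker/EXE and DLL", PolicyName="EXE",
                TargetUser=USER, FilePath=r"%OSDRIVE%\USERS\ALICE\DOWNLOADS\TOOL.EXE"),
    # Blocked script.
    build_event(8007, "Microsoft-Windows-AppLocker/MSI and Script", PolicyName="SCRIPT",
                TargetUser=USER, FilePath=r"%OSDRIVE%\USERS\ALICE\APPDATA\LOCAL\TEMP\UPDATE.PS1"),
    # Blocked packaged app execution and deployment (Package field name assumed).
    build_event(8022, "Microsoft-Windows-AppLocker/Packaged app-Execution", PolicyName="APPX",
                TargetUser=USER, Package="Contoso.Tool_1.0.0.0_x64__8wekyb3d8bbwe"),
    build_event(8025, "Microsoft-Windows-AppLocker/Packaged app-Deployment", PolicyName="APPX",
                TargetUser=USER, Package="Contoso.Tool_1.0.0.0_x64__8wekyb3d8bbwe"),
]


def parse_event(xml_text):
    """Flatten one event into a dict: System fields plus every UserData child."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    rec = {
        "Provider": system.find("e:Provider", NS).get("Name"),
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Channel": system.findtext("e:Channel", namespaces=NS),
        "Computer": system.findtext("e:Computer", namespaces=NS),
    }
    user_data = root.find("e:UserData", NS)
    if user_data is not None and len(user_data):
        # Strip the XML namespace so real and constructed events look alike.
        for child in user_data[0]:
            rec[child.tag.split("}")[-1]] = child.text
    return rec


def matches_rule(rec):
    """The rule's only selection: AppLocker provider and a block event ID."""
    return rec["Provider"] == PROVIDER and rec["EventID"] in BLOCKED_IDS


def detect(xml_events):
    """Return one alert record per event the rule selects."""
    hits = []
    for xml_text in xml_events:
        rec = parse_event(xml_text)
        if matches_rule(rec):
            hits.append({
                "EventID": rec["EventID"],
                "Channel": rec["Channel"],
                "Computer": rec["Computer"],
                "TargetUser": rec.get("TargetUser"),
                # EXE/DLL/MSI/script events carry FilePath; the packaged-app
                # field name (Package) is an assumption of this example.
                "Blocked": rec.get("FilePath") or rec.get("Package"),
            })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f'{hit["EventID"]} {hit["TargetUser"]} {hit["Blocked"]}')
```

Run as a script it prints the four blocked events and drops the 8002 allow and the 8003 audit verdict, which is the practical caveat for this rule: a host whose AppLocker policy is still in audit-only mode never produces 8004/8007/8022/8025, so the rule stays silent there even while the policy is being tested.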

Stages and Predicates

Stage 1: selection