Restricted Software Access By SRP
Detects restricted access to applications by the Software Restriction Policies (SRP) policy
Sigma rule (View on GitHub)
1title: Restricted Software Access By SRP
2id: b4c8da4a-1c12-46b0-8a2b-0a8521d03442
3status: test
4description: Detects restricted access to applications by the Software Restriction Policies (SRP) policy
5references:
6 - https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies
7 - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
8author: frack113
9date: 2023-01-12
10tags:
11 - attack.defense-evasion
12 - attack.t1072
13logsource:
14 product: windows
15 service: application
16detection:
17 selection:
18 Provider_Name: 'Microsoft-Windows-SoftwareRestrictionPolicies'
19 EventID:
20 - 865 # Access to %1 has been restricted by your Administrator by the default software restriction policy level
21 - 866 # Access to %1 has been restricted by your Administrator by location with policy rule %2 placed on path %3.
22 - 867 # Access to %1 has been restricted by your Administrator by software publisher policy.
23 - 868 # Access to %1 has been restricted by your Administrator by policy rule %2.
24 - 882 # Access to %1 has been restricted by your Administrator by policy rule %2.
25 condition: selection
26falsepositives:
27 - Unknown
28level: high
References
Related rules
- Suspicious Csi.exe Usage
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType
- APT PRIVATELOG Image Load Pattern