AppLocker Prevented Application or Script from Running

Detects when AppLocker prevents an application, DLL, script, MSI, or packaged app from running.

Sigma rule

title: AppLocker Prevented Application or Script from Running
id: 401e5d00-b944-11ea-8f9a-00163ecd60ae
status: test
description: |
        Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.
references:
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker
    - https://nxlog.co/documentation/nxlog-user-guide/applocker.html
author: Pushkarev Dmitry
date: 2020-06-28
modified: 2025-12-03
tags:
    - attack.execution
    - attack.t1204.002
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1059.005
    - attack.t1059.006
    - attack.t1059.007
logsource:
    product: windows
    service: applocker
detection:
    selection:
        EventID:
            - 8004 # EXE and DLL
            - 8007 # MSI and Script
            - 8022 # Packaged app execution
            - 8025 # Packaged app deployment
    condition: selection
falsepositives:
    - Unlikely, since this event notifies about blocked application execution. Tune your applocker rules to avoid blocking legitimate applications.
level: medium
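The following is an added example, not code from the Sigma project or from the rule's author. It applies the rule's logic (the four blocked-execution event IDs, restricted to the AppLocker channels that the `service: applocker` logsource maps to) over constructed newline-delimited JSON records in the shape a forwarder such as NXLog or Winlogbeat emits. The field names `EventID`, `Channel`, `FilePath` and `TargetUser` are assumed to follow that forwarder layout; the sample records are constructed for the example. It also separates out the audit-mode counterparts (8003, 8006, 8021, 8024), which the rule deliberately does not match, because a policy that is only auditing never produces the blocked events this rule looks for, and it tallies blocks per path and user so a repeatedly blocked legitimate tool can be found and the AppLocker policy tuned, as the rule's false-positive note advises.

```python
import json
from collections import Counter

# Event IDs listed in the rule's selection, keyed to the AppLocker channel that
# emits them. The channel names are the standard Microsoft-Windows-AppLocker logs.
BLOCKED_EVENT_IDS = {
    8004: "Microsoft-Windows-AppLocker/EXE and DLL",
    8007: "Microsoft-Windows-AppLocker/MSI and Script",
    8022: "Microsoft-Windows-AppLocker/Packaged app-Execution",
    8025: "Microsoft-Windows-AppLocker/Packaged app-Deployment",
}

# Audit-mode counterparts ("would have been blocked if enforced"). They are not
# part of the rule: a policy that only audits yields no alerts from it.
AUDIT_ONLY_EVENT_IDS = {8003, 8006, 8021, 8024}

APPLOCKER_CHANNEL_PREFIX = "Microsoft-Windows-AppLocker/"

# Constructed sample records (one JSON object per line), not real telemetry.
# Field names assume a forwarder layout such as NXLog/Winlogbeat.
SAMPLE_LOG = r"""
{"EventID": 8002, "Channel": "Microsoft-Windows-AppLocker/EXE and DLL", "FilePath": "%PROGRAMFILES%\\GIT\\BIN\\GIT.EXE", "TargetUser": "CORP\\alice"}
{"EventID": 8004, "Channel": "Microsoft-Windows-AppLocker/EXE and DLL", "FilePath": "%OSDRIVE%\\USERS\\ALICE\\DOWNLOADS\\TOOL.EXE", "TargetUser": "CORP\\alice"}
{"EventID": 8003, "Channel": "Microsoft-Windows-AppLocker/EXE and DLL", "FilePath": "%OSDRIVE%\\TEMP\\SETUP.EXE", "TargetUser": "CORP\\bob"}
{"EventID": 8007, "Channel": "Microsoft-Windows-AppLocker/MSI and Script", "FilePath": "%OSDRIVE%\\USERS\\BOB\\DESKTOP\\RUN.PS1", "TargetUser": "CORP\\bob"}
{"EventID": 8022, "Channel": "Microsoft-Windows-AppLocker/Packaged app-Execution", "FilePath": "CONTOSO.SAMPLEAPP_1.0.0.0_X64__8WEKYB3D8BBWE", "TargetUser": "CORP\\alice"}
{"EventID": 8004, "Channel": "Application", "FilePath": "", "TargetUser": ""}
"""


def parse_events(log_text: str) -> list:
    """Parse newline-delimited JSON records, skipping blank or malformed lines."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a damaged line should not abort the whole batch
    return events


def is_applocker_event(event: dict) -> bool:
    """The rule's logsource: only events from an AppLocker channel qualify."""
    return str(event.get("Channel", "")).startswith(APPLOCKER_CHANNEL_PREFIX)


def matches_rule(event: dict) -> bool:
    """The rule's 'selection' (EventID in the blocked set) combined with its logsource."""
    return is_applocker_event(event) and event.get("EventID") in BLOCKED_EVENT_IDS


def run_detection(log_text: str) -> list:
    """Return the events the rule would alert on, in log order."""
    return [e for e in parse_events(log_text) if matches_rule(e)]


def audit_mode_hits(log_text: str) -> list:
    """Events that show a block only in audit mode. Useful when validating a
    policy before enforcement, but invisible to the rule as written."""
    return [e for e in parse_events(log_text)
            if is_applocker_event(e) and e.get("EventID") in AUDIT_ONLY_EVENT_IDS]


def tuning_summary(log_text: str) -> Counter:
    """Count blocked executions per (FilePath, TargetUser). A legitimate tool
    blocked again and again surfaces here as a candidate for a policy fix."""
    return Counter((e.get("FilePath", ""), e.get("TargetUser", ""))
                   for e in run_detection(log_text))


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_LOG):
        print(f"ALERT EventID={hit['EventID']} [{hit['Channel']}] "
              f"{hit['FilePath']} user={hit['TargetUser']}")
    for (path, user), count in tuning_summary(SAMPLE_LOG).most_common():
        print(f"{count}x blocked: {path} for {user}")
    if audit_mode_hits(SAMPLE_LOG):
        print("note: audit-only events present; the rule does not fire on these")
```

Running the block alerts on three of the six constructed records (8004, 8007 and 8022 from AppLocker channels); the allowed 8002, the audit-only 8003 and the 8004 from a non-AppLocker channel are ignored, which is the behaviour the rule's selection and logsource describe.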
