AppLocker Application Would Have Been Blocked

Detects when AppLocker "Audit only" enforcement mode reports that an Application, DLL, Script, MSI, or Packaged-App would have been blocked if AppLocker "Enforce rules" enforcement mode was enabled.

Sigma rule (View on GitHub)

 1title: AppLocker Application Would Have Been Blocked
 2id: 557e3bd3-7f21-495d-8d50-7c8bdfb8041c
 3status: experimental
 4description: |
 5        Detects when AppLocker "Audit only" enforcement mode reports that an Application, DLL, Script, MSI, or Packaged-App would have been blocked if AppLocker "Enforce rules" enforcement mode was enabled.
 6references:
 7    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker
 8    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker
 9    - https://www.splunk.com/en_us/blog/security/deploy-test-monitor-mastering-microsoft-applocker-part-2.html
10    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ee844150(v=ws.11)
11author: heyyanu
12date: 2026-03-26
13tags:
14    - attack.execution
15    - attack.t1204.002
16    - attack.t1059.001
17    - attack.t1059.003
18    - attack.t1059.005
19    - attack.t1059.006
20    - attack.t1059.007
21logsource:
22    product: windows
23    service: applocker
24detection:
25    selection:
26        EventID:
27            - 8003 # EXE and DLL would have been blocked
28            - 8006 # MSI and Script would have been blocked
29            - 8021 # Packaged app execution would have been blocked
30            - 8024 # Packaged app deployment would have been blocked
31    condition: selection
32falsepositives:
33    - Expected during AppLocker policy testing and audit mode deployments
34level: medium

References

Related rules

to-top