File Was Not Allowed To Run

Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.

Sigma rule (View on GitHub)

 1title: File Was Not Allowed To Run
 2id: 401e5d00-b944-11ea-8f9a-00163ecd60ae
 3status: test
 4description: Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.
 5references:
 6    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker
 7    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker
 8    - https://nxlog.co/documentation/nxlog-user-guide/applocker.html
 9author: Pushkarev Dmitry
10date: 2020/06/28
11modified: 2021/11/27
12tags:
13    - attack.execution
14    - attack.t1204.002
15    - attack.t1059.001
16    - attack.t1059.003
17    - attack.t1059.005
18    - attack.t1059.006
19    - attack.t1059.007
20logsource:
21    product: windows
22    service: applocker
23detection:
24    selection:
25        EventID:
26            - 8004
27            - 8007
28            - 8022
29            - 8025
30    condition: selection
31fields:
32    - PolicyName
33    - RuleId
34    - RuleName
35    - TargetUser
36    - TargetProcessId
37    - FilePath
38    - FileHash
39    - Fqbn
40falsepositives:
41    - Need tuning applocker or add exceptions in SIEM
42level: medium

References

Related rules

to-top