File Was Not Allowed To Run
Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.
Sigma rule (View on GitHub)
1title: File Was Not Allowed To Run
2id: 401e5d00-b944-11ea-8f9a-00163ecd60ae
3status: test
4description: Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.
5references:
6 - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker
7 - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker
8 - https://nxlog.co/documentation/nxlog-user-guide/applocker.html
9author: Pushkarev Dmitry
10date: 2020/06/28
11modified: 2021/11/27
12tags:
13 - attack.execution
14 - attack.t1204.002
15 - attack.t1059.001
16 - attack.t1059.003
17 - attack.t1059.005
18 - attack.t1059.006
19 - attack.t1059.007
20logsource:
21 product: windows
22 service: applocker
23detection:
24 selection:
25 EventID:
26 - 8004
27 - 8007
28 - 8022
29 - 8025
30 condition: selection
31fields:
32 - PolicyName
33 - RuleId
34 - RuleName
35 - TargetUser
36 - TargetProcessId
37 - FilePath
38 - FileHash
39 - Fqbn
40falsepositives:
41 - Need tuning applocker or add exceptions in SIEM
42level: medium
References
Related rules
- Scheduled task executing powershell encoded payload from registry
- MITRE BZAR Indicators for Execution
- Possible PrintNightmare Print Driver Install
- Space After Filename
- PCRE.NET Package Temp Files