From 012ed4cd7da63ea38e5081512aa0ecf69f9b034f Mon Sep 17 00:00:00 2001
From: juju4
Date: Sun, 13 Aug 2017 16:20:01 -0400
Subject: [PATCH] Detects execution of executables that can be used to bypass Applocker whitelisting

---
 .../builtin/win_possible_applocker_bypass.yml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/windows/builtin/win_possible_applocker_bypass.yml

diff --git a/rules/windows/builtin/win_possible_applocker_bypass.yml b/rules/windows/builtin/win_possible_applocker_bypass.yml
new file mode 100644
index 000000000..f47c85e7f
--- /dev/null
+++ b/rules/windows/builtin/win_possible_applocker_bypass.yml
@@ -0,0 +1,29 @@
+title: Detects Possible Applocker Bypass
+description: Detects execution of executables that can be used to bypass Applocker whitelisting
+status: experimental
+reference:
+    - https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt
+    - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
+author: juju4
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+        CommandLine:
+            - '*\msdt.exe*'
+            - '*\installutil.exe*'
+            - '*\regsvcs.exe*'
+            - '*\regasm.exe*'
+            - '*\regsvr32.exe*'
+            - '*\msbuild.exe*'
+            - '*\ieexec.exe*'
+            - '*\mshta.exe*'
+            # higher risk of false positives
+#            - '*\cscript.EXE*'
+    condition: selection
+falsepositives:
+    - False positives depend on scripts and administrative tools used in the monitored environment
+level: medium
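Review bot: The selection keys on `CommandLine` with a leading and trailing `*`, so it is a substring match over the whole command line: it fires on any 4688 event whose arguments merely mention one of these paths (an installer or script passing `C:\Windows\System32\regsvr32.exe` as a parameter), and it only works at all when the "Include command line in process creation events" policy the logsource text lists is enabled, because otherwise 4688 carries no CommandLine. Matching the image that was actually launched is both tighter and independent of that policy: replace the key with `NewProcessName:` and anchor each entry at the end, e.g. `- '*\regsvr32.exe'` with no trailing `*`, for all eight binaries; a separate `CommandLine` selection can be kept where the arguments are the signal, as in the ieexec reference. Either form is evaded by a renamed copy of the binary, since 4688 has no OriginalFileName field, and a rule comment such as `# Note: renamed copies of these binaries are not detected by 4688; correlate with Sysmon EID 1 OriginalFileName where available` would make that limit explicit for whoever tunes the rule. The `logsource.description` key is also non-standard as far as I can tell — Sigma's documented key for such requirements is `definition` — worth checking against the schema before merge.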