Added new rule. AppLocker
This commit is contained in:
Pushkarev Dmitry
@@ -0,0 +1,37 @@
|
||||
title: File Was Not Allowed To Run
|
||||
id: 401e5d00-b944-11ea-8f9a-00163ecd60ae
|
||||
description: Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.
|
||||
status: experimental
|
||||
tags:
|
||||
- attack.execution
|
||||
- attack.t1204
|
||||
- attack.t1086
|
||||
- attack.t1064
|
||||
- attack.t1035
|
||||
references:
|
||||
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker
|
||||
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker
|
||||
- https://nxlog.co/documentation/nxlog-user-guide/applocker.html
|
||||
author: Pushkarev Dmitry
|
||||
date: 2020/06/28
|
||||
logsource:
|
||||
product: windows
|
||||
service: applocker
|
||||
detection:
|
||||
selection:
|
||||
EventID:
|
||||
- 8004
|
||||
- 8007
|
||||
condition: selection
|
||||
fields:
|
||||
- PolicyName
|
||||
- RuleId
|
||||
- RuleName
|
||||
- TargetUser
|
||||
- TargetProcessId
|
||||
- FilePath
|
||||
- FileHash
|
||||
- Fqbn
|
||||
falsepositives:
|
||||
- need tuning applocker or add exceptions in SIEM
|
||||
level: medium
|
||||
Reference in New Issue
Block a user