SigmaHQ/rules/windows/process_creation/win_possible_applocker_bypass.yml

title: Possible Applocker Bypass
description: Detects execution of executables that can be used to bypass Applocker whitelisting
status: experimental
references:
    - https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt
    - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
author: juju4
tags:
    - attack.defense_evasion
    - attack.t1118
    - attack.t1121
    - attack.t1127
    - attack.t1170
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - '*\msdt.exe*'
            - '*\installutil.exe*'
            - '*\regsvcs.exe*'
            - '*\regasm.exe*'
            # - '*\regsvr32.exe*'  # too many FPs, very noisy
            - '*\msbuild.exe*'
            - '*\ieexec.exe*'
            - '*\mshta.exe*'
            - '*\csc.exe*'
    condition: selection
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
    - Using installutil to add features for .NET applications (primarly would occur in developer environments)
level: low
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`title: Possible Applocker Bypass`
			`description: Detects execution of executables that can be used to bypass Applocker whitelisting`
			`status: experimental`
			`references:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt`
			`- https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`author: juju4`
			`tags:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- attack.defense_evasion`
atc review 2019-03-06 04:25:12 +00:00			`- attack.t1118`
			`- attack.t1121`
			`- attack.t1127`
			`- attack.t1170`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`logsource:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`category: process_creation`
			`product: windows`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`detection:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`selection:`
			`CommandLine:`
			`- '\msdt.exe'`
			`- '\installutil.exe'`
			`- '\regsvcs.exe'`
			`- '\regasm.exe'`
rule: adjusted very noisy rule on AppLocker whitelist bypass 2019-10-22 10:32:31 +00:00			`# - '\regsvr32.exe' # too many FPs, very noisy`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- '\msbuild.exe'`
			`- '\ieexec.exe'`
			`- '\mshta.exe'`
Update win_possible_applocker_bypass.yml 2019-10-21 21:54:29 +00:00			`- '\csc.exe'`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`condition: selection`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`falsepositives:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- False positives depend on scripts and administrative tools used in the monitored environment`
			`- Using installutil to add features for .NET applications (primarly would occur in developer environments)`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`level: low`