SigmaHQ/rules/windows/process_creation/win_possible_applocker_bypass.yml

title: Possible Applocker Bypass
id: 82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719
description: Detects execution of executables that can be used to bypass Applocker whitelisting
status: experimental
references:
    - https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt
    - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
author: juju4
date: 2019/01/16
modified: 2020/09/01
tags:
    - attack.defense_evasion
    - attack.t1118          # an old one
    - attack.t1218.004
    - attack.t1121          # an old one
    - attack.t1218.009
    - attack.t1127          # an old one
    - attack.t1127.001
    - attack.t1170          # an old one
    - attack.t1218.005
    - attack.t1218 # no way to map 1:1, so the technique level is required
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '\msdt.exe'
            - '\installutil.exe'
            - '\regsvcs.exe'
            - '\regasm.exe'
            # - '\regsvr32.exe'  # too many FPs, very noisy
            - '\msbuild.exe'
            - '\ieexec.exe'
            #- '\mshta.exe'
            #- '\csc.exe'
    condition: selection
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
    - Using installutil to add features for .NET applications (primarily would occur in developer environments)
level: low
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`title: Possible Applocker Bypass`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`description: Detects execution of executables that can be used to bypass Applocker whitelisting`
			`status: experimental`
			`references:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt`
			`- https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`author: juju4`
fix: fixed missing date fields in remaining files 2020-01-30 15:07:37 +00:00			`date: 2019/01/16`
review windows/process_creation part 4 2020-09-02 00:34:34 +00:00			`modified: 2020/09/01`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`tags:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- attack.defense_evasion`
review windows/process_creation part 4 2020-09-02 00:34:34 +00:00			`- attack.t1118 # an old one`
			`- attack.t1218.004`
			`- attack.t1121 # an old one`
			`- attack.t1218.009`
			`- attack.t1127 # an old one`
			`- attack.t1127.001`
			`- attack.t1170 # an old one`
			`- attack.t1218.005`
			`- attack.t1218 # no way to map 1:1, so the technique level is required`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`logsource:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`category: process_creation`
			`product: windows`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`detection:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`selection:`
add modifiers 2019-11-07 22:34:30 +00:00			`CommandLine\|contains:`
			`- '\msdt.exe'`
			`- '\installutil.exe'`
			`- '\regsvcs.exe'`
			`- '\regasm.exe'`
			`# - '\regsvr32.exe' # too many FPs, very noisy`
			`- '\msbuild.exe'`
			`- '\ieexec.exe'`
Improved rules Reduced false positives 2019-11-08 22:46:41 +00:00			`#- '\mshta.exe'`
			`#- '\csc.exe'`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`condition: selection`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`falsepositives:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- False positives depend on scripts and administrative tools used in the monitored environment`
fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00			`- Using installutil to add features for .NET applications (primarily would occur in developer environments)`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`level: low`