title: Possible Applocker Bypass description: Detects execution of executables that can be used to bypass Applocker whitelisting status: experimental references: - https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/ author: juju4 tags: - attack.defense_evasion - attack.t1118 - attack.t1121 - attack.t1127 - attack.t1170 logsource: category: process_creation product: windows detection: selection: CommandLine: - '*\msdt.exe*' - '*\installutil.exe*' - '*\regsvcs.exe*' - '*\regasm.exe*' # - '*\regsvr32.exe*' # too many FPs, very noisy - '*\msbuild.exe*' - '*\ieexec.exe*' - '*\mshta.exe*' - '*\csc.exe*' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment - Using installutil to add features for .NET applications (primarly would occur in developer environments) level: low