SigmaHQ/rules/windows/process_creation/win_possible_applocker_bypass.yml

33 lines
1.1 KiB
YAML

title: Possible Applocker Bypass
description: Detects execution of executables that can be used to bypass Applocker whitelisting
status: experimental
references:
- https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt
- https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
author: juju4
tags:
- attack.defense_evasion
- attack.t1118
- attack.t1121
- attack.t1127
- attack.t1170
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- '*\msdt.exe*'
- '*\installutil.exe*'
- '*\regsvcs.exe*'
- '*\regasm.exe*'
# - '*\regsvr32.exe*' # too many FPs, very noisy
- '*\msbuild.exe*'
- '*\ieexec.exe*'
- '*\mshta.exe*'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
- Using installutil to add features for .NET applications (primarly would occur in developer environments)
level: low