Windows Impair Defense Add Xml Applocker Rules

Splunk Security Content

Summary
This detection rule monitors for the execution of PowerShell commands that may indicate an attempt to import an AppLocker XML policy, specifically "Import-Module Applocker" and "Set-AppLockerPolicy -XMLPolicy". This behavior is significant because it can indicate a malicious attempt to bypass or disable security controls, a tactic sometimes associated with malware such as Azorult. By capturing these process executions, security teams can identify potential threats in which attackers seek to disable antivirus functionality and so facilitate further compromise within the target environment. The detection draws on several data sources, including Sysmon events and Windows event logs for process creation, and focuses on those whose command lines match specific string patterns indicative of these commands. Implementation requires that data from endpoint agents is correctly ingested and mapped to the Splunk Common Information Model so that alerting and analysis work as intended.
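The string-matching logic the summary describes, as an added example that is not the rule's own SPL and not code from Splunk Security Content. It applies the two command patterns named above to constructed process-creation events whose field names follow the CIM Endpoint.Processes model (process_name, process, dest, user); restricting matches to PowerShell host binaries is an assumption of this example, not something the page states about the rule.

```python
import re
from typing import Dict, List, Optional

# Patterns derived from the two command strings the rule summary names.
# Case is ignored and whitespace is normalised so spacing variants still match.
APPLOCKER_IMPORT_PATTERNS = {
    "import_module_applocker": re.compile(r"import-module\s+applocker\b", re.IGNORECASE),
    "set_applockerpolicy_xml": re.compile(r"set-applockerpolicy\b.*-xmlpolicy\b", re.IGNORECASE),
}

# Assumption of this example: only look at PowerShell hosts, since the rule
# targets PowerShell command execution.
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Constructed sample events (hypothetical hosts and users, not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {
        "dest": "WKSTN-01",
        "user": "CORP\\jdoe",
        "process_name": "powershell.exe",
        "process": r'powershell.exe -NoProfile -Command "Import-Module AppLocker; '
                   r'Set-AppLockerPolicy -XMLPolicy C:\Users\Public\policy.xml"',
    },
    {
        "dest": "WKSTN-02",
        "user": "CORP\\asmith",
        "process_name": "powershell.exe",
        "process": "powershell.exe -Command Get-Process | Where-Object {$_.CPU -gt 100}",
    },
    {
        "dest": "WKSTN-03",
        "user": "CORP\\build",
        "process_name": "cmd.exe",
        "process": "cmd.exe /c echo Import-Module AppLocker",
    },
    {
        "dest": "SRV-04",
        "user": "CORP\\admin",
        "process_name": "pwsh.exe",
        "process": r"pwsh.exe -File deploy.ps1 Set-AppLockerPolicy   -XMLPolicy .\rules.xml -Merge",
    },
]


def normalise_command(command: str) -> str:
    """Collapse runs of whitespace so the patterns are insensitive to spacing."""
    return re.sub(r"\s+", " ", command).strip()


def match_applocker_import(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return an alert record if the event's command line matches either pattern, else None."""
    process_name = event.get("process_name", "").lower()
    if process_name not in POWERSHELL_HOSTS:
        return None
    command = normalise_command(event.get("process", ""))
    hits = [name for name, pattern in APPLOCKER_IMPORT_PATTERNS.items() if pattern.search(command)]
    if not hits:
        return None
    return {
        "dest": event.get("dest", ""),
        "user": event.get("user", ""),
        "process_name": event.get("process_name", ""),
        "matched": ",".join(hits),
        "process": command,
    }


def detect_applocker_imports(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the matcher over a batch of process-creation events and collect alerts."""
    alerts = []
    for event in events:
        alert = match_applocker_import(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect_applocker_imports(SAMPLE_EVENTS):
        print(f"{alert['dest']} {alert['user']} [{alert['matched']}] {alert['process']}")
```

The third sample shows the cost of the PowerShell-host assumption: the same string echoed from cmd.exe is ignored, which is reasonable for this rule but means a shell that launches PowerShell indirectly is only caught once the child PowerShell process creation event itself is ingested.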
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • Application Log
  • Logon Session
ATT&CK Techniques
  • T1562.001
  • T1562
Created: 2024-11-13