Possible Applocker Bypass

Detects execution of executables that can be used to bypass Applocker whitelisting

Rule Content

- title: Possible Applocker Bypass
  id: 82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719
  description: Detects execution of executables that can be used to bypass Applocker
    whitelisting
  status: experimental
  references:
  - https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt
  - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
  author: juju4
  tags:
  - attack.defense_evasion
  - attack.t1118
  - attack.t1121
  - attack.t1127
  - attack.t1170
  logsource:
    category: process_creation
    product: windows
    service: null
  detection:
    selection:
      CommandLine|contains:
      - \msdt.exe
      - \installutil.exe
      - \regsvcs.exe
      - \regasm.exe
      - \msbuild.exe
      - \ieexec.exe
    condition: selection
  falsepositives:
  - False positives depend on scripts and administrative tools used in the monitored
    environment
  - Using installutil to add features for .NET applications (primarily would occur
    in developer environments)
  level: low
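To see what the selection above actually does before shipping it to Elasticsearch, here is an added example (not part of the Sigma rule or the HELK notebook) that evaluates the `CommandLine|contains` list locally against a few constructed process_creation events and builds the equivalent Lucene `query_string` clause. The event dictionaries, their field names and the sample command lines are assumptions made for the example; Sigma string matching is case-insensitive, which the matcher reproduces.

```python
from typing import Dict, Iterable, List

# The rule's selection: CommandLine|contains. The leading backslash means the
# binary name must appear as a path component, so "dotnet msbuild" does not fire.
BYPASS_BINARIES = [
    r"\msdt.exe",
    r"\installutil.exe",
    r"\regsvcs.exe",
    r"\regasm.exe",
    r"\msbuild.exe",
    r"\ieexec.exe",
]


def matches_selection(command_line: str, needles: Iterable[str] = BYPASS_BINARIES) -> bool:
    """True when any needle appears anywhere in the command line, ignoring case."""
    haystack = command_line.lower()
    return any(n.lower() in haystack for n in needles)


def evaluate_rule(events: Iterable[Dict]) -> List[Dict]:
    """Apply the selection to process_creation events (dicts with a CommandLine field).

    Returns the matching events, each annotated with the needle(s) that fired so an
    analyst triaging this low-level alert can see which binary triggered it.
    """
    hits = []
    for ev in events:
        cmd = ev.get("CommandLine", "").lower()
        fired = [n for n in BYPASS_BINARIES if n.lower() in cmd]
        if fired:
            hits.append({**ev, "matched": fired})
    return hits


def to_query_string(field: str = "process_command_line.keyword",
                    needles: Iterable[str] = BYPASS_BINARIES) -> str:
    """Build the Lucene query_string form of the selection.

    query_string treats a backslash as an escape character, so the literal
    backslash in each needle is doubled to keep it a literal character.
    """
    terms = " OR ".join("*" + n.replace("\\", "\\\\") + "*" for n in needles)
    return f"{field}:({terms})"


# Constructed sample events (assumed field names, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     # matches; a developer installing a .NET service is the rule's documented false positive
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false C:\Users\dev\build\Service.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msdt.exe",
     # matches; case differs from the needle, so case-insensitivity matters here
     "CommandLine": r"C:\WINDOWS\system32\MSDT.EXE -id PCWDiagnostic"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     # no listed binary
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt'},
    {"EventID": 1, "Image": r"C:\Program Files\dotnet\dotnet.exe",
     # "msbuild" without the "\msbuild.exe" path form does not satisfy the selection
     "CommandLine": "dotnet msbuild Solution.sln"},
]


if __name__ == "__main__":
    for hit in evaluate_rule(SAMPLE_EVENTS):
        print(hit["matched"], hit["CommandLine"])
    print(to_query_string())
```

Running the block reports two hits (the InstallUtil and MSDT events) and prints the generated clause; comparing that clause with the notebook's hand-written query is a quick way to confirm the rule translation before running it against the index.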

Querying Elasticsearch

Import Libraries


In [ ]:
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd

Initialize Elasticsearch client


In [ ]:
# helk-elasticsearch is the HELK stack's Elasticsearch service name
es = Elasticsearch(['http://helk-elasticsearch:9200'])
# search every logs-* index; doc_type matches the mapping used by HELK
searchContext = Search(using=es, index='logs-*', doc_type='doc')

Run Elasticsearch Query


In [ ]:
s = searchContext.query('query_string', query='process_command_line.keyword:(*\\msdt.exe* OR *\\installutil.exe* OR *\\regsvcs.exe* OR *\\regasm.exe* OR *\\msbuild.exe* OR *\\ieexec.exe*)')
response = s.execute()
if response.success():
    # scan() iterates over every hit rather than the first page returned by execute()
    df = pd.DataFrame((d.to_dict() for d in s.scan()))
else:
    df = pd.DataFrame()  # keep df defined so the next cell does not raise NameError

Show Results


In [ ]:
df.head()