Detection rules › Sigma
AppLocker Prevented Application or Script from Running
Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.
MITRE ATT&CK coverage
Event coverage
| Provider | Event | Title |
|---|---|---|
| AppLocker | Event ID 8004 | FilePathBuffer was prevented from running. |
| AppLocker | Event ID 8007 | FilePathBuffer was prevented from running. |
| AppLocker | Event ID 8022 | PackageBuffer was prevented from running. |
| AppLocker | Event ID 8025 | PackageBuffer was prevented from running. |
Rule body yaml
title: AppLocker Prevented Application or Script from Running
id: 401e5d00-b944-11ea-8f9a-00163ecd60ae
status: test
description: |
Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.
references:
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker
- https://nxlog.co/documentation/nxlog-user-guide/applocker.html
author: Pushkarev Dmitry
date: 2020-06-28
modified: 2025-12-03
tags:
- attack.execution
- attack.t1204.002
- attack.t1059.001
- attack.t1059.003
- attack.t1059.005
- attack.t1059.006
- attack.t1059.007
logsource:
product: windows
service: applocker
detection:
selection:
EventID:
- 8004 # EXE and DLL
- 8007 # MSI and Script
- 8022 # Packaged app execution
- 8025 # Packaged app deployment
condition: selection
falsepositives:
- Unlikely, since this event notifies about blocked application execution. Tune your applocker rules to avoid blocking legitimate applications.
level: medium
Stages and Predicates
Stage 0: condition
selectionStage 1: selection
selection:
EventID:
- 8004
- 8007
- 8022
- 8025