Skip to content
Threat Feed
medium advisory

AppLocker Audit Events Indicate Potential Policy Violations

This brief describes the detection of Windows AppLocker audit events (Event IDs 8003, 8006, 8021, 8024) that indicate applications, DLLs, scripts, MSIs, or packaged apps would have been blocked by an active AppLocker policy, providing insight into unauthorized software execution attempts or policy violations in audit mode.

This brief focuses on the detection of Windows AppLocker audit events (Event IDs 8003, 8006, 8021, 8024), which signify that applications, DLLs, scripts, MSIs, or packaged applications would have been blocked if AppLocker policies were in 'Enforce rules' mode. These events, generated while AppLocker operates in 'Audit only' mode, provide critical intelligence to security operations centers (SOCs) and detection engineers. By monitoring these specific event IDs, organizations can proactively identify potential policy violations, unauthorized software execution attempts, or even malware activity without disrupting legitimate business processes. This allows for thorough testing and refinement of AppLocker policies before full enforcement, ensuring that only intended applications are permitted while malicious or unapproved software is flagged.

Impact

When AppLocker is configured in 'Audit only' mode, no applications are actively blocked. However, the generation of these audit events (8003, 8006, 8021, 8024) provides invaluable insight into what would have been blocked under an enforced policy. The primary impact is the ability to thoroughly test and refine AppLocker policies without user disruption, which can reveal widespread usage of unsanctioned applications or previously undetected malware. Failure to monitor these audit events means losing a crucial opportunity to identify potential attack vectors, unauthorized software installations, or attempts by adversaries to execute malicious code, all of which would lead to successful execution if the policies were later enforced without prior tuning. This capability allows security teams to proactively strengthen their application control posture and prevent future breaches.

Recommendation

  • Deploy the Sigma rule "AppLocker Application Would Have Been Blocked" to your SIEM solution to identify potential policy violations in AppLocker audit mode.
  • Ensure that Windows AppLocker event logging for Microsoft-Windows-AppLocker/EXE and DLL and Microsoft-Windows-AppLocker/MSI and Script is enabled and forwarded to your central logging system.
  • Tune the deployed Sigma rule for the specific logsource and expected false positives within your environment, especially during AppLocker policy testing phases.

Detection coverage 1

AppLocker Application Would Have Been Blocked

medium

Detects when AppLocker audit mode reports that an application, DLL, script, MSI, or packaged app would have been blocked by an active AppLocker policy.

sigma tactics: execution techniques: T1059.001, T1059.003, T1059.005, T1059.006, T1059.007, T1204.002 sources: event_logging, windows, applocker

Detection queries are available on the platform. Get full rules →