high
threat
Detect PowerShell AppLocker Policy Import Activity
2 rules, 1 TTP
Detection of PowerShell commands to import AppLocker policy via Import-Module Applocker and Set-AppLockerPolicy, potentially used to enforce restrictive policies or disable security products like antivirus.
Splunk Enterprise +2
Azorult
applocker
powershell
defense-evasion
endpoint
high
advisory
Suspicious AppLocker XML Policy Import via PowerShell
2 rules
Detection of PowerShell commands used to import AppLocker XML policies, potentially indicating an attempt to bypass security controls, as observed with Azorult malware.
Splunk Enterprise +2
applocker
defense-evasion
powershell
high
advisory
AppLocker Registry Modification to Deny Security Software Execution
2 rules
Attackers can modify the Windows registry via AppLocker to block the execution of security software, potentially disabling defenses and allowing further malicious activities.
Splunk Enterprise +2
applocker
defense-evasion
registry-modification