← Back to Explore
sigmamediumHunting
AppLocker Application Would Have Been Blocked
Detects when AppLocker "Audit only" enforcement mode reports that an Application, DLL, Script, MSI, or Packaged-App would have been blocked if AppLocker "Enforce rules" enforcement mode was enabled.
Detection Query
selection:
EventID:
- 8003
- 8006
- 8021
- 8024
condition: selection
Author
heyyanu
Created
2026-03-26
Data Sources
windowsapplocker
Platforms
windows
References
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker
- https://www.splunk.com/en_us/blog/security/deploy-test-monitor-mastering-microsoft-applocker-part-2.html
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ee844150(v=ws.11)
Tags
attack.executionattack.t1204.002attack.t1059.001attack.t1059.003attack.t1059.005attack.t1059.006attack.t1059.007
Raw Content
title: AppLocker Application Would Have Been Blocked
id: 557e3bd3-7f21-495d-8d50-7c8bdfb8041c
status: experimental
description: |
Detects when AppLocker "Audit only" enforcement mode reports that an Application, DLL, Script, MSI, or Packaged-App would have been blocked if AppLocker "Enforce rules" enforcement mode was enabled.
references:
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker
- https://www.splunk.com/en_us/blog/security/deploy-test-monitor-mastering-microsoft-applocker-part-2.html
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ee844150(v=ws.11)
author: heyyanu
date: 2026-03-26
tags:
- attack.execution
- attack.t1204.002
- attack.t1059.001
- attack.t1059.003
- attack.t1059.005
- attack.t1059.006
- attack.t1059.007
logsource:
product: windows
service: applocker
detection:
selection:
EventID:
- 8003 # EXE and DLL would have been blocked
- 8006 # MSI and Script would have been blocked
- 8021 # Packaged app execution would have been blocked
- 8024 # Packaged app deployment would have been blocked
condition: selection
falsepositives:
- Expected during AppLocker policy testing and audit mode deployments
level: medium