
Deploy, Test, Monitor: Mastering Microsoft AppLocker (Part 2)

Part 2 of the AppLocker series focusing on testing your policies, monitoring for bypasses, and building detection coverage in Splunk.

applocker whitelisting bypass detection splunk atomic-testing

Originally published on the Splunk Security Blog
Read the full article: Mastering Microsoft AppLocker Part 2

Testing Your AppLocker Policies

Deploying AppLocker isn’t enough—you need to test it against real attack techniques.

Atomic Testing Approach

Use Atomic Red Team to validate your policies:

# Test execution from user-writable locations
Invoke-AtomicTest T1204.002 -TestNumbers 1

# Test script execution
Invoke-AtomicTest T1059.001 -TestNumbers 1

Common Bypass Techniques to Test

1. Living Off the Land Binaries (LOLBins)

Many built-in Windows tools can execute code:

# MSBuild bypass
msbuild.exe malicious.csproj

# InstallUtil bypass
InstallUtil.exe /logfile= /LogToConsole=false /U malicious.dll

2. Trusted Directories

Attackers look for writable paths within trusted directories.

3. DLL Hijacking

If DLL rules aren’t enabled, attackers can load malicious DLLs.
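Before running the Atomic tests above, it is worth confirming what the effective policy would decide for the cases in this list without executing anything. The following PowerShell is an added example, not code from the Splunk post: it is assumed to run as a local administrator on a host where the policy is applied, the LOLBin paths are the standard .NET Framework and System32 locations, and the user-writable test files are constructed placeholders created in %TEMP% for the duration of the check.

```powershell
# Added example, not code from the original Splunk post. Run as a local administrator
# on a host where the AppLocker policy is applied. Nothing is executed: Test-AppLockerPolicy
# evaluates the effective policy against files on disk and reports the decision it would make.

# 1. Confirm which rule collections are actually enforced. A missing or NotConfigured
#    "Dll" collection is the gap behind the DLL hijacking case above.
[xml]$policyXml = Get-AppLockerPolicy -Effective -Xml
foreach ($type in 'Exe', 'Dll', 'Script', 'Msi', 'Appx') {
    $rc = $policyXml.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq $type }
    $mode = if ($rc) { $rc.EnforcementMode } else { 'Missing' }
    '{0,-7} {1}' -f $type, $mode
}

# 2. Paths to test. LOLBins that ship with Windows are tested in place; the
#    user-writable cases are placeholder files (constructed sample names) created
#    under %TEMP% so the path rules can be evaluated against a real file.
$scratch = Join-Path $env:TEMP 'applocker-check'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
$userWritable = @('tool.exe', 'stage.ps1', 'sideload.dll') | ForEach-Object {
    $p = Join-Path $scratch $_
    Set-Content -Path $p -Value 'placeholder' -Encoding ascii
    $p
}
$lolbins = @(
    "$env:windir\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
    "$env:windir\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
    "$env:windir\System32\regsvr32.exe"
) | Where-Object { Test-Path $_ }

# 3. Evaluate as a standard user ("Everyone") rather than as the administrator running
#    the script, otherwise admin-only allow rules mask the result.
$decisions = Test-AppLockerPolicy -PolicyObject (Get-AppLockerPolicy -Effective) `
    -Path ($userWritable + $lolbins) -User Everyone
$decisions | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Findings: anything from a user-writable location, or any LOLBin, that is allowed for
#    Everyone. "AllowedByDefault" means the collection has no rules at all, which is worse.
'== Allowed for Everyone (fix these before running the Atomic tests) =='
$decisions | Where-Object { $_.PolicyDecision -like 'Allowed*' } |
    Select-Object FilePath, PolicyDecision, MatchingRule

Remove-Item -Path $scratch -Recurse -Force
```

A LOLBin such as MSBuild.exe will normally show as Allowed through the default "All files located in the Windows folder" rule; that is the expected result and the reason the Sysmon search later in the post exists. The actionable findings are the placeholder files in %TEMP% coming back Allowed, or any collection reporting Missing or NotConfigured.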

Splunk Detection Queries

AppLocker Blocks

index=windows source="WinEventLog:Microsoft-Windows-AppLocker/*" EventCode=8004
| stats count by FilePath, UserName, Computer
| sort -count

Potential Bypass Attempts

index=windows source="WinEventLog:Microsoft-Windows-AppLocker/*"
| search FilePath="*\\Users\\*" OR FilePath="*\\Temp\\*"
| stats count by FilePath, RuleName

LOLBin Execution

index=sysmon EventCode=1 
  (Image="*msbuild.exe" OR Image="*installutil.exe" OR Image="*regsvr32.exe")
  ParentImage!="*Visual Studio*"
| table _time, Computer, User, Image, CommandLine

Continuous Monitoring

AppLocker isn’t set-and-forget. Build dashboards that show:

  • Block events over time
  • Most blocked applications
  • Users triggering blocks
  • Potential bypass indicators
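For a host that is not yet forwarding to Splunk, or to check what the forwarder is actually sending, the same views can be produced from the local AppLocker event log. The following PowerShell is an added example, not code from the Splunk post: it assumes a seven-day lookback and the default AppLocker log names. One caveat it makes explicit is that AppLocker writes its fields under UserData/RuleAndFileData (not EventData), records the path in variable form such as %OSDRIVE%\USERS\..., and records the user as a SID, which matters when you write the Splunk field extractions and path searches above.

```powershell
# Added example, not from the original Splunk post. Summarises AppLocker audit and block
# events from the local event log the way the Splunk searches and dashboard items do.
# Event IDs: 8003 = would have been blocked (audit mode), 8004 = blocked (enforce mode),
# for EXE/DLL; 8006 and 8007 are the Script/MSI equivalents.
# Assumption: a seven-day lookback window (adjust $since as needed).

$logs  = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
$since = (Get-Date).AddDays(-7)

$events = foreach ($log in $logs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8003, 8004, 8006, 8007; StartTime = $since } `
        -ErrorAction SilentlyContinue
}

# AppLocker puts its fields in UserData/RuleAndFileData rather than EventData, so parse
# the event XML instead of scraping the Message text.
$rows = foreach ($e in $events) {
    [xml]$x = $e.ToXml()
    $d = $x.Event.UserData.RuleAndFileData
    [pscustomobject]@{
        Time     = $e.TimeCreated
        EventId  = $e.Id
        Mode     = if ($e.Id -in (8004, 8007)) { 'Blocked' } else { 'AuditOnly' }
        Policy   = $d.PolicyName     # EXE, DLL, SCRIPT or MSI
        FilePath = $d.FilePath       # e.g. %OSDRIVE%\USERS\ALICE\DOWNLOADS\TOOL.EXE
        User     = $d.TargetUser     # a SID; resolved to a name below
        Rule     = $d.RuleName
    }
}

# Resolve each SID once so the summaries show account names rather than SIDs.
$sidCache = @{}
foreach ($r in $rows) {
    if (-not $sidCache.ContainsKey($r.User)) {
        try {
            $sidCache[$r.User] = ([System.Security.Principal.SecurityIdentifier]$r.User).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            $sidCache[$r.User] = $r.User   # unresolvable (deleted or remote account): keep the SID
        }
    }
    $r.User = $sidCache[$r.User]
}

# Dashboard-style views matching the list above.
'== Block events per day =='
$rows | Group-Object { $_.Time.Date } | Sort-Object Name | Select-Object Name, Count

'== Most blocked applications =='
$rows | Group-Object FilePath | Sort-Object Count -Descending | Select-Object -First 10 Count, Name

'== Users triggering blocks =='
$rows | Group-Object User | Sort-Object Count -Descending | Select-Object Count, Name

# Potential bypass indicators: activity from user-writable locations, the local equivalent
# of the "Potential Bypass Attempts" search. AppLocker paths are upper case, -like is
# case-insensitive, so the Splunk wildcards carry over directly.
'== Activity from user-writable locations =='
$rows | Where-Object { $_.FilePath -like '*\USERS\*' -or $_.FilePath -like '*\TEMP\*' } |
    Select-Object Time, Mode, Policy, FilePath, User, Rule | Format-Table -AutoSize
```

Because the EXE/DLL and MSI/Script logs are separate channels, the Splunk input (or the `source` wildcard in the searches above) has to cover both; a common mistake is to onboard only the EXE and DLL log and then conclude there are no script blocks.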

Read the full guide: Mastering Microsoft AppLocker Part 2
