Windows restricted software access by the Software Restriction Policies

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects instances where a user or process attempted to execute software that is restricted by Windows Software Restriction Policies (SRP).

Strategy

This detection monitors Windows event logs from the provider "Microsoft-Windows-SoftwareRestrictionPolicies" for Event IDs 865, 866, 867, 868 and 882. Each of these events records that SRP refused to run a program: 865 under the policy's default security level, 866 by a path rule, 867 by a certificate (publisher) rule, 868 by a network zone rule, and 882 by a hash rule. In every case the first inserted field of the message is the path of the blocked file. AppLocker decisions are written by a separate provider (Microsoft-Windows-AppLocker) and are not matched by this rule.

Software Restriction Policies are a Group Policy based control that lets administrators define which applications may run on a workstation or server. SRP is a legacy mechanism that Microsoft has deprecated in favour of AppLocker and Windows Defender Application Control, but existing policies are still enforced and still log these events, so a hit can also point at a host whose policy was never migrated.

Triage & Response

  • Identify the {{host}} system where Software Restriction Policy blocked application execution.
  • Examine the blocked application details, including file path, name, and hash values from the event.
  • Determine which user account attempted to run the restricted application.
  • Review process creation events to understand how the launch was attempted and which parent process initiated it. SRP denies the launch before the child process exists, so do not expect a process creation event for the blocked file itself; look for the process that tried to start it (the process ID on the SRP event record).
  • Investigate if the execution attempt originated from a remote machine by correlating with logon events.
  • Check if the blocked application was being run with administrative privileges.
  • Research the blocked application to determine if it’s legitimate software needed for business or potentially malicious.
  • Ensure the blocked file is quarantined or deleted if it is confirmed to be malware or an unauthorized tool.
  • Review the user’s recent activities for evidence of potential compromise or policy violations.
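The query below is an added example, not part of this rule or of Microsoft's tooling. It pulls the five SRP event IDs named in the Strategy section from a host and turns each one into the triage fields listed above (host, user, rule type, blocked file) and, optionally, the process that attempted the launch and whether it held an elevated token. It assumes PowerShell 5.1 or later, read access to the Application and Security logs, and, for the parent lookup, that process creation auditing (Security event 4688) is enabled; the function and parameter names are hypothetical.

```powershell
# Added example (not the Datadog rule's code): collect SRP block events from a
# Windows host and shape them into triage fields.
# Assumptions: PowerShell 5.1+, rights to read the Application and Security logs,
# and 4688 auditing enabled if -ResolveParent is used. Names are hypothetical.

function Get-SrpBlockEvent {
    [CmdletBinding()]
    param(
        [int]$Days = 7,          # how far back to look
        [switch]$ResolveParent   # also look up the launching process via 4688
    )

    # Event ID -> SRP rule type. In each of these messages %1 is the blocked
    # file, which is why Properties[0] is read below.
    $ruleType = @{
        865 = 'Default security level'
        866 = 'Path rule'
        867 = 'Certificate rule'
        868 = 'Network zone rule'
        882 = 'Hash rule'
    }

    # Get-WinEvent throws, rather than returning nothing, when no event matches.
    $events = Get-WinEvent -FilterHashtable @{
        ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
        Id           = @($ruleType.Keys)
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # The SID on the record is the account that attempted the launch, when present.
        $user = $null
        if ($e.UserId) {
            try   { $user = $e.UserId.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $user = $e.UserId.Value }
        }

        $parentName = $null; $parentCmd = $null; $elevated = $null
        if ($ResolveParent -and $e.ProcessId) {
            # SRP denies inside CreateProcess before the child exists, so the blocked
            # file never gets a 4688 of its own. The PID on the SRP record is the
            # caller (the would-be parent); find the newest 4688 that created that PID
            # before the block, which also copes with PID reuse.
            $p = Get-WinEvent -FilterHashtable @{
                    LogName = 'Security'; Id = 4688; EndTime = $e.TimeCreated
                } -MaxEvents 5000 -ErrorAction SilentlyContinue |
                ForEach-Object {
                    # Read the named EventData fields from the event XML.
                    $fields = @{}
                    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                        $fields[$d.Name] = $d.'#text'
                    }
                    $fields
                } |
                Where-Object { [int64]$_.NewProcessId -eq $e.ProcessId } |
                Select-Object -First 1
            if ($p) {
                $parentName = $p.NewProcessName
                $parentCmd  = $p.CommandLine
                # TokenElevationType %%1937 is a full (elevated) administrator token.
                $elevated   = ($p.TokenElevationType -eq '%%1937')
            }
        }

        [pscustomobject]@{
            TimeCreated    = $e.TimeCreated
            Host           = $e.MachineName
            EventId        = $e.Id
            RuleType       = $ruleType[[int]$e.Id]
            User           = $user
            BlockedFile    = $e.Properties[0].Value
            LaunchedBy     = $parentName
            LaunchCommand  = $parentCmd
            ParentElevated = $elevated
            Message        = $e.Message
        }
    }
}

# Usage: newest blocks first, with the launching process resolved.
Get-SrpBlockEvent -Days 3 -ResolveParent |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, User, RuleType, BlockedFile, LaunchedBy, ParentElevated -AutoSize
```

The parent lookup scans recent Security events and parses each one, so on a busy host limit `-Days` or drop `-ResolveParent` when only the blocked file and user are needed. For the "remote origin" step, the same pattern applies against logon events (4624) using the SRP record's user and time window.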