Windows restricted software access by the Software Restriction Policies
Goal
Detects instances where a user or process attempted to execute software that is restricted by Windows Software Restriction Policies (SRP).
Strategy
This detection monitors Windows event logs with the provider “Microsoft-Windows-SoftwareRestrictionPolicies” and Event IDs 865, 866, 867, 868, or 882. These events indicate that SRP blocked the execution of a program based on path rules, hash rules, certificate rules, network zone rules, or AppLocker policy.
Software Restriction Policies are security controls that help administrators define which applications can run on workstations.
Triage & Response
- Identify the {{host}} system where Software Restriction Policy blocked application execution.
- Examine the blocked application details, including file path, name, and hash values from the event.
- Determine which user account attempted to run the restricted application.
- Review process creation events to understand how the application was executed and its parent process.
- Investigate if the execution attempt originated from a remote machine by correlating with logon events.
- Check if the blocked application was being run with administrative privileges.
- Research the blocked application to determine if it’s legitimate software needed for business or potentially malicious.
- Ensure the blocked file is quarantined or deleted if it is confirmed to be malware or an unauthorized tool.
- Review the user’s recent activities for evidence of potential compromise or policy violations.
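The following is an added illustration of the detection logic in the Strategy section and the first triage steps above; it is not Datadog's rule implementation. It runs over constructed log lines in a simplified JSON shape (real collector field names differ), matches the provider and event IDs named in the rule, and pulls out the host, user, path and hash a responder needs. The event-ID-to-rule-type labels are an assumption based on the documented SRP message text; the sample hosts, users, paths and hash placeholders are made up.

```python
"""Toy detector for Windows Software Restriction Policies (SRP) block events.

Added illustration, not the rule's real implementation. Log lines are
constructed in a simplified JSON shape; real Windows event fields differ
by collector.
"""
import json
from collections import Counter

SRP_PROVIDER = "Microsoft-Windows-SoftwareRestrictionPolicies"

# Event IDs from the rule description. The rule-type labels are an
# assumption drawn from the documented SRP event message text.
SRP_EVENT_IDS = {
    865: "default security level",
    866: "path rule",
    867: "certificate rule",
    868: "network zone rule",
    882: "hash rule",
}

# Constructed sample log lines (not real telemetry); hashes are placeholders.
SAMPLE_LOG_LINES = [
    json.dumps({"provider": SRP_PROVIDER, "event_id": 866, "host": "WS-042",
                "user": "CORP\\jdoe", "path": "C:\\Users\\jdoe\\Downloads\\tool.exe",
                "sha256": "<placeholder-hash>"}),
    # Same user again; the collector emitted the ID as a string this time.
    json.dumps({"provider": SRP_PROVIDER, "event_id": "882", "host": "WS-042",
                "user": "CORP\\jdoe", "path": "C:\\Temp\\tool.exe",
                "sha256": "<placeholder-hash>"}),
    # Unrelated provider reusing the same numeric ID: must not match.
    json.dumps({"provider": "Microsoft-Windows-Security-Auditing", "event_id": 866,
                "host": "WS-042", "user": "CORP\\svc", "path": "C:\\x.exe"}),
    json.dumps({"provider": SRP_PROVIDER, "event_id": 865, "host": "WS-007",
                "user": "CORP\\asmith", "path": "D:\\usb\\installer.msi"}),
    "this line is not JSON and must not crash the detector",
]


def parse_event(line):
    """Parse one JSON log line; return None for unparseable input."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) else None


def is_srp_block(event):
    """True when the event is an SRP block: right provider and a listed ID.

    IDs are compared as integers so "882" (string) still matches, and the
    provider check keeps other providers with the same IDs from alerting.
    """
    if event.get("provider") != SRP_PROVIDER:
        return False
    try:
        return int(event.get("event_id")) in SRP_EVENT_IDS
    except (TypeError, ValueError):
        return False


def detect_srp_blocks(lines):
    """Run the detection over log lines; return triage-ready alert records."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None or not is_srp_block(event):
            continue
        event_id = int(event["event_id"])
        alerts.append({
            "host": event.get("host"),
            "user": event.get("user"),
            "path": event.get("path"),
            "sha256": event.get("sha256"),
            "event_id": event_id,
            "rule_type": SRP_EVENT_IDS[event_id],
        })
    return alerts


def summarize_by_host(alerts):
    """Count blocks per (host, user) so repeated attempts stand out in triage."""
    return Counter((a["host"], a["user"]) for a in alerts)


if __name__ == "__main__":
    found = detect_srp_blocks(SAMPLE_LOG_LINES)
    for a in found:
        print(f"{a['host']} {a['user']} blocked {a['path']} ({a['rule_type']})")
    for (host, user), n in summarize_by_host(found).items():
        print(f"{host}/{user}: {n} block event(s)")
```

On the constructed input this yields three alerts (two for the same user on WS-042, one on WS-007); the non-SRP provider line and the malformed line are dropped. The per-(host, user) count is the first thing to look at when deciding whether a block is a one-off or a repeated attempt worth correlating with process creation and logon events.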