new: AppLocker Audit Mode - Application or Script Would Have Been Blo…#1007

Open
heyyanu wants to merge 1 commit into Yamato-Security:main from heyyanu:add/applocker-rules

Conversation

@heyyanu heyyanu commented Mar 5, 2026

…cked - closes #767
Summary
Adds a new detection rule for AppLocker audit mode events where applications,
scripts or DLLs would have been blocked if AppLocker was enforced.

Covers Event IDs:

  • 8003: EXE and DLL would have been blocked
  • 8006: MSI and Script would have been blocked
  • 8023: Packaged app execution would have been blocked
  • 8024: Packaged app deployment would have been blocked

Related Issue
Closes #767

MITRE ATT&CK

  • T1204.002 - Malicious File
  • T1059.001 - PowerShell
  • T1562.001 - Defense Evasion

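Added example (editor's note, not the rule submitted in this PR and not code from the Hayabusa or Sigma projects): the detection logic the description sketches, run over a constructed AppLocker event stream. It pairs each audit-mode ID from the PR with the AppLocker channel that emits it, and keeps the enforce-mode counterparts (8004, 8007, 8022, 8025) separate so an audit rule does not also fire on hosts that already enforce. The channel names and enforce-mode IDs are the standard AppLocker ones; the record field names and every sample event are assumptions constructed for this example.

```python
"""Detection logic for AppLocker audit-mode "would have been blocked" events,
run over constructed sample records. Added example only: this is not the
rule submitted in this PR nor code from the Hayabusa or Sigma projects."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Audit-mode event IDs from the PR description, paired with the AppLocker
# channel each one is written to. The pairing is used as the selection so
# that the same numeric ID in some other channel cannot trigger the rule.
AUDIT_WOULD_BLOCK = {
    8003: "Microsoft-Windows-AppLocker/EXE and DLL",
    8006: "Microsoft-Windows-AppLocker/MSI and Script",
    8023: "Microsoft-Windows-AppLocker/Packaged app-Execution",
    8024: "Microsoft-Windows-AppLocker/Packaged app-Deployment",
}

# Enforce-mode counterparts (the file really was blocked). Kept separate so
# the audit rule does not fire twice on hosts that already enforce policy.
ENFORCED_BLOCK = {
    8004: "Microsoft-Windows-AppLocker/EXE and DLL",
    8007: "Microsoft-Windows-AppLocker/MSI and Script",
    8022: "Microsoft-Windows-AppLocker/Packaged app-Execution",
    8025: "Microsoft-Windows-AppLocker/Packaged app-Deployment",
}


@dataclass(frozen=True)
class AppLockerEvent:
    """Minimal shape of an AppLocker record (assumed field names, not the
    exact EVTX schema)."""
    channel: str
    event_id: int
    file_path: str
    user: str


def classify(ev: AppLockerEvent) -> Optional[str]:
    """Return 'audit_would_block', 'enforced_block', or None for anything else
    (allowed executions, or an ID seen in a channel that does not emit it)."""
    if AUDIT_WOULD_BLOCK.get(ev.event_id) == ev.channel:
        return "audit_would_block"
    if ENFORCED_BLOCK.get(ev.event_id) == ev.channel:
        return "enforced_block"
    return None


def detect(events: Iterable[AppLockerEvent],
           include_enforced: bool = False) -> List[Tuple[str, AppLockerEvent]]:
    """Apply the rule to a stream of events and return the matching ones."""
    wanted = {"audit_would_block"}
    if include_enforced:
        wanted.add("enforced_block")
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict in wanted:
            hits.append((verdict, ev))
    return hits


# Constructed sample log, not real telemetry.
SAMPLE_EVENTS = [
    AppLockerEvent("Microsoft-Windows-AppLocker/EXE and DLL", 8003,
                   r"C:\Users\alice\Downloads\updater.exe", r"CORP\alice"),
    AppLockerEvent("Microsoft-Windows-AppLocker/MSI and Script", 8006,
                   r"C:\Users\alice\AppData\Local\Temp\stage.ps1", r"CORP\alice"),
    AppLockerEvent("Microsoft-Windows-AppLocker/EXE and DLL", 8002,
                   r"C:\Windows\System32\notepad.exe", r"CORP\alice"),  # allowed, no hit
    AppLockerEvent("Microsoft-Windows-AppLocker/EXE and DLL", 8004,
                   r"C:\Users\bob\Downloads\dropper.exe", r"CORP\bob"),  # enforced block
    AppLockerEvent("Microsoft-Windows-AppLocker/Packaged app-Execution", 8023,
                   "Contoso.Tool_1.0.0.0_x64__abcdefghijklm", r"CORP\bob"),
    AppLockerEvent("Microsoft-Windows-AppLocker/MSI and Script", 8003,
                   r"C:\tmp\odd.exe", r"CORP\bob"),  # ID/channel mismatch, no hit
]


def audit_hits(events: Iterable[AppLockerEvent] = SAMPLE_EVENTS) -> List[AppLockerEvent]:
    """Only the audit-mode 'would have been blocked' events."""
    return [ev for _, ev in detect(events)]


if __name__ == "__main__":
    for verdict, ev in detect(SAMPLE_EVENTS, include_enforced=True):
        print(f"{verdict:17} EID={ev.event_id} user={ev.user} file={ev.file_path}")
```

Run stand-alone it prints the three audit hits plus the one enforced block; a rule that should stay silent on enforcing hosts calls `detect()` with the default `include_enforced=False`.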
@YamatoSecurity (Collaborator)

@heyyanu Thanks for creating a rule for this! I noticed that there is a rule in the upstream sigma repository for blocking, and this rule seems very similar, so what about submitting it to the upstream sigma repo?

@heyyanu (Author) commented Mar 6, 2026

@YamatoSecurity The rule has been added to the sigma folder.
Please let me know if any changes are needed!

@YamatoSecurity (Collaborator)

@heyyanu So this repository is only for adding rules to the hayabusa folder. Upstream sigma rules from https://github.com/SigmaHQ/sigma are automatically synced to the sigma folder. Everything gets replaced so if you do a PR to the sigma folder it will get deleted on next sync. If you want to contribute a rule as a Hayabusa rule instead, you need to place it in the hayabusa folder. But only Hayabusa users would benefit so if you want to contribute to Sigma then submitting a PR to https://github.com/SigmaHQ/sigma is better. Once merged, it will be added here to use with Hayabusa.

@heyyanu (Author) commented Mar 6, 2026

@YamatoSecurity Thank you for the detailed explanation!
I will submit the PR to SigmaHQ/sigma so everyone can benefit.

Development

Successfully merging this pull request may close these issues.

Add AppLocker rules

2 participants