To protect your organization in 2025, start by having the right tools, resources, and guidance. ThreatLocker has curated a list of the top policies of 2024 used by real customers and engineers to improve their endpoint security posture.
What is a ThreatLocker policy?
A ThreatLocker® policy defines actions. An application definition is a collection of file names, certificates, paths, and processes. An application policy then defines whether an application can run as an administrator and how it can interact with other objects in the environment.
Additionally, there are policies in Network Control and Storage Control, which define actions for endpoint firewalls and storage locations.
Where can you find ThreatLocker policies?
You can find the right policy for your business in the list below or by browsing the ThreatLocker Portal on the Community tab under Modules. Once in, you will find policies for ThreatLocker solutions, including Application Control, Network Control, and Detect.

How are ThreatLocker policies ranked?
A ThreatLocker policy is ranked by the number of organizations that use it and its average rating out of five stars. The most popular policies available will be on display at the top of the Community page.
Below are some of the most well-received and most used ThreatLocker policies of 2024. Each plays a critical role in securing the environments of businesses globally.
The Top 10 policies in ThreatLocker Community from 2024
1) TL.EV.001 - Clear Windows Security Logs
TL.EV.001 monitors the Windows Security Log for any attempts to clear or tamper with log entries. It helps detect MITRE ATT&CK technique Indicator Removal: Clear Windows Event Logs. Hackers often clear Windows Event Logs in an attempt to hide their activity.
2) TL.AAL.004 - Block revoked AnyDesk certificate
TL.AAL.004 blocks the revoked PHILANDRO SOFTWARE GMBH certificate.
Previously, AnyDesk discovered a cybersecurity incident had occurred and published an official public statement and subsequent FAQ. AnyDesk then updated the certificate used for their executables to ensure they are coming from an official source. This occurred in late 2023/early 2024.
3) TL.MP.001 - Detection of MimiKatz Tactics
TL.MP.001 will alert you if Mimikatz is running on the system.
Mimikatz is a collection of tools designed for exploiting the Windows operating system. One of Mimikatz’s most notable abilities is stealing passwords from computers using the MITRE ATT&CK technique Access Token Manipulation.
4) TL.EV.003 - Creation of a user account
TL.EV.003 monitors the Windows Event Log and alerts you if a user account is created.
The MITRE ATT&CK technique Create Account can serve as an Indicator of Compromise (IOC) as it enables attackers to establish persistence in a compromised system.
5) TL.EV.009 - Restart from SystemSettings
TL.EV.009 monitors the Windows Event Log and alerts you if the computer is restarted using systemsettings.exe.
Restarting a computer from systemsettings.exe can signal an attempt to disable security tools by booting into safe mode. This is considered an IOC and is logged under MITRE ATT&CK technique Impair Defenses: Safe Mode Boot.
6) TL.NC.002 - PowerShell communication with GitHub
TL.NC.002 monitors PowerShell and will alert you if it communicates with GitHub over the network.
Cloud APIs can be incredibly powerful and provide useful tools to administrators; however, the MITRE ATT&CK technique Command and Scripting Interpreter: Cloud API outlines how they can be used by attackers.
Important Note: This policy requires the EnableDriverDomainNameParsing option to be enabled.
7) TL.PAM.001 - Elevation of PowerShell
TL.PAM.001 monitors PowerShell executions and alerts you when PowerShell is elevated. Attackers will often attempt to elevate PowerShell to compromise a system, as described in MITRE ATT&CK technique Privilege Escalation.
8) TL.EV.007 - Disable Windows Defender RTP [5001]
TL.EV.007 monitors the Windows Event Log and alerts you if “Microsoft Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was disabled.”
Disabling or tampering with security software serves as a clear IOC as described in MITRE ATT&CK technique Impair Defenses: Disable or Modify Tools. Such actions signal potential malicious intent, as attackers often seek to undermine protective measures to facilitate their activities.
9) TL.EV.010 - Restart from MSConfig
TL.EV.010 monitors the Windows Event Log to determine if a computer has been rebooted using MSConfig. TL.EV.010 helps detect MITRE ATT&CK technique Impair Defenses: Safe Mode Boot. Booting into safe mode is a potential IOC because it disables most security tools.
10) TL.NC.003 - RegSvr32 communication with Internet
TL.NC.003 monitors RegSvr32 network connections and alerts you to any outbound traffic. TL.NC.003 helps detect MITRE ATT&CK technique Command and Scripting Interpreter: Cloud API. This can indicate that malware is attempting to mask its communication with the internet as a cloud API.
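As an added illustration of what the Windows Event Log and network policies above (TL.EV.001, TL.EV.003, TL.EV.007, TL.EV.010, TL.NC.002, TL.NC.003) actually match on, the following Python is a toy rule engine over constructed telemetry records; it is not ThreatLocker's code, and the event IDs it keys on are the standard Windows ones (1102 audit log cleared, 4720 account created, 5001 Defender real-time protection disabled, 1074 restart initiated by a process), with how the real policies match being an assumption.

```python
from dataclasses import dataclass

@dataclass
class Record:
    kind: str                 # "event" (Windows Event Log) or "net" (outbound connection)
    event_id: int = 0
    channel: str = ""         # event log channel, e.g. "Security"
    process: str = ""         # originating process (image path or name)
    dest: str = ""            # destination host or IP for "net" records

def _is_event(r, channel, event_id):
    return r.kind == "event" and r.channel == channel and r.event_id == event_id

def _github(host):
    # Exact or subdomain match only, so a lookalike such as notgithub.com stays silent;
    # needs DNS names in the telemetry (cf. the EnableDriverDomainNameParsing note above).
    return host == "github.com" or host.endswith(".github.com")

# (policy id, MITRE ATT&CK technique as named on this page, predicate)
POLICIES = [
    ("TL.EV.001", "Indicator Removal: Clear Windows Event Logs",
     lambda r: _is_event(r, "Security", 1102)),
    ("TL.EV.003", "Create Account",
     lambda r: _is_event(r, "Security", 4720)),
    ("TL.EV.007", "Impair Defenses: Disable or Modify Tools",
     lambda r: _is_event(r, "Microsoft-Windows-Windows Defender/Operational", 5001)),
    ("TL.EV.010", "Impair Defenses: Safe Mode Boot",
     lambda r: _is_event(r, "System", 1074) and "msconfig.exe" in r.process.lower()),
    ("TL.NC.002", "Command and Scripting Interpreter: Cloud API",
     lambda r: r.kind == "net" and r.process.lower() == "powershell.exe" and _github(r.dest)),
    ("TL.NC.003", "Command and Scripting Interpreter: Cloud API",
     lambda r: r.kind == "net" and r.process.lower() == "regsvr32.exe"),
]

def evaluate(records):
    """Return (policy id, technique, record) for every policy that fires on each record."""
    return [(pid, tech, r) for r in records for pid, tech, pred in POLICIES if pred(r)]

# Constructed sample telemetry; benign rows are included to show they do not fire.
SAMPLE = [
    Record("event", 1102, "Security"),
    Record("event", 4720, "Security"),
    Record("event", 4624, "Security"),                          # ordinary logon
    Record("event", 5001, "Microsoft-Windows-Windows Defender/Operational"),
    Record("event", 1074, "System", process=r"C:\Windows\System32\msconfig.exe"),
    Record("net", process="powershell.exe", dest="api.github.com"),
    Record("net", process="powershell.exe", dest="notgithub.com"),  # lookalike domain
    Record("net", process="regsvr32.exe", dest="203.0.113.10"),
]

def fired_ids(records=SAMPLE):
    return [pid for pid, _, _ in evaluate(records)]
```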
Runners-up for the top 10 ThreatLocker® policies of 2024:
- TL.EV.040 - Enable Store Passwords Using Reversible Encryption
- TL.SC.003 - Monitor Hosts File
- Permit Active Directory Ports – Inbound
- TL.NC.001 - RDC from Public IP
- Risk Detection: Login from Anonymized IP Address
- Block Social Media Access
- TL.EV.004 - Detection of Malware (Defender)
- Risk Detection: Attacker in the Middle
- Login to Disabled Account
To learn more about ThreatLocker Community policies, book a custom demo today.