AppLockerEventlog – Script For Fetching Applocker Event Log By Parsing The Win-Event Log

AVvXsEhi4MMvYJurLn0dsN6dh8oYjYID1 WaUVMvpqTGyjwAdUkm9OugY8 Cz3KicNXHHhMRT4 Scx b8iPl SKLYyNogpNyAWwvRThXhMA8SjYQoxa1zS6Img9NOHNZqc1orumI1kEwP6oIiIYKl6lPDTdg2Penw11UZmuV0PNe8TGGz7Kk80hxp 2wimjlrQ=w640 h258

This script will parse all the channels of events from the win-event log to extract all the log relatives to AppLocker. The script will gather all the important pieces of information relative to the events for forensic or threat-hunting purposes, or even in order to troubleshoot. Here are the logs we fetch from win-event:

  • EXE and DLL,
  • MSI and Script,
  • Packaged app-Deployment,
  • Packaged app-Execution.

The output:

AVvXsEjIvj6wuy7 6rA5s1cASxwAaCAzCJoEQZVxGYTCGF11mx4nk2u3 TYlu2PXxd0Dm6Rh hx62BPRQx8P4qneEmMyk2 8xal2Fige6aZeMBsSPz2BU6ncGsHqKIMhREcz61LbB3SPiNwY3O4KnkqySYqDEmRzLQcWM4kGCTHhdyW0QH5S9kdj8PGhWboU2g=w640 h262

The juicy and useful information you will get with this script are:

  • FileType,
  • EventID,
  • Message,
  • User,
  • Computer,
  • EventTime,
  • FilePath,
  • Publisher,
  • FileHash,
  • Package
  • RuleName,
  • LogName,
  • TargetUser.

PARAMETERS

HunType

This parameter specifies the type of events you are interested in, there are 04 values for this parameter:

1. All

This gets all the events of AppLocker that are interesting for threat-hunting, forensic or even troubleshooting. This is the default value.

.\Get-AppLockerEventlog.ps1 -HunType All

AVvXsEi6xiSf9iT51Esi9yN72 iKlQfLjqOYMPfn8EMHnaM8BpXtEUMGUxnkS4MQRd2IdlAQz9tSysiFRr5fYMMKnyWREufg A7q3AAnGugXgVxKVWv9nsxR8jdPAGIkbXcnOffAGkhBTV4gRZz0R1iTyjhYa2wCkGmmvQnzQkH0fCgd5UPq8RCNwJWIStgcng=w640 h162

2. Block

This gets all the events that are triggered by the action of blocking an application by AppLocker, this type is critical for threat-hunting or forensics, and comes with high priority, since it indicates malicious attempts, or could be a good indicator of prior malicious activity in order to evade defensive mechanisms.

.\Get-AppLockerEventlog.ps1 -HunType Block |Format-Table -AutoSize

AVvXsEgIhZ62jM57tuUacF yfE468e7OOiAQCHOR 47tB99pgYTTpNLqrweutzWjRrATJAXvH2gsngXtJqjvKCJtFZYSVjg ppeUhbVJ4lnkU6EMASSuIeQc9Uu2iPhPAfgLtVpCHBztwqkbyvLD0PbtjLVAAjRwz8r68TZIbz79oidiqY2urgMlcT3W7dOUlA=w640 h118

3. Allow

This gets all the events that are triggered by the action of Allowing an application by AppLocker. For threat-hunting or forensics, even the allowed applications should be monitored, in order to detect any possible bypass or configuration mistakes.

.\Get-AppLockerEventlog.ps1 -HunType Allow | Format-Table -AutoSize

AVvXsEhi4MMvYJurLn0dsN6dh8oYjYID1 WaUVMvpqTGyjwAdUkm9OugY8 Cz3KicNXHHhMRT4 Scx b8iPl SKLYyNogpNyAWwvRThXhMA8SjYQoxa1zS6Img9NOHNZqc1orumI1kEwP6oIiIYKl6lPDTdg2Penw11UZmuV0PNe8TGGz7Kk80hxp 2wimjlrQ=w640 h258

4. Audit

This gets all the events generated when AppLocker would block the application if the enforcement mode were enabled (Audit mode). For threat-hunting or forensics, this could indicate any configuration mistake, neglect from the admin to switch the mode, or even a malicious action that happened in the audit phase (tuning phase).

 .\Get-AppLockerEventlog.ps1 -HunType Audit

Resource

To better understand AppLocker :

Contributing

This project welcomes contributions and suggestions.

administrator

Leave a Reply

Your email address will not be published. Required fields are marked *

fb logo
recover dogecoin from a scam
recover ethereum from a scammer
hire a hacker to hack iphone
hire a hacker to hack snapchat
hire a hacker to hack a windows computer
error: Content is protected !!