Get-AppLockerEventlog – Script For Fetching Applocker Event Log By Parsing The Win-Event Log

January 24, 2023

62d0e102020d41282179f4c2acaf3d99ca8426a1dfb3e95a34bb6e756fcd87dc


This script will parse all the channels of events from the win-event log to extract all the log relatives to AppLocker. The script will gather all the important pieces of information relative to the events for forensic or threat-hunting purposes, or even in order to troubleshoot. Here are the logs we fetch from win-event:

  • EXE and DLL,
  • MSI and Script,
  • Packaged app-Deployment,
  • Packaged app-Execution.

The output:

  • The result will be displayed on the screen
    00e139c1c4f61553ceadf01c5f8ce903c9f8e3833258c4750ad6565da706c5db

  • And, The result will be saved to a csv file: AppLocker-log.csv

7bf146936d2c479e864bd9d33c0a9c122d26ea54a02c78646365c70348776d6d

The juicy and useful information you will get with this script are:

  • FileType,
  • EventID,
  • Message,
  • User,
  • Computer,
  • EventTime,
  • FilePath,
  • Publisher,
  • FileHash,
  • Package
  • RuleName,
  • LogName,
  • TargetUser.

PARAMETERS

HunType

This parameter specifies the type of events you are interested in, there are 04 values for this parameter:

1. All

This gets all the events of AppLocker that are interesting for threat-hunting, forensic or even troubleshooting. This is the default value.

.\Get-AppLockerEventlog.ps1 -HunType All

fcdcb18c6edb12326e5213b96c7233e3dd0a2380be4f655295eb7988a7679cd2

2. Block

This gets all the events that are triggered by the action of blocking an application by AppLocker, this type is critical for threat-hunting or forensics, and comes with high priority, since it indicates malicious attempts, or could be a good indicator of prior malicious activity in order to evade defensive mechanisms.

.\Get-AppLockerEventlog.ps1 -HunType Block |Format-Table -AutoSize

ab61f5b2682dbd6e620c086bbb67e84fe64aae9ed63e3ff621a5799d86465950

3. Allow

This gets all the events that are triggered by the action of Allowing an application by AppLocker. For threat-hunting or forensics, even the allowed applications should be monitored, in order to detect any possible bypass or configuration mistakes.

.\Get-AppLockerEventlog.ps1 -HunType Allow | Format-Table -AutoSize

48a990f542a784fbad8ff8fc935732338512f224806e6c581b6da64f4400e643

4. Audit

This gets all the events generated when AppLocker would block the application if the enforcement mode were enabled (Audit mode). For threat-hunting or forensics, this could indicate any configuration mistake, neglect from the admin to switch the mode, or even a malicious action that happened in the audit phase (tuning phase).

 .\Get-AppLockerEventlog.ps1 -HunType Audit

Resource

To better understand AppLocker :

Contributing

This project welcomes contributions and suggestions.



Original Source

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on Patreon using the button below

Digital Patreon Wordmark FieryCoralv2

To keep up to date follow us on the below channels.

join
Click Above for Telegram
discord
Click Above for Discord
reddit
Click Above for Reddit
hd linkedin
Click Above For LinkedIn

You may have missed

CISA Logo

CISA: Oracle Releases Quarterly Critical Patch Update Advisory for October 2024

November 17, 2024
CISA Logo

CISA: CISA Adds One Known Exploited Vulnerability to Catalog

November 17, 2024
CISA Logo

CISA: CISA Releases One Industrial Control Systems Advisory

November 17, 2024
CISA Logo

CISA: CISA Adds One Known Exploited Vulnerability to Catalog

November 17, 2024
CISA Logo

CISA: CISA Adds One Known Exploited Vulnerability to Catalog

November 17, 2024