Freigeben über


AppLockerLet continued…

In my previous post I mentioned that AppLockerLet reads from the Event Viewer using Get-AppLockerFileInformation to determine which .exe, .dll, .msi or script has been blocked by policy. For any blocked application log entry that it finds in the Event Log it’ll display it in the UI which allows you to select a particular blocked app and create a local AppLocker rule and merge this newly created rule with the current rule set.

What AppLockerLet is doing programmatically is the following:

1. Imports the AppLocker PowerShell Module (Import-Module AppLocker)

2. Queries the AppLocker Event Logs to determine app that where blocked.

3. For each blocked app determines the file location using FilePath and signing certificate information gleaned from the event log

4. From the FilePath it’ll query the binary itself to grab the file hash, again using Get-AppLockerFileInformation

 Get-AppLockerFileInformation -path "C:\ test.msi"

5. For the selected application – It’ll create an AppLocker rule, leveraging New-AppLockerPolicy, setting the rule type to create a hash rule, then path (if the hash information cannot be pulled for some reason).

 New-AppLockerPolicy -user Everyone -ruletype hash, path

6. Finally, it’ll set the AppLocker policy, using Set-AppLockerPolicy, for the specified local rule, and specify it to merge as to not overwrite any other local AppLocker rules.

 Set-AppLockerPolicy –merge

Some notes on the tool – Since the UI is written in managed code it requires .Net Framework 3.5 sp1. Also to create the local AppLocker rules, you’ll need to have administrator privileges. Also AppLockerLet will need to have a corresponding AppLocker allow rule created, so that it will not be blocked via policy.

AppLockerLet is not officially supported. AppLockerLet is solely meant as a demonstrational application to show an example of how one can wrap the AppLocker cmdlet functionality into something that can help automate a part of the AppLocker maintenance workflow.

Special thanks goes out To Brian Wishan for helping with the development of AppLockerLet.

Finally, you can download AppLockerLet from the link below.

 

AppLockerLet.zip