The Get-AppLockerEventlog script parses every AppLocker channel of the Windows event log and extracts the entries that relate to AppLocker. It gathers the pieces of information about each event that matter for forensics, threat hunting, or plain troubleshooting. These are the channels it reads from the Windows event log:
- EXE and DLL,
- MSI and Script,
- Packaged app-Deployment,
- Packaged app-Execution.
The output:
- The result is displayed on the screen
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKh0H15QuNql1fHwqTY9K6OxkKGwHv6r7ZxYQFsnFWdmD0Jgse-37NcWhqP5btbAklNBwS4H35H6hj5zQESLSWSbOa_DHdhj0viXqyx6fXGUKU57FM99DM9hEdbco_QaLUJxpfc1zcmE0CvceMgChTN694GhbGzqsM8O8vYWFJ5afUlyKmO4bE6Log/s16000/All-1.png)
- The result is also saved to a CSV file: AppLocker-log.csv
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNda4G8D4aRia7LJAyoc0BXM-NSWO4OBgEG2fYvPtYqw0Khd6G0ELDnsN_iauk4KUcnPkaKvprrRGoHxzZa_UXq20RZ6TLQYEZc96FUJ9Ix2037MBYQYJpAu5Ly3ljC3rMIvRsf-DSKzLBWWYGStjApPuZRL7VC5e36CvVb_EQGMwl-Kb0pZSUOa15/s16000/csv.png)
The juicy and useful fields you get from this script are:
- FileType,
- EventID,
- Message,
- User,
- Computer,
- EventTime,
- FilePath,
- Publisher,
- FileHash,
- Package,
- RuleName,
- LogName,
- TargetUser.
PARAMETERS
HunType
This parameter specifies the type of events you are interested in. It accepts four values:
1. All
This gets all the events of AppLocker that are interesting for threat-hunting, forensic or even troubleshooting. This is the default value.
.\Get-AppLockerEventlog.ps1 -HunType All
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaemdrTGaLAIzkyEiXXP-eix4W2OcN9VbqRo0yS0_pal_9Rkf_Bc4tRdqAOx0fGiyP5k-fDezDgbWsC5qeTFLJhfag2zr_5ra2MtEzklBCU6_6D-ROlPdxsnxWhSV0os_nDJiKSULOZWGNze36xSYXGnF-_5rwE8M-i9XU6x2xqE8ioqS_NdJICSLT/s16000/All-2.png)
2. Block
This gets all the events triggered when AppLocker blocks an application. This type is critical for threat hunting and forensics and should be treated as high priority, since it indicates a malicious attempt, or can be a good indicator of earlier malicious activity aimed at evading defensive mechanisms.
.\Get-AppLockerEventlog.ps1 -HunType Block | Format-Table -AutoSize
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh15AhMMk9dkwHuECOVnKfyRCzILMi1gvunhJ-utLK5jO0qWd7nDh2gODe6QnlKzdJiO2G5AvYlEdnE-6Os6sVNlT6twGBLYKWYNuSJjDw7hLlb4bgD9EKvoE4bVAIb80nYjMGrVHb11DH2ymcfHQ8Owf06pSWzcFTcTx9cC1lTxj2UcQxvBM-93rBp/s16000/Block-1.png)
3. Allow
This gets all the events triggered when AppLocker allows an application. For threat hunting or forensics, even allowed applications should be monitored, in order to detect a possible bypass or a configuration mistake.
.\Get-AppLockerEventlog.ps1 -HunType Allow | Format-Table -AutoSize
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOc-HOOLWtG_gW24aBA5yjAjYz6O_sJcvdKj6nUebkk1ajl-b3K-aiJAdOcPREfvUqZjIEvGF8_1_OF8D-7u15qNHCxx64r7Cm_seVwUcQuAP2e-nuyO-E5ObqweyP8PvRTv9ye1qtpVXHEOn8zWnfwyuaVFcS3-ZEjnkjWin1wmpNeTHFfGMfYGvo/s16000/Allow-1.png)
4. Audit
This gets all the events generated when AppLocker would have blocked the application had enforcement been enabled (Audit mode). For threat hunting or forensics, these events can reveal a configuration mistake, an admin who neglected to switch the policy to enforcement, or even malicious activity that took place during the audit (tuning) phase.
.\Get-AppLockerEventlog.ps1 -HunType Audit
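The following is an added example, written for this page and not the project's Get-AppLockerEventlog.ps1 script itself, showing how the four HunType values map onto the four AppLocker channels and their event IDs, and how the fields listed above (FilePath, FileHash, Publisher, Package, RuleName, TargetUser) are pulled out of each event's XML. The event-ID-to-outcome table and the UserData/RuleAndFileData payload layout are Microsoft's documented AppLocker event format; the script assumes it runs with permission to read the local event log, and the SID-to-name translation is an addition of this example (the page's own script may resolve the user differently).

```powershell
# Added example: reads the four AppLocker channels, keeps only the events matching
# -HunType, and flattens each event's payload into the fields a hunter cares about.
param(
    [ValidateSet('All', 'Block', 'Allow', 'Audit')]
    [string]$HunType = 'All'
)

$Channels = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script',
    'Microsoft-Windows-AppLocker/Packaged app-Deployment',
    'Microsoft-Windows-AppLocker/Packaged app-Execution'
)

# Documented AppLocker event IDs: one Allow/Audit/Block triple per channel.
$Outcome = @{
    8002 = 'Allow'; 8003 = 'Audit'; 8004 = 'Block'   # EXE and DLL
    8005 = 'Allow'; 8006 = 'Audit'; 8007 = 'Block'   # MSI and Script
    8020 = 'Allow'; 8021 = 'Audit'; 8022 = 'Block'   # Packaged app-Deployment
    8023 = 'Allow'; 8024 = 'Audit'; 8025 = 'Block'   # Packaged app-Execution
}

# 'All' keeps every ID above; otherwise keep only the IDs whose outcome matches.
$WantedIds = @($Outcome.Keys | Where-Object { $HunType -eq 'All' -or $Outcome[$_] -eq $HunType })

function Resolve-Sid {
    # Best-effort SID -> account name; unknown or deleted accounts keep the raw SID.
    param([string]$Sid)
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

$Results = foreach ($Channel in $Channels) {
    # SilentlyContinue: an empty channel raises "No events were found", which is not an error here.
    $Events = Get-WinEvent -FilterHashtable @{ LogName = $Channel; Id = $WantedIds } -ErrorAction SilentlyContinue
    foreach ($Event in $Events) {
        $Xml = [xml]$Event.ToXml()
        # AppLocker writes its payload under <UserData><RuleAndFileData>; fall back to
        # <EventData><Data Name=...> so the loop also copes with the generic layout.
        $Data = @{}
        if ($Xml.Event.UserData) {
            foreach ($Node in $Xml.Event.UserData.FirstChild.ChildNodes) { $Data[$Node.Name] = $Node.InnerText }
        } else {
            foreach ($Node in $Xml.Event.EventData.ChildNodes) { $Data[$Node.GetAttribute('Name')] = $Node.InnerText }
        }
        [PSCustomObject]@{
            FileType   = $Data['PolicyName']          # EXE, DLL, MSI, SCRIPT, APPX ...
            EventID    = $Event.Id
            Outcome    = $Outcome[$Event.Id]          # Allow / Audit / Block
            Message    = $Event.Message
            User       = Resolve-Sid $Data['TargetUser']
            Computer   = $Event.MachineName
            EventTime  = $Event.TimeCreated
            FilePath   = $Data['FilePath']
            Publisher  = $Data['Fqbn']                # fully qualified binary name: publisher\product\file\version
            FileHash   = $Data['FileHash']
            Package    = $Data['Package']             # only present on Packaged app events
            RuleName   = $Data['RuleName']
            LogName    = $Event.LogName
            TargetUser = $Data['TargetUser']          # raw SID as logged
        }
    }
}

$Results | Sort-Object EventTime -Descending | Format-Table -AutoSize
$Results | Export-Csv -Path .\AppLocker-log.csv -NoTypeInformation
```

Block events (8004, 8007, 8022, 8025) are the ones to triage first, exactly as the section above says; sorting by EventTime and grouping on FilePath or Publisher quickly shows whether a blocked binary was tried repeatedly or from several paths, which is the pattern that distinguishes an evasion attempt from a one-off user mistake.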
Resource
To better understand AppLocker: