This script parses every event channel of the Windows event log to extract all the AppLocker-related information. It collects the important details of each event, for forensics or threat hunting purposes and even for troubleshooting. Below is what we get from the Windows event log.
The result is saved to a CSV file: AppLocker-log.csv
The useful information you get from this script is:
- FileType
- EventID
- Message
- User
- Computer
- EventTime
- FilePath
- Publisher
- FileHash
- Package
- RuleName
- LogName
- TargetUser
This gets all AppLocker events, which matter for threat hunting, forensics and even troubleshooting. This is the default:
.\Get-AppLockerEventlog.ps1 -HunType All
This gets all events triggered by AppLocker blocking an application. This type is essential for threat hunting or forensics and has high priority, because it signals a malicious attempt, or can be a good indicator of earlier malicious activity that tried to evade the defence mechanism:
.\Get-AppLockerEventlog.ps1 -HunType Block | Format-Table -AutoSize
This gets all events triggered by AppLocker allowing an application. For threat hunting or forensics, even allowed applications should be monitored, to detect any possible bypass or misconfiguration:
.\Get-AppLockerEventlog.ps1 -HunType Allow | Format-Table -AutoSize
If the enforcement mode is set to audit only, this gets all events AppLocker generates when it would have blocked an application. For threat hunting or forensics this can reveal a misconfiguration, an administrator who forgot to switch the mode, or even malicious activity taking place during the audit (tuning) phase:
.\Get-AppLockerEventlog.ps1 -HunType Audit
https://github.com/RomaissaAdjailia/Get-AppLockerEventlog
# Get-AppLockerEventlog.ps1
# Parse every AppLocker event channel and export the fields that matter for
# forensics, threat hunting or troubleshooting to AppLocker-log.csv.

# Let's define the parameters
Param(
    [ValidateSet("All", "Block", "Allow", "Audit")]
    [String]
    $HunType = "All"
)

# Pick the AppLocker event IDs for the requested hunt type. Per channel
# (EXE and DLL / MSI and Script / Packaged app / Packaged app installation):
#   allowed = 8002, 8005, 8020, 8023
#   audited = 8003, 8006, 8021, 8024  (would have been blocked in enforce mode)
#   blocked = 8004, 8007, 8022, 8025
$filter = @{ LogName = "Microsoft-Windows-AppLocker/*" }
switch ($HunType) {
    "Block" {
        $filter.Id = 8004, 8007, 8022, 8025
        $header = " ======= This is the list of BLOCKED events of AppLocker. ======="
    }
    "Allow" {
        $filter.Id = 8002, 8005, 8020, 8023
        $header = " ======= This is the list of ALLOWED events of AppLocker. ======="
    }
    "Audit" {
        $filter.Id = 8003, 8006, 8021, 8024
        $header = " ======= This is the list of AUDITED events of AppLocker. ======="
    }
    default {
        $header = " ======= This is the list of ALL events of AppLocker. ======="
    }
}

$output = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # UserId is a property of the Get-WinEvent record and holds a SID; translate
    # it to an account name. Translation fails for SIDs this machine cannot
    # resolve (deleted or foreign accounts), so keep the raw SID in that case.
    $sid = $_.UserId
    if ($null -eq $sid) {
        $user = "N/A"
    } else {
        try   { $user = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $user = $sid.Value }
    }

    # Most of the information we need is not exposed as record properties, so
    # convert the event to XML and take its <Event> node. It has two main
    # children, <System> and <UserData>; everything interesting in <UserData>
    # sits under the child <RuleAndFileData>.
    $eventXml = ([xml]$_.ToXml()).Event
    $data = $eventXml.UserData.RuleAndFileData

    # Collect the fields we care about in an ordered hashtable so the CSV
    # columns keep this order.
    $evt = [ordered]@{
        FileType   = $data.PolicyName
        EventID    = $eventXml.System.EventID
        Message    = $_.Message
        User       = $user
        Computer   = $eventXml.System.Computer
        EventTime  = [DateTime]$eventXml.System.TimeCreated.SystemTime
        #RuleSddl  = $data.RuleSddl
        FilePath   = $data.FilePath
        Publisher  = $data.Fqbn
        FileHash   = $data.FileHash
        Package    = $data.Package
        RuleName   = $data.RuleName
        LogName    = $eventXml.System.Channel
        TargetUser = $data.TargetUser
    }
    # Emit each event as a custom PowerShell object so it displays and exports cleanly.
    [PSCustomObject]$evt
}

# Display the output on screen
Write-Host "`n$header" -ForegroundColor Magenta
if (-not $output) {
    Write-Host "No matching AppLocker events were found." -ForegroundColor Yellow
}
$output

# Export the output to a CSV file
$output | Export-Csv AppLocker-log.csv -NoTypeInformation
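The following is an added example, not part of Get-AppLockerEventlog.ps1 or the linked repository. It shows the two things the script relies on: how the <System> / <UserData> / <RuleAndFileData> nodes of an AppLocker event map onto the columns listed above, and how the event IDs behind -HunType split into allowed, audited and blocked outcomes. It runs on constructed sample events (placeholder host name, SID, timestamp, hash and paths) so it can be executed on any machine without AppLocker; the function names ConvertFrom-AppLockerEventXml, Get-AppLockerHuntSummary and New-SampleAppLockerEvent are my own. The ID table also lists 8025 (packaged app installation blocked), which Microsoft documents alongside the IDs the script uses.

```powershell
# AppLocker event IDs as documented by Microsoft, grouped by outcome.
# 8025 (packaged app installation blocked) completes the Block set.
$AppLockerOutcome = @{
    8002 = 'Allowed'; 8003 = 'Audited'; 8004 = 'Blocked'   # EXE and DLL
    8005 = 'Allowed'; 8006 = 'Audited'; 8007 = 'Blocked'   # MSI and Script
    8020 = 'Allowed'; 8021 = 'Audited'; 8022 = 'Blocked'   # Packaged app execution
    8023 = 'Allowed'; 8024 = 'Audited'; 8025 = 'Blocked'   # Packaged app installation
}

function ConvertFrom-AppLockerEventXml {
    # Flattens one event's XML (the string EventLogRecord.ToXml() returns) into an object.
    param([Parameter(Mandatory)][string]$Xml)

    $evt  = ([xml]$Xml).Event                  # dot navigation ignores the xmlns
    $data = $evt.UserData.RuleAndFileData
    # <EventID> is plain text for manifest providers such as AppLocker; classic
    # providers add a Qualifiers attribute, which turns the node into an XmlElement.
    $idNode = $evt.System.EventID
    $id = [int]$(if ($idNode -is [System.Xml.XmlElement]) { $idNode.InnerText } else { $idNode })

    [pscustomobject]@{
        Outcome    = $(if ($AppLockerOutcome.ContainsKey($id)) { $AppLockerOutcome[$id] } else { 'Other' })
        EventID    = $id
        FileType   = $data.PolicyName
        EventTime  = [datetime]$evt.System.TimeCreated.SystemTime
        Computer   = $evt.System.Computer
        LogName    = $evt.System.Channel
        FilePath   = $data.FilePath
        Publisher  = $data.Fqbn
        FileHash   = $data.FileHash
        RuleName   = $data.RuleName
        TargetUser = $data.TargetUser
    }
}

function Get-AppLockerHuntSummary {
    # Mirrors the script's -HunType switch: keep one outcome (or all) and count
    # events per outcome, policy, path and publisher. Unsigned files carry Publisher '-'.
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [ValidateSet('All', 'Block', 'Allow', 'Audit')][string]$HunType = 'All'
    )
    $wanted = @{ Block = 'Blocked'; Allow = 'Allowed'; Audit = 'Audited' }
    $set = if ($HunType -eq 'All') { $Events } else { $Events | Where-Object { $_.Outcome -eq $wanted[$HunType] } }
    $set | Group-Object Outcome, FileType, FilePath, Publisher | ForEach-Object {
        [pscustomobject]@{
            Count     = $_.Count
            Outcome   = $_.Group[0].Outcome
            FileType  = $_.Group[0].FileType
            FilePath  = $_.Group[0].FilePath
            Publisher = $_.Group[0].Publisher
        }
    } | Sort-Object Count -Descending
}

function New-SampleAppLockerEvent {
    # Constructed event XML for offline runs; host name, SID, time and hash are placeholders.
    param([int]$Id, [string]$Policy, [string]$Channel, [string]$Path, [string]$Fqbn)
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>$Id</EventID>
    <TimeCreated SystemTime="2024-01-15T09:30:00.0000000Z" />
    <Channel>$Channel</Channel>
    <Computer>ws01.example.local</Computer>
  </System>
  <UserData>
    <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
      <PolicyName>$Policy</PolicyName>
      <RuleName>-</RuleName>
      <TargetUser>S-1-5-21-1111-2222-3333-1001</TargetUser>
      <FilePath>$Path</FilePath>
      <FileHash>0000000000000000000000000000000000000000000000000000000000000000</FileHash>
      <Fqbn>$Fqbn</Fqbn>
    </RuleAndFileData>
  </UserData>
</Event>
"@
}

# Constructed sample: one repeated block, one audit hit, one allowed signed binary.
$exe = 'Microsoft-Windows-AppLocker/EXE and DLL'
$signed = 'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT WINDOWS OPERATING SYSTEM\NOTEPAD.EXE\10.0.0.0'
$sampleXml = @(
    (New-SampleAppLockerEvent -Id 8004 -Policy 'EXE' -Channel $exe -Path '%OSDRIVE%\USERS\ALICE\DOWNLOADS\TOOL.EXE' -Fqbn '-'),
    (New-SampleAppLockerEvent -Id 8004 -Policy 'EXE' -Channel $exe -Path '%OSDRIVE%\USERS\ALICE\DOWNLOADS\TOOL.EXE' -Fqbn '-'),
    (New-SampleAppLockerEvent -Id 8003 -Policy 'EXE' -Channel $exe -Path '%OSDRIVE%\TEMP\UPDATER.EXE' -Fqbn '-'),
    (New-SampleAppLockerEvent -Id 8002 -Policy 'EXE' -Channel $exe -Path '%WINDIR%\SYSTEM32\NOTEPAD.EXE' -Fqbn $signed)
)
$events = $sampleXml | ForEach-Object { ConvertFrom-AppLockerEventXml $_ }

Get-AppLockerHuntSummary -Events $events -HunType All | Format-Table -AutoSize
# On an AppLocker-enabled host the same parser runs over live records:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/*' } |
#       ForEach-Object { ConvertFrom-AppLockerEventXml $_.ToXml() }
```

On an AppLocker-enabled host, replace the sample with live records (the commented Get-WinEvent lines at the end). Running the summary with -HunType Audit is the quickest way to see which files, and in particular which unsigned files (Publisher '-'), would start being blocked once the policy is switched from audit to enforce, which is exactly the misconfiguration and tuning-phase activity the Audit mode section above describes.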
Originally published on the WeChat official account Khan安全攻防实验室: Getting the AppLocker event log by parsing the Windows event log