Get AppLocker event logs by parsing win-event logs

admin, February 6, 2023, 09:34:33

This script parses every event channel of the Windows event log (win-event) to extract all the log information related to AppLocker. It collects every important detail of those events for forensics or threat hunting, or even for troubleshooting. The original post shows the events obtained from win-event in a screenshot.

The results are saved to a CSV file: AppLocker-log.csv

The useful information you get from this script is:

  • FileType,
  • EventID,
  • Message,
  • User,
  • Computer,
  • EventTime,
  • FilePath,
  • Publisher,
  • FileHash,
  • Package,
  • RuleName,
  • LogName,
  • TargetUser.


This fetches all AppLocker events, which matter for threat hunting, forensics and even troubleshooting. This is the default.

.\Get-AppLockerEventlog.ps1 -HunType All

This fetches all events triggered by AppLocker blocking an application. This type is critical for threat hunting or forensics and has high priority, because it indicates a malicious attempt, or can be a good indicator of earlier malicious activity trying to evade the defense mechanisms.

.\Get-AppLockerEventlog.ps1 -HunType Block | Format-Table -AutoSize

This fetches all events triggered by AppLocker allowing an application. For threat hunting or forensics, even allowed applications should be monitored, to detect any possible bypass or misconfiguration.

.\Get-AppLockerEventlog.ps1 -HunType Allow | Format-Table -AutoSize

If the enforcement mode is set to Audit only, this fetches all events AppLocker generates for applications it would have blocked had the policy been enforced. For threat hunting or forensics, these can reveal a misconfiguration, an administrator's oversight in switching modes, or even malicious activity that took place during the audit (tuning) phase.

.\Get-AppLockerEventlog.ps1 -HunType Audit


https://github.com/RomaissaAdjailia/Get-AppLockerEventlog


# Get-AppLockerEventlog.ps1
# -HunType selects which AppLocker events to collect: All (default), Block, Allow or Audit.
Param(
    [ValidateSet("All", "Block", "Allow", "Audit")]
    [String] $HunType = "All"
)

# Event IDs per hunt type. 8002-8004: EXE and DLL; 8005-8007: MSI and Script; 8020-8022: packaged app
# execution; 8023-8025: packaged app installation (allowed / audited / blocked within each group).
# Note: 8025 is the blocked packaged-app installation; 8024 is its audit-mode counterpart.
switch ($HunType) {
    All   { $ids = $null;                  $header = " ======= This is the list of ALL events of Applocker.=======" }
    Block { $ids = 8004, 8007, 8022, 8025; $header = " ======= This is the list of BLOCKED events of Applocker.=======" }
    Allow { $ids = 8002, 8005, 8020, 8023; $header = " ======= This is the list of ALLOWED events of Applocker.=======" }
    Audit { $ids = 8003, 8006, 8021, 8024; $header = " ======= This is the list of Audited events of Applocker.=======" }
}
$filter = @{ LogName = "Microsoft-Windows-AppLocker/*" }
if ($ids) { $filter.Id = $ids }

$output = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # UserId is a SID; translate it to an account name, falling back to the raw SID if it cannot be resolved.
    if ($null -eq $_.UserId) { $user = "N/A" }
    else {
        try   { $user = $_.UserId.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $user = $_.UserId.Value }
    }
    # Most fields are not exposed as properties of Get-WinEvent, so read the event XML:
    # <System> holds the metadata, <UserData><RuleAndFileData> holds the AppLocker-specific fields.
    $eventXml = ([xml]$_.ToXml()).Event
    $data     = $eventXml.UserData.RuleAndFileData
    # Ordered hashtable so the column order is stable on screen and in the CSV.
    $evt = [ordered]@{
        FileType   = $data.PolicyName
        EventID    = $eventXml.System.EventID
        Message    = $_.Message
        User       = $user
        Computer   = $eventXml.System.Computer
        EventTime  = [DateTime]$eventXml.System.TimeCreated.SystemTime
        #RuleSddl  = $data.RuleSddl
        FilePath   = $data.FilePath
        Publisher  = $data.Fqbn
        FileHash   = $data.FileHash
        Package    = $data.Package
        RuleName   = $data.RuleName
        LogName    = $eventXml.System.Channel
        TargetUser = $data.TargetUser
    }
    # Emit a custom object so the data is usable in the pipeline and displays clearly.
    [PsCustomObject]$evt
}

# Display the output to the screen
Write-Host "`n $header" -ForegroundColor Magenta
$output
# Export the output to a CSV file
$output | Export-Csv AppLocker-log.csv -NoTypeInformation
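The script runs Get-WinEvent on a live host. The same extraction can be done offline on a forensic workstation from event XML exported with `wevtutil qe "Microsoft-Windows-AppLocker/EXE and DLL" /f:xml` (one `<Event>` element per event, in the same layout that `ToXml()` returns). The following Python is an added example, not the script from the repository linked above: it parses that XML by local element name (the `<System>` and `<RuleAndFileData>` nodes live in different namespaces), sorts events into the same All/Block/Allow/Audit buckets as -HunType using the AppLocker event IDs, and adds the two triage checks the hunt-type descriptions call for: unsigned files that were blocked (or, in audit mode, would have been), and files allowed from user-writable locations, which point at a bypass or an over-broad path rule. The sample events, hashes, SIDs, host name and the USER_WRITABLE prefix list are constructed assumptions, not real logs.

```python
"""Offline triage of AppLocker event XML. Added example: the sample events below are constructed."""
import xml.etree.ElementTree as ET
from collections import Counter

# AppLocker event IDs as documented by Microsoft, by channel: allowed / audited / blocked.
VERDICT = {8002: "Allow", 8003: "Audit", 8004: "Block",   # EXE and DLL
           8005: "Allow", 8006: "Audit", 8007: "Block",   # MSI and Script
           8020: "Allow", 8021: "Audit", 8022: "Block",   # Packaged app execution
           8023: "Allow", 8024: "Audit", 8025: "Block"}   # Packaged app installation
HUNT_TYPES = {"All": None, "Block": "Block", "Allow": "Allow", "Audit": "Audit"}  # script's -HunType
# AppLocker path variables for locations a standard user can write to (assumed list for triage).
USER_WRITABLE = ("%OSDRIVE%\\USERS\\", "%OSDRIVE%\\TEMP\\", "%OSDRIVE%\\PROGRAMDATA\\", "%REMOVABLE%")


def _local(tag):
    """Drop the namespace: <System> and <RuleAndFileData> children use different namespaces."""
    return tag.rsplit("}", 1)[-1]


def parse_events(xml_text):
    """Parse concatenated <Event> elements (the shape `wevtutil qe ... /f:xml` prints) into
    flat records carrying the same fields the PowerShell script reads via ToXml()."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    records = []
    for event in root:
        top = {_local(c.tag): c for c in event}
        system = {_local(c.tag): c for c in top["System"]}
        data = {}
        for container in top.get("UserData", []):            # <RuleAndFileData>
            for field in container:
                data[_local(field.tag)] = (field.text or "").strip()
        event_id = int(system["EventID"].text)
        security = system.get("Security")
        records.append({
            "FileType": data.get("PolicyName", ""),
            "EventID": event_id,
            "Verdict": VERDICT.get(event_id, "Unknown"),
            "User": security.get("UserID", "N/A") if security is not None else "N/A",
            "Computer": system["Computer"].text,
            "EventTime": system["TimeCreated"].get("SystemTime"),
            "FilePath": data.get("FilePath", ""),
            "Publisher": data.get("Fqbn", ""),
            "FileHash": data.get("FileHash", ""),
            "Package": data.get("Package", ""),
            "RuleName": data.get("RuleName", ""),
            "LogName": system["Channel"].text,
            "TargetUser": data.get("TargetUser", ""),
        })
    return records


def hunt(records, hun_type="All"):
    """Filter like the script's -HunType switch (All, Block, Allow, Audit)."""
    verdict = HUNT_TYPES[hun_type]
    return [r for r in records if verdict is None or r["Verdict"] == verdict]


def summarize(records):
    """Counts per verdict, unsigned files that were (or in audit mode would have been) blocked,
    and files allowed from user-writable paths, which usually means an over-broad path rule."""
    denied = [r for r in records if r["Verdict"] in ("Block", "Audit") and r["FilePath"]]
    return {
        "counts": dict(Counter(r["Verdict"] for r in records)),
        "unsigned_denied": sorted(r["FilePath"] for r in denied if r["Publisher"] == "-"),
        "allowed_from_user_paths": sorted(
            r["FilePath"] for r in records
            if r["Verdict"] == "Allow" and r["FilePath"].upper().startswith(USER_WRITABLE)),
    }


def _sample(event_id, channel, fields, sid="S-1-5-21-1000-1000-1000-1104"):
    """One constructed event in the real AppLocker event XML layout (sample data, not real logs)."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in fields.items())
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
            f'<Provider Name="Microsoft-Windows-AppLocker"/><EventID>{event_id}</EventID>'
            '<TimeCreated SystemTime="2023-02-06T09:34:33.000000000Z"/>'
            f'<Channel>{channel}</Channel><Computer>WS01.example.test</Computer>'
            f'<Security UserID="{sid}"/></System><UserData><RuleAndFileData '
            'xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">'
            f'{body}</RuleAndFileData></UserData></Event>')


EXE_LOG = "Microsoft-Windows-AppLocker/EXE and DLL"
SCRIPT_LOG = "Microsoft-Windows-AppLocker/MSI and Script"
APPX_LOG = "Microsoft-Windows-AppLocker/Packaged app-Deployment"
SAMPLE_XML = "".join([   # constructed: one block, two allows, one script audit, one packaged-app audit
    _sample(8004, EXE_LOG, {"PolicyName": "EXE", "RuleName": "-", "Fqbn": "-",
                            "FilePath": r"%OSDRIVE%\USERS\ALICE\DOWNLOADS\TOOL.EXE", "FileHash": "HASH-1"}),
    _sample(8002, EXE_LOG, {"PolicyName": "EXE", "RuleName": "(Default Rule) Windows folder",
                            "Fqbn": r"O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\NOTEPAD\NOTEPAD.EXE\10.0.19041.1",
                            "FilePath": r"%SYSTEM32%\NOTEPAD.EXE", "FileHash": "HASH-2"}),
    _sample(8002, EXE_LOG, {"PolicyName": "EXE", "RuleName": "Allow Temp (constructed path rule)", "Fqbn": "-",
                            "FilePath": r"%OSDRIVE%\USERS\BOB\APPDATA\LOCAL\TEMP\UPDATER.EXE", "FileHash": "HASH-3"}),
    _sample(8006, SCRIPT_LOG, {"PolicyName": "SCRIPT", "RuleName": "-", "Fqbn": "-",
                               "FilePath": r"%OSDRIVE%\TEMP\SETUP.PS1", "FileHash": "HASH-4"}),
    _sample(8024, APPX_LOG, {"PolicyName": "APPX", "RuleName": "-", "Fqbn": r"CN=CONTOSO\CONTOSO.DEMOAPP\1.0.0.0",
                             "Package": "CONTOSO.DEMOAPP_1.0.0.0_X64__CONSTRUCTED"}),
])

if __name__ == "__main__":
    events = parse_events(SAMPLE_XML)
    for row in hunt(events, "Block"):
        print(row["EventID"], row["User"], row["FilePath"] or row["Package"])
    print(summarize(events))
```

Packaged-app events carry a Package name instead of a FilePath, so the summary keys on FilePath only where one exists; the Unknown verdict is kept rather than dropped so a new or unexpected event ID still shows up in the counts.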



Originally published on the WeChat public account Khan安全攻防实验室: Get AppLocker event logs by parsing win-event logs

  • When reposting, please keep the link to this article (CN-SEC中文网: thanks to the original author for their work):
    Get AppLocker event logs by parsing win-event logs https://cn-sec.com/archives/1538864.html
