
Retrieving AppLocker event logs by parsing Windows event logs

Author: Khan安全团队
Published 2023-02-23 14:47:31

This script parses every AppLocker event channel in the Windows event log and extracts all AppLocker-related information. It collects every important field of each event, for forensics, threat hunting, or even troubleshooting. The channels we read from the Windows event log are:

  • EXE and DLL
  • MSI and Script
  • Packaged app-Deployment
  • Packaged app-Execution

The results are saved to a CSV file: AppLocker-log.csv

The useful fields you get from this script are:

  • FileType
  • EventID
  • Message
  • User
  • Computer
  • EventTime
  • FilePath
  • Publisher
  • FileHash
  • Package
  • RuleName
  • LogName
  • TargetUser

This retrieves all AppLocker events, which are important for threat hunting, forensics, and even troubleshooting. It is the default.

.\Get-AppLockerEventlog.ps1 -HunType All

This retrieves all events triggered when AppLocker blocked an application. This type is essential for threat hunting or forensics and has high priority, because it indicates a malicious attempt, or may be a good indicator of earlier malicious activity that tried to evade the defense mechanism.

.\Get-AppLockerEventlog.ps1 -HunType Block | Format-Table -AutoSize

This retrieves all events triggered when AppLocker allowed an application. For threat hunting or forensics, even allowed applications should be monitored, to detect any possible bypass or misconfiguration.

.\Get-AppLockerEventlog.ps1 -HunType Allow | Format-Table -AutoSize

If enforcement is set to audit mode, this retrieves all events AppLocker generates for applications it would have blocked. For threat hunting or forensics, these may reveal a misconfiguration, an administrator who forgot to switch modes, or even malicious activity that occurred during the audit (tuning) phase.

.\Get-AppLockerEventlog.ps1 -HunType Audit
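The four modes above each answer one question (what was blocked, what was allowed, what would have been blocked). The following triage pass, an added example that is not part of the original post or of the Get-AppLockerEventlog project, shows what a hunter typically does next with rows shaped like the script's AppLocker-log.csv output: classify each row by outcome using Microsoft's documented AppLocker event IDs (where 8024 is the audit event for packaged app installation and 8025 the corresponding block), group repeated blocks per user and file, flag allowed executions from locations outside the AppLocker default trusted roots, and list audit-only events. All records, user names, hosts and paths are constructed placeholders; the trusted-root list and the helper names are this example's own assumptions.

```powershell
# Added example, not part of the original post or the Get-AppLockerEventlog project:
# triage rows shaped like the script's AppLocker-log.csv output. All records below
# are CONSTRUCTED sample data; users, hosts and file paths are placeholders.
$records = @(
    [PSCustomObject]@{ EventID = 8004; User = 'CORP\alice'; FilePath = '%OSDRIVE%\USERS\ALICE\DOWNLOADS\SETUP.EXE';        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL' }
    [PSCustomObject]@{ EventID = 8004; User = 'CORP\alice'; FilePath = '%OSDRIVE%\USERS\ALICE\DOWNLOADS\SETUP.EXE';        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL' }
    [PSCustomObject]@{ EventID = 8002; User = 'CORP\bob';   FilePath = '%PROGRAMFILES%\EXAMPLE\APP.EXE';                  LogName = 'Microsoft-Windows-AppLocker/EXE and DLL' }
    [PSCustomObject]@{ EventID = 8002; User = 'CORP\bob';   FilePath = '%OSDRIVE%\USERS\BOB\APPDATA\LOCAL\TEMP\TOOL.EXE'; LogName = 'Microsoft-Windows-AppLocker/EXE and DLL' }
    [PSCustomObject]@{ EventID = 8006; User = 'CORP\carol'; FilePath = '%OSDRIVE%\USERS\CAROL\DESKTOP\RUN.PS1';          LogName = 'Microsoft-Windows-AppLocker/MSI and Script' }
)

# Microsoft's documented AppLocker event IDs, grouped by outcome.
$outcomeIds = @{
    Allow = 8002, 8005, 8020, 8023
    Audit = 8003, 8006, 8021, 8024
    Block = 8004, 8007, 8022, 8025
}

function Get-AppLockerOutcome {
    param([Parameter(Mandatory)][int]$EventID)
    foreach ($name in $outcomeIds.Keys) {
        if ($outcomeIds[$name] -contains $EventID) { return $name }
    }
    return 'Other'
}

# AppLocker path variables for locations a standard user cannot normally write to
# (assumption of this example). An *allowed* run from anywhere else deserves a look:
# either a rule is broader than intended or the default rules were extended without review.
$trustedRoots = '%WINDIR%\', '%SYSTEM32%\', '%PROGRAMFILES%\'

function Test-TrustedPath {
    param([Parameter(Mandatory)][string]$FilePath)
    foreach ($root in $trustedRoots) {
        if ($FilePath.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Attach the outcome to every row once, then slice the same set three ways.
$classified = $records | Select-Object *, @{ n = 'Outcome'; e = { Get-AppLockerOutcome $_.EventID } }

"== Blocked executions, grouped so repeated attempts by one user on one file stand out =="
$classified | Where-Object Outcome -eq 'Block' |
    Group-Object User, FilePath |
    Select-Object Count, @{ n = 'User'; e = { $_.Group[0].User } }, @{ n = 'FilePath'; e = { $_.Group[0].FilePath } } |
    Sort-Object Count -Descending | Format-Table -AutoSize

"== Allowed executions outside trusted roots (possible over-broad rule or misconfiguration) =="
$classified | Where-Object { $_.Outcome -eq 'Allow' -and -not (Test-TrustedPath $_.FilePath) } |
    Format-Table User, FilePath, LogName -AutoSize

"== Audit-only events: would have been blocked had enforcement been on =="
$classified | Where-Object Outcome -eq 'Audit' |
    Format-Table User, FilePath, LogName -AutoSize
```

To run it against real output, replace the `$records` literal with `Import-Csv AppLocker-log.csv`; the column names match the script's CSV, and `EventID` is cast to `[int]` inside `Get-AppLockerOutcome`, so the string values Import-Csv produces classify correctly.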

https://github.com/RomaissaAdjailia/Get-AppLockerEventlog


# Define parameters
Param(
    [ValidateSet("All", "Block", "Allow", "Audit")]
    [String]
    $HunType = "All"
)

# Every AppLocker channel is read (EXE and DLL, MSI and Script, Packaged app-Deployment,
# Packaged app-Execution). The event IDs select the outcome; "All" applies no ID filter.
$filter = @{ LogName = "Microsoft-Windows-AppLocker/*" }

switch ($HunType)
{
    All {
        $header = " ======= This is the list of ALL events of AppLocker. ======="
    }
    Block {
        $filter.Id = 8004, 8007, 8022, 8024
        $header = " ======= This is the list of BLOCKED events of AppLocker. ======="
    }
    Allow {
        $filter.Id = 8002, 8005, 8020, 8023
        $header = " ======= This is the list of ALLOWED events of AppLocker. ======="
    }
    Audit {
        $filter.Id = 8003, 8006, 8021, 8024
        $header = " ======= This is the list of AUDITED events of AppLocker. ======="
    }
}

$output = Get-WinEvent -FilterHashtable $filter | ForEach-Object {

    # UserId is a property of the Get-WinEvent record and holds a SID; translate it to a user name.
    # Translation throws for SIDs this machine cannot resolve (e.g. a deleted or foreign-domain
    # account), so fall back to the raw SID rather than aborting the whole pipeline.
    if ($null -eq $_.UserId) { $user = "N/A" }
    else {
        try { $user = (New-Object System.Security.Principal.SecurityIdentifier($_.UserId)).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $user = $_.UserId.ToString() }
    }

    # Most of the fields we need are not exposed as properties of Get-WinEvent,
    # so convert each event to XML and take its <Event> node.
    $eventXml = ([xml]$_.ToXml()).Event

    # The XML has two main nodes, <System> and <UserData>; everything of interest
    # under <UserData> lives in the child <RuleAndFileData>. Collect it in an ordered hashtable.
    $evt = [ordered]@{
        FileType   = $eventXml.UserData.RuleAndFileData.PolicyName
        EventID    = $eventXml.System.EventID
        Message    = $_.Message
        User       = $user
        Computer   = $eventXml.System.Computer
        EventTime  = [DateTime]$eventXml.System.TimeCreated.SystemTime
        #RuleSddl  = $eventXml.UserData.RuleAndFileData.RuleSddl
        FilePath   = $eventXml.UserData.RuleAndFileData.FilePath
        Publisher  = $eventXml.UserData.RuleAndFileData.Fqbn
        FileHash   = $eventXml.UserData.RuleAndFileData.FileHash
        Package    = $eventXml.UserData.RuleAndFileData.Package
        RuleName   = $eventXml.UserData.RuleAndFileData.RuleName
        LogName    = $eventXml.System.Channel
        TargetUser = $eventXml.UserData.RuleAndFileData.TargetUser
    }

    # Emit each event as a custom object so the data is easier to use and display.
    [PSCustomObject]$evt
}

# Display the output on screen
Write-Host "`n $header" -ForegroundColor Magenta
$output

# Export the output to a CSV file
$output | Export-Csv AppLocker-log.csv -NoTypeInformation
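The script's field extraction only makes sense once you have seen the XML it walks, and that normally requires a machine with AppLocker events. The following added example, not part of the original post or the project, parses one event offline the same way the script does (cast to `[xml]`, take `.Event`, read `System` and `UserData.RuleAndFileData`), including the SID-to-name step with a fallback for SIDs the local machine cannot resolve. The event XML is constructed to mirror the shape of an 8004 record; the SID, host name, hash, publisher string and paths are placeholders, and the function name is this example's own.

```powershell
# Added example (not from the original post or project): parse one AppLocker event offline.
# The XML is CONSTRUCTED to mirror what Get-WinEvent's ToXml() returns for an 8004
# "blocked" event; SID, host, hash, publisher and paths are placeholders.
$sampleEventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker" />
    <EventID>8004</EventID>
    <Level>2</Level>
    <TimeCreated SystemTime="2023-02-06T10:15:30.1234567Z" />
    <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
    <Computer>WS01.example.local</Computer>
    <Security UserID="S-1-5-21-1111111111-2222222222-3333333333-1001" />
  </System>
  <UserData>
    <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
      <PolicyName>EXE</PolicyName>
      <RuleName>Placeholder rule: block executables under user profiles</RuleName>
      <TargetUser>S-1-5-21-1111111111-2222222222-3333333333-1001</TargetUser>
      <FilePath>%OSDRIVE%\USERS\ALICE\DOWNLOADS\SETUP.EXE</FilePath>
      <FileHash>0000000000000000000000000000000000000000000000000000000000000000</FileHash>
      <Fqbn>O=EXAMPLE CORP, L=EXAMPLE, S=EXAMPLE, C=EXAMPLE\SETUP\SETUP.EXE\1.0.0.0</Fqbn>
    </RuleAndFileData>
  </UserData>
</Event>
'@

function ConvertFrom-AppLockerEventXml {
    param([Parameter(Mandatory)][string]$EventXml)

    # Property-style access on [xml] ignores namespaces, which is why the script can
    # write $eventXml.UserData.RuleAndFileData.FilePath without any namespace manager.
    $evt = ([xml]$EventXml).Event
    $sid = $evt.System.Security.UserID

    # Same translation step as the script: SID -> DOMAIN\user. Translate() throws for a
    # SID this machine cannot resolve (a constructed or foreign-domain SID), so keep the
    # raw SID in that case; it is still a searchable value in the CSV.
    if ([string]::IsNullOrEmpty($sid)) {
        $user = 'N/A'
    }
    else {
        try { $user = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $user = $sid }
    }

    $rule = $evt.UserData.RuleAndFileData
    [PSCustomObject]@{
        FileType   = $rule.PolicyName
        EventID    = [int]$evt.System.EventID
        User       = $user
        Computer   = $evt.System.Computer
        EventTime  = [DateTime]$evt.System.TimeCreated.SystemTime
        FilePath   = $rule.FilePath
        Publisher  = $rule.Fqbn
        FileHash   = $rule.FileHash
        Package    = $rule.Package      # absent for EXE/DLL and MSI/Script events, so $null here
        RuleName   = $rule.RuleName
        LogName    = $evt.System.Channel
        TargetUser = $rule.TargetUser
    }
}

ConvertFrom-AppLockerEventXml -EventXml $sampleEventXml | Format-List
```

Because the sample SID is a placeholder, the `catch` branch runs and `User` comes back as the SID string; on a real record from a domain-joined host the `try` branch resolves it to `DOMAIN\user`, exactly as in the script. The same function can be fed a saved `.evtx` export via `Get-WinEvent -Path file.evtx | ForEach-Object { ConvertFrom-AppLockerEventXml $_.ToXml() }` when analysing logs collected from another machine.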


This article is part of the Tencent Cloud self-media syndication program and was shared from the WeChat public account Khan安全攻防实验室. Originally published 2023-02-06.
