- Creating AppLocker rules from the Windows event log - Wed, Jun 17 2020
On the Event Collector server, you can run the below command to see what you have in the log:
Get-AppLockerFileInformation -EventLog -LogPath ForwardedEvents | Out-GridView
It might make sense to start by adding the -statistics parameter to see what has been blocked the most so you know what to focus on.
If you already have log files archived, you need to point to the file instead of the log name.
Get-AppLockerFileInformation -EventLog -LogPath "C:\Users\AppAdmin\Documents\AppLocker4sysops.evtx" | Out-GridView
I like using the GridView for quick operations, but in the beginning it might be easier to dump the content to Excel and first work in there before deciding what to whitelist. You can do that by replacing Out-GridView with Export-CSV.
There are numerous ways to approach choosing the things to whitelist. Some want to dump everything to a local GPO, edit there, export to an XML file, and import to an AD GPO. Some want to choose one by one. I'm not going to go through every option. Instead, I'll point you to the ones I use the most. I prefer the latter option.
To dump everything to a local GPO, use the following:
Get-AppLockerFileInformation -EventLog -LogPath ForwardedEvents | New-AppLockerPolicy -RuleType Publisher -User Everyone -IgnoreMissingFileInformation -Optimize | Set-AppLockerPolicy
After this, you can open GPEDIT.msc and find the new rules to edit and export in your application control policies.
What I normally do is take a specific app and make a publisher rule for it, merging it straight to a GPO in Active Directory, like this:
Get-AppLockerFileInformation -EventLog -LogPath ForwardedEvents | where-object -Property Publisher -like "O=INTEL*" | New-AppLockerPolicy -RuleType Publisher | Set-AppLockerPolicy -LDAP "LDAP://DC01.elaiho.int/CN={CD0E20D6-3069-49C1-80A4-37A133974362},CN=Policies,CN=System,DC=elaiho,DC=int" -Merge
You need to get the LDAP path to the object and the GUID for the GPO. Normally, after this, I will edit the rule to point to the publishing company instead of the specific app. Please read my first blog post to find the reasoning for this.
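The workflow above, as an added example (not code from the original post): it reads the forwarded audit/deny events, keeps only publishers that show up often enough to matter, lets New-AppLockerPolicy build publisher rules, loosens them to the publishing company (any product, binary and version, as recommended above), and saves the result as XML for review before it is merged into a GPO. The publisher filter, minimum event count, output path and the GPO LDAP path are assumed placeholders.

```powershell
# Added example, not code from the original post: turn forwarded AppLocker
# audit/deny events into publisher-level Allow rules and save them as XML
# for review instead of merging straight into a GPO.
# Assumptions (placeholders): the publisher filter, the minimum event count,
# the output path below and the GPO LDAP path in the final comment.
param(
    [string]$PublisherFilter = 'O=INTEL*',                 # assumed filter
    [int]   $MinOccurrences  = 5,                          # drop one-off noise
    [string]$OutFile         = "$env:TEMP\AppLocker-proposed.xml"
)

# Allowed events already pass; only Audited and Denied ones need new rules.
$events = Get-AppLockerFileInformation -EventLog -LogPath ForwardedEvents -EventType Audited, Denied |
    Where-Object { $_.Publisher -and ("$($_.Publisher)" -like $PublisherFilter) }

# Keep only publishers seen often enough to be worth a rule; the table also
# serves as the "what has been blocked the most" overview.
$byPublisher = $events | Group-Object { $_.Publisher.PublisherName } |
    Where-Object Count -ge $MinOccurrences | Sort-Object Count -Descending
$byPublisher | Select-Object Count, Name | Format-Table -AutoSize
$candidates = $byPublisher | ForEach-Object { $_.Group }
if (-not $candidates) { Write-Warning 'No publisher met the threshold.'; return }

# Let AppLocker build the rules, then loosen each condition to publisher level.
[xml]$policy = $candidates | New-AppLockerPolicy -RuleType Publisher -User Everyone `
    -RuleNamePrefix 'Reviewed' -IgnoreMissingFileInformation -Xml
foreach ($cond in $policy.SelectNodes('//FilePublisherCondition')) {
    $cond.SetAttribute('ProductName', '*')
    $cond.SetAttribute('BinaryName',  '*')
    foreach ($range in $cond.SelectNodes('BinaryVersionRange')) {
        $range.SetAttribute('LowSection',  '*')
        $range.SetAttribute('HighSection', '*')
    }
}

# Loosening makes rules for the same publisher identical; keep one per collection.
foreach ($collection in $policy.SelectNodes('//RuleCollection')) {
    $seen = @{}
    foreach ($rule in @($collection.SelectNodes('FilePublisherRule'))) {
        $key = $rule.Conditions.FilePublisherCondition.PublisherName
        if ($seen.ContainsKey($key)) { [void]$collection.RemoveChild($rule) }
        else { $seen[$key] = $true; $rule.SetAttribute('Name', "Allow everything signed by $key") }
    }
}

$policy.Save($OutFile)
Write-Host "Review $OutFile, then merge it into the GPO with:"
Write-Host "  Set-AppLockerPolicy -XmlPolicy '$OutFile' -Ldap 'LDAP://<dc>/CN={<gpo-guid>},CN=Policies,CN=System,DC=<domain>,DC=<tld>' -Merge"
```

A publisher-level rule allows anything that vendor signs, so check the reviewed XML for publishers whose signing certificate is shared with software you do not want before merging.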
After creating your rules, it's time to audit for a few more weeks and make sure you will find fewer entries in the logs.
As I stated in the previous blog post, my normal run for an AppLocker project is:
- Install event log forwarding and the required GPOs.
- Create basic rules for auditing.
- Log for 3–4 weeks.
- Create the first custom rule set based on the logged events.
- Log for 3–4 weeks.
- Tweak the rules based on the logged events.
- Teach ServiceDesk to deal with AppLocker and inform users.
- Configure about 25% of the clients to use enforced mode and create a PANIC policy.
- Run for 3–4 weeks.
- Configure the rest (75%) of the clients to use enforced mode.
- Harden AppLocker.
- Include DLLs in the project. First audit all and then enforce, like with other executables.
So now we should be at step 6. You'll basically redo everything you did in this post.
Now it's a good time to prepare a note for users about the introduction of whitelisting and how to contact you/ServiceDesk if they get into trouble. Also take some time to teach ServiceDesk how to create rules or how to escalate to the correct contact.
In the next blog post, we will move from Audit mode to Enforced mode.
I am thinking something like
Get-AppLockerFileInformation -EventType Denied -EventLog | Where-Object -Property Publisher -ne $null | New-AppLockerPolicy -RuleType Publisher | Set-AppLockerPolicy -LDAP "LDAP://xx.xxx.com/CN={gpoguid},CN=Policies,CN=System,DC=xx,DC=xxx,DC=com" -Merge
I haven't tested, but could help in AppLocker maintenance, not having to catch temp folders and temp files from installation, say.
Perhaps even launch with Invoke-Command as a script block, or a psexec PowerShell shell.