AppLocker – Part 4

Introduction:
In the previous blog we looked at AppLocker in audit mode. In this blog we will look at how you can use the information in the audit event logs to create rules.

Event ID to Rules:
Before we can create rules from the event information, we need to understand what information we have and what we can do with this information in different scenarios.
AppLocker events can be located under Event Viewer – Applications and Services Logs – Microsoft – Windows – AppLocker, in the “EXE and DLL” and “MSI and Script” logs. While the policy is in audit mode the events to look for are ID 8003 (EXE and DLL) and ID 8006 (MSI and Script): the file ran, but would have been blocked had the rules been enforced. Once a matching rule is in place the same file is logged as ID 8002 (EXE and DLL) or ID 8005 (MSI and Script), which means allowed.
Looking at the details of the event, we can get the Publisher (signer, product name, binary name and version of a signed file), the File Hash and the File Path. These are exactly the three conditions an AppLocker rule can be built on.
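The following is an added example, not code from the blog: it collects the audit events (8003 and 8006) from both AppLocker logs with Get-WinEvent, pulls the path, publisher and hash fields out of each event’s XML, and groups the results so you can see which publishers cover many files and which unsigned files are left for path or hash rules. The field names (FilePath, FileHash, Fqbn, TargetUser, PolicyName) are the ones AppLocker writes in the RuleAndFileData section of the event; the CSV path is an assumption.

```powershell
# Added example (not the blog's code). Run in an elevated PowerShell on a machine
# that has been in AppLocker audit mode for a while.
# 8003 = EXE/DLL audited (would have been blocked), 8006 = MSI/Script audited.
$logs = @{
    'Microsoft-Windows-AppLocker/EXE and DLL'    = 8003
    'Microsoft-Windows-AppLocker/MSI and Script' = 8006
}

$findings = foreach ($log in $logs.Keys) {
    $filter = @{ LogName = $log; Id = $logs[$log] }
    # Get-WinEvent errors when a log has no matching events; treat that as "nothing to do".
    foreach ($evt in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $x = [xml]$evt.ToXml()
        $d = $x.Event.UserData.RuleAndFileData

        # Fqbn = fully qualified binary name: "Publisher\Product\Binary\Version".
        # Unsigned files carry no usable Fqbn (empty or "-"), so all four stay $null.
        $pub = $prod = $bin = $ver = $null
        $fqbn = [string]$d.Fqbn
        if ($fqbn -and $fqbn -ne '-') {
            # Limit to 4 parts so a backslash in a product name cannot shift the fields.
            $pub, $prod, $bin, $ver = $fqbn -split '\\', 4
        }

        [pscustomobject]@{
            Time       = $evt.TimeCreated
            Collection = [string]$d.PolicyName     # EXE, DLL, MSI or SCRIPT
            User       = [string]$d.TargetUser     # SID of the account that ran the file
            FilePath   = [string]$d.FilePath       # AppLocker notation, e.g. %OSDRIVE%\..., or a UNC path
            Publisher  = $pub
            Product    = $prod
            Binary     = $bin
            Version    = $ver
            Hash       = ([string]$d.FileHash) -replace '^0x', ''   # SHA256 as hex, no prefix
            Signed     = [bool]$pub
        }
    }
}

# Signed files: group by publisher, since one publisher rule can cover many binaries.
$findings | Where-Object Signed | Group-Object Publisher | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Binaries'; e = { ($_.Group.Binary | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize -Wrap

# Unsigned files: candidates for a path rule (only if standard users cannot write to
# that location) or otherwise a hash rule.
$findings | Where-Object { -not $_.Signed } |
    Select-Object Collection, FilePath, Hash -Unique |
    Format-Table -AutoSize

# Keep the raw findings for the rule-building step (output path is an assumption).
$findings | Export-Csv -Path (Join-Path $env:TEMP 'applocker-audit.csv') -NoTypeInformation
```

The built-in cmdlet Get-AppLockerFileInformation -EventLog -LogPath '<log>' -EventType Audited returns the same publisher, hash and path data as FileInformation objects that New-AppLockerPolicy can consume directly; the script above is useful when you want to see and filter the raw fields before deciding which rule type to use.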

Now that we have the information, we can start creating rules.

1. Create a rule that uses a path condition
In this scenario we look at a program that is not digitally signed by a publisher and therefore we cannot use a publisher rule. A path rule is only a safe choice when the location is one standard users cannot write to, otherwise anything dropped into that folder is allowed as well. Logon scripts are an ideal case: they live in the NETLOGON share, which only administrators can write to.

Looking at the Event Log we identify a logon script that would be blocked if AppLocker was enforced. Using the File Path from the event we create a Script rule with the path condition “\\DC1.domain\NETLOGON\*” to allow all logon scripts in that share.

The video below will demonstrate how to create a Script rule with a path condition in the AppLocker GPO:

Once the rule is created and implemented the logon script will be allowed to run, and this will be indicated in the Event Log (event ID 8005 for scripts).

2. Create a rule that uses a publisher condition
In this scenario we look at a program that is digitally signed by a publisher and therefore we can use a publisher rule.

Looking at the Event Log we identify an .EXE that would be blocked if AppLocker was enforced. Using the Publisher from the event we create an EXE rule with the publisher condition “O=ADOBE INC., L=SAN JOSE, S=CA, C=US” to allow all Adobe published executables. Note that with product name, binary name and version left as “*”, the rule allows every executable this publisher has ever signed, including older versions; narrow it to a product or binary name if that is more than you intend to allow.

The video below will demonstrate how to create an EXE rule with a publisher condition in the AppLocker GPO by using Notepad.exe as a reference to populate the publisher data retrieved from the event log:

Once the rule is created and implemented the Adobe signed executable will be allowed to run, and this will be indicated in the Event Log (event ID 8002).

3. Create a rule that uses a hash condition
In this scenario we look at a program that is not digitally signed by a publisher and therefore we fall back to a hash rule.
For files that are not digitally signed, file hash rules are more secure than path rules. Because each file has a unique hash, a file hash condition applies to only one file, whereas a path condition applies to whatever is placed at that location.

NB! Each time that the file is updated (such as a security update or upgrade), the file’s hash will change. As a result, you must manually update file hash rules.

Looking at the Event Log we identify an .MSI that would be blocked if AppLocker was enforced. Using the File Hash from the event we create an MSI rule with the hash condition “A7803233EEDB6A4B59B3024CCF9292A6FFFB94507DC998AA67C5B745D197A5DC” to allow this one MSI file.

The video below will demonstrate how to create an MSI rule with a hash condition in the AppLocker GPO by using a PowerShell script:
The script can be downloaded from the following link: https://github.com/AlzheimerZA/AppLocker-Hash-Rule-Creator

Once the rule is created and implemented the MSI file with that hash will be allowed to run, and this will be indicated in the Event Log (event ID 8005).
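The three scenarios above can also be done without the GPO wizard. The following is an added example, not the blog’s script or the one linked above: it builds the Script path rule, the EXE publisher rule and the MSI hash rule as AppLocker policy XML using the exact values read from the event log, validates the XML, and shows how to merge it into the AppLocker GPO. The rule names, the output file, the SourceFileName of the MSI and the GPO LDAP path are assumptions; SourceFileLength is set to 0 on the assumption that it is informational and matching is done on the hash alone.

```powershell
# Added example (not the blog's code). Requires the AppLocker cmdlets (Windows 7/2008 R2 or later).

function New-AppLockerRuleXml {
    param(
        [Parameter(Mandatory)][ValidateSet('Path', 'Publisher', 'Hash')][string]$Kind,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Value,   # path pattern, publisher name, or SHA256 hex
        [string]$SourceFileName = '',            # hash rules only, informational
        [string]$Sid = 'S-1-1-0'                 # Everyone; use a group SID to scope the rule
    )
    $id  = [guid]::NewGuid().ToString()
    $esc = [System.Security.SecurityElement]::Escape($Value)
    switch ($Kind) {
        'Path' {
            # Only point path rules at locations standard users cannot write to.
@"
<FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="Allow">
  <Conditions>
    <FilePathCondition Path="$esc" />
  </Conditions>
</FilePathRule>
"@
        }
        'Publisher' {
            # ProductName/BinaryName "*" plus an open version range = anything this publisher signed.
@"
<FilePublisherRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="Allow">
  <Conditions>
    <FilePublisherCondition PublisherName="$esc" ProductName="*" BinaryName="*">
      <BinaryVersionRange LowSection="*" HighSection="*" />
    </FilePublisherCondition>
  </Conditions>
</FilePublisherRule>
"@
        }
        'Hash' {
            # Accept the hash as logged (with or without 0x) but refuse anything that is not 64 hex chars.
            $hex = ($Value.Trim() -replace '^0x', '').ToUpper()
            if ($hex -notmatch '^[0-9A-F]{64}$') { throw "Not a SHA256 hex string: '$Value'" }
            # SourceFileLength=0: assumption that it is informational and matching uses the hash only.
@"
<FileHashRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="Allow">
  <Conditions>
    <FileHashCondition>
      <FileHash Type="SHA256" Data="0x$hex" SourceFileName="$SourceFileName" SourceFileLength="0" />
    </FileHashCondition>
  </Conditions>
</FileHashRule>
"@
        }
    }
}

# Values as read from the audit events in the three scenarios.
$scriptRule = New-AppLockerRuleXml -Kind Path      -Name 'Allow NETLOGON logon scripts' -Value '\\DC1.domain\NETLOGON\*'
$exeRule    = New-AppLockerRuleXml -Kind Publisher -Name 'Allow Adobe signed EXEs'      -Value 'O=ADOBE INC., L=SAN JOSE, S=CA, C=US'
$msiRule    = New-AppLockerRuleXml -Kind Hash      -Name 'Allow approved MSI by hash'   -SourceFileName 'approved.msi' `
                  -Value 'A7803233EEDB6A4B59B3024CCF9292A6FFFB94507DC998AA67C5B745D197A5DC'

# EnforcementMode stays AuditOnly during the audit phase; change to Enabled when the rule set is complete.
$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
$scriptRule
  </RuleCollection>
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$exeRule
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="AuditOnly">
$msiRule
  </RuleCollection>
</AppLockerPolicy>
"@

$null = [xml]$policy                                   # fails fast if the XML is malformed
$out = Join-Path $env:TEMP 'applocker-from-events.xml'  # output path is an assumption
Set-Content -Path $out -Value $policy -Encoding UTF8

# Optional check against a local copy of a file (hash checks need the file on disk):
# Test-AppLockerPolicy -XmlPolicy $out -Path 'C:\Temp\approved.msi' -User Everyone

# Merge into the AppLocker GPO instead of replacing it. The LDAP path is a placeholder:
# use the distinguished name of your AppLocker GPO (Get-GPO from the GroupPolicy module shows its GUID).
$gpoLdap = 'LDAP://DC1.domain/CN={GPO-GUID},CN=Policies,CN=System,DC=domain'
# Set-AppLockerPolicy -XmlPolicy $out -Ldap $gpoLdap -Merge
```

Two things to keep in mind when reproducing hashes outside the event log: the hash AppLocker logs for MSI and script files is the plain SHA256 of the file, so Get-FileHash matches it, but for EXE and DLL files AppLocker hashes the PE image rather than the raw bytes, so use Get-AppLockerFileInformation -Path on the file instead. And the built-in route, Get-AppLockerFileInformation -EventLog -LogPath '<log>' -EventType Audited | New-AppLockerPolicy -RuleType Publisher,Hash -User Everyone -Optimize -Xml, produces publisher-or-hash rules straight from the events if you do not need the control the hand-built XML gives you.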

Conclusion
Using the events generated during the AppLocker audit period, you can easily create the appropriate rules from the publisher, hash and path information they carry. This also lets you create rules without needing access to the application file or path yourself.
