ApplockerWinEvent-get.ps1
<#PSScriptInfo
.Version
1.0
.Guid
9be00d5e-0fd8-4b87-be0a-28e97bdd67b7
.Author
Thomas J. Malkewitz @dotps1
.Tags
AppLocker, WinEvent
.ProjectUri
https://github.com/dotps1/PSFunctions
#>
<#
.Synopsis
Gets AppLocker related events.
.Description
Gets AppLocker events based on the given criteria from the local or remote machine(s).
.Inputs
System.String
.Outputs
System.Diagnostics.Eventing.Reader.EventLogRecord
.Parameter Name
System.String
The name of the system to get AppLocker data against.
.Parameter EventType
System.String
The type of AppLocker events to get, the default value is all events from the Microsoft-Windows-AppLocker log provider.
.Parameter LogName
System.String
The specific log to pull events from, the default value is all logs from the Microsoft-Windows-AppLocker log provider.
.Parameter Credential
System.Management.Automation.PSCredential
Credential object used for authentication.
.Parameter MaxEvents
System.Int
The maximum number of EventLogRecord objects to return.
.Parameter Oldest
System.Management.Automation.SwitchParameter
Returns EventLogRecord objects from oldest to newest.
.Parameter StartTime
System.DateTime
The starting range to get EventLogRecord objects from.
.Parameter EndTime
System.DateTime
The ending range to get EventLogRecord objects from.
.Example
PS C:\> Get-AppLockerWinEvent -MaxEvents 2
ProviderName: Microsoft-Windows-AppLocker
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
10/5/2017 8:17:59 AM 8005 Information %OSDRIVE%\USERS\dotps1\DOCUMENTS\GITHUB\PSFUNCTIONS\FUNCTIONS\GET-APPLOCKERWINEVENT.PS1 was allowed to run.
10/5/2017 8:15:10 AM 8002 Information %PROGRAMFILES%\GIT\MINGW64\BIN\GIT.EXE was allowed to run.
.Example
PS C:\> Get-AppLockerWinEvent -MaxEvents 2 -Oldest -LogName ExeAndDll -Credential (Get-Credential) -ComputerName myremotebox
ProviderName: Microsoft-Windows-AppLocker
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
10/5/2017 7:33:43 AM 8002 Information %OSDRIVE%\USERS\dotps1\APPDATA\LOCAL\MICROSOFT\ONEDRIVE\ONEDRIVESTANDALONEUPDATER.EXE was prevented from running.
10/5/2017 7:33:43 AM 8002 Information %PROGRAMFILES%\GIT\CMD\GIT.EXE was allowed to run.
.Notes
When running against a remote machine, and the results are: "No events were found that match the specified selection criteria.", you may just need to authenticate.
Run the command and use the -Credential parameter.
.Link
https://dotps1.github.io
.Link
https://www.powershellgallery.com/packages/Get-AppLockerWinEvent
.Link
https://grposh.github.io
#>
[CmdletBinding()]
[OutputType(
    [System.Diagnostics.Eventing.Reader.EventLogRecord]
)]
param(
    # Computer(s) to query; defaults to the local machine and accepts pipeline input.
    [Parameter(
        ValueFromPipeline = $true
    )]
    [Alias(
        "ComputerName"
    )]
    [String[]]
    $Name = $env:COMPUTERNAME,

    # Outcome filter; "All" leaves the event Id filter off.
    [Parameter()]
    [ValidateSet(
        "All", "Allowed", "Audit", "Blocked"
    )]
    [String]
    $EventType = "All",

    # Specific AppLocker channel; omitted means every channel of the provider.
    [Parameter()]
    [ValidateSet(
        "ExeAndDll", "MsiAndScript", "PackagedAppExecution", "PackagedAppDeployment"
    )]
    [String]
    $LogName,

    # Passed straight through to Get-WinEvent; Empty means the current identity.
    [Parameter()]
    [PSCredential]
    $Credential = [PSCredential]::Empty,

    # Upper bound on records per host; 0 (the default) means no bound.
    [Parameter()]
    [Int]
    $MaxEvents,

    # Return records oldest-first instead of newest-first.
    [Parameter()]
    [Switch]
    $Oldest,

    [Parameter()]
    [DateTime]
    $StartTime = [DateTime]::MinValue,

    [Parameter()]
    [DateTime]
    $EndTime = [DateTime]::MaxValue
)

begin {
    # Event ID sets keyed by outcome. Each set holds one ID per AppLocker log
    # (EXE and DLL, MSI and Script, Packaged app-Execution, Packaged app-Deployment).
    # Hashtable literal keys are case-insensitive, matching the original switch matching.
    $eventIdsByOutcome = @{
        Allowed = @(8002, 8005, 8020, 8023)
        Audit   = @(8003, 8006, 8021, 8024)
        Blocked = @(8004, 8007, 8022, 8025)
    }

    # Friendly channel names mapped to the provider's full log names.
    $channelByLogName = @{
        ExeAndDll             = "Microsoft-Windows-AppLocker/EXE and DLL"
        MsiAndScript          = "Microsoft-Windows-AppLocker/MSI and Script"
        PackagedAppExecution  = "Microsoft-Windows-AppLocker/Packaged app-Execution"
        PackagedAppDeployment = "Microsoft-Windows-AppLocker/Packaged app-Deployment"
    }

    # Base filter shared by every host queried in the process block.
    $eventFilter = @{
        ProviderName = "Microsoft-Windows-AppLocker"
        StartTime    = $StartTime
        EndTime      = $EndTime
    }

    # "All" has no entry in the lookup, so only the three outcome sets add an Id filter.
    if ($eventIdsByOutcome.ContainsKey($EventType)) {
        $eventFilter["Id"] = $eventIdsByOutcome[$EventType]
    }

    # An unspecified -LogName (empty string) matches no key and leaves LogName unset,
    # which queries every log of the provider.
    if ($LogName -and $channelByLogName.ContainsKey($LogName)) {
        $eventFilter["LogName"] = $channelByLogName[$LogName]
    }
}

process {
    foreach ($computer in $Name) {
        # Splat for Get-WinEvent. ErrorAction Stop turns the cmdlet's non-terminating
        # errors (including "No events were found ...") into the catch below.
        $winEventArgs = @{
            ComputerName    = $computer
            Credential      = $Credential
            FilterHashTable = $eventFilter
            ErrorAction     = "Stop"
        }

        # Only forward a positive MaxEvents so the default 0 is never passed on.
        if ($MaxEvents -gt 0) {
            $winEventArgs["MaxEvents"] = $MaxEvents
        }

        if ($Oldest.IsPresent) {
            $winEventArgs["Oldest"] = $Oldest
        }

        try {
            $records = Get-WinEvent @winEventArgs
            Write-Output -InputObject $records
        } catch {
            # NOTE(review): a failure on one host (unreachable, access denied, or no
            # matching events) ends the whole run; hosts later in $Name are not queried.
            $PSCmdlet.ThrowTerminatingError(
                $_
            )
        }
    }
}