mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-18 05:29:40 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,242 @@
|
||||
---
|
||||
name: implementing-application-whitelisting-with-applocker
|
||||
description: >
|
||||
Implements application whitelisting using Windows AppLocker to restrict unauthorized software
|
||||
execution on endpoints, reducing attack surface from malware, unauthorized tools, and shadow IT.
|
||||
Use when enforcing application control policies, meeting compliance requirements for software
|
||||
restriction, or preventing execution of unsigned or untrusted binaries. Activates for requests
|
||||
involving AppLocker, application whitelisting, software restriction, or executable control.
|
||||
domain: cybersecurity
|
||||
subdomain: endpoint-security
|
||||
tags: [endpoint, AppLocker, application-whitelisting, windows-security, software-restriction]
|
||||
version: 1.0.0
|
||||
author: mahipal
|
||||
license: MIT
|
||||
---
|
||||
# Implementing Application Whitelisting with AppLocker
|
||||
|
||||
## When to Use
|
||||
|
||||
Use this skill when:
|
||||
- Implementing application control to prevent unauthorized software execution on Windows endpoints
|
||||
- Meeting compliance requirements (PCI DSS 6.4.3, NIST 800-53 CM-7, ACSC Essential Eight)
|
||||
- Blocking common attack vectors: living-off-the-land binaries (LOLBins), script-based attacks, unauthorized admin tools
|
||||
- Restricting software installation in kiosk, POS, or high-security environments
|
||||
|
||||
**Do not use** this skill for macOS/Linux application control (use OS-native tools like Gatekeeper or AppArmor) or for enterprise-grade WDAC (Windows Defender Application Control) deployments.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Windows 10/11 Enterprise or Education, or Windows Server 2016+
|
||||
- Application Identity service (AppIDSvc) enabled on target endpoints
|
||||
- Active Directory with Group Policy Management Console (GPMC)
|
||||
- Complete application inventory of approved software
|
||||
- Test OU with representative endpoints for policy validation
|
||||
|
||||
## Workflow
|
||||
|
||||
### Step 1: Inventory Approved Applications
|
||||
|
||||
Before creating AppLocker rules, catalog all legitimate software:
|
||||
|
||||
```powershell
|
||||
# Generate application inventory on reference endpoint
|
||||
Get-AppLockerFileInformation -Directory "C:\Program Files" -Recurse `
|
||||
-FileType Exe | Export-Csv "C:\AppLocker\app_inventory_progfiles.csv" -NoTypeInformation
|
||||
|
||||
Get-AppLockerFileInformation -Directory "C:\Program Files (x86)" -Recurse `
|
||||
-FileType Exe | Export-Csv "C:\AppLocker\app_inventory_progfiles86.csv" -NoTypeInformation
|
||||
|
||||
# Include Windows system executables
|
||||
Get-AppLockerFileInformation -Directory "C:\Windows" -Recurse `
|
||||
-FileType Exe | Export-Csv "C:\AppLocker\app_inventory_windows.csv" -NoTypeInformation
|
||||
```
|
||||
|
||||
### Step 2: Create AppLocker Policy with Default Rules
|
||||
|
||||
```powershell
|
||||
# In Group Policy Editor (gpedit.msc) or GPMC:
|
||||
# Navigate to: Computer Configuration → Policies → Windows Settings
|
||||
# → Security Settings → Application Control Policies → AppLocker
|
||||
|
||||
# Enable default rules for each rule collection:
|
||||
# - Executable Rules: Allow Everyone to run files in Program Files and Windows
|
||||
# - Windows Installer Rules: Allow Everyone to run digitally signed MSIs
|
||||
# - Script Rules: Allow Everyone to run scripts in Program Files and Windows
|
||||
# - Packaged App Rules: Allow Everyone to run signed packaged apps
|
||||
|
||||
# PowerShell: Generate default rules
|
||||
$defaultRules = Get-AppLockerPolicy -Local -Xml
|
||||
Set-AppLockerPolicy -XmlPolicy $defaultRules -Merge
|
||||
```
|
||||
|
||||
### Step 3: Create Publisher-Based Rules (Preferred)
|
||||
|
||||
Publisher rules are the most maintainable since they survive application updates:
|
||||
|
||||
```xml
|
||||
<!-- Example AppLocker policy XML for publisher rules -->
|
||||
<RuleCollection Type="Exe" EnforcementMode="AuditOnly">
|
||||
<!-- Default: Allow Windows binaries -->
|
||||
<FilePublisherRule Id="a9e18c21-ff54-4677-b3ac-4b9a03261f6c"
|
||||
Name="Allow Microsoft signed" Description="Allow all Microsoft-signed executables"
|
||||
UserOrGroupSid="S-1-1-0" Action="Allow">
|
||||
<Conditions>
|
||||
<FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION*"
|
||||
ProductName="*" BinaryName="*">
|
||||
<BinaryVersionRange LowSection="*" HighSection="*"/>
|
||||
</FilePublisherCondition>
|
||||
</Conditions>
|
||||
</FilePublisherRule>
|
||||
|
||||
<!-- Allow specific third-party vendor -->
|
||||
<FilePublisherRule Id="b2e28c32-aa65-5788-c4bd-5c0b14372e7d"
|
||||
Name="Allow Adobe Acrobat" Description="Allow Adobe-signed Acrobat executables"
|
||||
UserOrGroupSid="S-1-1-0" Action="Allow">
|
||||
<Conditions>
|
||||
<FilePublisherCondition PublisherName="O=ADOBE INC.*"
|
||||
ProductName="ADOBE ACROBAT*" BinaryName="*">
|
||||
<BinaryVersionRange LowSection="*" HighSection="*"/>
|
||||
</FilePublisherCondition>
|
||||
</Conditions>
|
||||
</FilePublisherRule>
|
||||
</RuleCollection>
|
||||
```
|
||||
|
||||
### Step 4: Block Known-Abused Binaries (LOLBins)
|
||||
|
||||
```powershell
|
||||
# Deny rules for commonly abused living-off-the-land binaries
|
||||
# These are legitimate Windows tools frequently used by attackers
|
||||
|
||||
$denyPaths = @(
|
||||
"%SYSTEM32%\mshta.exe",
|
||||
"%SYSTEM32%\wscript.exe",
|
||||
"%SYSTEM32%\cscript.exe",
|
||||
"%SYSTEM32%\regsvr32.exe",
|
||||
"%SYSTEM32%\certutil.exe",
|
||||
"%SYSTEM32%\msbuild.exe",
|
||||
"%SYSTEM32%\installutil.exe",
|
||||
"%WINDIR%\Microsoft.NET\Framework\*\msbuild.exe",
|
||||
"%WINDIR%\Microsoft.NET\Framework64\*\msbuild.exe"
|
||||
)
|
||||
|
||||
# Create deny rules in AppLocker policy for standard users
|
||||
# Important: Deny rules take precedence over Allow rules
|
||||
# Apply only to standard users (not admins who may need these tools)
|
||||
```
|
||||
|
||||
### Step 5: Configure Script Rules
|
||||
|
||||
```
|
||||
Script Rules (critical for preventing script-based attacks):
|
||||
|
||||
Allow:
|
||||
- Scripts in C:\Program Files\* (publisher or path-based)
|
||||
- Scripts in C:\Windows\* (default Windows scripts)
|
||||
- Approved admin scripts from \\fileserver\scripts\*
|
||||
|
||||
Deny (for standard users):
|
||||
- PowerShell scripts from user-writable directories
|
||||
- VBScript from %TEMP%, %APPDATA%, %USERPROFILE%\Downloads
|
||||
- JavaScript (.js) from any user-writable location
|
||||
|
||||
DLL Rules (optional, high performance impact):
|
||||
- Enable only in high-security environments
|
||||
- Allow signed DLLs from Program Files and Windows directories
|
||||
- Performance impact: 5-10% CPU increase during DLL loading
|
||||
```
|
||||
|
||||
### Step 6: Deploy in Audit Mode First
|
||||
|
||||
```powershell
|
||||
# CRITICAL: Always deploy AppLocker in Audit mode before Enforce mode
|
||||
# Audit mode logs what would be blocked without actually blocking
|
||||
|
||||
# Set enforcement mode to Audit Only in GPO:
|
||||
# AppLocker → Executable Rules → Properties → Configured: Audit only
|
||||
# AppLocker → Script Rules → Properties → Configured: Audit only
|
||||
# AppLocker → Windows Installer Rules → Properties → Configured: Audit only
|
||||
|
||||
# Ensure Application Identity service is running
|
||||
Set-Service -Name AppIDSvc -StartupType Automatic
|
||||
Start-Service AppIDSvc
|
||||
|
||||
# Link GPO to test OU
|
||||
New-GPLink -Name "AppLocker-Audit-Policy" `
|
||||
-Target "OU=AppLocker-Pilot,DC=corp,DC=example,DC=com"
|
||||
|
||||
# Monitor audit logs for 2-4 weeks
|
||||
# Event Log: Applications and Services Logs → Microsoft → Windows → AppLocker
|
||||
# Event IDs:
|
||||
# 8003 = EXE/DLL would be blocked
|
||||
# 8006 = Script/MSI would be blocked
|
||||
# 8023 = Packaged app would be blocked
|
||||
```
|
||||
|
||||
### Step 7: Analyze Audit Logs and Refine Rules
|
||||
|
||||
```powershell
|
||||
# Export AppLocker audit events
|
||||
Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" `
|
||||
-FilterXPath "*[System[EventID=8003]]" |
|
||||
Select-Object TimeCreated,
|
||||
@{N='User';E={$_.Properties[0].Value}},
|
||||
@{N='FilePath';E={$_.Properties[1].Value}},
|
||||
@{N='FileHash';E={$_.Properties[4].Value}} |
|
||||
Export-Csv "C:\AppLocker\audit_blocked_exes.csv" -NoTypeInformation
|
||||
|
||||
# Review blocked applications
|
||||
# For each blocked legitimate application:
|
||||
# 1. Create a publisher rule (if signed) or path rule (if unsigned)
|
||||
# 2. Add to AppLocker policy
|
||||
# 3. Re-audit for 1 additional week
|
||||
```
|
||||
|
||||
### Step 8: Switch to Enforce Mode
|
||||
|
||||
```powershell
|
||||
# After audit period with no legitimate applications blocked:
|
||||
# Change enforcement mode from Audit to Enforce
|
||||
|
||||
# Update GPO:
|
||||
# AppLocker → Executable Rules → Properties → Configured: Enforce rules
|
||||
# AppLocker → Script Rules → Properties → Configured: Enforce rules
|
||||
|
||||
# Phased enforcement:
|
||||
# Week 1: Enforce EXE rules only
|
||||
# Week 2: Enforce Script rules
|
||||
# Week 3: Enforce MSI rules
|
||||
# Week 4: (Optional) Enforce DLL rules
|
||||
|
||||
# Maintain monitoring: Event IDs 8004 (blocked EXE), 8007 (blocked script)
|
||||
```
|
||||
|
||||
## Key Concepts
|
||||
|
||||
| Term | Definition |
|
||||
|------|-----------|
|
||||
| **Application Whitelisting** | Security model that allows only pre-approved applications to execute, denying everything else by default |
|
||||
| **Publisher Rule** | AppLocker rule based on digital signature; most resilient to application updates |
|
||||
| **Path Rule** | AppLocker rule based on file system path; less secure as attackers can place files in allowed paths |
|
||||
| **Hash Rule** | AppLocker rule based on file hash; most restrictive but breaks on every application update |
|
||||
| **LOLBin** | Living Off the Land Binary; legitimate OS tool abused by attackers to avoid detection |
|
||||
| **Audit Mode** | AppLocker logs policy violations without blocking; essential for rule refinement |
|
||||
| **Enforcement Mode** | AppLocker actively blocks applications that violate policy rules |
|
||||
|
||||
## Tools & Systems
|
||||
|
||||
- **AppLocker (built-in)**: Windows application control feature in Enterprise/Education editions
|
||||
- **WDAC (Windows Defender Application Control)**: More advanced successor to AppLocker for modern Windows
|
||||
- **Microsoft LAPS**: Manages local admin passwords to prevent bypassing AppLocker via admin rights
|
||||
- **WDAC Wizard**: GUI tool for creating Windows Defender Application Control policies
|
||||
- **AaronLocker**: Open-source AppLocker rule generator by Microsoft employee (GitHub)
|
||||
|
||||
## Common Pitfalls
|
||||
|
||||
- **Skipping Audit mode**: Deploying AppLocker in Enforce mode without audit period will block critical applications and cause outages.
|
||||
- **Relying solely on path rules**: Users with write access to allowed paths (C:\Windows\Temp) can bypass path-based rules. Prefer publisher rules.
|
||||
- **Not blocking user-writable directories**: The most common gap is allowing execution from %TEMP%, Downloads, or %APPDATA%.
|
||||
- **Forgetting Application Identity service**: AppLocker requires the AppIDSvc service running. If it stops, all rules stop enforcing.
|
||||
- **Admin bypass**: Local administrators can bypass AppLocker by default. For full enforcement, combine with WDAC which enforces for all users including admins.
|
||||
- **DLL rule performance**: Enabling DLL rules creates significant performance overhead. Only enable in high-security environments where the tradeoff is justified.
|
||||
@@ -0,0 +1,80 @@
|
||||
# AppLocker Application Whitelisting Template
|
||||
|
||||
## Policy Information
|
||||
|
||||
| Field | Value |
|
||||
|-------|-------|
|
||||
| Policy Name | |
|
||||
| Target OS | Windows 10/11 Enterprise |
|
||||
| Profile | Workstation / Server / Kiosk |
|
||||
| Enforcement Mode | Audit Only / Enforce |
|
||||
| GPO Name | |
|
||||
| Target OU | |
|
||||
| Last Updated | |
|
||||
|
||||
## Approved Application Inventory
|
||||
|
||||
| Application | Publisher | Version | Rule Type | Justification |
|
||||
|------------|----------|---------|-----------|---------------|
|
||||
| Microsoft Office | Microsoft Corporation | 365 | Publisher | Business productivity |
|
||||
| Google Chrome | Google LLC | * | Publisher | Approved browser |
|
||||
| Adobe Acrobat | Adobe Inc. | * | Publisher | PDF processing |
|
||||
| | | | | |
|
||||
|
||||
## Rule Collection Configuration
|
||||
|
||||
### Executable Rules (EXE, COM)
|
||||
|
||||
| Rule Name | Type | Action | Scope | Conditions |
|
||||
|-----------|------|--------|-------|------------|
|
||||
| Default - Windows | Path | Allow | Everyone | %WINDIR%\* |
|
||||
| Default - Program Files | Path | Allow | Everyone | %PROGRAMFILES%\* |
|
||||
| Deny - LOLBins | Path | Deny | Standard Users | mshta.exe, wscript.exe, etc. |
|
||||
| | | | | |
|
||||
|
||||
### Script Rules (PS1, BAT, CMD, VBS, JS)
|
||||
|
||||
| Rule Name | Type | Action | Scope | Conditions |
|
||||
|-----------|------|--------|-------|------------|
|
||||
| Default - Windows scripts | Path | Allow | Everyone | %WINDIR%\* |
|
||||
| Default - Program Files scripts | Path | Allow | Everyone | %PROGRAMFILES%\* |
|
||||
| Deny - User profile scripts | Path | Deny | Standard Users | %USERPROFILE%\* |
|
||||
| | | | | |
|
||||
|
||||
### Windows Installer Rules (MSI, MSP, MST)
|
||||
|
||||
| Rule Name | Type | Action | Scope | Conditions |
|
||||
|-----------|------|--------|-------|------------|
|
||||
| Default - Signed MSI | Publisher | Allow | Everyone | All signed installers |
|
||||
| | | | | |
|
||||
|
||||
## LOLBin Deny List
|
||||
|
||||
| Binary | Path | ATT&CK Technique | Risk |
|
||||
|--------|------|------------------|------|
|
||||
| mshta.exe | %SYSTEM32% | T1218.005 | HTA execution for code delivery |
|
||||
| wscript.exe | %SYSTEM32% | T1059.005 | VBScript execution |
|
||||
| cscript.exe | %SYSTEM32% | T1059.005 | Command-line scripting |
|
||||
| regsvr32.exe | %SYSTEM32% | T1218.010 | COM scriptlet execution |
|
||||
| certutil.exe | %SYSTEM32% | T1140 | File download and decode |
|
||||
| msbuild.exe | .NET Framework | T1127.001 | Inline task execution |
|
||||
|
||||
## Audit Results Tracking
|
||||
|
||||
| Audit Period | Blocked Events | Legitimate Blocks | Rules Added | Remaining Issues |
|
||||
|-------------|---------------|-------------------|-------------|-----------------|
|
||||
| | | | | |
|
||||
|
||||
## Exception Register
|
||||
|
||||
| Application | Reason for Exception | Compensating Control | Approved By | Review Date |
|
||||
|------------|---------------------|---------------------|-------------|-------------|
|
||||
| | | | | |
|
||||
|
||||
## Sign-Off
|
||||
|
||||
| Role | Name | Date |
|
||||
|------|------|------|
|
||||
| Security Engineer | | |
|
||||
| IT Operations Lead | | |
|
||||
| Change Manager | | |
|
||||
@@ -0,0 +1,43 @@
|
||||
# Standards & References - Implementing Application Whitelisting with AppLocker
|
||||
|
||||
## Primary Standards
|
||||
|
||||
### NIST SP 800-167 - Guide to Application Whitelisting
|
||||
- **Publisher**: NIST
|
||||
- **URL**: https://csrc.nist.gov/publications/detail/sp/800-167/final
|
||||
- **Scope**: Comprehensive guidance on planning, implementing, and maintaining application whitelisting
|
||||
- **Key sections**: Technology overview, planning process, policy creation, maintenance operations
|
||||
|
||||
### ACSC Essential Eight - Application Control
|
||||
- **Publisher**: Australian Cyber Security Centre
|
||||
- **URL**: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight
|
||||
- **Scope**: Application control is Mitigation Strategy #1 in the Essential Eight
|
||||
- **Maturity levels**: L1 (block executables in user profiles), L2 (block from all user-writable paths), L3 (Microsoft recommended block rules + WDAC)
|
||||
|
||||
### CIS Control 2 - Software Inventory and Control
|
||||
- **Publisher**: Center for Internet Security
|
||||
- **Relevance**: CIS Controls v8 Control 2 requires software allowlisting for authorized applications
|
||||
|
||||
## Compliance Mappings
|
||||
|
||||
| Framework | Requirement | AppLocker Coverage |
|
||||
|-----------|------------|-------------------|
|
||||
| PCI DSS 4.0 | 6.4.3 - Restrict active content | AppLocker script rules block unauthorized scripts |
|
||||
| NIST 800-53 | CM-7 - Least Functionality | AppLocker enforces minimum required software |
|
||||
| NIST 800-53 | CM-11 - User-Installed Software | AppLocker prevents unauthorized software installation |
|
||||
| NIST 800-171 | 3.4.8 - Application whitelisting | Direct requirement for application control |
|
||||
| ISO 27001 | A.12.5.1 - Installation of software on operational systems | AppLocker restricts installation capability |
|
||||
| HIPAA | 164.312(a)(1) - Access Control | Restricts executable access to authorized applications |
|
||||
|
||||
## Microsoft Documentation
|
||||
|
||||
- **AppLocker Overview**: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview
|
||||
- **AppLocker Policies Design Guide**: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policies-design-guide
|
||||
- **WDAC and AppLocker Feature Availability**: Comparison of capabilities between AppLocker and WDAC
|
||||
- **Microsoft Recommended Block Rules**: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol
|
||||
|
||||
## Supporting References
|
||||
|
||||
- **LOLBAS Project**: https://lolbas-project.github.io/ - Living Off The Land Binaries reference for deny rule creation
|
||||
- **AaronLocker (GitHub)**: Open-source toolkit for generating robust AppLocker policies
|
||||
- **UltimateAppLockerByPassList**: Security research on AppLocker bypass techniques for defense awareness
|
||||
@@ -0,0 +1,137 @@
|
||||
# Workflows - Implementing Application Whitelisting with AppLocker
|
||||
|
||||
## Workflow 1: Initial AppLocker Deployment
|
||||
|
||||
```
|
||||
[Application Inventory]
|
||||
│
|
||||
├── Scan reference endpoints for installed applications
|
||||
├── Catalog all approved software by publisher/path/hash
|
||||
├── Identify admin tools vs. standard user applications
|
||||
│
|
||||
▼
|
||||
[Policy Design]
|
||||
│
|
||||
├── Create default allow rules (Program Files, Windows)
|
||||
├── Create publisher rules for third-party vendors
|
||||
├── Create deny rules for LOLBins (standard users only)
|
||||
├── Create script control rules
|
||||
│
|
||||
▼
|
||||
[Audit Mode Deployment]
|
||||
│
|
||||
├── Deploy via GPO to pilot OU (Audit Only)
|
||||
├── Enable Application Identity service
|
||||
├── Monitor for 2-4 weeks
|
||||
│
|
||||
▼
|
||||
[Audit Log Analysis]
|
||||
│
|
||||
├── Export blocked events (8003, 8006)
|
||||
├── Identify legitimate applications being blocked
|
||||
│
|
||||
├── Blocked app is legitimate ──► [Create allow rule]
|
||||
│ │
|
||||
│ ▼
|
||||
│ [Re-audit 1 week]
|
||||
│
|
||||
└── All blocked apps are unauthorized ──► [Proceed to enforcement]
|
||||
│
|
||||
▼
|
||||
[Switch to Enforce mode (phased)]
|
||||
│
|
||||
├── Week 1: EXE rules
|
||||
├── Week 2: Script rules
|
||||
├── Week 3: MSI rules
|
||||
└── Week 4: DLL rules (optional)
|
||||
```
|
||||
|
||||
## Workflow 2: New Application Approval
|
||||
|
||||
```
|
||||
[User requests new application]
|
||||
│
|
||||
▼
|
||||
[Security review of application]
|
||||
│
|
||||
├── Is it signed by trusted publisher? ──► [Create publisher rule]
|
||||
│
|
||||
├── Unsigned but necessary? ──► [Create hash rule + document exception]
|
||||
│
|
||||
└── Fails security review ──► [Deny request, document reason]
|
||||
│
|
||||
▼
|
||||
[Add rule to AppLocker GPO]
|
||||
│
|
||||
▼
|
||||
[Deploy to pilot OU, verify no conflicts]
|
||||
│
|
||||
▼
|
||||
[Deploy to production OU]
|
||||
│
|
||||
▼
|
||||
[Update application inventory]
|
||||
```
|
||||
|
||||
## Workflow 3: AppLocker Bypass Incident Response
|
||||
|
||||
```
|
||||
[Detection: Unauthorized execution despite AppLocker]
|
||||
│
|
||||
▼
|
||||
[Identify bypass technique]
|
||||
│
|
||||
├── LOLBin not blocked ──► [Add deny rule for specific binary]
|
||||
│
|
||||
├── Execution from allowed path ──► [Restrict path rule scope]
|
||||
│
|
||||
├── Admin user bypass ──► [Evaluate WDAC migration for admin enforcement]
|
||||
│
|
||||
└── DLL side-loading ──► [Enable DLL rules or deploy WDAC]
|
||||
│
|
||||
▼
|
||||
[Update AppLocker policy with fix]
|
||||
│
|
||||
▼
|
||||
[Verify fix in audit mode on test endpoint]
|
||||
│
|
||||
▼
|
||||
[Deploy fix to production]
|
||||
│
|
||||
▼
|
||||
[Update threat model and rule documentation]
|
||||
```
|
||||
|
||||
## Workflow 4: AppLocker to WDAC Migration
|
||||
|
||||
```
|
||||
[Decision: Migrate from AppLocker to WDAC]
|
||||
│
|
||||
▼
|
||||
[Audit current AppLocker policy]
|
||||
│
|
||||
├── Export AppLocker rules as XML
|
||||
├── Identify rules that need WDAC equivalents
|
||||
│
|
||||
▼
|
||||
[Create WDAC policy using WDAC Wizard]
|
||||
│
|
||||
├── Convert publisher rules to WDAC signer rules
|
||||
├── Convert path rules to WDAC filepath rules
|
||||
├── Add Microsoft recommended block rules
|
||||
│
|
||||
▼
|
||||
[Deploy WDAC in Audit mode alongside AppLocker]
|
||||
│
|
||||
▼
|
||||
[Monitor WDAC audit events for 4 weeks]
|
||||
│
|
||||
▼
|
||||
[Resolve WDAC audit findings]
|
||||
│
|
||||
▼
|
||||
[Switch WDAC to Enforce mode]
|
||||
│
|
||||
▼
|
||||
[Disable AppLocker policy]
|
||||
```
|
||||
@@ -0,0 +1,242 @@
|
||||
#!/usr/bin/env python3
|
||||
"""
|
||||
AppLocker Audit Log Analyzer
|
||||
|
||||
Parses Windows AppLocker audit event logs to identify blocked applications,
|
||||
generate rule recommendations, and track policy effectiveness.
|
||||
"""
|
||||
|
||||
import json
|
||||
import csv
|
||||
import sys
|
||||
import os
|
||||
import xml.etree.ElementTree as ET
|
||||
from collections import defaultdict, Counter
|
||||
from datetime import datetime
|
||||
|
||||
|
||||
def parse_applocker_evtx_export(csv_path: str) -> list:
|
||||
"""
|
||||
Parse AppLocker events exported from Event Viewer as CSV.
|
||||
Export: Event Viewer → AppLocker/EXE and DLL → Save All Events As → CSV
|
||||
"""
|
||||
events = []
|
||||
|
||||
with open(csv_path, "r", encoding="utf-8-sig") as f:
|
||||
reader = csv.DictReader(f)
|
||||
for row in reader:
|
||||
event = {
|
||||
"timestamp": row.get("Date and Time", ""),
|
||||
"event_id": row.get("Event ID", ""),
|
||||
"level": row.get("Level", ""),
|
||||
"source": row.get("Source", ""),
|
||||
"message": row.get("Message", ""),
|
||||
"user": "",
|
||||
"file_path": "",
|
||||
"file_hash": "",
|
||||
"publisher": "",
|
||||
"rule_name": "",
|
||||
}
|
||||
|
||||
msg = event["message"]
|
||||
if msg:
|
||||
if "was allowed to run" in msg:
|
||||
event["action"] = "allowed"
|
||||
elif "was prevented from running" in msg:
|
||||
event["action"] = "blocked"
|
||||
elif "would have been prevented" in msg:
|
||||
event["action"] = "audit_block"
|
||||
else:
|
||||
event["action"] = "unknown"
|
||||
|
||||
lines = msg.split("\n")
|
||||
for line in lines:
|
||||
line = line.strip()
|
||||
if line.startswith("File path:") or line.startswith("Filer path:"):
|
||||
event["file_path"] = line.split(":", 1)[1].strip()
|
||||
elif line.startswith("User:"):
|
||||
event["user"] = line.split(":", 1)[1].strip()
|
||||
elif line.startswith("Publisher name:"):
|
||||
event["publisher"] = line.split(":", 1)[1].strip()
|
||||
elif line.startswith("File hash:"):
|
||||
event["file_hash"] = line.split(":", 1)[1].strip()
|
||||
elif line.startswith("Rule name:"):
|
||||
event["rule_name"] = line.split(":", 1)[1].strip()
|
||||
|
||||
events.append(event)
|
||||
|
||||
return events
|
||||
|
||||
|
||||
def analyze_blocked_applications(events: list) -> dict:
|
||||
"""Analyze which applications are being blocked and why."""
|
||||
analysis = {
|
||||
"total_events": len(events),
|
||||
"blocked_events": 0,
|
||||
"allowed_events": 0,
|
||||
"audit_block_events": 0,
|
||||
"unique_blocked_files": set(),
|
||||
"blocked_by_path": defaultdict(int),
|
||||
"blocked_by_user": defaultdict(int),
|
||||
"blocked_by_publisher": defaultdict(int),
|
||||
"top_blocked_files": Counter(),
|
||||
"user_writable_blocks": [],
|
||||
"potential_legitimate": [],
|
||||
}
|
||||
|
||||
user_writable_indicators = [
|
||||
"\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\",
|
||||
"\\desktop\\", "\\documents\\", "%temp%", "%appdata%",
|
||||
]
|
||||
|
||||
signed_publishers = set()
|
||||
|
||||
for event in events:
|
||||
action = event.get("action", "")
|
||||
if action in ("blocked", "audit_block"):
|
||||
analysis["blocked_events"] += 1
|
||||
file_path = event.get("file_path", "").lower()
|
||||
user = event.get("user", "Unknown")
|
||||
publisher = event.get("publisher", "Unknown")
|
||||
|
||||
analysis["unique_blocked_files"].add(file_path)
|
||||
analysis["blocked_by_path"][file_path] += 1
|
||||
analysis["blocked_by_user"][user] += 1
|
||||
analysis["top_blocked_files"][file_path] += 1
|
||||
|
||||
if publisher and publisher != "Unknown":
|
||||
analysis["blocked_by_publisher"][publisher] += 1
|
||||
signed_publishers.add(publisher)
|
||||
|
||||
is_user_writable = any(ind in file_path for ind in user_writable_indicators)
|
||||
if is_user_writable:
|
||||
analysis["user_writable_blocks"].append({
|
||||
"file": file_path,
|
||||
"user": user,
|
||||
"timestamp": event.get("timestamp", ""),
|
||||
})
|
||||
|
||||
if publisher and publisher != "Unknown" and not is_user_writable:
|
||||
analysis["potential_legitimate"].append({
|
||||
"file": file_path,
|
||||
"publisher": publisher,
|
||||
"user": user,
|
||||
"recommendation": "Consider creating publisher rule",
|
||||
})
|
||||
|
||||
elif action == "allowed":
|
||||
analysis["allowed_events"] += 1
|
||||
|
||||
if action == "audit_block":
|
||||
analysis["audit_block_events"] += 1
|
||||
|
||||
analysis["unique_blocked_files"] = len(analysis["unique_blocked_files"])
|
||||
analysis["signed_publishers_blocked"] = list(signed_publishers)
|
||||
|
||||
return analysis
|
||||
|
||||
|
||||
def generate_rule_recommendations(analysis: dict) -> list:
|
||||
"""Generate AppLocker rule recommendations based on audit analysis."""
|
||||
recommendations = []
|
||||
|
||||
for item in analysis.get("potential_legitimate", []):
|
||||
recommendations.append({
|
||||
"type": "publisher_rule",
|
||||
"action": "allow",
|
||||
"publisher": item["publisher"],
|
||||
"file": item["file"],
|
||||
"reason": f"Signed application blocked for user {item['user']}",
|
||||
"priority": "high",
|
||||
})
|
||||
|
||||
top_blocked = analysis.get("top_blocked_files", Counter())
|
||||
for file_path, count in top_blocked.most_common(20):
|
||||
if count >= 10:
|
||||
is_in_recommendations = any(
|
||||
r["file"] == file_path for r in recommendations
|
||||
)
|
||||
if not is_in_recommendations:
|
||||
recommendations.append({
|
||||
"type": "investigate",
|
||||
"action": "review",
|
||||
"file": file_path,
|
||||
"count": count,
|
||||
"reason": f"Blocked {count} times - determine if legitimate",
|
||||
"priority": "medium",
|
||||
})
|
||||
|
||||
return recommendations
|
||||
|
||||
|
||||
def export_analysis_report(analysis: dict, recommendations: list, output_path: str) -> None:
|
||||
"""Export analysis and recommendations to JSON report."""
|
||||
report = {
|
||||
"report_generated": datetime.utcnow().isoformat() + "Z",
|
||||
"summary": {
|
||||
"total_events": analysis["total_events"],
|
||||
"blocked": analysis["blocked_events"],
|
||||
"audit_blocked": analysis["audit_block_events"],
|
||||
"allowed": analysis["allowed_events"],
|
||||
"unique_blocked_files": analysis["unique_blocked_files"],
|
||||
},
|
||||
"top_blocked_files": dict(analysis["top_blocked_files"].most_common(30)),
|
||||
"blocked_by_user": dict(analysis["blocked_by_user"]),
|
||||
"signed_publishers_blocked": analysis.get("signed_publishers_blocked", []),
|
||||
"user_writable_path_blocks": len(analysis.get("user_writable_blocks", [])),
|
||||
"rule_recommendations": recommendations,
|
||||
}
|
||||
|
||||
with open(output_path, "w", encoding="utf-8") as f:
|
||||
json.dump(report, f, indent=2)
|
||||
|
||||
|
||||
def export_blocked_apps_csv(analysis: dict, output_path: str) -> None:
|
||||
"""Export blocked applications to CSV for review."""
|
||||
with open(output_path, "w", newline="", encoding="utf-8") as f:
|
||||
writer = csv.writer(f)
|
||||
writer.writerow(["File Path", "Block Count", "Action Needed", "Rule Type"])
|
||||
for file_path, count in analysis["top_blocked_files"].most_common(100):
|
||||
writer.writerow([file_path, count, "Review", "TBD"])
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
if len(sys.argv) < 2:
|
||||
print("Usage: python process.py <applocker_events.csv>")
|
||||
print()
|
||||
print("Analyzes AppLocker audit events exported from Windows Event Viewer.")
|
||||
print("Export events from: Event Viewer → AppLocker/EXE and DLL → Save All Events As CSV")
|
||||
sys.exit(1)
|
||||
|
||||
csv_path = sys.argv[1]
|
||||
if not os.path.exists(csv_path):
|
||||
print(f"Error: File not found: {csv_path}")
|
||||
sys.exit(1)
|
||||
|
||||
print("Parsing AppLocker audit events...")
|
||||
events = parse_applocker_evtx_export(csv_path)
|
||||
print(f"Parsed {len(events)} events")
|
||||
|
||||
print("Analyzing blocked applications...")
|
||||
analysis = analyze_blocked_applications(events)
|
||||
|
||||
print("Generating rule recommendations...")
|
||||
recommendations = generate_rule_recommendations(analysis)
|
||||
|
||||
base_name = os.path.splitext(os.path.basename(csv_path))[0]
|
||||
output_dir = os.path.dirname(csv_path) or "."
|
||||
|
||||
report_path = os.path.join(output_dir, f"{base_name}_analysis.json")
|
||||
export_analysis_report(analysis, recommendations, report_path)
|
||||
print(f"Analysis report: {report_path}")
|
||||
|
||||
blocked_csv = os.path.join(output_dir, f"{base_name}_blocked_apps.csv")
|
||||
export_blocked_apps_csv(analysis, blocked_csv)
|
||||
print(f"Blocked apps CSV: {blocked_csv}")
|
||||
|
||||
print(f"\n--- AppLocker Audit Summary ---")
|
||||
print(f"Total events: {analysis['total_events']}")
|
||||
print(f"Blocked: {analysis['blocked_events']}")
|
||||
print(f"Audit-blocked: {analysis['audit_block_events']}")
|
||||
print(f"Unique blocked files: {analysis['unique_blocked_files']}")
|
||||
print(f"Rule recommendations: {len(recommendations)}")
|
||||
Reference in New Issue
Block a user