This script outputs two files: ApplockerPolicy.xml, which could be imported directly into Tanium (though I recommend against it), and PublisherInfo.csv, which can be used to manually create the rules. Only signed files appear in the CSV; unsigned binaries get path rules in the XML instead, so review those separately.
The methodology is to run the script on most or all of the endpoints, then merge (concatenate) all of the PublisherInfo.csv files into one long file. Open that file in Excel and remove duplicates. You then have your list of publishers, applications, and binaries to use in Tanium.
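The merge-and-dedupe step can be done in PowerShell instead of Excel. The following is an added example, not part of the original post: it assumes the per-endpoint CSVs have been copied into a Collected folder (the folder and output file names are assumptions) and that each file still carries the "Publisher Name,Product Name,Binary Name" header written by the collection script.

```powershell
# Added example (not from the original post): merge every collected PublisherInfo.csv
# and keep one row per publisher/product/binary triple. Paths are assumptions.
$CollectedPath = $env:USERPROFILE + "\Documents\ApplockerTesting\Collected"
$MergedFile    = $env:USERPROFILE + "\Documents\ApplockerTesting\PublisherInfo-merged.csv"

# Read every CSV under the collection folder into one stream of objects;
# Import-Csv keys the properties off the shared header line.
$Rows = Get-ChildItem -Path $CollectedPath -Filter "*.csv" -Recurse |
    ForEach-Object { Import-Csv -Path $_.FullName } |
    Where-Object { $_.'Publisher Name' -and $_.'Binary Name' }   # drop blank or partial rows

# Sort-Object -Unique compares strings case-insensitively, so rows that differ only in
# case collapse to one (the names Get-AppLockerFileInformation emits are upper-case anyway).
$Unique = $Rows | Sort-Object -Property 'Publisher Name', 'Product Name', 'Binary Name' -Unique

$Unique | Export-Csv -Path $MergedFile -NoTypeInformation -Encoding UTF8
"{0} rows in, {1} unique rows out" -f @($Rows).Count, @($Unique).Count
```

The merged file keeps the same three columns, so it drops straight into whatever you were going to do with the Excel output.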
Here's the script:
$ExePath = "C:\"   # explicit drive root so the whole drive is scanned
$OutPath = $env:USERPROFILE + "\Documents\ApplockerTesting"
$PolicyFile = "$OutPath\ApplockerPolicy.xml"
$PublisherInfoFile = "$OutPath\PublisherInfo.csv"
CLS
New-Item -ItemType Directory -Path $OutPath -Force | Out-Null   # Out-File -Force does not create the folder
# Publisher rules for every signed EXE/DLL; unsigned files fall back to path rules, which land in the XML but not in the CSV below
Get-AppLockerFileInformation -Directory $ExePath -Recurse -FileType Exe,Dll | New-AppLockerPolicy -RuleType Publisher,Path -User Everyone -RuleNamePrefix AppLocker -Xml | Out-File -FilePath $PolicyFile -Force #create the policy file
[XML]$AppDetails = Get-Content $PolicyFile
$OutString = "Publisher Name,Product Name,Binary Name"
$OutString | Out-File -FilePath $PublisherInfoFile -Force
foreach($AppDetail in $AppDetails.AppLockerPolicy.RuleCollection.FilePublisherRule.Conditions){
    $Condition = $AppDetail.FilePublisherCondition
    # quote every field: publisher names contain commas (O=..., L=..., S=..., C=...)
    $OutString = '"' + $Condition.PublisherName + '","' + $Condition.ProductName + '","' + $Condition.BinaryName + '"'
    $OutString | Out-File -FilePath $PublisherInfoFile -Append
}

If you really do want to import the ApplockerPolicy.xml created from that script, then you might want to use this script to make the names into something more manageable. The rule names generated by New-AppLockerPolicy are really cumbersome.
Here's a script to reset the names:
$DocsPath = $env:USERPROFILE + "\Documents\ApplockerTesting"
$PolicyFile = "$DocsPath\ApplockerPolicy.xml"   # the file written by the collection script above
[XML]$AppDetails = Get-Content $PolicyFile
foreach($AppDetail in $AppDetails.AppLockerPolicy.RuleCollection.FilePublisherRule){
    $Condition = $AppDetail.Conditions.FilePublisherCondition
    # PublisherName is the signing certificate's subject, e.g. "O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US";
    # keep only the first RDN value (the organisation, or CN= for the few subjects that start with a common name)
    $PublishName = (($Condition.PublisherName -split ',', 2)[0]) -replace '^\s*(O|CN)=', ''
    $ProdName = $Condition.ProductName
    $BinaryName = $Condition.BinaryName
    $RuleName = $PublishName + " :-: " + $ProdName + " :-: " + $BinaryName
    $AppDetail.Name = $RuleName   # Name is the display attribute; the Id GUID stays as generated
    Write-Output $RuleName
}
$AppDetails.Save($PolicyFile)   # save once after all rules are renamed rather than on every iteration
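Before handing the XML to Tanium it is worth confirming that the renamed file still parses and that the policy makes the decisions you expect. The following is an added example and not part of the original post; it uses the documented Test-AppLockerPolicy cmdlet, and the policy path and sample binaries are assumptions.

```powershell
# Added example (not from the original post): sanity-check the generated policy.
# Re-parses the XML, counts publisher vs. path rules, lists the path rules (the ones
# worth reviewing, since a broad path allows anything dropped into that location),
# and asks AppLocker what it would decide for a few well-known binaries.
$PolicyFile = $env:USERPROFILE + "\Documents\ApplockerTesting\ApplockerPolicy.xml"   # assumption

[XML]$Policy = Get-Content $PolicyFile   # throws if the rename script left the file malformed
$PubRules  = @($Policy.AppLockerPolicy.RuleCollection.FilePublisherRule)
$PathRules = @($Policy.AppLockerPolicy.RuleCollection.FilePathRule)
"Publisher rules: {0}  Path rules: {1}" -f $PubRules.Count, $PathRules.Count

# Path rules were generated for unsigned files; review each path before importing
$PathRules | ForEach-Object { $_.Conditions.FilePathCondition.Path } | Sort-Object -Unique

# Ask AppLocker what the policy decides for sample files (constructed list of system
# binaries). Anything reported as Denied or DeniedByDefault that should run is a missing rule.
$Samples = @(
    "$env:SystemRoot\System32\notepad.exe",
    "$env:SystemRoot\System32\cmd.exe",
    "$env:SystemRoot\System32\kernel32.dll"
)
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $Samples -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize
```

Run it against a binary you know is not covered (a file from a test share, say) as well, so you see a Denied result and confirm the policy is not accidentally allowing everything through a wide path rule.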
Enjoy!