Thursday, May 21, 2020

Applocker Rules for Tanium

I had a client wanting to create AppLocker whitelisting rules in Tanium.  I created this little script that can be run on the endpoints (use Tanium or SCCM to easily get it to run there) and then the results can be used to create rules in Tanium.

This script will output two files; ApplockerPolicy.xml which could be imported directly into Tanium though I recommend against it and PublisherInfo.csv which can be used to manually create the rules.

The methodology is to run the script on most/all of the endpoints, merge all of the PublisherInfo.csv files together (concatenate) into one long file.  Open that long file in Excel and remove duplicates.  Then you have your list of publishers, applications, and files to use in Tanium.

Here's the script:

$ExePath = "C:"
$OutPath = $env:USERPROFILE + "\Documents\ApplockerTesting"
$PolicyFile = "$OutPath\ApplockerPolicy.xml"
$PublisherInfoFile = "$OutPath\PublisherInfo.csv"

CLS
Get-AppLockerFileInformation -Directory $ExePath -Recurse -FileType Dll,EXE | New-AppLockerPolicy -RuleType Publisher,Path -User Everyone -RuleNamePrefix AppLocker -xml | Out-File -FilePath $PolicyFile -Force #create the policy file

[XML]$AppDetails = Get-Content $PolicyFile
$OutString = "Publisher Name,Product Name,Binary Name"
$OutString | Out-File -filepath $PublisherInfoFile -Force
foreach($AppDetail in $AppDetails.AppLockerPolicy.RuleCollection.FilePublisherRule.Conditions){
    $OutString = ('"' + ($AppDetail.FilePublisherCondition).PublisherName) + '","' + (($AppDetail.FilePublisherCondition).ProductName) + '","' + (($AppDetail.FilePublisherCondition).BinaryName) + '"'
    $OutString | Out-File -filepath $PublisherInfoFile -Append
}
If you really do want to import the ApplockerPolicy.xml created from that script then you might want to use this script to make the names into something more manageable.  The names given by the Get-AppLockerFileInformation command are really cumbersome.

Here's a script to reset the names:

$DocsPath = $env:USERPROFILE + "\Documents\ApplockerTesting"
$PolicyFile = "$DocsPath\PolicyFile.xml"

[XML]$AppDetails = Get-Content $PolicyFile


foreach($AppDetail in $AppDetails.AppLockerPolicy.RuleCollection.FilePublisherRule){
$PublishName,$Garbage = (($AppDetail.Conditions.FilePublisherCondition.PublisherName).Replace("O=","")).split(",",2)
$ProdName = $AppDetail.Conditions.FilePublisherCondition.ProductName
$BinaryName = $AppDetail.Conditions.FilePublisherCondition.BinaryName


$RuleName = $PublishName + " :-: " + $ProdName + " :-: " + $BinaryName
$AppDetail.Name = $RuleName
Write-Output $RuleName
$AppDetails.Save($PolicyFile)
}

Enjoy!

No comments:

Post a Comment