I'm trying to figure out how to use PowerShell to read EVTX (event log) files to apply specific app control policies. My aim is to create a publisher rule if one exists, or fall back to using the file path if the publisher rule isn't found. I've been looking into the ConfigCI cmdlets, but they seem to require a designated file path and don't allow for publisher details or similar parameters. Is this possible with PowerShell?
A bit of background: I'm working on a project that requires application control for a business. We've discovered over 50 applications scattered across different computers that need to be allowed, but the managed installer doesn't permit anything before its deployment. We currently lack a SIEM, and advanced threat hunting isn't compatible with code integrity events unless we upgrade to Plan 2.
I've tried using the App Control Manager, but it defaults to hash, which isn't ideal for app updates. To streamline the process, I thought automation could help instead of manually approving each EXE and DLL in the app control wizard. Any advice or resources would be greatly appreciated!
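An added example of the approach the question describes (this is not the poster's code and not part of any answer): it pulls the blocked or audited binaries out of the CodeIntegrity event log, then builds a Publisher rule where the file carries a valid Authenticode signature and a FilePath rule otherwise. It assumes the ConfigCI module is present, that the `FileNameBuffer` data item holds the path in 3076/3077 events (verify against one event's XML on your own host), and that `$volumeMap` is a constructed, hypothetical mapping from NT device paths to drive letters that you adapt to your machine.

```powershell
# Added example, not from the question or answers. Run elevated on a machine
# with the ConfigCI module; audit-mode (3076) or enforce-mode (3077) events
# are read from the local CodeIntegrity log.
Import-Module ConfigCI

# HYPOTHETICAL mapping: CodeIntegrity events log NT device paths, not drive
# letters. Fill this in from the paths you actually see in your own events.
$volumeMap = @{ '\Device\HarddiskVolume3' = 'C:' }

function Convert-DevicePath {
    param([string]$DevicePath)
    foreach ($prefix in $volumeMap.Keys) {
        if ($DevicePath.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
            return $volumeMap[$prefix] + $DevicePath.Substring($prefix.Length)
        }
    }
    return $DevicePath   # unmapped volume: keep as-is so it is visible in output
}

# Collect the file paths from blocked/audited events (assumption: the path is
# the EventData item named 'FileNameBuffer').
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077 }

$paths = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $item = $xml.Event.EventData.Data | Where-Object { $_.Name -eq 'FileNameBuffer' }
    if ($item) { Convert-DevicePath -DevicePath $item.'#text' }
}
# De-duplicate and keep only files that still exist so they can be inspected.
$paths = $paths | Sort-Object -Unique | Where-Object { Test-Path -LiteralPath $_ }

# One rule per file: Publisher when the signature chain is valid, else FilePath.
$rules = @()
foreach ($p in $paths) {
    $sig = Get-AuthenticodeSignature -FilePath $p
    if ($sig.Status -eq 'Valid') {
        $rules += New-CIPolicyRule -DriverFilePath $p -Level Publisher
    } else {
        Write-Warning "No valid signature on $p; falling back to a FilePath rule"
        $rules += New-CIPolicyRule -FilePathRule $p
    }
}

# Emit a policy XML for review; merge it into the base policy with Merge-CIPolicy
# after checking that the FilePath rules point at locations standard users cannot write.
New-CIPolicy -Rules $rules -FilePath .\FromEventLog.xml
```

Review the generated XML before deploying it: a FilePath rule on a user-writable directory allows anything dropped there, so those entries are the ones to scrutinise.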
2 Answers
You can actually create an AppLocker policy using any domain controller. It doesn't have to be your domain; just access the GPO GUI to set up file hash policies. Once you've created the policy, you can easily export it as an XML file, which might be useful for your app control needs.
Have you tried looking at the AaronLocker project on GitHub? It might have what you need for managing application policies and could simplify your PowerShell scripts.

Thanks for the tip! Do you know if those AppLocker XML files work for application control for business or WDAC? I hadn’t considered that approach before.