Created
December 5, 2024 11:40
-
-
Save tmap/d67b248aa51bebe16794a552846f74a1 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Import-Module AppLocker | |
| [xml]$data = Get-AppLockerPolicy -Effective -Xml | |
| # Initialize an array to store rule details | |
| $rules = @() | |
| # Extract and process rules | |
| ($data.AppLockerPolicy.RuleCollection | Where-Object { $_.EnforcementMode -eq "Enabled" }) | ForEach-Object { | |
| # File Path Rules | |
| $_.FilePathRule | Where-Object { $_.Name -NotLike "(Default Rule)*" } | ForEach-Object { | |
| $rule = New-Object PSObject | |
| $rule | Add-Member -MemberType NoteProperty -Name 'Rule Name' -Value $_.Name | |
| $rule | Add-Member -MemberType NoteProperty -Name 'Rule Type' -Value 'File Path Rule' | |
| $rule | Add-Member -MemberType NoteProperty -Name 'Description' -Value $_.Description | |
| $rule | Add-Member -MemberType NoteProperty -Name 'Condition' -Value $_.Conditions.FilePathCondition.Path | |
| $rule | Add-Member -MemberType NoteProperty -Name 'Group/SID' -Value $_.UserOrGroupSid | |
| $rules += $rule | |
| } | |
| # File Hash Rules | |
| $_.FileHashRule | ForEach-Object { | |
| $rule = New-Object PSObject | |
| $rule | Add-Member -MemberType NoteProperty -Name 'Rule Name' -Value $_.Name | |
| $rule | Add-Member -MemberType NoteProperty -Name 'Rule Type' -Value 'File Hash Rule' | |
| $rule | Add-Member -MemberType NoteProperty -Name 'Description' -Value $_.Description | |
| $rule | Add-Member -MemberType NoteProperty -Name 'Condition' -Value "File: $($_.Conditions.FileHashCondition.FileHash.SourceFileName), Hash: $($_.Conditions.FileHashCondition.FileHash.Data)" | |
| $rule | Add-Member -MemberType NoteProperty -Name 'Group/SID' -Value $_.UserOrGroupSid | |
| $rules += $rule | |
| } | |
| # File Publisher Rules | |
| $_.FilePublisherRule | Where-Object { $_.Name -NotLike "(Default Rule)*" } | ForEach-Object { | |
| $rule = New-Object PSObject | |
| $rule | Add-Member -MemberType NoteProperty -Name 'Rule Name' -Value $_.Name | |
| $rule | Add-Member -MemberType NoteProperty -Name 'Rule Type' -Value 'File Publisher Rule' | |
| $rule | Add-Member -MemberType NoteProperty -Name 'Description' -Value $_.Description | |
| $rule | Add-Member -MemberType NoteProperty -Name 'Condition' -Value "Publisher: $($_.Conditions.FilePublisherCondition.PublisherName), Product: $($_.Conditions.FilePublisherCondition.ProductName), Binary: $($_.Conditions.FilePublisherCondition.BinaryName), Version Range: $($_.Conditions.FilePublisherCondition.BinaryVersionRange.LowSection) - $($_.Conditions.FilePublisherCondition.BinaryVersionRange.HighSection)" | |
| $rule | Add-Member -MemberType NoteProperty -Name 'Group/SID' -Value $_.UserOrGroupSid | |
| $rules += $rule | |
| } | |
| } | |
| # Output rules to Out-GridView | |
| $rules | Out-GridView -Title "AppLocker Rules with All Properties" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment