Friday, May 24, 2013

Using AppLocker audit mode to track down Malware

We all know that AppLocker can stop a lot of things we don't want running on the computer, malware included. If you are not ready to switch the policy to enforce mode, audit mode is still a great asset.

Audit mode tells us about everything that runs on the system: it creates a log entry every time a program is launched, and that entry says whether the policy would have allowed the app to run or would have blocked it, and why. A log like that gives you a lot of information.

Once you start building rules, it gets even better, because you can then filter on just the things that would have been blocked. If one of those is legitimate, create a rule for it.

Things like malware just jump out at you in those logs. A quick script like this will show you where it's hiding.


# Read the audit events from the EXE and DLL log. Event ID 8003 means the file
# was allowed to run but would have been blocked if the policy were enforced.
Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" |
Where-Object { $_.Id -eq 8003 } |
Format-Table Message

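As an added example (not from the original post), here is a longer triage script over the same log: it pulls the would-have-been-blocked launches, groups them by folder and flags user-writable locations, which is where dropped malware usually runs from. It assumes the field names AppLocker writes in each event's RuleAndFileData XML (FilePath, FileHash, Fqbn, TargetUser) and the AppLocker path-variable prefixes; the list of suspect folder patterns is my own choice.

```powershell
# Added example, not the original post's script. Groups AppLocker audit events
# by folder so binaries launched from user-writable locations surface first.
param(
    [datetime]$Since = (Get-Date).AddDays(-7),
    # 8003 = audit "would have blocked"; 8004 = blocked in enforce mode.
    [int[]]$EventId = @(8003, 8004)
)

# Assumed list of folders where a dropped binary typically lands, written
# with the path variables AppLocker uses in its event data.
$userWritable = '^%OSDRIVE%\\USERS\\', '^%REMOVABLE%\\', '^%HOT%\\'

$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = $EventId
    StartTime = $Since
}

# Pull the structured fields out of the event XML (assumed layout:
# Event/UserData/RuleAndFileData). Fqbn is assumed to be '-' for unsigned files.
$rows = foreach ($e in $events) {
    $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
    [pscustomobject]@{
        Time    = $e.TimeCreated
        User    = $d.TargetUser
        Path    = $d.FilePath
        Folder  = Split-Path -Path $d.FilePath -Parent
        Signed  = -not [string]::IsNullOrEmpty($d.Fqbn) -and $d.Fqbn -ne '-'
        Hash    = $d.FileHash
        Suspect = [bool]($userWritable | Where-Object { $d.FilePath -match $_ })
    }
}

# One line per folder: suspect folders first, then the busiest ones.
$rows | Group-Object Folder | ForEach-Object {
    [pscustomobject]@{
        Launches = $_.Count
        Suspect  = ($_.Group | Where-Object Suspect).Count -gt 0
        Unsigned = ($_.Group | Where-Object { -not $_.Signed }).Count
        Users    = ($_.Group.User | Sort-Object -Unique) -join ', '
        Folder   = $_.Name
    }
} | Sort-Object Suspect, Launches -Descending | Format-Table -AutoSize

# Per-file detail for the suspect hits, hash included, for IR to follow up.
$rows | Where-Object Suspect | Sort-Object Path -Unique |
    Format-List Time, User, Path, Hash
```

Run it from an elevated prompt on a machine that has been in audit mode for a while; the file hash in each row lets you check the same binary across other hosts' logs.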
