AppLocker audit mode tells you about everything that runs on your system. It writes a log entry every time a program starts, and that entry records whether the policy would have allowed the app to run or would have blocked it, and why. A log like that gives you a lot of information.
Once you start building rules, it gets even better. Then you can filter on the things that would have been blocked. If you see something that is legitimate, you can create a rule for it.
Things like malware just jump out at you in those logs. A quick script like this will show you where it's hiding (event ID 8003 is the audit-mode "would have been blocked" entry):
# Read the AppLocker EXE/DLL log and keep only the audit-mode "would have been blocked" events (ID 8003)
Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" |
    Where-Object { $_.Id -eq 8003 } |
    Format-Table Message
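The one-liner above prints each event's Message text. The script below is an added example (not code from the original post) that goes one step further: it pulls the structured fields out of the event XML (file path, hash, publisher, user) and groups the 8003 events by path, so a binary that has never been seen before, is unsigned, or runs from an odd location stands out, and the paths you do recognise can be turned into rules. It assumes the standard AppLocker event schema, where the details sit under UserData/RuleAndFileData; the treatment of "-" in the Fqbn field as "unsigned" is an assumption based on how those events normally look.

```powershell
# Added example, not from the original post: summarise AppLocker audit events
# (ID 8003 = "would have been blocked" while in audit mode) by file path so that
# unexpected binaries stand out and legitimate ones can be turned into rules.
function Get-AppLockerAuditSummary {
    param(
        # Log the post reads; the Script and MSI logs share the same event schema.
        [string]$LogName = 'Microsoft-Windows-AppLocker/EXE and DLL',
        # 8003 = audit-only "would have been blocked"; add 8004 to include real blocks.
        [int[]]$EventId  = @(8003),
        [int]$MaxEvents  = 5000
    )

    # SilentlyContinue: an empty log is a normal result, not an error worth stopping on.
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The useful fields live in UserData/RuleAndFileData, not in the Message text.
            $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Id       = $_.Id
                User     = $data.TargetUser   # SID of the account that launched the file
                FilePath = $data.FilePath     # uses AppLocker path variables, e.g. %OSDRIVE%
                FileHash = $data.FileHash     # hash AppLocker computed for the file
                Fqbn     = $data.Fqbn         # publisher/product/binary name; empty or "-" when unsigned (assumption)
            }
        } |
        Group-Object FilePath |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object Time
            $fqbn   = $sorted[0].Fqbn
            [pscustomobject]@{
                Count     = $_.Count
                FilePath  = $_.Name
                Signed    = -not [string]::IsNullOrEmpty($fqbn) -and $fqbn -ne '-'
                Users     = ($_.Group.User | Sort-Object -Unique) -join ';'
                FirstSeen = $sorted[0].Time
                LastSeen  = $sorted[-1].Time
            }
        } |
        # Unsigned paths first (Signed ascending), then the most frequently run within each group.
        Sort-Object Signed, @{ Expression = 'Count'; Descending = $true }
}

# Usage: see what audit mode would have blocked, unsigned binaries at the top.
Get-AppLockerAuditSummary | Format-Table -AutoSize

# Once a path is confirmed legitimate, AppLocker's own cmdlets can draft rules
# directly from the audited events (review the generated XML before importing it):
# Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited |
#     New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml
```

Grouping by path rather than reading messages one by one is what makes the noise manageable: a signed vendor updater that ran two hundred times collapses into a single row, while a lone unsigned executable launched once from a user profile or temp directory sits at the top of the table where you will actually look at it.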