
Audit Applocker Rules and Export to Excel

Introduction

Reporting on AppLocker rules is crucial to maintaining security. It provides insight into allowed and blocked applications, aiding in policy refinement. The main challenge lies in the absence of a management graphical user interface (GUI) for rule administration and processing. GPResult does offer a visual display of individual policies, but it falls short in presenting a comprehensive overview of the combined and applied policies.


A Quick Recap of Applocker

AppLocker is a security feature available in Windows that provides application control in the user context. It uses policies based on file attributes like publisher, hash, and path to allow or deny software execution. By preventing unauthorized or potentially harmful programs from running, AppLocker helps safeguard systems against malware and unauthorized software installations, enhancing overall security.


As AppLocker only protects the user context, it provides little safeguard against RCE. AppLocker is also subject to numerous Living off the Land bypasses and should only ever be considered part of a layered approach to Windows security. Windows Defender Application Control is a far more robust, kernel-level application control mechanism.

The Script

The script for exporting Applocker rules can be found @


Why Export to HTML!!!

If you hadn't realised, the script creates an HTML report, although the original intention was to export AppLocker rules to .csv and then into Excel. Exporting to CSV proved limiting due to the lack of support for individual worksheets or pages. The report must also work on clients and servers, and must not be reliant on Excel or imported Excel PowerShell modules. Finally, I have an extensive configuration, security and vulnerability assessment report written in PowerShell, which likewise creates an HTML report that can also be imported into Excel.


The vulnerability assessment script can be found @ https://github.com/Tenaka/SecureReport


The Report

Download the script and execute it using PowerShell_ISE or native PowerShell. While I haven't conducted extensive testing with PowerShell, it should function in both environments.


The report is written to $env:USERPROFILE, the root of the user's profile path, and is named with the date and hostname followed by -Report.htm, for example "C:\Users\Fred\23-08-28-LP674504-Report.htm".


The report will contain the effective policy applied to the endpoint.
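
How a report of the effective policy can be produced, as an added example that is not the author's script: it reads the merged policy with Get-AppLockerPolicy -Effective -Xml and writes one HTML table per rule collection. The output file name is a hypothetical one chosen for this example.

```powershell
# Added example, not the author's script. Uses the built-in AppLocker module.
# Hypothetical output name chosen for this example.
$outFile = Join-Path $env:USERPROFILE 'AppLocker-Effective-Example.htm'

# Effective policy = local policy merged with any GPO-delivered policy
[xml]$policy = Get-AppLockerPolicy -Effective -Xml

$fragments = foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $ruleNodes = $collection.ChildNodes | Where-Object { $_.NodeType -eq 'Element' }
    $rules = foreach ($rule in $ruleNodes) {
        # First condition element; its attributes depend on the rule type
        $cond = $rule.SelectSingleNode('Conditions/*')
        $detail = switch ($rule.LocalName) {
            'FilePublisherRule' {
                '{0} | {1} | {2}' -f $cond.GetAttribute('PublisherName'),
                    $cond.GetAttribute('ProductName'), $cond.GetAttribute('BinaryName')
            }
            'FilePathRule' { $cond.GetAttribute('Path') }
            'FileHashRule' {
                # A hash rule can cover several files; list their source names
                ($cond.SelectNodes('FileHash') |
                    ForEach-Object { $_.GetAttribute('SourceFileName') }) -join '; '
            }
            default { '' }
        }
        [pscustomobject]@{
            RuleType       = $rule.LocalName
            Action         = $rule.GetAttribute('Action')
            Name           = $rule.GetAttribute('Name')
            UserOrGroupSid = $rule.GetAttribute('UserOrGroupSid')
            Condition      = $detail
            # Exceptions narrow a rule, so flag them for manual review
            HasExceptions  = [bool]$rule.SelectSingleNode('Exceptions')
        }
    }
    # Heading shows the collection (Exe, Msi, Script, ...) and its enforcement mode
    $heading = '<h2>{0} ({1})</h2>' -f $collection.GetAttribute('Type'),
        $collection.GetAttribute('EnforcementMode')
    if ($rules) { $rules | ConvertTo-Html -Fragment -PreContent $heading }
    else        { "$heading<p>No rules defined</p>" }
}

ConvertTo-Html -Title 'AppLocker effective policy' -Body $fragments |
    Out-File -FilePath $outFile -Encoding utf8
```

When reviewing the output, broad Allow path rules under user-writable locations and collections whose enforcement mode is AuditOnly or NotConfigured are the rows that deserve attention first.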

While appealing, the current format may not be the most practical to work with. However, you can import it as a web source into Excel, where each heading corresponds to an Excel worksheet.


Here are a couple of examples followed by a quick how-to for importing into Excel.


Excel Import

Once the script concludes, the AppLocker Audit report will automatically open in the default web browser. Copy the URL path to the clipboard for use in the importing process.

Open Excel and go to the Data tab, then select 'From Web'.

Paste the file path into the URL box.

In the navigation window, select the AppLocker rule sets, then 'Load' and 'Load To...' from the drop-down.

Select 'Table' on the Import Data window.

Importing the HTML file into Excel requires a brief moment, although it won't provide sufficient time to justify indulging in a coffee break.

Upon completing the import process, an Excel spreadsheet is prepared and readily available for review.

Hope this proves useful, feedback is always welcome and thanks for your time.
