Rather than continuing to attach zip files to blog posts, I have moved the "AaronLocker" materials, including scripts and documentation, to GitHub: https://github.com/Microsoft/AaronLocker. Among other things, this will make it easier to upload changes as I make them rather than building up a whole package first. I'll continue to post here to announce significant changes, but the materials now have a permanent home instead of whatever the latest blog post URL is.
Changes since the previous version include:
- The generated rule set now includes an inoperative rule whose name carries the date and time the rule set was generated. This helps differentiate policy versions and lets you match an in-use policy to the policy rule file whose filename carries the same timestamp. You can retrieve this timestamp from the policy even after it has been imported into Group Policy.
- Added Get-AaronLockerTimestamp.ps1 to retrieve the generated timestamp from local policy, effective policy, or a saved policy XML file.
- Added DownloadAccesschk.ps1 to download the current version of AccessChk.exe from Sysinternals.
- Improvements to the workbook produced by Generate-EventWorkbook.ps1 (three user-focused tabs).
- Added -Objects switch to Get-AppLockerEvents.ps1 to output PSCustomObjects instead of CSV.
- Scan-Directories.ps1 produces more data, recognizes additional “default” root directories.
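To illustrate the timestamp-rule idea above, here is an added example (not AaronLocker's own code and not what Get-AaronLockerTimestamp.ps1 does). It assumes, hypothetically, that the inoperative rule is a FilePathRule whose Name starts with "AaronLocker timestamp:" followed by a `yyyyMMdd-HHmm` stamp; the real rule name, path and format used by AaronLocker are not shown on this page, and the sample policy XML is constructed.

```powershell
# Added example, not part of AaronLocker. Hypothetical assumption: the
# timestamp rule is a FilePathRule named "AaronLocker timestamp: yyyyMMdd-HHmm"
# on a path that never exists, so the rule itself never allows or denies anything.

function Get-PolicyTimestamp {
    param([Parameter(Mandatory)][string]$PolicyXml)   # AppLocker policy as XML text
    [xml]$doc = $PolicyXml
    # Rules sit directly under each <RuleCollection>; inspect every rule's Name attribute.
    # GetAttribute() is used instead of .Name to avoid confusion with the element's tag name.
    foreach ($rule in $doc.SelectNodes('/AppLockerPolicy/RuleCollection/*')) {
        $name = $rule.GetAttribute('Name')
        if ($name -match '^AaronLocker timestamp:\s*(\d{8}-\d{4})$') {
            return [datetime]::ParseExact($Matches[1], 'yyyyMMdd-HHmm', $null)
        }
    }
    return $null   # no timestamp rule: policy was not generated with a version stamp
}

# Constructed sample policy: one ordinary allow rule plus the placeholder timestamp rule.
# The Ids are constructed placeholders, not values from a real policy.
$sample = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="AaronLocker timestamp: 20180517-0930"
                  Description="Placeholder rule; path never exists" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\AaronLocker-timestamp-placeholder\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

Get-PolicyTimestamp -PolicyXml $sample   # constructed sample: returns 2018-05-17 09:30

# Against a real machine (Windows with the AppLocker module), the same function reads
# local, effective, or saved policy:
#   Get-PolicyTimestamp -PolicyXml (Get-AppLockerPolicy -Local -Xml)
#   Get-PolicyTimestamp -PolicyXml (Get-AppLockerPolicy -Effective -Xml)
#   Get-PolicyTimestamp -PolicyXml (Get-Content .\AaronLocker-policy.xml -Raw)
```

Comparing the returned value against the timestamp in the rule file's name tells you whether the policy a machine is enforcing is the one you think you deployed.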
AaronLocker.docx is also on GitHub and explains everything in detail.