Hi All,
I have an issue which I can't find a proper solution for. I'm using AppLocker in an environment which also contains a SIEM solution. What I want to forward to the SIEM solution is 'blocked applications by AppLocker'. The issue is that I don't have enough information from the standard events. There's a filename, location etc., but what I really would like is a hash of the file which is blocked. So if mimikatz is renamed to client.exe and run in C:\Temp, I can use the hash to see if it's malicious.

There's an "audit-mode" option in AppLocker which logs the fileHash, but then it doesn't block the application since it's auditing only. I can't create two GPOs, one set to enforced and the other to audit, because enforced takes precedence over audit and no audit gets logged.

How do I get the hash of the file and AppLocker to work at the same time?

I know the "fileHash" property in AppLocker is an Authenticode hash of the file, and I can't get my head around why Microsoft doesn't log a SHA hash for every blocked application.
With kind regards,
AvanadeR
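Added example, not part of the original post: since the enforced-mode block event carries the file path but no usable hash, a collector script can read the AppLocker block events (ID 8004 in the "EXE and DLL" log), map AppLocker's path variables back to real paths, compute a SHA256 over the file if it still exists, and emit one JSON record per event for the SIEM forwarder. It assumes it runs on the endpoint with rights to read the AppLocker log and the blocked file; the `$pathVars` mapping and the output field names are my own choices.

```powershell
# Added example: enrich AppLocker block events with a SHA256 of the blocked file.
# Assumes: runs locally (or via Invoke-Command) with read access to the AppLocker
# event log and to the blocked file. Hashing the file after the fact is a workaround
# for the missing hash field; the file may already be gone by the time this runs.

# AppLocker records paths using its own variables; map them back to real paths.
$pathVars = @{
    '%OSDRIVE%'      = $env:SystemDrive
    '%WINDIR%'       = $env:SystemRoot
    '%SYSTEM32%'     = "$env:SystemRoot\System32"
    '%PROGRAMFILES%' = $env:ProgramFiles
}

function Resolve-AppLockerPath {
    param([string]$Path)
    foreach ($k in $pathVars.Keys) {
        if ($Path.StartsWith($k, 'OrdinalIgnoreCase')) {
            return $pathVars[$k] + $Path.Substring($k.Length)
        }
    }
    return $Path   # %REMOVABLE%/%HOT% and literal paths are passed through unchanged
}

# 8004 = "was prevented from running" (enforced); 8003 is the audit-only equivalent.
$filter = @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8004
    StartTime = (Get-Date).AddHours(-24)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $x    = [xml]$_.ToXml()
    $d    = $x.Event.UserData.RuleAndFileData
    $real = Resolve-AppLockerPath $d.FilePath
    $hash = $null
    if (Test-Path -LiteralPath $real -PathType Leaf) {
        # Whole-file SHA256 (what threat-intel feeds key on), unlike the
        # Authenticode hash AppLocker itself uses for rule matching.
        $hash = (Get-FileHash -LiteralPath $real -Algorithm SHA256).Hash
    }
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated.ToString('o')
        Computer    = $_.MachineName
        UserSid     = $d.TargetUser        # AppLocker logs the SID, not the name
        FilePath    = $real
        SHA256      = $hash                # null if the file no longer exists
        Policy      = $d.PolicyName
        RuleName    = $d.RuleName
    } | ConvertTo-Json -Compress           # one JSON line per blocked execution
}
```

Run it on a schedule shorter than the attacker's cleanup window, or hook it to a task triggered on event 8004, so the file is still present when the hash is taken.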