Get-WinEvent cmdlet tip to filter noise

I’ve been using Windows 10 and Applocker in ‘Allow mode’ for some time and I need to filter the noise left by the Constrained Mode from the event log.

Windows 10 and PowerShell 5.x introduce a way to protect the interactive shell from copy/paste. If you configure Applocker in ‘Allow mode’ (don’t use the default rules when the GUI proposes them), your interactive shell starts in a different LanguageMode named ‘Constrained mode’. If you want to read more, start with PowerShell ♥ the Blue Team and about_Language_Modes.

Here’s a quick demo (a picture is worth a thousand words):

Although I’m running an interactive shell with administrative privileges, I cannot use the ToXML() method. I get the symptomatic error message “Cannot invoke method. Method invocation is supported only on core types in this language mode.”

What’s the challenge here?
It should work in constrained mode and I should figure out the correct XML query 🙄

In other words, I need to find event ID 8007 entries in the ‘Microsoft-Windows-AppLocker/MSI and Script’ event log, but not those whose FileHash (SHA256) is set to: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
This hash is well known: it’s the hash of a file whose only content is the character 1.

Here’s the tip:

Get-WinEvent -FilterXml @'
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-AppLocker/MSI and Script">
    <Select Path="Microsoft-Windows-AppLocker/MSI and Script">
      *[System[(EventID=8007)]]
      and
      *[UserData[RuleAndFileData[(FileHash!="6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B")]]]
    </Select>
  </Query>
</QueryList>
'@ -MaxEvents 1
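The same idea generalised to any number of hashes, as an added example (not code from the original post): the function below builds the XML query from a list of SHA256 values and hands it to Get-WinEvent exactly as the tip does. It only uses string operators, the format operator and cmdlets, so it runs under ConstrainedLanguage mode as well. The function name and parameters are my own; the log name and event ID come from the post.

```powershell
# Added example: build the AppLocker "MSI and Script" query for a list of
# SHA256 hashes to exclude. Works in ConstrainedLanguage mode because it
# only needs string handling and cmdlets, not method calls on non-core types.
function Get-AppLockerScriptEvent {
    [CmdletBinding()]
    param(
        [int]$EventId = 8007,
        # Default: the well-known hash of a file containing only "1" (from the post).
        [string[]]$ExcludeHash = @('6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B'),
        [int]$MaxEvents = 50
    )

    $log = 'Microsoft-Windows-AppLocker/MSI and Script'

    # One FileHash!= predicate per hash, joined with "and". The event log XPath
    # dialect has no contains()/starts-with(), so exact comparisons are all we get.
    # AppLocker writes the hash in upper-case hex, so normalise the input the same way.
    $hashFilter = ($ExcludeHash | ForEach-Object {
        '*[UserData[RuleAndFileData[(FileHash!="{0}")]]]' -f $_.ToUpperInvariant()
    }) -join ' and '

    $xml = @"
<QueryList>
  <Query Id="0" Path="$log">
    <Select Path="$log">
      *[System[(EventID=$EventId)]]
      and
      $hashFilter
    </Select>
  </Query>
</QueryList>
"@

    # Pass the string straight to -FilterXml, as the tip above does.
    Get-WinEvent -FilterXml $xml -MaxEvents $MaxEvents
}

# Usage: exclude two hashes and show what is left.
Get-AppLockerScriptEvent -ExcludeHash @(
    '6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B',
    'PLACEHOLDER_SECOND_SHA256_HASH'   # replace with a real hash from your own log
) | Select-Object TimeCreated, Id, Message
```

The part between the Select tags is a plain XPath expression, so the same text (without the QueryList wrapper) can also be given to Get-WinEvent -FilterXPath together with -LogName; the XML form is what you paste into Event Viewer’s custom view.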

Bonus:
If you prefer the GUI, you can paste the above XML query into the Event Viewer (eventvwr) as a custom view.

7 thoughts on “Get-WinEvent cmdlet tip to filter noise”

  1. Pingback: Dew Drop - April 12, 2018 (#2703) - Morning Dew

  2. Hi, can it be that *[UserData[RuleAndFileData[(FileHash!="6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B")]]]
    no longer exists? The result isn’t as expected.

    Regards
    Stephan

    • Hi,
      The XML query is still valid. Microsoft changed what’s written inside the temporary .ps1 and psm1 files. It’s a timestamp and the resulting thumbprint of the files will vary.
      It means that you need another way to get rid of the noise. XPath is also limited. The only option is to use filtering on the right with the Where-Object cmdlet and the match operator.

      • It is correct, but not for the PowerShell Constrained Language policy test files. These files have the same FileHash every time:
        6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
        I have tested the script above, and only the FileHash attribute isn’t proper, or the result isn’t as expected.
        Tested on Windows 10 1909.

      • That’s right. However, it is different for the policy test files. These always have the same two FileHash values.
        I have tested the above script on Windows 10 1909. It returns the expected filtered results for all user attributes, just not for the hash values. These always seem to have no content.

  3. The result should actually become a query of the forwarded event, in which the two hash values are excluded.
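The fallback the author describes in the comments, pipeline-side filtering with Where-Object and the match operator for the case where the hash of the temporary test files is no longer constant, as an added example (not code from the post or its commenters). It assumes, as the page does not state, that PowerShell names its policy test files __PSScriptPolicyTest_<random>.ps1 / .psm1 in the temp folder; adjust the pattern to whatever path your own 8007 events show. The function name and parameters are my own.

```powershell
# Added example: keep the cheap part of the filter (event ID) in XPath and do the
# text matching in the pipeline. Where-Object with -match/-notmatch works in
# ConstrainedLanguage mode because it only reads properties; no ToXml() is needed.
function Get-AppLockerScriptEventByPath {
    [CmdletBinding()]
    param(
        [int]$EventId = 8007,
        # Assumption (not from the page): the policy test files look like
        # ...\Temp\__PSScriptPolicyTest_abcd1234.ps1 or .psm1. -match is
        # case-insensitive by default, so the pattern needs no case variants.
        [string]$NoisePattern = '__PSScriptPolicyTest_\w+\.psm?1',
        [int]$MaxEvents = 200
    )

    $log = 'Microsoft-Windows-AppLocker/MSI and Script'

    # -MaxEvents caps what Get-WinEvent reads, not what survives Where-Object,
    # so raise it (or drop it) if the noise dominates your log.
    Get-WinEvent -LogName $log -FilterXPath "*[System[(EventID=$EventId)]]" -MaxEvents $MaxEvents |
        Where-Object {
            # The 8007 message text carries the file path, which is what we match on;
            # the hash itself lives in UserData and is better excluded in XPath.
            $_.Message -notmatch $NoisePattern
        }
}

# Usage: the remaining events are the ones worth looking at.
Get-AppLockerScriptEventByPath | Select-Object TimeCreated, Id, Message
```

Both filters compose: exclude the constant hashes in the XML query and let Where-Object take care of whatever varies from run to run.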
