Merge pull request #1 from microsoft/master

Overhaul of reporting and event workbook (#15)

Author: jsuther1974

AaronLocker/CustomizationInputs/TrustedSigners-MsvcMfc.ps1

@@ -194,6 +194,14 @@ ProductName   = "MICROSOFT® VISUAL STUDIO® 2017";
 BinaryName = "VCRUNTIME140.DLL";
 }
 
+@{
+label = "MFC runtime DLL";
+RuleCollection = "Dll";
+PublisherName = "O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US";
+ProductName = "MICROSOFT® VISUAL STUDIO® 2017";
+BinaryName = "MFC140.DLL";
+}
+
 ###########################################################################
 # Visual Studio 10
 ###########################################################################

AaronLocker/CustomizationInputs/TrustedSigners.ps1

@@ -84,6 +84,15 @@ RuleCollection = "Script";
 PublisherName = "O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US";
 }
 
+@{
+# During Windows upgrade, setup loads %OSDRIVE%\$WINDOWS.~BT\SOURCES\GENERALTEL.DLL
+label = "Allow execution of %OSDRIVE%\$WINDOWS.~BT\SOURCES\GENERALTEL.DLL during Windows upgrade";
+RuleCollection = "Dll";
+PublisherName = "O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US";
+ProductName = "MICROSOFT® WINDOWS® OPERATING SYSTEM";
+BinaryName = "GENERALTEL.DLL";
+}
+
 # Uncomment this block if Google Chrome is installed to ProgramFiles.
 # Google Chrome runs some code in the user profile even when Chrome is installed to Program Files.
 # This creates publisher rules that allow those components to run.

AaronLocker/Generate-EventWorkbook.ps1

@@ -33,6 +33,7 @@ See the detailed parameter descriptions for more information.
 
 Output fields:
 
+* Location      high-level indicator of file location, such as "User profile," "Hot/removable," "ProgramData," etc.
 * GenericPath   is the original file path with "%LOCALAPPDATA%" replacing the beginning of the path name
                 if it matches the typical pattern "C:\Users\[username]\AppData\Local".
                 Makes similar replacements for "%APPDATA%" or "%USERPROFILE%" if LOCALAPPDATA isn't applicable.
@@ -133,9 +134,9 @@ Get warning and error events from events exported into ForwardedEvents1.evtx and
 
 .EXAMPLE
 
-.\Get-AppLockerEvents.ps1 -Objects | Where-Object { $_.PublisherName -eq "-" }
+.\Get-AppLockerEvents.ps1 -Objects | Where-Object { $_.PublisherName -eq "[not signed]" }
 
-Get warning and error events from the default AppLocker logs where target file is unsigned (publisher name is "-"). Results are output to the PowerShell pipeline as PSCustomObjects.
+Get warning and error events from the default AppLocker logs where target file is unsigned. Results are output to the PowerShell pipeline as PSCustomObjects.
 
 .EXAMPLE
 
@@ -359,9 +360,9 @@ if ($AllEvents)
 {
     $eventIdFilter = "$ExeDllAllowed or $MsiScriptAllowed or $PkgdAppAllowed or $ExeDllWarning or $MsiScriptWarning or $PkgdAppWarning or $ExeDllError or $MsiScriptError or $PkgdAppError"
 }
-if (($ForwardedEvents -or $EventLogNames) -and !$NoFilteredMachines)
+if (($ForwardedEvents -or $EventLogNames -or $EvtxLogFilePaths) -and !$NoFilteredMachines)
 {
-    # If forwarded events, also pick up subscription bookmark events. (Assume that $EventLogNames implies event collector.)
+    # If forwarded events, also pick up subscription bookmark events. (Assume that $EventLogNames implies event collector, and that $EvtxLogFilePaths might.)
     $eventIdFilter += " or $SubscriptionBkmrk"
 }
 $eventIdFilter = "($eventIdFilter)"
@@ -395,15 +396,20 @@ $PsPolicyTestFileHash2 = "0x96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D693266
     Note: as of 17 June 2019, still seeing both hashes in different environments.
 #>
 
+# Filepath pattern that can be replaced by %PUBLIC%
+$PublicPattern       = "^(%OSDRIVE%|C:)\\Users\\Public\\"
 # Filepath pattern that can be replaced by %LOCALAPPDATA%
 $LocalAppDataPattern = "^(%OSDRIVE%|C:)\\Users\\[^\\]*\\AppData\\Local\\"
 # Filepath pattern that can be replaced by %APPDATA%
 $RoamingAppDataPattern = "^(%OSDRIVE%|C:)\\Users\\[^\\]*\\AppData\\Roaming\\"
 # Filepath pattern that can be replaced by %USERPROFILE% (after the above already done)
 $UserProfilePattern  = "^(%OSDRIVE%|C:)\\Users\\[^\\]*\\"
+# FIlepath pattern that can be replaced by %PROGRAMDATA%
+$ProgramDataPattern  = "^(%OSDRIVE%|C:)\\ProgramData\\"
 
 # Tab-delimited CSV headers
 $headers =
+    "Location"      + "`t" +
     "GenericPath"   + "`t" +
     "GenericDir"    + "`t" +
     "OriginalPath"  + "`t" +
@@ -657,38 +663,80 @@ $oLines = @(
             $userSid = $Properties[1].ToString()
             $username = SidToNameLookup -sid $userSid
             $sPID = $Properties[2].ToString()
-            $pubInfo = $Properties[3].Split("\") # Publisher info, separated with backslashes
+            if ($Properties[3] -eq "-")
+            {
+                $pubName = $sUnsigned
+                $prodName = $binaryName = $filever = [string]::Empty
+            }
+            else
+            {
+                # Break up Fqdn publisher info
+                $pubInfo = $Properties[3].Split("\") # Publisher info, separated with backslashes
+                $pubName = $pubInfo[0]               # Publisher name
+                $prodName = $pubInfo[1]              # Product name (syntax works even if array not this long)
+                $binaryName = $pubInfo[2]            # Original "binary" name (syntax works even if array not this long)
+                $filever = $pubInfo[3]               # File version (syntax works even if array not this long)
+            }
 
             if ($isAppxEvent)
             {
                 $origPath = $Properties[4]
                 $filename = $genpath = $gendir = $origPath
                 $fileext = [string]::Empty
                 $hash = "N/A"
+                $location = "Packaged app"
             }
             else
             {
                 # Already got $origPath earlier
                 $filename = [System.IO.Path]::GetFileName($origPath)
                 $fileext = [System.IO.Path]::GetExtension($origPath)
                 # Generic path replaces user-specific paths with more generic variable syntax.
-                # Userprofile has to be performed after more specific appdata replacements.
-                $genpath = (($origPath -replace $LocalAppDataPattern, "%LOCALAPPDATA%\") -replace $RoamingAppDataPattern, "%APPDATA%\") -replace $UserProfilePattern, "%USERPROFILE%\"
-    $gendir = $null
+                # Userprofile has to be performed after more specific appdata replacements, and Public before then.
+                $genpath = ((((( $origPath                              `
+                    -replace $ProgramDataPattern,    "%PROGRAMDATA%\")  `
+                    -replace $PublicPattern,         "%PUBLIC%\")       `
+                    -replace $LocalAppDataPattern,   "%LOCALAPPDATA%\") `
+                    -replace $RoamingAppDataPattern, "%APPDATA%\")      `
+                    -replace $UserProfilePattern,    "%USERPROFILE%\")
                 $gendir = [System.IO.Path]::GetDirectoryName($genpath)
-    if ($null -eq $gendir)
-    {
-        Write-Host ($_ | fl *) -ForegroundColor Magenta
-    }
+                if ($gendir.StartsWith("%PUBLIC%"))
+                {
+                    $location = "Public profile"
+                }
+                elseif ($gendir.StartsWith("%APPDATA%") -or $gendir.StartsWith("%LOCALAPPDATA%") -or $gendir.StartsWith("%USERPROFILE%"))
+                {
+                    $location = "User profile"
+                }
+                elseif ($gendir.StartsWith("%PROGRAMDATA%"))
+                {
+                    $location = "ProgramData"
+                }
+                elseif ($gendir.StartsWith("%HOT%") -or $gendir.StartsWith("%REMOVABLE%"))
+                {
+                    $location = "Hot/Removable"
+                }
+                elseif ($gendir.StartsWith("\\") -or ($genPath.Substring(1, 2) -eq ":\"))
+                {
+                    $location = "Drive/UNC"
+                }
+                elseif ($gendir.StartsWith("%WINDIR%") -or $gendir.StartsWith("%SYSTEM32%") -or $gendir.StartsWith("%PROGRAMFILES%"))
+                {
+                    $location = "Windir/ProgramFiles"
+                }
+                elseif ($gendir.StartsWith("%OSDRIVE%"))
+                {
+                    $location = "Non-default root"
+                }
+                else
+                {
+                    $location = "Other"
+                }
             }
 
-            # Break up Fqdn publisher info
-            $pubName = $pubInfo[0]                        # Publisher name
-            $prodName = $pubInfo[1]                       # Product name (syntax works even if array not this long)
-            $binaryName = $pubInfo[2]                     # Original "binary" name (syntax works even if array not this long)
-            $filever = $pubInfo[3]                        # File version (syntax works even if array not this long)
-
             # Output tab-delimited CSV (faster to do this and then convert to objects later than to create objects to begin with)
+            # Also, this avoids having dquotes around everything.
+            $location      + "`t" +
             $genpath       + "`t" +
             $gendir        + "`t" +
             $origPath      + "`t" +
@@ -731,6 +779,7 @@ if (!$NoFilteredMachines)
             if (!$ReportedMachines.ContainsKey($machineName))
             {
                 # Output the data as CSV
+                <# Location      #>  "" + "`t" +
                 <# GenericPath   #>  "" + "`t" +
                 <# GenericDir    #>  "" + "`t" +
                 <# OriginalPath  #>  "" + "`t" +
@@ -748,7 +797,7 @@ if (!$NoFilteredMachines)
                 <# EventTime     #>  "" + "`t" +
                 <# EventTimeXL   #>  "" + "`t" +
                 <# PID           #>  "" + "`t" +
-                <# EventType     #>  "FILTERED"
+                <# EventType     #>  $sFiltered
             }
         }
     )

AaronLocker/Get-AppLockerEvents.ps1

@@ -2,6 +2,7 @@
 .SYNOPSIS
 Download Sysinternals accesschk.exe into the parent directory above this script's directory.
 
+TODO: Maybe add an optional target directory.
 TODO: Maybe add a required -AcceptEula switch
 #>
 
@@ -12,4 +13,4 @@ $targetDir = [System.IO.Directory]::GetParent($thisDir).FullName
 Invoke-WebRequest -Uri https://live.sysinternals.com/accesschk.exe -OutFile (Join-Path $targetDir "accesschk.exe")
 #TODO: Verify that Invoke-Request succeeded.
 
-#TODO: Set the LastWriteTime to match
+#TODO: Set the LastWriteTime to match (might need to copy from UNC path instead of https to get that)

AaronLocker/Support/DownloadAccesschk.ps1

@@ -16,8 +16,8 @@ Functions to create Excel spreadsheets/workbooks:
   SaveWorkbook([string]$filename)
   AddNewWorksheet([string]$tabname)
   AddWorksheetFromText([string[]]$text, [string]$tabname)
-  AddWorksheetFromCsvFile([string]$filename, [string]$tabname, [string]$CrLfEncoded)
-  AddWorksheetFromCsvData([string[]]$csv, [string]$tabname, [string]$CrLfEncoded)
+  AddWorksheetFromCsvFile([string]$filename, [string]$tabname, [string]$CrLfEncoded, [switch]$AddChart)
+  AddWorksheetFromCsvData([string[]]$csv, [string]$tabname, [string]$CrLfEncoded, [switch]$AddChart)
   CreateExcelFromCsvFile([string]$filename, [string]$tabname, [string]$CrLfEncoded, [string]$saveAsName)
 
 Function to determine whether a file is a Win32 EXE, a Win32 DLL, or neither
@@ -167,7 +167,7 @@ function AddWorksheetFromText([string[]]$text, [string]$tabname)
 }
 
 # Add a new named worksheet from CSV data in the specified file, optionally replacing encoded CrLf with CrLf.
-function AddWorksheetFromCsvFile([string]$filename, [string]$tabname, [string]$CrLfEncoded)
+function AddWorksheetFromCsvFile([string]$filename, [string]$tabname, [string]$CrLfEncoded, [switch]$AddChart)
 {
     Write-Host "Populating tab `"$tabname`"..." -ForegroundColor Cyan
 
@@ -199,25 +199,29 @@ function AddWorksheetFromCsvFile([string]$filename, [string]$tabname, [string]$C
     $global:ExcelAppInstance.ActiveWindow.SplitColumn = 0
     $global:ExcelAppInstance.ActiveWindow.SplitRow = 1
     $global:ExcelAppInstance.ActiveWindow.FreezePanes = $true
-    $global:ExcelAppInstance.ActiveWindow.Zoom = 80
+    #$global:ExcelAppInstance.ActiveWindow.Zoom = 80
 
     $dummy = $worksheet.Range("A2").Select()
 
     # Formatting: autosize column widths, then set maximum width (except on last column)
-    $maxWidth = 40
+    $maxWidth = 50
     $maxHeight = 120
 
     $dummy = $worksheet.Cells.EntireColumn.AutoFit()
-    $ix = 1
-    # Do this until the next to last column; don't set max width on the last column
-    while ( $worksheet.Cells(1, $ix + 1).Text.Length -gt 0)
+    # Don't set max width if 3 columns or fewer
+    if ($worksheet.UsedRange.Columns.Count -gt 3)
     {
-        $cells = $worksheet.Cells(1, $ix)
-        #Write-Host ($cells.Text + "; " + $cells.ColumnWidth)
-        if ($cells.ColumnWidth -gt $maxWidth) { $cells.ColumnWidth = $maxWidth }
-        $ix++
+        $ix = 1
+        # Do this until the next to last column; don't set max width on the last column
+        while ( $worksheet.Cells(1, $ix + 1).Text.Length -gt 0)
+        {
+            $cells = $worksheet.Cells(1, $ix)
+            #Write-Host ($cells.Text + "; " + $cells.ColumnWidth)
+            if ($cells.ColumnWidth -gt $maxWidth) { $cells.ColumnWidth = $maxWidth }
+            $ix++
+        }
     }
-    
+        
     # Formatting: autosize row heights, then set maximum height (if CrLf replacement on)
     $dummy = $worksheet.Cells.EntireRow.AutoFit()
     # If line breaks added, limit autofit row height to 
@@ -233,20 +237,77 @@ function AddWorksheetFromCsvFile([string]$filename, [string]$tabname, [string]$C
         }
     }
 
+    if ($AddChart)
+    {
+        # If lots of input data, limit number of entries in chart
+        $chartLimit = 20
+
+        $oShape = $worksheet.Shapes.AddChart2(216, 57)
+        # Have to cast from double to single to avoid runtime errors
+        $oShape.Left = [System.Single]($worksheet.Range("D2").Left)
+        $oShape.Top = [System.Single]($worksheet.Range("D2").Top)
+        $oShape.Visible = $true
+
+        $oChartObject = $worksheet.ChartObjects(1)
+        $oChart = $oChartObject.Chart
+        $rowCount = $worksheet.UsedRange.Rows.Count
+        $oChart.ChartTitle.Text = $tabname
+        if ($rowCount -le $chartLimit)
+        {
+            # Use whatever data is there
+            $oChart.SetSourceData($worksheet.UsedRange, 2) # 2 = xlColumns
+        }
+        else
+        {
+            # Build chart from top $chartLimit entries, then sum the rest into "Others"
+            $sSeries1 = [System.Text.StringBuilder]::new()
+            $sSeries2 = [System.Text.StringBuilder]::new()
+            2 .. ($chartLimit+1) | ForEach-Object {
+                if ($_ -gt 2) {
+                    [void]$sSeries1.Append(",")
+                    [void]$sSeries2.Append(",")
+                }
+                [void]$sSeries1.Append("`"" + $worksheet.Range('$A' + $_).Text + "`"")
+                [void]$sSeries2.Append($worksheet.Range('$B' + $_).Text)
+            }
+            [void]$sSeries1.Append(",`"Others`"")
+            [void]$sSeries2.Append("," + $global:ExcelAppInstance.WorksheetFunction.Sum($worksheet.Range('$B' + ($chartLimit+2) + ":B" + $rowCount)))
+            $sSeries =
+                "=SERIES(`"" + $worksheet.Range('$B1').Text + "`"," +
+                "{" + $sSeries1.ToString() + "},{" + $sSeries2.ToString() + "},1)"
+            #Write-Host $sSeries -ForegroundColor Green
+            $oChart.SeriesCollection(1).Formula = $sSeries
+            #$oChart.SetSourceData($worksheet.Range('$A$1:$B$' + ($chartLimit + 1).ToString()), 2) # 2 = xlColumns
+            # $oChart.ChartTitle.Text = "Top " + $chartLimit.ToString() + " " + $tabname
+            $oShape.Height = $oShape.Height * 2
+        }
+
+        $oAxes = $oChart.Axes(1)
+        $oAxes.ReversePlotOrder = $true
+        $oAxes.TickLabelSpacing = 1
+
+        $dummy = $worksheet.Range("A2").Select()
+
+        # Release COM interface references
+        $dummy = [System.Runtime.Interopservices.Marshal]::ReleaseComObject($oAxes)
+        $dummy = [System.Runtime.Interopservices.Marshal]::ReleaseComObject($oChartObject)
+        $dummy = [System.Runtime.Interopservices.Marshal]::ReleaseComObject($oShape)
+    }
+
     # Release COM interface references
     $dummy = [System.Runtime.Interopservices.Marshal]::ReleaseComObject($query)
     $dummy = [System.Runtime.Interopservices.Marshal]::ReleaseComObject($Connector)
     $dummy = [System.Runtime.Interopservices.Marshal]::ReleaseComObject($worksheet)
 }
 
 # Add a new named worksheet from in-memory CSV data (string array), optionally replacing encoded CrLf with CrLf.
-function AddWorksheetFromCsvData([string[]]$csv, [string]$tabname, [string]$CrLfEncoded)
+function AddWorksheetFromCsvData([string[]]$csv, [string]$tabname, [string]$CrLfEncoded, [switch]$AddChart)
 {
     Write-Host "Preparing data for tab `"$tabname`"..." -ForegroundColor Cyan
 
     if ($null -eq $global:ExcelAppInstance) { return $null }
 
-    if ($null -ne $csv)
+    if ($null -ne $csv -and $csv.Length -gt 0)
     {
         $OutputEncodingPrevious = $OutputEncoding
         $OutputEncoding = [System.Text.ASCIIEncoding]::Unicode
@@ -255,7 +316,7 @@ function AddWorksheetFromCsvData([string[]]$csv, [string]$tabname, [string]$CrLf
 
         $csv | Out-File $tempfile -Encoding unicode
 
-        AddWorksheetFromCsvFile -filename $tempfile -tabname $tabname -CrLfEncoded $CrLfEncoded
+        AddWorksheetFromCsvFile -filename $tempfile -tabname $tabname -CrLfEncoded $CrLfEncoded -AddChart:$AddChart
 
         Remove-Item $tempfile
 
@@ -428,3 +489,6 @@ Set-Variable -Name NeverExecutableExts -Option Constant -Value `
     ".zip", ".7z", ".tar",
     ".wav", ".wmv", ".mp3", ".mp4", ".mpg", ".mpeg", ".avi", ".mov"
 
+Set-Variable -Name sNoPublisher -Option Constant -Value "-"
+Set-Variable -Name sUnsigned    -Option Constant -Value "[not signed]"
+Set-Variable -Name sFiltered    -Option Constant -Value "FILTERED"