# Writing the policy back (Set-AppLockerPolicy below) needs an elevated session.
#Requires -RunAsAdministrator
#Requires -Version 3.0
# NOTE(review): -PSEdition Desktop presumably because the AppLocker cmdlets are not
# available in PowerShell Core; confirm on the target hosts.
#Requires -PSEdition Desktop
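Function Remove-LocalApplockerPolicyRule {
<#
.SYNOPSIS
    Removes one rule from the local AppLocker policy.
.DESCRIPTION
    Reads the local AppLocker policy as XML (Get-AppLockerPolicy -Local), removes the
    rule whose Name matches -Rule inside the RuleCollection selected by -Type, and
    re-applies the remaining rules with Set-AppLockerPolicy.
    Only the local policy is read and rewritten; rules delivered through domain Group
    Policy are not touched by this function.
    -Rule is a dynamic parameter: its ValidateSet is built from the rule names present
    in the selected collection at the time the command is invoked, so only existing
    rules are accepted (and tab-completed).
    ConfirmImpact is High, so the removal prompts unless -Confirm:$false is supplied;
    -WhatIf shows the rule XML that would be removed without changing anything.
.PARAMETER Type
    The rule collection to edit: Exe, Script, Msi, Appx or Dll.
.PARAMETER Rule
    (Dynamic) Name of the rule to remove. Valid values are the names of the rules
    currently in the selected collection of the local policy.
.EXAMPLE
    Remove-LocalApplockerPolicyRule -Type Exe -Rule '<rule name>' -WhatIf
.NOTES
    A Group Policy refresh is required before the removal becomes effective.
    Fails with a clear error when the collection does not exist, the rule is not found,
    or more than one rule carries the same name (the function refuses to guess).
#>
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    Param(
        [ValidateSet('Exe','Script','Msi','Appx','Dll')]
        [Parameter(Mandatory)]
        [String]$Type
    )
    DynamicParam {
        $Dictionary = New-Object -TypeName System.Management.Automation.RuntimeDefinedParameterDictionary

        #region helper function
        # Builds the attribute collection of a RuntimeDefinedParameter: one
        # ParameterAttribute plus, optionally, a single Validate*Attribute.
        Function New-ParameterAttributCollection {
            [CmdletBinding()]
            Param(
                [Switch]$Mandatory,
                [Switch]$ValueFromPipeline,
                [Switch]$ValueFromPipelineByPropertyName,
                [String]$ParameterSetName,
                [Parameter()]
                [ValidateSet(
                    'Arguments','Count','Drive','EnumeratedArguments','Length','NotNull',
                    'NotNullOrEmpty','Pattern','Range','Script','Set','UserDrive'
                )][string]$ValidateType,
                [Parameter()]
                $ValidationContent
            )
            Process {
                $attributes = New-Object System.Collections.ObjectModel.Collection[System.Attribute]
                $parameterAttribute = New-Object System.Management.Automation.ParameterAttribute
                if ($Mandatory) {
                    $parameterAttribute.Mandatory = $true
                }
                if ($ValueFromPipeline) {
                    $parameterAttribute.ValueFromPipeline = $true
                }
                if ($ValueFromPipelineByPropertyName) {
                    $parameterAttribute.ValueFromPipelineByPropertyName = $true
                }
                if ($ParameterSetName) {
                    $parameterAttribute.ParameterSetName = $ParameterSetName
                }
                $attributes.Add($parameterAttribute)
                # The validation attribute is only attached when there is content to
                # validate against (an empty rule list yields no ValidateSet, and the
                # not-found check in Process then reports the problem instead).
                if ($ValidateType -and $ValidationContent) {
                    $attributes.Add((New-Object "System.Management.Automation.Validate$($ValidateType)Attribute"(
                        $ValidationContent
                    ) -ErrorAction Stop))
                }
                $attributes
            }
        }
        #endregion

        # Read the local policy once here; Process reuses the same XML document.
        try {
            $LocalApplockerPolicyXml = [xml](Get-AppLockerPolicy -Local -Xml -ErrorAction Stop)
        } catch {
            Throw "Failed to read the local Applocker policy into XML: $($_.Exception.Message)"
        }

        #region param Rule
        # -Type is restricted by ValidateSet, so interpolating it into the XPath is safe.
        $collectionXPath = "/AppLockerPolicy/RuleCollection[@Type='$($PSBoundParameters['Type'])']"
        $existingRuleNames = @(
            $LocalApplockerPolicyXml.SelectNodes($collectionXPath).ChildNodes | ForEach-Object { $_.Name }
        )
        $Dictionary.Add(
            'Rule',
            (New-Object System.Management.Automation.RuntimeDefinedParameter(
                'Rule',
                [string],
                (New-ParameterAttributCollection -Mandatory -ValidateType Set -ValidationContent $existingRuleNames)
            ))
        )
        #endregion
        $Dictionary
    }
    Begin {
    }
    Process {
        $ruleName = $PSBoundParameters['Rule']
        Write-Verbose -Message "Dealing with Rule Collection type: $Type"
        Write-Verbose -Message "Dealing with Rule Name: $ruleName"

        # Locate the collection, then the rule by name (string comparison, not XPath,
        # so rule names never reach the query).
        $collection = $LocalApplockerPolicyXml.SelectSingleNode("/AppLockerPolicy/RuleCollection[@Type='$Type']")
        if ($null -eq $collection) {
            Throw "No '$Type' rule collection exists in the local Applocker policy"
        }
        $ruleNodes = @($collection.ChildNodes | Where-Object { $_.Name -eq $ruleName })
        if ($ruleNodes.Count -eq 0) {
            Throw "No rule named '$ruleName' found in the '$Type' rule collection"
        }
        if ($ruleNodes.Count -gt 1) {
            # Removing by name would be ambiguous; refuse rather than pick one silently.
            Throw "Rule name '$ruleName' matches $($ruleNodes.Count) rules in the '$Type' collection, refusing to remove an ambiguous rule"
        }
        $ruleNode = $ruleNodes[0]

        if ($PSCmdlet.ShouldProcess("$($ruleNode.OuterXml)", 'Remove rule')) {
            try {
                # Remove rule from xml
                $null = $collection.RemoveChild($ruleNode)
                # Re-apply/import all rules except the removed rule
                [Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.AppLockerPolicy]::FromXml($LocalApplockerPolicyXml.OuterXml) |
                Set-AppLockerPolicy -ErrorAction Stop
                Write-Verbose -Message 'Successfully removed rule, a group policies refresh is required to see the impact of the removed rule'
            } catch {
                Throw "Something went wrong while trying to remove the applocker rule: $($_.Exception.Message)"
            }
        }
    }
    End {
    }
} # endof Remove-LocalApplockerPolicyRule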
# Expose only the public function; everything else in the module stays private.
Export-ModuleMember -Function @('Remove-LocalApplockerPolicyRule')