
WDACConfig v0.3.6 #218

Merged: 69 commits, Apr 16, 2024

HotCakeX (Owner) commented Mar 21, 2024

What's New

Microsoft Defender for Endpoint - Advanced Hunting

You can now use the WDACConfig module to convert the Microsoft Defender for Endpoint (MDE) Advanced Hunting query results directly to Application Control policy (WDAC) policy in a matter of seconds with high precision and performance.

Demo Video: MDE AH Demo (video not reproduced here)

The systematic approach to converting the query results to WDAC policy is as follows:

  • If a file is unsigned then a hash rule will be created for it.
  • If a file is signed then there are multiple possibilities:
    • If the file is signed and the MDE AH results contain the file's version as well as at least one of the following file attributes (Original Name, Internal Name, Description, Product Name), then a File Publisher rule will be created for it.
    • If the file is signed but the file attributes are not present in the results, a Publisher level rule will be created for it.

These levels are selected based on their security. You can read more about the levels' security comparison in this article.


Simple Yet Comprehensive

What WDACConfig requires for MDE Advanced Hunting

DeviceEvents
| where ActionType startswith "AppControlCodeIntegrity"
    or ActionType startswith "AppControlCIScriptBlocked"
    or ActionType startswith "AppControlCIScriptAudited"

As you can see, the WDACConfig module encapsulates all requisite logic, enabling the employment of heightened security levels for files, notably the FilePublisher. It assimilates comprehensive data, utilizing the maximum extent of available information to formulate the most precise and tailored rule for each individual file.


Comparison

| Supported Features | WDACConfig | WDAC Wizard |
|---|---|---|
| Log types | Code Integrity + AppLocker | Code Integrity |
| Generated Rules | File Publisher, Publisher, Leaf Certificate, Hash | Publisher, Hash |
| Requires Custom CSV Formatting | No - Accepts RAW data | Yes |
| Required Query Size | Small | Large |

Important

WDAC Wizard is a great tool; it offers a GUI and can be downloaded from here.


Other Changes


The following functions are for parsing, generating, optimizing and finalizing WDAC policy from Microsoft Defender for Endpoint - Advanced Hunting exported results
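The rule-level selection described in the PR description (unsigned file gets a Hash rule; signed file with a version plus at least one of Original Name, Internal Name, Description or Product Name gets a FilePublisher rule; any other signed file gets a Publisher rule), as an added Python example that is not part of the WDACConfig module. The row layout, column names and sample values are constructed assumptions for the demo, not the real MDE Advanced Hunting export schema.

```python
# Added example: rule-level selection over constructed MDE AH result rows.
# Column names (IsSigned, PublisherName, FileVersion, ...) are assumptions
# for this demo, not the real Advanced Hunting export schema.
ATTRIBUTE_COLUMNS = ("OriginalName", "InternalName", "Description", "ProductName")


def make_row(name, sha256, signed, publisher=None, version=None, **attrs):
    """Build one constructed result row; unspecified attributes are empty."""
    row = {"FileName": name, "SHA256": sha256, "IsSigned": signed,
           "PublisherName": publisher, "FileVersion": version}
    row.update({col: attrs.get(col) for col in ATTRIBUTE_COLUMNS})
    return row


# Constructed sample data covering each branch of the selection logic.
SAMPLE_ROWS = [
    make_row("unsigned-tool.exe", "aa" * 32, signed=False),
    make_row("app.exe", "bb" * 32, signed=True, publisher="Contoso Ltd",
             version="1.2.3.4", OriginalName="app.exe"),
    make_row("driver.sys", "cc" * 32, signed=True, publisher="Fabrikam",
             version="2.0.0.0"),                      # version but no attributes
    make_row("lib.dll", "dd" * 32, signed=True, publisher="Contoso Ltd",
             ProductName="Contoso Suite"),            # attribute but no version
]


def select_rule_level(row):
    """Pick the most specific rule level the row's data can support."""
    if not row["IsSigned"]:
        return "Hash"                 # unsigned: only a hash can identify it
    has_version = bool(row["FileVersion"])
    has_attribute = any(row[col] for col in ATTRIBUTE_COLUMNS)
    if has_version and has_attribute:
        return "FilePublisher"        # publisher + file identity + min version
    return "Publisher"                # signed, but not enough for FilePublisher


def build_rules(rows):
    """Turn each row into a rule dict carrying only the fields its level needs."""
    rules = []
    for row in rows:
        level = select_rule_level(row)
        rule = {"Level": level, "File": row["FileName"]}
        if level == "Hash":
            rule["SHA256"] = row["SHA256"]
        else:
            rule["Publisher"] = row["PublisherName"]
        if level == "FilePublisher":
            rule["MinimumFileVersion"] = row["FileVersion"]
            rule["Attributes"] = {c: row[c] for c in ATTRIBUTE_COLUMNS if row[c]}
        rules.append(rule)
    return rules
```

Note that a signed file whose results carry attributes but no version still falls back to Publisher, since FilePublisher needs both.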
HotCakeX added the "Enhancement 💯 New feature or request" label and self-assigned this pull request on Mar 21, 2024, and marked it ready for review on March 21, 2024 at 23:46.
HotCakeX linked an issue on Apr 4, 2024 that may be closed by this pull request:
Fixed this issue regarding inaccessible files during WDAC Simulation. They are now handled properly and no longer stop the execution flow.

#225
HotCakeX merged commit 5e32834 into main on Apr 16, 2024 (2 checks passed) and deleted the WDACConfig-v0.3.6 branch on April 16, 2024 at 19:06.
Linked issue that this pull request may close: [WDACConfig] WDACSimulation should handle inaccessible files properly