Restrictive (with caveats) WDAC Policy for research purposes
Write-Host "
*Deploy an enforced 'scan' Windows Defender Application Control (WDAC)/Device Guard policy with user-mode code integrity (UMCI)
*Focus: permit signed applications at the PcaCertificate level (e.g. Microsoft-signed binaries).
*For testing on Windows 10/11 Business/Enterprise - downloads the WDAC block rules and merges them with a scan policy
*The system reboots when the script finishes
*Run as a privileged user in a high-integrity process
*To remove enforcement, comment out the Set-RuleOption line that deletes audit mode
*Note: the scan may take a few hours.
[*] Press any key to continue"
[Console]::ReadKey() | Out-Null
# Download the block rules page.
# The URL was not preserved in this copy of the gist: set $blockRulesUrl to the page that
# carries the Microsoft recommended block rules policy inside a ```xml fenced block.
$blockRulesUrl = ''
if (-not $blockRulesUrl) { throw 'Set $blockRulesUrl to the block rules page URL before running.' }
$blockPage = Invoke-WebRequest -Uri $blockRulesUrl -UseBasicParsing
# Extract the policy XML from the first ```xml fenced block on the page:
$blockRules = ($blockPage.RawContent -split '```xml')[1]
$blockRules = ($blockRules -split '```')[0]
# Remove the universal allow statements. Use the String.Replace() method rather than -replace:
# -replace treats its pattern as a regex, and in a regex the '*' in FileName="*" is a quantifier,
# so the original patterns never matched and the wildcard allows survived into the merged policy.
$blockRules = $blockRules.Replace('<Allow ID="ID_ALLOW_A_1" FriendlyName="Allow Kernel Drivers" FileName="*" />', '')
$blockRules = $blockRules.Replace('<Allow ID="ID_ALLOW_A_2" FriendlyName="Allow User mode components" FileName="*" />', '')
$blockRules = $blockRules.Replace('<FileRuleRef RuleID="ID_ALLOW_A_1" />', '')
$blockRules = $blockRules.Replace('<FileRuleRef RuleID="ID_ALLOW_A_2" />', '')
$blockRules = $blockRules.Trim("`r", "`n")
# Save the block rules policy:
Set-Content -Path C:\Windows\System32\CodeIntegrity\BlockRules.xml -Value $blockRules
# Create a new scan policy: allow what is currently installed, keyed on the issuing (PCA)
# certificate, and include user-mode binaries (-UserPEs). No -Fallback is given, so files that
# cannot satisfy the PcaCertificate level (unsigned code) are left out of the allow list.
New-CIPolicy -Level PcaCertificate -FilePath C:\Windows\System32\CodeIntegrity\InitialScan.xml -UserPEs
# Merge the block rules policy with the scan policy (explicit deny rules take precedence over allows):
Merge-CIPolicy -PolicyPaths C:\Windows\System32\CodeIntegrity\InitialScan.xml,C:\Windows\System32\CodeIntegrity\BlockRules.xml -OutputFilePath C:\Windows\System32\CodeIntegrity\Merged.xml
# Switch the merged policy to enforcement by deleting rule option 3 (Enabled:Audit Mode).
# Comment out this line to deploy the policy in audit mode instead.
Set-RuleOption -FilePath C:\Windows\System32\CodeIntegrity\Merged.xml -Option 3 -Delete
# Convert the policy to binary form in the legacy single-policy location, picked up at next boot:
ConvertFrom-CIPolicy -XmlFilePath C:\Windows\System32\CodeIntegrity\Merged.xml -BinaryFilePath C:\Windows\System32\CodeIntegrity\SIPolicy.p7b
# Reboot the machine so the new policy takes effect:
Write-Host "[*] Press any key to reboot the machine"
[Console]::ReadKey() | Out-Null
Restart-Computer -Force
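Before Merged.xml is converted and deployed, a practitioner will want to confirm that the wildcard allow rules really are gone and that the audit-mode option really has been deleted, and after the reboot confirm that the kernel is enforcing rather than auditing. The PowerShell below is an added example, not code from the gist: it strips the universal allows by parsing the policy XML instead of string matching, summarises what a policy will do, and reads back the live enforcement state. It assumes the standard WDAC policy namespace (urn:schemas-microsoft-com:sipolicy), the Win32_DeviceGuard CIM class, and CodeIntegrity operational events 3076 (audit) and 3077 (blocked); the function names and the sample policy at the bottom are constructed for the demonstration.

```powershell
# Added verification helpers (not part of the gist). The sample policy at the bottom is
# constructed for this demo; run the functions against the real BlockRules.xml / Merged.xml.

function New-CiNamespaceManager {
    param([Parameter(Mandatory)][xml]$Policy)
    $ns = New-Object System.Xml.XmlNamespaceManager($Policy.NameTable)
    $ns.AddNamespace('ci', 'urn:schemas-microsoft-com:sipolicy')
    return $ns
}

# Remove every Allow rule with FileName="*" and every FileRuleRef that points at it.
# Parsing the XML means rule IDs and attribute order do not matter, unlike a string replace.
function Remove-UniversalAllowRules {
    param([Parameter(Mandatory)][xml]$Policy)
    $ns = New-CiNamespaceManager $Policy
    $removed = @()
    # @() materialises the node list first so removing nodes does not disturb the enumeration.
    foreach ($allow in @($Policy.SelectNodes('//ci:FileRules/ci:Allow[@FileName="*"]', $ns))) {
        $removed += $allow.GetAttribute('ID')
        [void]$allow.ParentNode.RemoveChild($allow)
    }
    foreach ($id in $removed) {
        foreach ($ref in @($Policy.SelectNodes("//ci:FileRuleRef[@RuleID='$id']", $ns))) {
            [void]$ref.ParentNode.RemoveChild($ref)
        }
    }
    return ,$removed
}

# What the policy will do once converted: is audit mode still on, do any wildcard allows remain?
function Get-CiPolicySummary {
    param([Parameter(Mandatory)][xml]$Policy)
    $ns = New-CiNamespaceManager $Policy
    [pscustomobject]@{
        AuditMode      = $null -ne $Policy.SelectSingleNode('//ci:Rules/ci:Rule[ci:Option="Enabled:Audit Mode"]', $ns)
        WildcardAllows = @($Policy.SelectNodes('//ci:Allow[@FileName="*"]', $ns)).Count
        AllowRules     = @($Policy.SelectNodes('//ci:Allow', $ns)).Count
        DenyRules      = @($Policy.SelectNodes('//ci:Deny', $ns)).Count
        Signers        = @($Policy.SelectNodes('//ci:Signers/ci:Signer', $ns)).Count
    }
}

# After the reboot: 0 = off, 1 = audit, 2 = enforced, for kernel and user mode separately.
function Get-WdacEnforcementStatus {
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $state = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    [pscustomobject]@{
        KernelMode = $state[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserMode   = $state[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    }
}

# Recent policy hits: 3077 = blocked (enforced), 3076 = would have been blocked (audit).
function Get-RecentWdacBlocks {
    param([int]$Count = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077 } `
        -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Demo on a constructed policy shaped like the block rules: two wildcard allows, one deny,
# all referenced from signing scenarios, with audit mode still enabled.
$samplePolicy = [xml]@'
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <Rules>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
  </Rules>
  <FileRules>
    <Allow ID="ID_ALLOW_A_1" FriendlyName="Allow Kernel Drivers" FileName="*" />
    <Allow ID="ID_ALLOW_A_2" FriendlyName="Allow User mode components" FileName="*" />
    <Deny ID="ID_DENY_DEMO" FriendlyName="Constructed deny" FileName="demo.exe" MinimumFileVersion="65535.65535.65535.65535" />
  </FileRules>
  <SigningScenarios>
    <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Kernel">
      <ProductSigners><FileRulesRef><FileRuleRef RuleID="ID_ALLOW_A_1" /></FileRulesRef></ProductSigners>
    </SigningScenario>
    <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="User mode">
      <ProductSigners><FileRulesRef><FileRuleRef RuleID="ID_ALLOW_A_2" /><FileRuleRef RuleID="ID_DENY_DEMO" /></FileRulesRef></ProductSigners>
    </SigningScenario>
  </SigningScenarios>
</SiPolicy>
'@

Get-CiPolicySummary $samplePolicy            # WildcardAllows 2, AllowRules 2, DenyRules 1, AuditMode True
$removedIds = Remove-UniversalAllowRules $samplePolicy
"Removed: $($removedIds -join ', ')"          # ID_ALLOW_A_1, ID_ALLOW_A_2
Get-CiPolicySummary $samplePolicy            # WildcardAllows 0, AllowRules 0, DenyRules 1

# Against the script's real artifacts, before ConvertFrom-CIPolicy:
# $merged = [xml](Get-Content C:\Windows\System32\CodeIntegrity\Merged.xml -Raw)
# Get-CiPolicySummary $merged    # expect WildcardAllows = 0 and AuditMode = False
```

Run Get-CiPolicySummary on Merged.xml before converting it: a merged policy that still shows WildcardAllows greater than zero will allow everything despite the deny rules having been merged in, and AuditMode = True means the Set-RuleOption step did not take. After the reboot, Get-WdacEnforcementStatus should report UserMode = Enforced for this script's intent, and Get-RecentWdacBlocks shows which binaries the policy is actually stopping, which is the quickest way to spot a scan that missed something you rely on.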