Restrictive (with caveats) WDAC Policy for research purposes
Gist by bohops, last active May 17, 2024 01:05
Write-Host "
==============================================================================================================================
*Deploy an Enforced 'Scan' Windows Defender Application Control (WDAC)/Device Guard Policy with Code Integrity (UMCI)
*Focus: Permit signed applications at the PCACertificate level (e.g. Microsoft signed).
*For Testing on Windows 10/11 Business/Enterprise - Downloads and merges the WDAC Bypass Rules with a scan policy
*System reboots when PowerShell script finishes
*Run as a privileged user in high integrity
*To remove enforcement, comment out enforce line
*Note: The scan may take a few hours.
==============================================================================================================================
[*] Press any key to continue
"
[Console]::ReadKey() | Out-Null
# Download Block Rules Page (pinned to a specific commit of the Microsoft docs repo so the XML layout is stable):
$blockPage = Invoke-WebRequest -Uri https://raw.githubusercontent.com/MicrosoftDocs/windows-itpro-docs/0008c5fb3b4fa93b22adc5393d77e463c46a8265/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac.md
# Get Block Rules Policy: extract the first ```xml fenced block from the markdown page
$blockRules = $blockPage.RawContent -split '```xml'
$blockRules = $blockRules[1] -split '```'
$blockRules = $blockRules[0]
# Remove Universal Allow Statements (the published block policy allows everything by default; keep only its Deny rules):
$blockRules = $blockRules -replace ('<Allow ID="ID_ALLOW_A_1" FriendlyName="Allow Kernel Drivers" FileName="*" />', '')
$blockRules = $blockRules -replace ('<Allow ID="ID_ALLOW_A_2" FriendlyName="Allow User mode components" FileName="*" />', '')
$blockRules = $blockRules -replace ('<FileRuleRef RuleID="ID_ALLOW_A_1" />', '')
$blockRules = $blockRules -replace ('<FileRuleRef RuleID="ID_ALLOW_A_2" />', '')
$blockRules = $blockRules.Trim("`r","`n")
# Save Block Rules:
Set-Content -Path C:\Windows\System32\CodeIntegrity\BlockRules.xml -Value $blockRules
# Create New Scan Policy (PcaCertificate level, user-mode PEs included; this is the slow step)
New-CIPolicy -Level PcaCertificate -FilePath C:\Windows\System32\CodeIntegrity\InitialScan.xml -UserPEs
# Merge Block Rules Policy with the Scan Policy:
Merge-CIPolicy -PolicyPaths C:\Windows\System32\CodeIntegrity\InitialScan.xml,C:\Windows\System32\CodeIntegrity\BlockRules.xml -OutputFilePath C:\Windows\System32\CodeIntegrity\Merged.xml
# Set the Merged Policy to Enforce Rules (Option 3 is "Enabled:Audit Mode"; deleting it switches the policy to enforcement):
Set-RuleOption -FilePath C:\Windows\System32\CodeIntegrity\Merged.xml -Option 3 -Delete
# Convert Policy to Binary Format (single-policy location that Code Integrity loads at boot):
ConvertFrom-CIPolicy -XmlFilePath C:\Windows\System32\CodeIntegrity\Merged.xml -BinaryFilePath C:\Windows\System32\CodeIntegrity\SIPolicy.p7b
# Reboot the Machine
Write-Host "[*] Press any key to reboot the machine"
[Console]::ReadKey() | Out-Null
Restart-Computer
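The script above deploys the merged policy and reboots without checking what actually ended up in Merged.xml. If either of the wildcard Allow rules survived the string replacement, or if the audit-mode option was not removed, the "restrictive" policy would silently be permissive or audit-only. The following pre-deployment check is an added example and is not part of the original gist; it assumes the same C:\Windows\System32\CodeIntegrity\Merged.xml path the gist writes to and uses the WDAC policy schema namespace (urn:schemas-microsoft-com:sipolicy). Run it between the Set-RuleOption and ConvertFrom-CIPolicy steps.

```powershell
# Added example (not from the original gist): sanity-check a merged WDAC policy XML before converting it to binary.
# $PolicyPath defaults to the location the gist uses; change it if you wrote the merged policy elsewhere.
param([string]$PolicyPath = 'C:\Windows\System32\CodeIntegrity\Merged.xml')

[xml]$policy = Get-Content -Path $PolicyPath -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($policy.NameTable)
$ns.AddNamespace('si', 'urn:schemas-microsoft-com:sipolicy')

$problems = 0

# 1. Audit mode must be gone. With "Enabled:Audit Mode" present, blocked files are only logged
#    (CodeIntegrity operational log, event 3076) and still execute.
$auditOption = $policy.SelectNodes('//si:Rules/si:Rule/si:Option', $ns) |
    Where-Object { $_.InnerText -eq 'Enabled:Audit Mode' }
if ($auditOption) {
    Write-Warning 'Policy still contains Enabled:Audit Mode; nothing will be enforced.'
    $problems++
} else {
    Write-Host '[+] Audit mode option removed; policy will enforce.'
}

# 2. No wildcard Allow rule (FileName="*") may remain. A single one makes every file pass, which is
#    exactly what the two -replace lines in the gist are meant to strip from the block-rules policy.
$wildcardAllows = $policy.SelectNodes('//si:FileRules/si:Allow', $ns) |
    Where-Object { $_.FileName -eq '*' }
if ($wildcardAllows) {
    foreach ($a in $wildcardAllows) {
        Write-Warning ("Wildcard allow rule survived the merge: {0} ({1})" -f $a.ID, $a.FriendlyName)
    }
    $problems++
} else {
    Write-Host '[+] No wildcard Allow rules present.'
}

# 3. Every FileRuleRef must point at a rule that still exists; a dangling reference to a removed
#    ID_ALLOW_* rule indicates the replacement only half-applied.
$ruleIds = @{}
foreach ($r in $policy.SelectNodes('//si:FileRules/*', $ns)) { $ruleIds[$r.ID] = $true }
$dangling = $policy.SelectNodes('//si:FileRuleRef', $ns) | Where-Object { -not $ruleIds.ContainsKey($_.RuleID) }
if ($dangling) {
    foreach ($d in $dangling) { Write-Warning ("FileRuleRef to missing rule: {0}" -f $d.RuleID) }
    $problems++
} else {
    Write-Host '[+] All FileRuleRef entries resolve.'
}

# 4. Summarise what the policy actually contains so the operator can eyeball it before reboot.
$denyCount   = $policy.SelectNodes('//si:FileRules/si:Deny', $ns).Count
$allowCount  = $policy.SelectNodes('//si:FileRules/si:Allow', $ns).Count
$signerCount = $policy.SelectNodes('//si:Signers/si:Signer', $ns).Count
Write-Host ("[*] Deny rules: {0}  Allow rules: {1}  Signers: {2}" -f $denyCount, $allowCount, $signerCount)

if ($problems -gt 0) {
    Write-Error ("{0} problem(s) found; do not convert or deploy this policy." -f $problems)
    exit 1
}
Write-Host '[+] Policy passed pre-deployment checks.'
```

A non-zero exit code here is the point at which to stop rather than reboot: a policy that fails check 1 or 2 is not restrictive at all, and recovering from a bad enforced policy on a test VM means booting into recovery and deleting SIPolicy.p7b by hand.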