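# Build a driver whitelist policy from the Code Integrity audit log.
#
# Event 3076 in Microsoft-Windows-CodeIntegrity/Operational records a driver that
# the current (audit-mode) policy would have blocked. Each such driver is copied
# into a scratch directory, scanned for signer information, turned into
# publisher-level rules, and merged into the deny-all audit policy.
#
# Inputs:  Default_Deny_All_Audit_Drivers.xml in the current directory
# Outputs: .\ScanMe\ (copied drivers), WhitelistPolicyDevRound1.xml, and the
#          compiled policy at C:\Windows\System32\CodeIntegrity\SIPolicy.p7b
#
# NOTE(review): every driver that produced a 3076 event becomes trusted by the
# merged policy. Review the contents of .\ScanMe\ before merging, since any
# driver that happened to load during the audit window is whitelisted with the
# rest.

# Scratch directory for the drivers to whitelist. -Force makes reruns idempotent
# (a bare mkdir fails if the directory already exists).
$ScanDir = New-Item -Path 'ScanMe' -ItemType Directory -Force

# NT device-path prefix the audit log uses for the system volume on this machine.
# Adjust if the OS volume is not HarddiskVolume4 — there is no drive-letter
# mapping in the event itself.
$SystemVolume = '\Device\HarddiskVolume4\'

Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -FilterXPath '*[System[EventID=3076]]' | ForEach-Object {
    $DriverPath = $_.Properties[1].Value
    # Normalize the paths: the log reports NT device paths or System32-relative
    # paths rather than Win32 drive-letter paths.
    switch -Wildcard ($DriverPath) {
        "$SystemVolume*" { $DriverPath = "C:\$($DriverPath.Replace($SystemVolume, ''))" }
        'System32*'      { $DriverPath = "C:\Windows\$DriverPath" }
    }
    # Copy-Item's failure is non-terminating, so a path that did not normalize or
    # no longer exists would otherwise be dropped from the policy without notice.
    if (-not (Test-Path -LiteralPath $DriverPath)) {
        Write-Warning "Driver from audit log not found on disk, skipped: $DriverPath"
        return
    }
    # Copy each driver to the scratch directory; the new rules are built from these files.
    Copy-Item -LiteralPath $DriverPath -Destination $ScanDir.FullName
}

# Collect signer information for every driver in the scratch directory.
$NewDrivers = Get-SystemDriver -ScanPath $ScanDir.FullName -NoShadowCopy
# Build policy rules from those drivers: WHQL publisher rules where the signature
# allows it, FilePublisher otherwise.
$NewDriverRules = New-CIPolicyRule -DriverFiles $NewDrivers -Level WHQLFilePublisher -Fallback FilePublisher
# Merge the new rules into the original deny-all audit policy.
Merge-CIPolicy -OutputFilePath WhitelistPolicyDevRound1.xml -PolicyPaths Default_Deny_All_Audit_Drivers.xml -Rules $NewDriverRules
# Compile the merged policy and place it where Code Integrity loads it. The rule
# options (including audit mode) are expected to carry over from the base
# policy; confirm the merged XML still carries the audit-mode option before this
# step if the intent is to keep auditing rather than enforce.
ConvertFrom-CIPolicy -XmlFilePath WhitelistPolicyDevRound1.xml -BinaryFilePath C:\Windows\System32\CodeIntegrity\SIPolicy.p7b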