WDAC

March 8, 2023
Research
0 Comments
paris

Baseline Wizard : Microsoft WDAC Wizard (webapp-wdac-wizard.azurewebsites.net)

GitHub – microsoft/AaronLocker: Robust and practical application control for Windows

Whitelist

Locations only Admins can Write too ( Program Files and PF x86\ WIndows )
Whitelist Publishers

Don’t create Policy Binary ( .cip ) over 350KB of you won’t be able to deploy via Intune!!!!

Update WDAC Audit Logs to Azure Log Analytics –Endpoint Manager and Windows Defender Application Control – stephanvdkruis.com

Endpoint Manager and Windows Defender Application Control – stephanvdkruis.com

Example Windows Defender Application Control (WDAC) base policies (Windows) | Microsoft Learn

Tools

RefreshPolicy.exe download https://www.microsoft.com/en-us/download/details.aspx?id=102925
CiTool ( CiTool is currently included as part of the Windows image in Windows 11 version 22H2. )

Company Portal Whitelisting Managed Apps

https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer ( Deploy Default Policy Listed Here ) CANNOT BE DEPLOYED by Custom CSP , have to use powershell!!!! GitHub – ne8801/scripts

WDAC Policy Whitelisting issues with Company Portal
by u/Trigzeee in Intune

https://call4cloud.nl/2021/06/wdac-or-the-unexpected-virtue-of-ignorance/#part5

Remove WDAC Policy    
# Set PolicyId GUID to the PolicyId from your WDAC policy XML
    $PolicyId = "{a244370e-44c9-4c06-b551-f6016e563076}"

    # Initialize variables
    $SinglePolicyFormatPolicyId = "{A244370E-44C9-4C06-B551-F6016E563076}"
    $SinglePolicyFormatFileName = "\SiPolicy.p7b"
    $MountPoint =  $env:SystemDrive+"\EFIMount"
    $SystemCodeIntegrityFolderRoot = $env:windir+"\System32\CodeIntegrity"
    $EFICodeIntegrityFolderRoot = $MountPoint+"\EFI\Microsoft\Boot"
    $MultiplePolicyFilePath = "\CiPolicies\Active\"+$PolicyId+".cip"

    # Mount the EFI partition
    $EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0]
    if (-Not (Test-Path $MountPoint)) { New-Item -Path $MountPoint -Type Directory -Force }
    mountvol $MountPoint $EFIPartition

    # Check if the PolicyId to be removed is the system reserved GUID for single policy format.
    # If so, the policy may exist as both SiPolicy.p7b in the policy path root as well as
    # {GUID}.cip in the CiPolicies\Active subdirectory
    if ($PolicyId -eq $SinglePolicyFormatPolicyId) {$NumFilesToDelete = 4} else {$NumFilesToDelete = 2}
    
    $Count = 1
    while ($Count -le $NumFilesToDelete) 
    {
           
        # Set the $PolicyPath to the file to be deleted, if exists
        Switch ($Count)
        {
            1 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$MultiplePolicyFilePath}
            2 {$PolicyPath = $EFICodeIntegrityFolderRoot+$MultiplePolicyFilePath}
            3 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$SinglePolicyFormatFileName}
            4 {$PolicyPath = $EFICodeIntegrityFolderRoot+$SinglePolicyFormatFileName}
        }

        # Delete the policy file from the current $PolicyPath
        Write-Host "Attempting to remove $PolicyPath..." -ForegroundColor Cyan
        if (Test-Path $PolicyPath) {Remove-Item -Path $PolicyPath -Force -ErrorAction Continue}

        $Count = $Count + 1
    }

    # Dismount the EFI partition
   mountvol $MountPoint /D

Double check this not being used in Intune

Event ID’s

Windows CodeIntegrity Operational log

Event ID	Explanation
3004	This event isn’t common and may occur with or without an Application Control policy present. It typically indicates a kernel driver tried to load with an invalid signature. For example, the file may not be WHQL-signed on a system where WHQL is required.
3033	This event isn’t common. It often means the file’s signature is revoked or expired. Try using option `20 Enabled:Revoked Expired As Unsigned` in your policy along with a non-signature rule (for example, hash) to address issues with revoked or expired certs.
3034	This event isn’t common. It’s the audit mode equivalent of event 3033 described above.
3076	This event is the main Application Control block event for audit mode policies. It indicates that the file would have been blocked if the policy was enforced.
3077	This event is the main Application Control block event for enforced policies. It indicates that the file didn’t pass your policy and was blocked.
3089	This event contains signature information for files that were blocked or would have been blocked by Application Control. One 3089 event is created for each signature of a file. The event shows the total number of signatures found and an index value to identify the current signature. Unsigned files produce a single 3089 event with TotalSignatureCount 0. 3089 events are correlated with 3004, 3033, 3034, 3076 and 3077 events. You can match the events using the `Correlation ActivityID` found in the System portion of the event.
3099	Indicates that a policy has been loaded. This event also includes information about the Application Control policy options that were specified by the policy.

Example Policy

https://github.com/pariswells/public-code/blob/master/WDAC.xml

(No Ratings Yet)