WDAC

Baseline Wizard : Microsoft WDAC Wizard (webapp-wdac-wizard.azurewebsites.net)

GitHub – microsoft/AaronLocker: Robust and practical application control for Windows

Whitelist

Advanced Hunting Defender to find Apps running outside if Allow List

DeviceProcessEvents
| where FolderPath !contains "Program Files"
| where FolderPath !contains "Onedrive"
| where FolderPath !contains "Teams"
| where FolderPath !contains "C:\\Windows\\"
| where FolderPath !contains "C:\\WindowsAzure\\"
| where FolderPath !contains "C:\\programdata\\"
| where FileName contains ".exe"
| where ProcessCommandLine contains ".exe"

Don’t create Policy Binary ( .cip ) over 350KB of you won’t be able to deploy via Intune!!!!

Update WDAC Audit Logs to Azure Log Analytics –Endpoint Manager and Windows Defender Application Control – stephanvdkruis.com

Endpoint Manager and Windows Defender Application Control – stephanvdkruis.com

Example Windows Defender Application Control (WDAC) base policies (Windows) | Microsoft Learn

Tools

Company Portal Whitelisting Managed Apps

https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer ( Deploy Default Policy Listed Here ) CANNOT BE DEPLOYED by Custom CSP , have to use powershell!!!! GitHub – ne8801/scripts

https://call4cloud.nl/2021/06/wdac-or-the-unexpected-virtue-of-ignorance/#part5
Remove WDAC Policy    
# Set PolicyId GUID to the PolicyId from your WDAC policy XML
    $PolicyId = "{a244370e-44c9-4c06-b551-f6016e563076}"

    # Initialize variables
    $SinglePolicyFormatPolicyId = "{A244370E-44C9-4C06-B551-F6016E563076}"
    $SinglePolicyFormatFileName = "\SiPolicy.p7b"
    $MountPoint =  $env:SystemDrive+"\EFIMount"
    $SystemCodeIntegrityFolderRoot = $env:windir+"\System32\CodeIntegrity"
    $EFICodeIntegrityFolderRoot = $MountPoint+"\EFI\Microsoft\Boot"
    $MultiplePolicyFilePath = "\CiPolicies\Active\"+$PolicyId+".cip"

    # Mount the EFI partition
    $EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0]
    if (-Not (Test-Path $MountPoint)) { New-Item -Path $MountPoint -Type Directory -Force }
    mountvol $MountPoint $EFIPartition

    # Check if the PolicyId to be removed is the system reserved GUID for single policy format.
    # If so, the policy may exist as both SiPolicy.p7b in the policy path root as well as
    # {GUID}.cip in the CiPolicies\Active subdirectory
    if ($PolicyId -eq $SinglePolicyFormatPolicyId) {$NumFilesToDelete = 4} else {$NumFilesToDelete = 2}
    
    $Count = 1
    while ($Count -le $NumFilesToDelete) 
    {
           
        # Set the $PolicyPath to the file to be deleted, if exists
        Switch ($Count)
        {
            1 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$MultiplePolicyFilePath}
            2 {$PolicyPath = $EFICodeIntegrityFolderRoot+$MultiplePolicyFilePath}
            3 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$SinglePolicyFormatFileName}
            4 {$PolicyPath = $EFICodeIntegrityFolderRoot+$SinglePolicyFormatFileName}
        }

        # Delete the policy file from the current $PolicyPath
        Write-Host "Attempting to remove $PolicyPath..." -ForegroundColor Cyan
        if (Test-Path $PolicyPath) {Remove-Item -Path $PolicyPath -Force -ErrorAction Continue}

        $Count = $Count + 1
    }

    # Dismount the EFI partition
   mountvol $MountPoint /D

Double check this not being used in Intune

Event ID’s

Windows CodeIntegrity Operational log

Event IDExplanation
3004This event isn’t common and may occur with or without an Application Control policy present. It typically indicates a kernel driver tried to load with an invalid signature. For example, the file may not be WHQL-signed on a system where WHQL is required.
3033This event isn’t common. It often means the file’s signature is revoked or expired. Try using option 20 Enabled:Revoked Expired As Unsigned in your policy along with a non-signature rule (for example, hash) to address issues with revoked or expired certs.
3034This event isn’t common. It’s the audit mode equivalent of event 3033 described above.
3076This event is the main Application Control block event for audit mode policies. It indicates that the file would have been blocked if the policy was enforced.
3077This event is the main Application Control block event for enforced policies. It indicates that the file didn’t pass your policy and was blocked.
3089This event contains signature information for files that were blocked or would have been blocked by Application Control. One 3089 event is created for each signature of a file. The event shows the total number of signatures found and an index value to identify the current signature. Unsigned files produce a single 3089 event with TotalSignatureCount 0. 3089 events are correlated with 3004, 3033, 3034, 3076 and 3077 events. You can match the events using the Correlation ActivityID found in the System portion of the event.
3099Indicates that a policy has been loaded. This event also includes information about the Application Control policy options that were specified by the policy.

Example Policy

https://github.com/pariswells/public-code/blob/master/WDAC.xml

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...