{"id":6733,"date":"2023-03-08T22:56:28","date_gmt":"2023-03-08T22:56:28","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=6733"},"modified":"2024-07-30T07:18:04","modified_gmt":"2024-07-30T07:18:04","slug":"wdac","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/wdac","title":{"rendered":"WDAC"},"content":{"rendered":"\n<p>Baseline Wizard : <a href=\"https:\/\/webapp-wdac-wizard.azurewebsites.net\/\">Microsoft WDAC Wizard (webapp-wdac-wizard.azurewebsites.net)<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/microsoft\/AaronLocker\">GitHub \u2013 microsoft\/AaronLocker: Robust and practical application control for Windows<\/a><\/p>\n\n\n\n<p><strong>Whitelist<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Locations only Admins can write to ( Program Files, Program Files (x86) and Windows )<\/li>\n\n\n\n<li>Whitelist Publishers<\/li>\n\n\n\n<li>Enable policy rule option 18 &#8211; <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/application-security\/application-control\/windows-defender-application-control\/design\/select-types-of-rules-to-create\">https:\/\/learn.microsoft.com\/en-us\/windows\/security\/application-security\/application-control\/windows-defender-application-control\/design\/select-types-of-rules-to-create<\/a><\/li>\n<\/ul>\n\n\n\n<p>Defender Advanced Hunting query to find apps running outside of the allow list<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">DeviceProcessEvents\n| where FolderPath !contains \"Program Files\"\n| where FolderPath !contains \"Onedrive\"\n| where FolderPath !contains \"Teams\"\n| where FolderPath !contains \"C:\\\\Windows\\\\\"\n| where FolderPath !contains \"C:\\\\WindowsAzure\\\\\"\n| where FolderPath !contains \"C:\\\\programdata\\\\\"\n| where FileName contains \".exe\"\n| where ProcessCommandLine contains \".exe\"<\/code><\/pre>\n\n\n\n<p><strong>Don&#8217;t create a policy binary ( .cip ) over 350KB or you won&#8217;t be able to deploy it via Intune!!!!<\/strong><\/p>\n\n\n\n<p>Send WDAC audit logs to Azure Log Analytics &#8211; <a href=\"https:\/\/stephanvdkruis.com\/2021\/02\/endpoint-manager-and-windows-defender-application-control\/\">Endpoint Manager and Windows Defender Application Control \u2013 stephanvdkruis.com<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-gb\/windows\/security\/threat-protection\/windows-defender-application-control\/example-wdac-base-policies\">Example Windows Defender Application Control (WDAC) base policies (Windows) | Microsoft Learn<\/a><\/p>\n\n\n\n<p><strong>Tools<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>RefreshPolicy.exe download <a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=102925\">https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=102925<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/threat-protection\/windows-defender-application-control\/operations\/citool-commands\" title=\"CiTool\">CiTool<\/a> ( CiTool is currently included as part of the Windows image in Windows 11 version 22H2. )<\/li>\n<\/ul>\n\n\n\n<p><strong>Company Portal Whitelisting Managed Apps<\/strong><\/p>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/threat-protection\/windows-defender-application-control\/configure-authorized-apps-deployed-with-a-managed-installer\">https:\/\/learn.microsoft.com\/en-us\/windows\/security\/threat-protection\/windows-defender-application-control\/configure-authorized-apps-deployed-with-a-managed-installer<\/a> ( Deploy the default policy listed here ) It CANNOT be deployed by a custom CSP, you have to use PowerShell!!!! 
<a href=\"https:\/\/github.com\/ne8801\/scripts\">GitHub &#8211; ne8801\/scripts<\/a><\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-rich is-provider-reddit wp-block-embed-reddit\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"reddit-embed-bq\" style=\"height:316px\" ><a href=\"https:\/\/www.reddit.com\/r\/Intune\/comments\/tyxgq8\/wdac_policy_whitelisting_issues_with_company\/\">WDAC Policy Whitelisting issues with Company Portal<\/a><br> by <a href=\"https:\/\/www.reddit.com\/user\/Trigzeee\/\">u\/Trigzeee<\/a> in <a href=\"https:\/\/www.reddit.com\/r\/Intune\/\">Intune<\/a><\/blockquote>\n<\/div><\/figure>\n\n\n\n<figure class=\"wp-block-embed is-type-wp-embed is-provider-call-4-cloud-intune-mmp-c-windc-autopilot wp-block-embed-call-4-cloud-intune-mmp-c-windc-autopilot\"><div class=\"wp-block-embed__wrapper\">\nhttps:\/\/call4cloud.nl\/2021\/06\/wdac-or-the-unexpected-virtue-of-ignorance\/#part5\n<\/div><\/figure>\n\n\n\n<p><strong>Remove WDAC Policy<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\"># Run from an elevated PowerShell session; reboot afterwards so the removed policy is no longer enforced.\n# Set PolicyId GUID to the PolicyId from your WDAC policy XML\n$PolicyId = \"{a244370e-44c9-4c06-b551-f6016e563076}\"\n\n# Initialize variables\n$SinglePolicyFormatPolicyId = \"{A244370E-44C9-4C06-B551-F6016E563076}\"\n$SinglePolicyFormatFileName = \"\\SiPolicy.p7b\"\n$MountPoint = $env:SystemDrive+\"\\EFIMount\"\n$SystemCodeIntegrityFolderRoot = $env:windir+\"\\System32\\CodeIntegrity\"\n$EFICodeIntegrityFolderRoot = $MountPoint+\"\\EFI\\Microsoft\\Boot\"\n$MultiplePolicyFilePath = \"\\CiPolicies\\Active\\\"+$PolicyId+\".cip\"\n\n# Mount the EFI partition\n$EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0]\nif (-Not (Test-Path $MountPoint)) { New-Item -Path $MountPoint -Type Directory -Force }\nmountvol $MountPoint $EFIPartition\n\n# Check if the PolicyId to be removed is the system reserved GUID for single policy format.\n# If so, the policy may exist as both SiPolicy.p7b in the policy path root as well as\n# {GUID}.cip in the CiPolicies\\Active subdirectory\nif ($PolicyId -eq $SinglePolicyFormatPolicyId) {$NumFilesToDelete = 4} else {$NumFilesToDelete = 2}\n\n$Count = 1\nwhile ($Count -le $NumFilesToDelete)\n{\n    # Set the $PolicyPath to the file to be deleted, if exists\n    Switch ($Count)\n    {\n        1 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$MultiplePolicyFilePath}\n        2 {$PolicyPath = $EFICodeIntegrityFolderRoot+$MultiplePolicyFilePath}\n        3 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$SinglePolicyFormatFileName}\n        4 {$PolicyPath = $EFICodeIntegrityFolderRoot+$SinglePolicyFormatFileName}\n    }\n\n    # Delete the policy file from the current $PolicyPath\n    Write-Host \"Attempting to remove $PolicyPath...\" -ForegroundColor Cyan\n    if (Test-Path $PolicyPath) {Remove-Item -Path $PolicyPath -Force -ErrorAction Continue}\n\n    $Count = $Count + 1\n}\n\n# Dismount the EFI partition\nmountvol $MountPoint \/D<\/code><\/pre>\n\n\n\n<p>Double check this is not being used in Intune<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/03\/image-15.png\"><img loading=\"lazy\" decoding=\"async\" width=\"835\" height=\"148\" src=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/03\/image-15.png\" alt=\"\" class=\"wp-image-6824 img-responsive\" srcset=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/03\/image-15.png 835w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/03\/image-15-300x53.png 300w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/03\/image-15-768x136.png 768w\" sizes=\"auto, (max-width: 835px) 100vw, 835px\" \/><\/a><\/figure>\n\n\n\n<p>Event IDs<\/p>\n\n\n\n<figure 
class=\"wp-block-image size-full\"><a href=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/03\/image-16.png\"><img loading=\"lazy\" decoding=\"async\" width=\"365\" height=\"357\" src=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/03\/image-16.png\" alt=\"\" class=\"wp-image-8149 img-responsive\" srcset=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/03\/image-16.png 365w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/03\/image-16-300x293.png 300w\" sizes=\"auto, (max-width: 365px) 100vw, 365px\" \/><\/a><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"windows-codeintegrity-operational-log\">Windows CodeIntegrity Operational log<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Event ID<\/th><th>Explanation<\/th><\/tr><\/thead><tbody><tr><td>3004<\/td><td>This event isn&#8217;t common and may occur with or without an Application Control policy present. It typically indicates a kernel driver tried to load with an invalid signature. For example, the file may not be WHQL-signed on a system where WHQL is required.<\/td><\/tr><tr><td>3033<\/td><td>This event isn&#8217;t common. It often means the file&#8217;s signature is revoked or expired. Try using option&nbsp;<code>20 Enabled:Revoked Expired As Unsigned<\/code>&nbsp;in your policy along with a non-signature rule (for example, hash) to address issues with revoked or expired certs.<\/td><\/tr><tr><td>3034<\/td><td>This event isn&#8217;t common. It&#8217;s the audit mode equivalent of event 3033 described above.<\/td><\/tr><tr><td>3076<\/td><td>This event is the main Application Control block event for audit mode policies. It indicates that the file would have been blocked if the policy was enforced.<\/td><\/tr><tr><td>3077<\/td><td>This event is the main Application Control block event for enforced policies. 
It indicates that the file didn&#8217;t pass your policy and was blocked.<\/td><\/tr><tr><td>3089<\/td><td>This event contains signature information for files that were blocked or would have been blocked by Application Control. One 3089 event is created for each signature of a file. The event shows the total number of signatures found and an index value to identify the current signature. Unsigned files produce a single 3089 event with TotalSignatureCount 0. 3089 events are correlated with 3004, 3033, 3034, 3076 and 3077 events. You can match the events using the&nbsp;<code>Correlation ActivityID<\/code>&nbsp;found in the&nbsp;<strong>System<\/strong>&nbsp;portion of the event.<\/td><\/tr><tr><td>3099<\/td><td>Indicates that a policy has been loaded. This event also includes information about the Application Control policy options that were specified by the policy.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Example Policy<\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/pariswells\/public-code\/blob\/master\/WDAC.xml\">https:\/\/github.com\/pariswells\/public-code\/blob\/master\/WDAC.xml<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Baseline Wizard : Microsoft WDAC Wizard (webapp-wdac-wizard.azurewebsites.net) GitHub \u2013 microsoft\/AaronLocker: Robust and practical application control for Windows Whitelist Advanced Hunting Defender to find Apps running outside if 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[4193,4192],"class_list":["post-6733","post","type-post","status-publish","format-standard","hentry","category-research","tag-wdac","tag-windows-defender-application-control"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6733","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=6733"}],"version-history":[{"count":16,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6733\/revisions"}],"predecessor-version":[{"id":8166,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6733\/revisions\/8166"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=6733"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=6733"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=6733"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}