WDACConfig v0.3.9 #250
Draft: HotCakeX wants to merge 57 commits into main from WDACConfig-v0.3.9
+2,111 −3,556
Conversation
Added new cmdlet for secure settings verification and overhauled the New-WDACConfig
HotCakeX force-pushed the WDACConfig-v0.3.9 branch from a9e93f9 to da1e5f1 on May 24, 2024 13:36
…n-Windows-Security into WDACConfig-v0.3.9
Implemented SHA3-512 Hash support
What's New
This is by far the biggest update to the WDACConfig module. It brings a lot of new features, improvements, and changes to the cmdlets. The main focus of this update is to make the workflow of the cmdlets more user-friendly, faster, and more efficient. The cmdlets are now more autonomous and less dependent on the native ConfigCI module. There are some inevitable breaking changes along with new features and improvements that are all listed below.
Cmdlet Changes
Edit-WDACConfig and Edit-SignedWDACConfig
- Removed the -AllowNewAppsAuditEvents parameter from both cmdlets; its job has been merged into the -AllowNewApps parameter. This simplifies the workflow, as you no longer have to decide which parameter to use when you need to allow apps or files.
- The -AllowNewApps parameter now automatically detects the files run during audit mode from event logs and displays them to you in a GUI, offering you the option to include them in the supplemental policy by providing comprehensive details about every detected file and empowering you to make an informed decision about them. It also checks for kernel-protected files in the logs you select, such as the main executables of Xbox games, and allows them in the supplemental policy based on PFN (Package Family Name).
- The SnapBack security mechanism is triggered sooner, restoring the base policy that is in audit mode back to enforced mode as soon as possible.
- Using parallel processing methods, the workflow of the cmdlet has been optimized for faster execution.
- You can now use the -AllowNewApps parameter by selecting directories to scan, by relying purely on audit event logs, or both. Previously, the workflow required you to select directories to scan and would fail otherwise. Now you can rely solely on audit event logs to allow new apps or files, which also helps if you want to allow a new file but don't know its exact location.
- The -UpdateBasePolicy parameter has been upgraded. It now intelligently increases the version number of the base policy, ensuring that the new version is always one version higher than the previous one. The version change considers all semantic versioning rules such as revision, build, minor and major numbers and their maximum allowed values.
Set-CiRuleOptions
- A new cmdlet; consider it an improved version of the built-in Set-RuleOption cmdlet. It offers more features and improvements, such as removing and adding rules at the same time in bulk.
- Policy rule option modifications are now completely internalized and no longer use built-in cmdlets. This change results in much faster policy creation.
New-WDACConfig
Complete Overhaul
All of this cmdlet's parameters have been replaced with more user-friendly and efficient ones. No functionality has been lost. The goal is to offer the end user the ability to quickly and easily choose the desired settings with zero ambiguity. As a result, the following changes have been made:
- Removed the -MakePolicyFromAuditLogs parameter from the cmdlet. Its job can now be done with the -AllowNewApps parameter in the Edit-WDACConfig and Edit-SignedWDACConfig cmdlets, or by the New-SupplementalWDACConfig cmdlet.
- New parameter -PolicyType: use it to create base policies. It offers 3 options: 'DefaultWindows', 'AllowMicrosoft', 'SignedAndReputable'.
- New parameter -GetUserModeBlockRules: use it to download or deploy the latest User Mode Block Rules from the Microsoft GitHub repository. The User Mode Block Rules are no longer coupled with the base policy; they are now deployed separately as a standalone policy, offering greater control over them and their life cycle. This is due to the fact that Windows no longer has a limit on how many WDAC policies can be deployed on the system. Previously the limit was 32 policies.
- New parameter -GetDriverBlockRules: use it to download or deploy the latest Kernel Mode Driver Block Rules from the Microsoft website.
- New parameter -Audit: used to turn on audit mode in the base policy. Only available when the -PolicyType parameter is used.
- New parameter -AutoUpdate: only available when the -GetDriverBlockRules parameter is used. It will automatically update the driver block rules when a new version is available, using a scheduled task.
Get-CIPolicySetting
Gets the secure settings value from the deployed CI policies using the Windows APIs.
Refer to the following documents for more info:
Confirm-WDACConfig
- New parameter -OnlySystemPolicies: it will display only the system policies when used.
Assert-WDACConfigIntegrity
Other Changes
This latest update significantly reduces the dependency on the native ConfigCI module, marking a progressive stride towards complete autonomy. The goal is to eventually attain total self-reliance in forthcoming updates.
The ConvertTo-WDACPolicy cmdlet when using local logs as the source, has become faster using high performance functions.
Kernel-protected files are now faster to detect and rules for them are created in better ways.
Sub-modules in each cmdlet now load faster.
Cmdlet outputs are now more streamlined and consistent.
During the module preload phase, certain immutable global variables are established, remaining unalterable for the duration of the session. Previously, these variables were instantiated only if they did not already exist within the session's scope with the same name. Now, the values of these pre-existing variables are scrutinized against those defined within the module. Should a discrepancy arise, an error is triggered. This rigorous validation mechanism ensures the integrity of critical variables, safeguarding them from any potential malicious alterations prior to the module's loading.
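The version bump described for -UpdateBasePolicy above (always one step higher, carrying into the next field when a field is at its maximum) can be shown as a small standalone routine. The following is an added example written for this page, not code from the WDACConfig module; it assumes each of the four VersionEx fields is capped at 65535 (the 16-bit limit used for CI policy versions), and the policy fragment it runs against is a constructed sample, not a real policy file.

```powershell
# Added example, not WDACConfig's implementation. Assumes the four fields of a
# policy version (major.minor.build.revision) are each capped at 65535; $Max is a
# parameter so the cap can be adjusted if that assumption does not hold for you.
function Step-PolicyVersion {
    [CmdletBinding()]
    [OutputType([version])]
    param(
        [Parameter(Mandatory)][version]$Current,
        [int]$Max = 65535
    )
    # [version] reports -1 for fields absent from the string (e.g. "10.0"); treat them as 0.
    $fields = @($Current.Major, $Current.Minor, $Current.Build, $Current.Revision) |
        ForEach-Object { [Math]::Max($_, 0) }

    # Walk from revision (index 3) up to major (index 0): the first field below the
    # cap is incremented, and every saturated field below it rolls over to 0.
    for ($i = 3; $i -ge 0; $i--) {
        if ($fields[$i] -lt $Max) {
            $fields[$i]++
            return [version]::new($fields[0], $fields[1], $fields[2], $fields[3])
        }
        $fields[$i] = 0
    }
    throw "Version $Current cannot be increased: all four fields are already at $Max."
}

# Apply the bump to the VersionEx element of a policy XML document in memory.
function Update-PolicyXmlVersion {
    [CmdletBinding()]
    param([Parameter(Mandatory)][xml]$Policy)
    $old = [version]$Policy.SiPolicy.VersionEx
    $new = Step-PolicyVersion -Current $old
    $Policy.SiPolicy.VersionEx = $new.ToString()
    [pscustomobject]@{ Old = $old; New = $new }
}

# Constructed minimal policy fragment (not a real policy) whose revision field is
# already saturated, so the increment has to carry into the build field.
[xml]$sample = @'
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <VersionEx>10.0.0.65535</VersionEx>
</SiPolicy>
'@
Update-PolicyXmlVersion -Policy $sample
```

Because the check runs field by field from the least significant end, a saturated revision carries into build, a saturated build into minor, and so on; the routine refuses to produce a version at all once every field is at the cap rather than wrapping back to 0.0.0.0, which would deploy a policy with a lower version than the one already on the system.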
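The preload check in the last paragraph (pre-existing session variables compared against the module's values, an error on any mismatch, and the variables then fixed for the session) can be illustrated in PowerShell. This is an added example written for this page, not WDACConfig's own implementation; the variable names and the values in $constants are hypothetical placeholders.

```powershell
# Added example of a pre-load integrity check for module constants; not the
# module's code. Variable names and values below are hypothetical placeholders.
function Assert-ModuleConstant {
    [CmdletBinding()]
    param([Parameter(Mandatory)][hashtable]$Expected)

    $constant = [System.Management.Automation.ScopedItemOptions]::Constant
    $problems = @()

    # Phase 1: validate every name before creating anything, so a failure leaves
    # no half-initialised state behind.
    foreach ($name in $Expected.Keys) {
        $existing = Get-Variable -Name $name -Scope Global -ErrorAction SilentlyContinue
        if ($null -eq $existing) { continue }
        # Scalar comparison; structured values would need a deep comparison here.
        if ($existing.Value -ne $Expected[$name]) {
            $problems += "'$name' is already defined as '$($existing.Value)' (expected '$($Expected[$name])')"
        }
    }
    if ($problems.Count -gt 0) {
        throw ("Refusing to load: global variable(s) were pre-set with unexpected values. " +
               ($problems -join '; '))
    }

    # Phase 2: (re)create each name as a Constant so it cannot be changed or removed
    # for the rest of the session. The Constant option can only be applied at
    # creation time, so a matching but unlocked pre-existing variable is removed
    # and recreated.
    foreach ($name in $Expected.Keys) {
        $existing = Get-Variable -Name $name -Scope Global -ErrorAction SilentlyContinue
        if ($null -ne $existing) {
            if ($existing.Options.HasFlag($constant)) { continue }
            Remove-Variable -Name $name -Scope Global -Force
        }
        Set-Variable -Name $name -Value $Expected[$name] -Scope Global -Option Constant
    }
}

# Hypothetical constants a module might pin for the session.
$constants = @{
    DemoPolicyStoreRoot = Join-Path $env:ProgramData 'DemoWDAC'
    DemoHashAlgorithm   = 'SHA3-512'
}

# Simulate a stale or hostile session that pre-defined one name with another value:
# the load is refused and nothing is created.
$global:DemoHashAlgorithm = 'SHA1'
try   { Assert-ModuleConstant -Expected $constants }
catch { Write-Warning $_.Exception.Message }

# Clear the poisoned value and load again: both names now carry the Constant option.
Remove-Variable -Name DemoHashAlgorithm -Scope Global
Assert-ModuleConstant -Expected $constants
Get-Variable -Name DemoPolicyStoreRoot, DemoHashAlgorithm -Scope Global | Select-Object Name, Options
```

The two-phase shape matters: validating all names before locking any of them means a mismatch on the last name does not leave the earlier ones already created as constants, and recreating an unlocked match as Constant closes the window in which a later script in the same session could overwrite it.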