WDACConfig Module Update v0.4.1 #284
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
For improved performance moved some PowerShell code to native C#, this reduces overhead and makes things faster in general
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
HotCakeX
requested review from
github-advanced-security
and removed request for
github-advanced-security
PS Class conversion to C#
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What's New
Added support for WHQLFilePublisher, WHQLPublisher, WHQL and FilePath levels to the WDAC Simulation. If you want to read more about the levels check out this article.
Lots of performance improvements and optimizations in pretty much every component of the WDACConfig module to make it faster.
WDAC Simulation's logic has been substantially improved under the hood for faster and completely different mechanism that unlocks all Application Control levels to be verifiable through the simulation engine.
WDAC Simulation now supports parallelism. You can set the number of parallel threads between 1 which is minimum, and the number of your CPU cores which is the maximum. With this improvement, you can perform WDAC Simulation on the entire C drive in only a few minutes.
Laid the groundwork for the future GUI implementation in the WDACConfig module.
When deploying signed policies, before attempting to download the SignTool.exe from the official Microsoft Nuget repository, the module now checks whether Nuget exists as a package source on the system (which should be by default) and if it isn't, it will add it.
When using the New-KernelModeWDACConfig to deploy a strict kernel mode WDAC policy with no flight root signers (which is not the default behavior and you have to go out of your way to choose that option), the module now performs a WDAC simulation on the Windows Kernel to ensure your current OS version does not belong to Dev/Canary insider channels, to prevent from deploying a policy that could render the system unusable.
Lots of PowerShell code have been converted to native C# code for improved agility, future use-cases and being able to directly utilize Windows APIs.
Since Windows no longer has a cap on the number of the WDAC policies that can be deployed, many components of the module have been updated to handle large number of deployed policies.
The module's startup time has been substantially improved, now the parameter suggestions and arguments are loaded at least x3 times faster than before.
Removed the self-signed certificate details from the module files as most of them are converted to C# and
.csfiles don't support Authenticode signature. The best way to verify the integrity of the WDACConfig module files is using the Assert-WDACConfigIntegrity which uses the strongest available hashing algorithms (SHA3 and SHA2).All of the PowerShell native global variables have been switched to C# constants, this offers greater protection against tampering since reflection can no longer be used to overwrite them. To compromise C# constants you would need to directly modify their in-memory values which imposes more cost from an attacker's point of view. Read more about this method here