WDAC policy ? #34
Comments
Hi @Harvester57, this is definitely something we are looking into. I'm going to keep this open until we come back around to it. We recently added authentihash for most every driver and also produced a new hash list - https://github.com/magicsword-io/LOLDrivers/blob/main/detections/hashes/authentihash_samples.sha256
I actually was just pondering this capability myself, before having found this ticket.
Technically you can create the policy XML file yourself too by putting the hashes in the right places, you can automate it via PowerShell and use the Other than that, you need to have the files in a folder to scan them.
WDAC Policy (All drivers minus straight up malware that Microsoft Defender detected and removed). More info: https://github.com/HotCakeX/Harden-Windows-Security/wiki/New-DenyWDACConfig https://twitter.com/SpyNetGirl/status/1659323804546375681 Download 👇👇
Here is a quick'n dirty GitHub Actions file to generate a denylist from the drivers/ folder, merge it with the AllowAll WDAC policy, and upload it as an artifact: https://github.com/Harvester57/LOLDrivers/blob/main/.github/workflows/generate-wdac.yml
@Harvester57 Thank you so much for the share, created PR to add this to the main repo! #133
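The hash-to-XML route mentioned earlier in the thread (putting the authentihashes in the right places of a policy and automating it via PowerShell) and the "merge with AllowAll" approach of the workflow above, as one added example that is not code from the LOLDrivers project or from anyone in this thread. It assumes a one-hash-per-line SHA256 authentihash list, the stock AllowAll.xml template that ships with Windows, and the built-in ConfigCI module; the rule IDs, friendly names and output paths are my own choices.

```powershell
# Assumptions: one SHA256 authentihash per line in $HashList (blank and '#' lines skipped),
# the stock Windows AllowAll template, and the ConfigCI module (ships with Windows 10/11).
$HashList = '.\authentihash_samples.sha256'
$Template = "$env:SystemRoot\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml"
$OutXml   = '.\LOLDrivers_Deny.xml'
$OutBin   = '.\LOLDrivers_Deny.cip'

$ns  = 'urn:schemas-microsoft-com:sipolicy'
[xml]$pol = Get-Content -LiteralPath $Template -Raw
$nsm = New-Object System.Xml.XmlNamespaceManager($pol.NameTable)
$nsm.AddNamespace('si', $ns)

# Deny rules live under FileRules and are referenced from the kernel-mode
# signing scenario (Value="131"); a Deny always wins over the template's Allow "*".
$fileRules = $pol.SelectSingleNode('/si:SiPolicy/si:FileRules', $nsm)
$scenario  = $pol.SelectSingleNode('/si:SiPolicy/si:SigningScenarios/si:SigningScenario[@Value="131"]', $nsm)
$refs = $scenario.SelectSingleNode('si:ProductSigners/si:FileRulesRef', $nsm)
if (-not $refs) {
    $refs = $scenario.SelectSingleNode('si:ProductSigners', $nsm).AppendChild($pol.CreateElement('FileRulesRef', $ns))
}

$i = 0
Get-Content -LiteralPath $HashList |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match '^[0-9A-Fa-f]{64}$' } |   # skip comments, blanks, malformed lines
    Sort-Object -Unique |
    ForEach-Object {
        $i++
        $id   = "ID_DENY_LOLDRV_$i"
        $deny = $pol.CreateElement('Deny', $ns)
        $deny.SetAttribute('ID', $id)
        $deny.SetAttribute('FriendlyName', "LOLDrivers authentihash $i")
        $deny.SetAttribute('Hash', $_.ToUpper())   # Hash = PE authentihash, not a flat file hash
        [void]$fileRules.AppendChild($deny)
        $ref = $pol.CreateElement('FileRuleRef', $ns)
        $ref.SetAttribute('RuleID', $id)
        [void]$refs.AppendChild($ref)
    }

$full = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutXml)
$pol.Save($full)
# Give the policy its own GUID instead of reusing the template's
Set-CIPolicyIdInfo -FilePath $full -ResetPolicyID | Out-Null
Write-Host "Wrote $i deny rules to $full"
# This is the step that fails for very large lists (see MicrosoftDocs/WDAC-Toolkit#269)
ConvertFrom-CIPolicy -XmlFilePath $full -BinaryFilePath $OutBin
```

Test the resulting .cip in audit mode on a lab machine before enforcing it, since a bad deny rule on a driver the system needs can prevent booting.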
My pleasure! But you should be aware beforehand that the current policy generated is too big to be converted to a binary file for now, a ticket has been opened internally at Microsoft by Jordan Geurten (cf. MicrosoftDocs/WDAC-Toolkit#269). In the meantime, I don't know if it is a good policy to enable the WDAC generation if it results in a non-exploitable policy in the end, but I'll let you be the judge of that :)
Hey Mike, figured out how to run a custom runner on win11 that I believed generated well-working policies, added them to the repo PR #133. We now have WDAC policies 🎉 thanks to you all!
Hi,
I see that you already have Sysmon and Sigma detection files available, I was wondering if you planned to provide a WDAC blocklist, much like the Microsoft recommended WDAC blocklist (cf. https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)? Or maybe the overlap is already too great to bother with it?
Thanks! :)