WDAC policy ? #34

Closed
Harvester57 opened this issue Apr 19, 2023 · 8 comments
Labels
enhancement New feature or request Future

Comments

@Harvester57

Hi,

I see that you already have Sysmon and Sigma detection files available; I was wondering if you planned to provide a WDAC blocklist, much like the Microsoft recommended WDAC blocklist (cf. https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)? Or maybe the overlap is already too great to bother with it?

Thanks ! :)

@nasbench nasbench self-assigned this Apr 19, 2023
@nasbench nasbench added the enhancement New feature or request label Apr 19, 2023
@nasbench nasbench removed their assignment Apr 19, 2023
@MHaggis
Contributor

MHaggis commented May 6, 2023

Hi @Harvester57 , this is definitely something we are looking into. I'm going to keep this open until we come back around to it. We recently added authentihash for most every driver and also produced a new hash list - https://github.com/magicsword-io/LOLDrivers/blob/main/detections/hashes/authentihash_samples.sha256

@MHaggis MHaggis added the Future label May 6, 2023
@wdormann

wdormann commented May 9, 2023

I actually was just pondering this capability myself, before having found this ticket.
If PowerShell's New-CIPolicy tool allows for creation of a policy based on authentihashes only, then that'd make this trivial. But based on a quick skim, it seems like you have to have the actual files to create a policy?

@HotCakeX

> I actually was just pondering this capability myself, before having found this ticket. If PowerShell's New-CIPolicy tool allows for creation of a policy based on authentihashes only, then that'd make this trivial. But based on a quick skim, it seems like you have to have the actual files to create a policy?

Technically you can create the policy XML file yourself too by putting the hashes in the right places; you can automate it via PowerShell and use C:\Windows\schemas\CodeIntegrity\cipolicy.xsd to learn the syntax.

Other than that, you need to have the files in a folder to scan them.

@HotCakeX

WDAC Policy (All drivers minus straight up malware that Microsoft Defender detected and removed)

More info: https://github.com/HotCakeX/Harden-Windows-Security/wiki/New-DenyWDACConfig

https://twitter.com/SpyNetGirl/status/1659323804546375681

Download 👇👇

{8e2e33ac-be42-4fc5-a42a-8c38a722bc01}.zip

@Harvester57
Author

Harvester57 commented May 23, 2023

Here is a quick'n dirty GitHub Actions file to generate a denylist from the drivers/ folder, merge it with the AllowAll WDAC policy, and upload it as an artifact:

https://github.com/Harvester57/LOLDrivers/blob/main/.github/workflows/generate-wdac.yml
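HotCakeX's suggestion above (hand-building the policy XML with the hashes in the right places) and Harvester57's denylist generation, as an added example that is not code from this thread or from the LOLDrivers repo: it turns a one-hash-per-line list into a deny-by-hash WDAC policy XML and re-parses it to check the rule count. The hash values are constructed placeholders, the element layout and rule option strings are the ones used in Microsoft's published driver block rules, and the output is assumed to still need validation against cipolicy.xsd and conversion with ConvertFrom-CIPolicy on a Windows host.

```python
import re
import xml.etree.ElementTree as ET

NS = "urn:schemas-microsoft-com:sipolicy"
T = lambda tag: f"{{{NS}}}{tag}"  # namespace-qualified tag name

# Constructed input in the one-SHA-256-per-line shape of authentihash_samples.sha256;
# the values are placeholders (a comment, a mixed-case duplicate, junk), not real drivers.
SAMPLE_HASHES = "\n".join(["# header comment", "0123456789abcdef" * 4,
                           "fedcba9876543210" * 4, "0123456789ABCDEF" * 4, "not-a-hash"])

def parse_hashes(text):
    """Keep only 64-hex lines, upper-case them, drop case-insensitive duplicates."""
    out = []
    for line in map(str.strip, text.splitlines()):
        if re.fullmatch(r"[0-9a-fA-F]{64}", line) and line.upper() not in out:
            out.append(line.upper())
    return out

def build_policy(hashes):
    """Minimal SiPolicy XML: one Deny rule per hash, referenced from the kernel-driver
    signing scenario (Value 131). Starts in audit mode; validate against cipolicy.xsd."""
    ET.register_namespace("", NS)
    root = ET.Element(T("SiPolicy"), PolicyType="Base Policy")
    ET.SubElement(root, T("VersionEx")).text = "10.0.0.0"
    ET.SubElement(root, T("PlatformID")).text = "{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}"
    rules = ET.SubElement(root, T("Rules"))
    for opt in ("Enabled:Unsigned System Integrity Policy", "Enabled:Audit Mode"):
        ET.SubElement(ET.SubElement(rules, T("Rule")), T("Option")).text = opt
    ET.SubElement(root, T("EKUs"))
    file_rules = ET.SubElement(root, T("FileRules"))
    for i, h in enumerate(hashes):
        ET.SubElement(file_rules, T("Deny"), ID=f"ID_DENY_D_{i}", FriendlyName=f"Hash {i}", Hash=h)
    ET.SubElement(root, T("Signers"))
    scen = ET.SubElement(ET.SubElement(root, T("SigningScenarios")), T("SigningScenario"),
                         Value="131", ID="ID_SIGNINGSCENARIO_DRIVERS_1", FriendlyName="Drivers")
    refs = ET.SubElement(ET.SubElement(scen, T("ProductSigners")), T("FileRulesRef"))
    for i in range(len(hashes)):
        ET.SubElement(refs, T("FileRuleRef"), RuleID=f"ID_DENY_D_{i}")
    for tag in ("UpdatePolicySigners", "CiSigners"):
        ET.SubElement(root, T(tag))
    ET.SubElement(root, T("HvciOptions")).text = "0"
    return ET.tostring(root, encoding="unicode")

def rule_counts(xml_text):
    """Re-parse a policy and return (Deny rules, FileRuleRefs in the driver scenario)."""
    root = ET.fromstring(xml_text)
    return (len(root.findall(f"{T('FileRules')}/{T('Deny')}")),
            len(root.findall(f".//{T('SigningScenario')}[@Value='131']//{T('FileRuleRef')}")))
```

With the full LOLDrivers list the XML grows to one Deny plus one FileRuleRef per hash, so check that ConvertFrom-CIPolicy still accepts it before relying on the result.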

@josehelps josehelps mentioned this issue Aug 19, 2023
@josehelps
Collaborator

@Harvester57 Thank you so much for the share, created PR to add this to the main repo! #133

@Harvester57
Author

My pleasure !

But you should be aware beforehand that the current policy generated is too big to be converted to a binary file for now; a ticket has been opened internally at Microsoft by Jordan Geurten (cf. MicrosoftDocs/WDAC-Toolkit#269). In the meantime, I don't know if it is a good policy to enable the WDAC generation if it results in a non-exploitable policy in the end, but I'll let you be the judge of that :)

@josehelps
Collaborator

josehelps commented Sep 3, 2023

Hey, Mike figured out how to run a custom runner on win11 that I believe generates well-working policies; added them to the repo in PR #133. We now have WDAC policies 🎉 thanks to you all!
