Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
67 lines (67 sloc) 3.76 KB
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>1.4.0.0</VersionEx>
<PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<!--Ignore the following rules. This CI policy should only be consumed with Get-CIPolicy.-->
<!--See http://www.exploit-monday.com/2016/09/using-device-guard-to-mitigate-against.html for more info.-->
<Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option>
</Rule>
<Rule>
<Option>Enabled:Audit Mode</Option>
</Rule>
<Rule>
<Option>Enabled:Advanced Boot Options Menu</Option>
</Rule>
<Rule>
<Option>Required:Enforce Store Applications</Option>
</Rule>
<Rule>
<Option>Enabled:UMCI</Option>
</Rule>
</Rules>
<EKUs />
<FileRules>
<!--One of the best bypasses to date from Casey Smith (@subTee) (http://subt0x10.blogspot.com/2017/04/bypassing-application-whitelisting.html)-->
<Deny ID="ID_DENY_MSBUILD" FriendlyName="MSBuild.exe" FileName="MSBuild.exe" MinimumFileVersion="65535.65535.65535.65535" />
<!--(https://web.archive.org/web/20161008143428/http://subt0x10.blogspot.com/2016/09/application-whitelisting-bypass-csiexe.html) via Casey Smith (@subTee)-->
<Deny ID="ID_DENY_CSI" FriendlyName="csi.exe" FileName="csi.exe" MinimumFileVersion="65535.65535.65535.65535" />
<!--(https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/) via Matt Nelson (@enigma0x3)-->
<Deny ID="ID_DENY_DNX" FriendlyName="dnx.exe" FileName="dnx.exe" MinimumFileVersion="65535.65535.65535.65535" />
<!--(https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/) via Matt Nelson (@enigma0x3)-->
<Deny ID="ID_DENY_RCSI" FriendlyName="rcsi.exe" FileName="rcsi.exe" MinimumFileVersion="65535.65535.65535.65535" />
<!--Signed debuggers via Matt Graeber (@mattifestation). (http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html)-->
<Deny ID="ID_DENY_KD" FriendlyName="kd.exe" FileName="kd.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_WINDBG" FriendlyName="windbg.exe" FileName="windbg.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_CDB" FriendlyName="cdb.exe" FileName="CDB.Exe" MinimumFileVersion="65535.65535.65535.65535" />
<!--Another signed debugger. Credit to Matt Nelson (@enigma0x3) for suggesting this.-->
<Deny ID="ID_DENY_NTSD" FriendlyName="ntsd.exe" FileName="ntsd.exe" MinimumFileVersion="65535.65535.65535.65535" />
<!--Versions of BGInfo prior to 4.22.0.0 were vulnerable to an app-whitelisting bypass (https://msitpros.com/?p=3831). Thanks Oddvar Moe (@Oddvarmoe)!-->
<Deny ID="ID_DENY_BGINFO" FriendlyName="Bginfo.exe" FileName="Bginfo.exe" MinimumFileVersion="4.21.0.0" />
</FileRules>
<Signers />
<SigningScenarios>
<SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Kernel-mode deny rules">
<ProductSigners />
</SigningScenario>
<SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="User-mode deny rules">
<ProductSigners>
<FileRulesRef>
<FileRuleRef RuleID="ID_DENY_MSBUILD" />
<FileRuleRef RuleID="ID_DENY_CSI" />
<FileRuleRef RuleID="ID_DENY_DNX" />
<FileRuleRef RuleID="ID_DENY_RCSI" />
<FileRuleRef RuleID="ID_DENY_KD" />
<FileRuleRef RuleID="ID_DENY_WINDBG" />
<FileRuleRef RuleID="ID_DENY_CDB" />
<FileRuleRef RuleID="ID_DENY_NTSD" />
<FileRuleRef RuleID="ID_DENY_BGINFO" />
</FileRulesRef>
</ProductSigners>
</SigningScenario>
</SigningScenarios>
<UpdatePolicySigners />
<CiSigners />
</SiPolicy>