diff --git a/WDACConfig/Utilities/Hashes.csv b/WDACConfig/Utilities/Hashes.csv
index 29a0ef783..6cafbf0e0 100644
--- a/WDACConfig/Utilities/Hashes.csv
+++ b/WDACConfig/Utilities/Hashes.csv
@@ -1,33 +1,38 @@ "RelativePath","FileName","FileHash" -"Preloader.ps1","Preloader.ps1","F1F40E2738FF0F1F0F93AAE43F54031AC26EF1A08B5FBC826411E94E7B9C92D2EBC814FE5717261B078BEF8097281C96871827B3AC4599B31ED0FBB0651B87B2" -"WDACConfig.psd1","WDACConfig.psd1","F3056970C5CD4BAD3A1DF089F43D0AEA4DC8C0DC5B5BE5A0CD1C2645CCA71E46BCA2FC6376A19A6D4E975B6C77506D293E32A136C18CBC6C34EA784E69DC5758" +"Preloader.ps1","Preloader.ps1","D5E35977A380E4BE020F350AED651746735B3B2F48DDD3E77D4E4C16E5DDE2AB56D879B61BE15009AAD2355F5A17C173D290286A200D880CBB6B82A6B593D98F" +"WDACConfig.psd1","WDACConfig.psd1","AA81D237642E04934294B38A3683F4123E19F3A553808D30E0873BAB33E4BB4C314586CB42C38C2ACEC695436EA2050EDF35CFC027CD82EC62E6A2A113C5EA28" "WDACConfig.psm1","WDACConfig.psm1","AEDE7DF34183CD06AD7F045841E70F5B10EC068A1CC8F7B6E647E6880A5C55BAD68ED318992DA0146EB2F58B8C19FFF92DA44AE470D25EAF4C19B19F6E504FEA" "Core\Assert-WDACConfigIntegrity.psm1","Assert-WDACConfigIntegrity.psm1","A7A3D806DC2637DA1DB24F1A4DE40CEC33AF16240C15FF82B105C805A5CD7EB94362E0D283826E49F24D9E7B1CB99A6986B98E771193E10622EDAE5837FBC807" -"Core\Build-WDACCertificate.psm1","Build-WDACCertificate.psm1","94C17957C5B59B0AA2978B066E085D988D436BF8258BB92AC35D0FFF5CA7F0E2F5D50C60FE53E438E4E87962D02C82DA8781CADB6419F8D6F423F7068E909E32" +"Core\Build-WDACCertificate.psm1","Build-WDACCertificate.psm1","62E0C97C69E098F801318F23A057F58C9006AB62071B4A3FA0146122975C7C71AB798E43B93FC2DB570AFA3CF530C7C46D4D9A09493FC9EDD9A6C43586ABE145" "Core\Confirm-WDACConfig.psm1","Confirm-WDACConfig.psm1","F05B9C7CD1BCB4BFF4C447013326EE41CF6C6D52C48AC0A057EE6862E7E4F3748A9948E991B765454F9367695E2752BDE3000211642D7537EC603D1AF7D25487" -"Core\Deploy-SignedWDACConfig.psm1","Deploy-SignedWDACConfig.psm1","0CD85ECE98C13599C1163F66B97AB3501C41127E4DDC8153EE0D3ABCB303E81BB30EC7DABED52C3E3460BDEFDAA54B490B8C1A8AB8CBF2352AF647337F557A95" 
-"Core\Edit-SignedWDACConfig.psm1","Edit-SignedWDACConfig.psm1","CC0F59F5EFC695C4680493F08E03CC6D8C80C915671C5B4A63C890415494144B332DAE52AB743BCF567709C37B39F91B3EC8D0A2821ADCA93C81A30F74414DA6" +"Core\Deploy-SignedWDACConfig.psm1","Deploy-SignedWDACConfig.psm1","6E300258BAEDA5787441A11AF492C4D814611789974B1D59BC0C4BCC98724DCE66C6334ED541AD5DE52C497A9BC586C66F02CC87231B8D5F14603F8632711C94" +"Core\Edit-SignedWDACConfig.psm1","Edit-SignedWDACConfig.psm1","D9B79D3D4D7F9B5D5C0608F95FA74827BC1F8CF30F78FA5A4054B4B17FCC83F6EAA87C391857419DFC8D8A26650113D4560FE0C51E5BAB0561744AEB926E191D" "Core\Edit-WDACConfig.psm1","Edit-WDACConfig.psm1","486F2426F5CD714B0717B256B335A5D98D414761846A08A54CD509406E0B291EB55BF7EE7704A5797C3E90DBCAFD804ED52D89EFF6CED9A175717BDC7A3B384A" -"Core\Get-CommonWDACConfig.psm1","Get-CommonWDACConfig.psm1","EAE580A6DB1F1C9A3A61934EF545D5E14F570A7A3D8365E01C4C35D7E9DA77530EED319623E40DC3A1BC648A76CF2B715091B0644306CC3B1C5F7EF1E262FB57" +"Core\Get-CommonWDACConfig.psm1","Get-CommonWDACConfig.psm1","136D9707E4EDE54C26A3C15A378B4A6F38B12F466D934B6A48AB876CC9EF9A2DE9728ADC16B64103D5DBAD0D421E5B59F036D74953B7A5C5693B20DC043F8F15" "Core\Invoke-WDACSimulation.psm1","Invoke-WDACSimulation.psm1","694D9BD5B7288F9A36287EAD454A7B28698CCD92BF83C36DE08FED77EA0AF49E47189A182C83E83A8519BA893BF65B2673CD24D066C9DD6AEDF68084023346BE" "Core\New-DenyWDACConfig.psm1","New-DenyWDACConfig.psm1","B1954DD6D0C20C73624C4040C222A6EBA03B141D80391788A39E9995D8D3729BB0A76A4FE571AC8EEAFAFCBB679743C08B58947B13AB3E57B884861BDB9170A2" -"Core\New-KernelModeWDACConfig.psm1","New-KernelModeWDACConfig.psm1","B9553F48A29FA2847C50BC7AB2244FC06B9731DE645ABA1D0BF1E198D565D7A3FF7893C38415D43C38D83A78AC5B0800192581605D8F22BF5315F7612F06C2BD" +"Core\New-KernelModeWDACConfig.psm1","New-KernelModeWDACConfig.psm1","F5311B8EB87A02CD1BB33B497A7EF6A2A39EB2A0FB1DE5CD6D8B53B60E574D5895681D99004301B7C7B3EEF39D863BB1BA8B408E2890A1F18C3A760475EA92B3" 
"Core\New-SupplementalWDACConfig.psm1","New-SupplementalWDACConfig.psm1","E6F44921A45D36EA3D6238368E623505EDD97F8040AF4A654C3A0FDAD9D29A4839DF4340B3A33AE896305DD6FBD01D68FCB740356AA33917652A8AF742098E49" "Core\New-WDACConfig.psm1","New-WDACConfig.psm1","6ACC7BA93FD208862A99F2FF085528EAF45DF1F29DC6C5246F399857016B0D834D4D67F715DBBB47FED6F59DBC4D217161D0088099D9738670B8F539720B1A04" -"Core\Remove-CommonWDACConfig.psm1","Remove-CommonWDACConfig.psm1","9030EC9E484712DE3AC85B8B17F3BFE04B652784F8370F6A5DA302C32DC24E8A95C542ACA006324BD2196C4C9D7AA9CDD12BFD7378B1C4988052EC396D491E0E" -"Core\Remove-WDACConfig.psm1","Remove-WDACConfig.psm1","894176AD4C01B2A6AC560DF86DE0595AE6B9B825071792DFDF011F48FF922D5B868C9DD35E3FAC915563FEC040C207B62D570EEAADD0ECA67B33584086EE7E18" -"Core\Set-CommonWDACConfig.psm1","Set-CommonWDACConfig.psm1","DE8D29FB24A003D94970E5C930477DC0F781CC7A22B88AD7065726391FAB4B6966108BC05BAAEB2757786A65E75E18A4A971E3B1F3AB0464E81FF17967D04378" -"CoreExt\PSDefaultParameterValues.ps1","PSDefaultParameterValues.ps1","73431C5710BE03621DAF4C9D563CC770C5AF4927DA534F49B5E3DAE79E2A834EBE910188E1BDF4FE5AA8DCBD3244C10889B922CE271CC0D2ED55723B3C476876" +"Core\Remove-CommonWDACConfig.psm1","Remove-CommonWDACConfig.psm1","CB90185EF0E5AF054F7D00E80A331A641381896413FFD83F9CF9600CB3307A0D8F41705583149D5CA754DF1B35FE245C2B3C76826C50E903AC6BAAD98A7C9FB5" +"Core\Remove-WDACConfig.psm1","Remove-WDACConfig.psm1","5661413F6C806BAE9DE8CE9950C0BAEA50D51414EEEBE80A6907F6D12F8CF31678D8F8CED51A87499BCC2F866DC2FFBE935A05837D6796420A4BDA0050DEFBCA" +"Core\Set-CommonWDACConfig.psm1","Set-CommonWDACConfig.psm1","62B5E45C58685785EF11F1B281199039FCC32FD3DAC83F20956E8F75499BA5CE92B5DB8731F2DE9CFAF767851C68DDB86ECA6F64F9D6D21CC4B05818EFD2ACE5" +"CoreExt\PSDefaultParameterValues.ps1","PSDefaultParameterValues.ps1","6E763217D62F8A02F0B012CEB5BCF71D721573DDA5850F2FC4FFC00D85A0E3A268EFB563EAB4166D2E5B7A5A359D141F2AF5FF7BAA9695AAC13BCF6E5E0A16A3" 
"Resources\ArgumentCompleters.ps1","ArgumentCompleters.ps1","0471552A03BCF16D55C754C8B2C54B5809A211CFB33E00A53B0C3722F65C6E30BA49C371813343839A7AB86B4D2AEE4136521FE31FA5303548132878FC4A1173" "Resources\Resources2.ps1","Resources2.ps1","404722F31CE73E6C89C623917B8A05AE806E34016EDC2105BD0D2659A8273CE9620282A1C38F0808F2CEC1BA71620F9609DD20F1A91A00217344A6EA687EB35E" -"Resources\WDAC Policies\DefaultWindows_Enforced_Kernel_NoFlights.xml","DefaultWindows_Enforced_Kernel_NoFlights.xml","D02BCCFA3C35E179A634AFCDE04259C43F8FBD619A4D0D2F7BAC1A8A9FBC58D3EBC7EE89B1B2EC6B3C17BD6EC38ADB501B271AEA3037B980D10EAB9AFA3B8308" -"Resources\WDAC Policies\DefaultWindows_Enforced_Kernel.xml","DefaultWindows_Enforced_Kernel.xml","BDC7B623386570F383B4A113BF06C7FF6A5A4271AFE572B5D68EEBC161CD650B62E70636527DFBEF09A8F95E66899CEEC424AA22CD00BBEF6D7888759D812F8D" +"Resources\User Configurations\Schema.json","Schema.json","9A20EF0148D298178B35C1AAB961C46AF62BBCC0BB0DCCBE63F2FE08E0A764406267449CDD686A01F85650622DA6E690D12FBB88BB3A7E070BA58C1AF8FBC813" +"Resources\WDAC Policies\DefaultWindows_Enforced_Kernel_NoFlights.xml","DefaultWindows_Enforced_Kernel_NoFlights.xml","7E4BC35A3F0840C8F3921FB260CE84660DC3CAACB7850A1AEF13AFC48B0E069D27562C5632444926BF60B44A0E0FF522D0215F1F7DD5E1A7E51A45E86AB7F44C" +"Resources\WDAC Policies\DefaultWindows_Enforced_Kernel.xml","DefaultWindows_Enforced_Kernel.xml","846663A7B0CAD90A2305F3C3322D6C2CFA6277B7E4B083CB478FF409DB29A7D0D71318845B884518B8D2F87B66A5EA327D4EB2D39A9707D1EE41B0237812FFD6" +"Resources\WDAC Policies-Archived\DefaultWindows_Enforced_Kernel_NoFlights.xml","DefaultWindows_Enforced_Kernel_NoFlights.xml","D02BCCFA3C35E179A634AFCDE04259C43F8FBD619A4D0D2F7BAC1A8A9FBC58D3EBC7EE89B1B2EC6B3C17BD6EC38ADB501B271AEA3037B980D10EAB9AFA3B8308" +"Resources\WDAC 
Policies-Archived\DefaultWindows_Enforced_Kernel.xml","DefaultWindows_Enforced_Kernel.xml","BDC7B623386570F383B4A113BF06C7FF6A5A4271AFE572B5D68EEBC161CD650B62E70636527DFBEF09A8F95E66899CEEC424AA22CD00BBEF6D7888759D812F8D" +"Resources\WDAC Policies-Archived\Readme.md","Readme.md","E85639EA8A88E40100AC46DFF72493E1D7A4FC600562C773A04BEF1EBCAA165AD2023E3808B3A5837186DC40C97AC2CB7FA5B2166A3957644ACAC91C9819ACC8" "Shared\Compare-SecureString.psm1","Compare-SecureString.psm1","3E6056CE0145967126305BFDAE43221718BFF53A35DAF51546F4030D93D632E438D1B25EF79A76E06A3290FE4444926554439EF73BEABEC4908D7DFA6CF98D2F" -"Shared\Confirm-CertCN.psm1","Confirm-CertCN.psm1","A17FC6FF9E0AA3B6857500B21F7A2A7005052BDB917C260DE1415232A3B659B973D44C98AAFA982AA7989C9FCAC10311B3EA25F0F285636D6B0813E70D2B2935" +"Shared\Confirm-CertCN.psm1","Confirm-CertCN.psm1","D1B8D1D32D4BBB2237046274EDBD5F6BCE441974E1CFFA0BCC661A4E07DD9C5EAB76F827FFC4F1A5A365A7A23BF464C42C33D9C58E813E23CD5729614AB35C1C" "Shared\Get-AuditEventLogsProcessing.psm1","Get-AuditEventLogsProcessing.psm1","150ED44874AB49D3B80BBD9B65374D82E47EE5A6CFB02A5CFF0DC112D393B49F635B9859B63A83A1E035877A356EE63582E526CF14A39343AB15821DBD9E1C3E" "Shared\Get-BlockRulesMeta.psm1","Get-BlockRulesMeta.psm1","7A13D5608848E82D77EC587BEB4781FCD116858CDEBBA3052F4137E4A6080EB1572EFA5BB7EB184C9D69E2873588D593F8B3AAB6FD874B3E112E6266D42DC399" "Shared\Get-FileRules.psm1","Get-FileRules.psm1","C8A2E0F9F1376D46FA3ADD925F73978C7CC17B4F1EC72C95278CF771F927A24396538BF682F1D6793F214337DD1AEB211F0D20FDFDA63668407EAA88205BC911" "Shared\Get-GlobalRootDrives.psm1","Get-GlobalRootDrives.psm1","775B9B52B5AE867467F267618580CAA2BBDD2BB123F0C0A35B9D1DA43C10EFC5FE34142F305DD2B547D9A57F05DAFDA3D590A0AFE5A48EE7B8FEE88175888AED" +"Shared\Get-KernelModeDriversAudit.psm1","Get-KernelModeDriversAudit.psm1","259F643499977DE20F255387016EFC6A2D1A737B35C83B7AE34DC820B409ABE023A92436E9F0B7925EB75504ED1462D9E31EBC30A4FD02EE8DEF699AC0A45EF5" 
 "Shared\Get-RuleRefs.psm1","Get-RuleRefs.psm1","7F9D20DB666FA2A476D8A0E2DA480C1DC4B4911C392010981F2DFA2829D354CF034D0803D0FB23708A069F51BE58A6AE01D0FBAD883424DBD1D84E9921D3B289"
 "Shared\Get-SignTool.psm1","Get-SignTool.psm1","0C527834AF2486F3E1411F8F03941ECD2B8B5F7E41C19E7CCA19AB63E1251725AEACECC1C7B83EA1A590190E91BC58CACF3D2593351B16AE781C32AAABF70588"
 "Shared\Move-UserModeToKernelMode.psm1","Move-UserModeToKernelMode.psm1","437A5A968ACE58EDA26151F09F41EEF599541EF077BA6A5822D293DF75423F0377C977BDAE809480BF6EF01924582FB599FE86AE6E73B981E70C2EB7B46C5888"
diff --git a/WDACConfig/WDACConfig Module Files/Core/Build-WDACCertificate.psm1 b/WDACConfig/WDACConfig Module Files/Core/Build-WDACCertificate.psm1
index fe6a240c4..d81ff3744 100644
--- a/WDACConfig/WDACConfig Module Files/Core/Build-WDACCertificate.psm1
+++ b/WDACConfig/WDACConfig Module Files/Core/Build-WDACCertificate.psm1
@@ -248,7 +248,7 @@ ValidityPeriod = Years
 Get the value of the Application Policies extension
-($NewCertificate.Extensions | Where-Object { $_.oid.FriendlyName -eq 'Application Policies' }).Format($false)
+($NewCertificate.Extensions | Where-Object -FilterScript { $_.oid.FriendlyName -eq 'Application Policies' }).Format($false)
 Use certutil -dump -v '.\codesign.cer' to view the certificate properties, such as encoding of the certificate fields like the subject
@@ -287,8 +287,8 @@ ValidityPeriod = Years # SIG # Begin signature block # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCD0Pmkq2Dq/eTYD -# mUBJIrmyEJrkfd8ABk8OVSleUNsFkaCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAefmwKXp6aQDQ5 +# GyFzyXuqW+XjwXh/WyLmKL17F3+8XaCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5 
@@ -335,16 +335,16 @@ ValidityPeriod = Years # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQgyfG38dOJWH9RmcRqEoNo3WCjFPdQpeWfatq776M1gyAwDQYJKoZIhvcNAQEB -# BQAEggIASG9efEq01lcnAWImVCRosVR/5LPE1rDPd+3fszzL8pD+7bBRQZi+T57u -# UquSpx0XtyOd1jhyKErnTvWVyrSIPbyVmqBSjLIVZdCPsDpbuGiQnW4TCfcv9YsB -# vminrSw2dFTQm8Lyo9VOhstZc9e5Pqa4ajViLUrrX/UMf13hJzDigvse28/VWA6O -# euKGkz+Q9MX+b+S7R/QDrINDzE5D4kVFUA0mxLunb3ATGvpBMDpFE0hGkvNiFm8E -# qAA0MuvdbULJpY8CuvmD/Jj7zfciPSNMlXbhNoQQ7ROrRIG1kD35/bw6ZBFpukrC -# +n+dH/tW61ljk8aWYKdMsVzohlocq+kNvQBBvs5AVmXha1Z6dj3fQJnY2NdE8s0l -# 1rGu7lfQFReqyd5ywwMe2xSjiaZ4/C//XHEF+yjhQxvaOcUXgcQKvV2xXN+hyIOZ -# +BPgnn2bubfhW2RlnmmD+8HCTUAflmt5YbEERchgMZY0DE2blzW5y8V3eYTNzG8P -# qQfwHkGmBCqY4eDsNALlIcCwIJieNXoeqIVFlU461wrqUSz2/vKd59seXF+ANVgi -# 03WZoHXvyQYVG88+l9FTjuDEvoxs49NkjjzKrqyv1fcES7Cs/23kOhPfzy/hZZPD -# i5oc6guG8v99WHRHbYdMc+i3v+sjCH5EJTpoGmk2Gb6FcuPV7U8= +# IgQg1QqulqQXJmWru2WYLdhSLnMsmo+z8jsS9JS+BSTkpCUwDQYJKoZIhvcNAQEB +# BQAEggIACx8pJxohFRFy51ygAYNCOqVihr4lO914ahXPAJFPBr10PaqXgEDyK4E2 +# KqFgcmtLEf2q7Mn02Hr8lP6azt49Lt1w4zbYvXW+HUeBKJKa6p8M+EhUH/+EGvlE +# 4xUKr7oIjNa3KLsM1bAIsLLjYPErMWP6XDrzu8/9K+JviDUuvzboL4+y2tmAEpFH +# G5yo5L5rAVruzTZsxWse7eQXpFgLDTpaGoBc+gtc9g+nBt3xNdijA76pvshCtv7q +# wLTpQohxxLG19tQqOqNJbHtaE98sDE9xIbJGV1rDN3ETdyhIVqrmizurWUUIA/1N +# HBWcVWt5YOpwsBvV9CEnvkpogBVmp6sbRO4ETNv1AyIGYF/neYX4U6tLgYr6tF5Q +# we9fVXf565c1uve839c9gZgUvGEHy/a4Fv7vLf+nfGMsctTDUQjaluVxUdo4WxRk +# S9rDeWZZt2MYvpor6mBAN9sGEnCtComlCN1nUQXMraMlOwO3ENCy7qNXivBCtzMd +# Y+lKPFU1GpUFbfrItztenBm9pexqZimAW+HXCvZSKJUMa8E4bqj4yWiBi2HJFeOE +# ovM5ran4X0RPrjnm9/A3FYy3vXbQKC43bGUZGM39Myjv63tA6/lxHXZOTLbyeuhN +# oiMSrXYCfxZ6IDJRnH56cztOX2Rbo7/IV5k3i0Wl/ZEQhg12IQQ= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/Core/Deploy-SignedWDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/Deploy-SignedWDACConfig.psm1
index 12f1ae2bc..9e57e00f8 100644
--- a/WDACConfig/WDACConfig Module Files/Core/Deploy-SignedWDACConfig.psm1
+++ b/WDACConfig/WDACConfig Module Files/Core/Deploy-SignedWDACConfig.psm1
@@ -45,7 +45,7 @@ Function Deploy-SignedWDACConfig {
 }
 # Count the number of duplicate CNs in the output array
-[System.Int64]$NumberOfDuplicateCNs = @($Output | Where-Object { $_ -eq $InputCN }).Count
+[System.Int64]$NumberOfDuplicateCNs = @($Output | Where-Object -FilterScript { $_ -eq $InputCN }).Count
 # If the certificate with the provided common name exists in the personal store of the user certificates
 if ($Output -contains $_) {
@@ -325,8 +325,8 @@ Register-ArgumentCompleter -CommandName 'Deploy-SignedWDACConfig' -ParameterName
 # SIG # Begin signature block
 # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor
 # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
-# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCD9zseRSedgvEH/
-# UmdR8mMCozbNr5swsYhfIbgKI2SACKCCB9AwggfMMIIFtKADAgECAhMeAAAABI80
+# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAnRwDvigOya6Sj
+# l2hIoqVyfOcnyR6nt70Hk73zv/QukKCCB9AwggfMMIIFtKADAgECAhMeAAAABI80
 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj
 # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT
 # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5
@@ -373,16 +373,16 @@ Register-ArgumentCompleter -CommandName 'Deploy-SignedWDACConfig' -ParameterName # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQg5WiETJONw1G0NqOHUdYMKymFHXSous2MRSuw7UicVzMwDQYJKoZIhvcNAQEB -# BQAEggIAVm5+YhMxTotLMOqvHaMODj0JyAm418qIJIwMO0NaplA6JFTuVM4qwGM5 -# vLAMy8ojlEQZnnOo5ieGaCHi3N8+lbL/opd159/+lOHDq57uVrJoxUT3VkuEXYKB -# cvzx+qTe9UQnh3C8VQ9TiLAcD3nictP79NPR3B0Dhsb7a8PeKJ4NRWfb+aPbucAa -# NPzsaF6rXUOyIsWMoeOIt0AGg3FXuwslQhnBLTf5TnD//INC5WB2fHY93I2EO7ME -# 664G9ygjY/2MuPVFW5wYe05vgqBXKkyB7dV4LzkA/U0avyEOlIuMMqqWOUKZ3yLU -# kZZ00Op6UkXW1EO4GKiMjOk7FyuD1/48/fPxozfrXb6nZrJ4fVLqQh+GeaK351jl -# 0psap4rV/xo5imGA+o5RWP96ykDkoZoMA4QYw1yoChG1qbiz7mwbY6pyG4Lkuw99 -# gasRVqFAazrE70N1IaPfKftkvtMeOR+WUrAEBdI5VuKR6scEPRZM/3mc1dhqE88i -# 6lp1Zi+TJrVPAbPihGXwMiIvcXSH9QoF2qJ5acFIIzsqLSRn9HyoYhYiP4gTn8Jm -# qZUyEdV3e6mH1A3rBqNxlFdXkmCGDJkmFoLl9pGAatvIIYtacOCdnBRg3E2t5VlK -# /mlgVwDOmnno7gZ90CPZjmVvTeOrayUfpqO3FKRWVvaqZ6HWlc4= +# IgQgFZecwVpcHmdKO1YFkbSeCvzEm9Mb7EB+M27hBmiHkuIwDQYJKoZIhvcNAQEB +# BQAEggIAc3Hmq3D+n+5akVGKDhi0Rnn0emGfUhUw/yDDiGUN/ndan4AsNnWe1QPT +# w4dkRZXgV6/bfp5ak4wr3JcixOM0oxQFutFKvYGIdP4Kv4zoDUnqN+dSm1wf6XG+ +# OvNzEtvgULzkJvfmtWS3sS5Rz9tevMw/t+oCROOUMA6xAcVSiVbPiVA27INWR5jC +# bl2LXbwWX0tbbMIfjPEOcjq8CgpqW0K65dIYE9cNhUCjy0mZRb12Fp7krtvJejgy +# TegxreANnHPJNjyxivdw56lGrk6rL/qLgtE/dK4sH+SAXHAZmCYdlm1k0TPfJ4Dt +# 3JM5zkvVWFcs9rmO7yCyBg+s6qmZmd2Qtio8lzxjefe/a+mIzT08k0vzVOZ0kN9y +# s1VslYBOQmFnTjc3hLc4mU4zfcvrCrOM+BLx64twanadX9f4WCW4cL+cFlRbwJ8j +# LvL8O43QZYQj2svboUZiG5QQ5cu28x17+K9CCpqw+UaiI7n/78xvUzu5gP1bct1k +# UI81Dcf+IdUu4l++jEyB9BYIu39+kgtOJP6y/DdVGYyd02kOzU2wnOOzhcxGUj/O +# O6i5bkW6hTKlZSBsC9PCGItUmcsXM7Bzlyjrlcrth1fRGvmoXGXfaAgwa3Oqd+S3 +# xZBtIwGbi22EbbearPIUyovC+ryaqtTy0iHmWtuUqfJHF9wGXD0= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/Core/Edit-SignedWDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/Edit-SignedWDACConfig.psm1
index 6a2218629..ce83ff849 100644
--- a/WDACConfig/WDACConfig Module Files/Core/Edit-SignedWDACConfig.psm1
+++ b/WDACConfig/WDACConfig Module Files/Core/Edit-SignedWDACConfig.psm1
@@ -97,7 +97,7 @@ Function Edit-SignedWDACConfig {
 }
 # Count the number of duplicate CNs in the output array
-[System.Int64]$NumberOfDuplicateCNs = @($Output | Where-Object { $_ -eq $InputCN }).Count
+[System.Int64]$NumberOfDuplicateCNs = @($Output | Where-Object -FilterScript { $_ -eq $InputCN }).Count
 # If the certificate with the provided common name exists in the personal store of the user certificates
 if ($Output -contains $_) {
@@ -1415,8 +1415,8 @@ Register-ArgumentCompleter -CommandName 'Edit-SignedWDACConfig' -ParameterName '
 # SIG # Begin signature block
 # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor
 # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
-# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCBsX+jTe9aAPugV
-# jQ6GYpMvRzxNBuhyHKpy2hxNgtCzbKCCB9AwggfMMIIFtKADAgECAhMeAAAABI80
+# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCNeRmZQKTwdUTA
+# HvqKj9CxQKzjxQHJh2HG1KWrDx5zLKCCB9AwggfMMIIFtKADAgECAhMeAAAABI80
 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj
 # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT
 # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5
@@ -1463,16 +1463,16 @@ Register-ArgumentCompleter -CommandName 'Edit-SignedWDACConfig' -ParameterName ' # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQgKSjD2MW2Gb5VusOhuhtXcMx5q1Jfedkgq0K6OO4mH4EwDQYJKoZIhvcNAQEB -# BQAEggIAnVNbQnr0v4dETHPzy5V27hR0HrrzHdQEbijkwwad8kZ+Tv9Z0+fUZH4l -# pLdNo+Fg6h/DgCk2BMhEz84OECX7sa89glm3nIpZRSP55iK4M1unb3OR9/BUhgzT -# nYMENSDAylMF5tc+nQ8F/syPCvcF80rvXm80SYf+WCvVo2QlDFUxqWI/wFngEoZ8 -# 76i1PhtJrs6j5YTeZ+9D9SlVCvCWDCxqeiKogbKXneEsv9x2l0LJMDa4PffoPHE+ -# zH2umg2LQFdzD7w08VWSRvmWJaK+nG6HNxTfAkn5rE6zP5au46756u2IDNmPT/bW -# jmoxpnF9diaecWJrc+83XWS3CizA4dZDosIb+L6u3k/SXBEIZwiPXdhIAyw3iG1l -# HvSaIzafred6wyB+UeMELWk4N5QryN29Cu/LEzE0/LMzr5kI3IQFwjlO1T+Pdpxi -# MY5yhyS3BNjkGV14og98gxIU8UC0L28H9WV63doWpEjMqakaxyMUbapNM1upaC10 -# fC6PiyHWPn+v1r4dIzhqJLx6dDFZg2pWaGtFuFfLSZP9rrbtTWivNwAzn5c2AJfM -# zTAg3XIfdYIn1NnDonV6sXjmijXhHf5Y6ONy24Aldo503/56RB6X7EBmPp9dydlJ -# zTgrHgpuk0mc73TUreobqL/3s9XUWEvh00AwOgc4g/MYDO+qxc4= +# IgQgI90KwbePyo0nx7GnFzFujax0MrUWhbn3N7dTT8zJJfUwDQYJKoZIhvcNAQEB +# BQAEggIAXMq/ceUUilX7w4E1YVjtVfMtCYcqER6N8rQkwKjaUAM+frW1v4xOqKfq +# lrZrn0yjtRZCq5gsVPL9fLBAa4dzCSkfPG95X1zNQhoyAL7D9qfPlNI7QgebAZJH +# i4e6Dc+O4/a92ASefmDOA++8n8LzPEdXiM/GMtpdIvTQNdodcOPLhXci5ebfk2C1 +# gilz3pDPeMZkC8hO6Nr85T/7I/BXDN2eYfvd8jeos+wta/XLbmmeWGtv7CugV/2u +# d5KzhHbgCs6yzVuvLonHd8AO3gZ4RHn70sPSp3FpEVPMESR7aJbxjnMrNrn6JraL +# +uGHXEbkiHlmqH/c6mgBetWjxdCCQY2mXzmrP6xA0WI4ZL5OZA+bNFp068giqouj +# f5XIqpqa5BdHZEcdM8kfiFOcF2i3MmLwdXZMPBdO8/Kldhk9hwVyN1rI52JFgjEg +# kgylNJKuEvph9OopOGg32rfq1BmfbNwRhYuyKw/eyMFw+HkDeIs3ODcHLZ8GNcG/ +# vMd/bRUZgDMrMwtO3blgMkZCyEb93fAcNREORgwBMw1BkbNHTn+LkvokBOVt37LU +# pTxBKYO67uiL733sYGq8Ih9lU7ZCojoexhaQ9vgD1XlQ0uY+A+QpZ/GjuwrsjK6r +# s97i8tUqeN3+ZE8m2D/6aOJdGzAwoIBUfpXRBx9jz/C4jmp3Z5k= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/Core/Get-CommonWDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/Get-CommonWDACConfig.psm1
index b286d281d..2982e4018 100644
--- a/WDACConfig/WDACConfig Module Files/Core/Get-CommonWDACConfig.psm1
+++ b/WDACConfig/WDACConfig Module Files/Core/Get-CommonWDACConfig.psm1
@@ -9,43 +9,48 @@ Function Get-CommonWDACConfig {
 [parameter(Mandatory = $false, DontShow = $true)][System.Management.Automation.SwitchParameter]$StrictKernelPolicyGUID,
 [parameter(Mandatory = $false, DontShow = $true)][System.Management.Automation.SwitchParameter]$StrictKernelNoFlightRootsPolicyGUID,
 [parameter(Mandatory = $false)][System.Management.Automation.SwitchParameter]$Open,
-[parameter(Mandatory = $false, DontShow = $true)][System.Management.Automation.SwitchParameter]$LastUpdateCheck
+[parameter(Mandatory = $false, DontShow = $true)][System.Management.Automation.SwitchParameter]$LastUpdateCheck,
+[parameter(Mandatory = $false)][System.Management.Automation.SwitchParameter]$StrictKernelModePolicyTimeOfDeployment
 )
 begin {
 # Importing the $PSDefaultParameterValues to the current session, prior to everything else
 . "$ModuleRootPath\CoreExt\PSDefaultParameterValues.ps1"
-# Importing the required sub-modules
-Write-Verbose -Message 'Importing the required sub-modules'
-Import-Module -FullyQualifiedName "$ModuleRootPath\Shared\Write-ColorfulText.psm1" -Force
+
+# Assigning the path to the UserConfigurations.json file
+[System.IO.FileInfo]$Path = "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json"
 # Create User configuration folder if it doesn't already exist
-if (-NOT (Test-Path -Path "$UserAccountDirectoryPath\.WDACConfig\")) {
-New-Item -ItemType Directory -Path "$UserAccountDirectoryPath\.WDACConfig\" -Force | Out-Null
+if (-NOT (Test-Path -Path (Split-Path -Path $Path -Parent))) {
+New-Item -ItemType Directory -Path (Split-Path -Path $Path -Parent) -Force | Out-Null
 Write-Verbose -Message 'The .WDACConfig folder in the current user folder has been created because it did not exist.'
 }
 # Create User configuration file if it doesn't already exist
-if (-NOT (Test-Path -Path "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json")) {
-New-Item -ItemType File -Path "$UserAccountDirectoryPath\.WDACConfig\" -Name 'UserConfigurations.json' -Force | Out-Null
-Write-Verbose -Message 'The UserConfigurations.json file in \.WDACConfig\ folder has been created because it did not exist.'
+if (-NOT (Test-Path -Path $Path)) {
+New-Item -ItemType File -Path (Split-Path -Path $Path -Parent) -Name (Split-Path -Path $Path -Leaf) -Force | Out-Null
+Write-Verbose -Message 'The UserConfigurations.json file has been created because it did not exist.'
 }
 if ($Open) {
-. "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json"
-break
+. $Path
+
+# set a boolean value that returns from the Process and End blocks as well
+[System.Boolean]$ReturnAndDone = $true
+# return/exit from the begin block
+Return
 }
 # Display this message if User Configuration file is empty or only has spaces/new lines
-if ([System.String]::IsNullOrWhiteSpace((Get-Content -Path "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json"))) {
+if ([System.String]::IsNullOrWhiteSpace((Get-Content -Path $Path))) {
 Write-Verbose -Message 'Your current WDAC User Configurations is empty.'
-# set a boolean value that returns from the Process and End blocks as well
+[System.Boolean]$ReturnAndDone = $true
 # return/exit from the begin block
 Return
 }
 Write-Verbose -Message 'Reading the current user configurations'
-[System.Object[]]$CurrentUserConfigurations = Get-Content -Path "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json"
+[System.Object[]]$CurrentUserConfigurations = Get-Content -Path $Path -Force
 # If the file exists but is corrupted and has bad values, rewrite it
 try {
@@ -53,7 +58,8 @@ Function Get-CommonWDACConfig {
 }
 catch {
 Write-Warning -Message 'The UserConfigurations.json was corrupted, clearing it.'
-Set-Content -Path "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json" -Value ''
+Set-Content -Path $Path -Value ''
+[System.Boolean]$ReturnAndDone = $true
 # return/exit from the begin block
 Return
@@ -84,10 +90,10 @@ Function Get-CommonWDACConfig {
 $StrictKernelNoFlightRootsPolicyGUID.IsPresent { return ($CurrentUserConfigurations.StrictKernelNoFlightRootsPolicyGUID ?? $null) }
 $CertPath.IsPresent { return ($CurrentUserConfigurations.CertificatePath ?? $null) }
 $LastUpdateCheck.IsPresent { return ($CurrentUserConfigurations.LastUpdateCheck ?? $null) }
+$StrictKernelModePolicyTimeOfDeployment.IsPresent { return ($CurrentUserConfigurations.StrictKernelModePolicyTimeOfDeployment ?? $null) }
 Default {
 # If no parameter is present
-Write-ColorfulText -Color Pink -InputText 'Displaying the User Configurations that have values'
-Write-Output -InputObject $CurrentUserConfigurations
+Return $CurrentUserConfigurations
 }
 }
 }
@@ -120,6 +126,8 @@ Function Get-CommonWDACConfig {
 Shows the GUID of the Strict Kernel no Flights root mode policy
 .PARAMETER LastUpdateCheck
 Shows the date of the last update check
+.PARAMETER StrictKernelModePolicyTimeOfDeployment
+Shows the date of the last Strict Kernel mode policy deployment
 .PARAMETER Verbose
 Shows verbose messages
 .INPUTS
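Review bot: With `$Path` now typed `[System.IO.FileInfo]`, the four `Split-Path -Path $Path -Parent`/`-Leaf` calls in the folder- and file-creation branches of the -9 hunk re-parse a string the object already exposes; `if (-NOT (Test-Path -Path $Path.DirectoryName)) {` and `New-Item -ItemType File -Path $Path.DirectoryName -Name $Path.Name -Force | Out-Null` read more directly. The `$Open` branch dot-invokes `$Path`; since it is a .json document this presumably hands it to the shell's associated application rather than running it, which is worth stating in a comment such as `# Invoke the JSON file so it opens in its default associated application`. The `-Force` added to the second `Get-Content` call is not explained, and the earlier `IsNullOrWhiteSpace` read of the same file does not use it; if it is meant to read a hidden or read-only file, say so and apply it to both reads. Get-CommonWDACConfig's begin block continues past this hunk, and the -53 and -84 hunks belong to the same function.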
@@ -135,8 +143,8 @@ Function Get-CommonWDACConfig { # SIG # Begin signature block # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCwf2tydbFonUJA -# TX6XctLTkPUB92871x++AbBMLXzprKCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCBoVCz7I2ruYbwu +# q8diFmkQbaGDKCkez2teF5aEak0b1aCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5 
@@ -183,16 +191,16 @@ Function Get-CommonWDACConfig { # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQgwfpqrpvuYjerMY7ly1lc0evK86y333yWP91S9IsnT2EwDQYJKoZIhvcNAQEB -# BQAEggIAj9gCB8XhPJDoQlg8Ds1RGkuBGVh09AwmFgOaN51I/JF9pf+PN+EGZLLe -# 6c4j8VBomdksxD7LZ1vBn6QZgYQKJ+4dzmtPlEYepXa7204WQVi1qI7QhUcdcf2f -# 9X5FGlBG3xpAWkxpH9XeDh/8AL9hafX+/niVRqAJGJitLq7B2lI3UKHyxVSJilSW -# cHbXT/8dRe9evPRkvBluCk3tFIf90druUDqZObHygwrkWohElIe7eMR/rX8wi/UZ -# Kayzb0r72AWs1hy4WhfEY3u/fIXU8VqxVLt+WGMws+x4qH3ZJkC8pdfV8TPJPi4m -# UjDGruR91Mc6N7PvWZqZRLefDXhBfwNyV76uAoaqUo73bc+4tOHJi86hwd9vxjpf -# SvV0KcCo6TStM7MybPXpMqm3keSgaIhxNm1oUasx7UgN/J9ROWdyDwSQ2mMwwc33 -# aadUe64SalGyz8e5ACBjo+JVErbZ5LjOFCTa69GkNGGZ2De0Bae8BLcSXjpCxQRt -# jOFryDXpGCS64WdBJ+UZGXeJCArat0/jczAWii5Myll6ss2XpcPyZFn+EdHjFEJp -# RSYKxxGfuyTm3w4jrAwUJFaEm0oy4MTLesy+FuE62fMi0vTXRMqCQaavF3fY4tAA -# TuLEX/llPXR71FlmOmQLMFcIxMKq+RGj+ufjSMyDrtELahcW/s0= +# IgQgK2B2kN3kvH9A3GrhFEBbkVX1Ee0InPzwka3+h2VPB0owDQYJKoZIhvcNAQEB +# BQAEggIAlNlbhlh4szyr8FeHXlyNaV+Y8d9xtNmxKZUpg1lDemcJDrQUEM4bDPYo +# tvanj8YO6NXazSGnSqdVWUF0T3Fd+Sr/SCcDXuyy5P3J4qaYg2A7qLdXzjUW7KWY +# cevrCpbqScFMi1uBZDwv9DbkH+lk9hiYJcGBDqw4HZXAGvGT4Hgz1jWyONPFJ0Y/ +# UYIGw9m4RH19cnCL8wMu32+K4r89EIlGeZ3m73WEw3JRpis+SQIcvivAepNFYvgi +# box/v2N4GvDcs/8FdFDdoxYQxnlzp6Xu/0oGgTwokxmPonAYE5DzEBy1U8ozeix4 +# LUy8fKWUqjZGDdr+BkFLymRLk+WDFwQ4aqvb8aHOC8n6PZW+jO1jz8jwxCJ190RQ +# fr0DsFlhU4mkzITaxld51yKxdTMYDl7p0ISeWF448yY3FqLlU3ndS9ExbpryOnwB +# r6QiaPO94Ch5idJSugnxJgzO+JXDCEuwY1i+8Bm3h5S9md0H0NZ30mId0SD/SPK3 +# tCIbFSCvqiRugW2pFpzs/HAYSWwlDVKFzXF6fZhgufPUWZ157xTgxUWqHIeYYRtv +# mGtFVis3jnCQHvlgxYr5DuSb82774zBaSIaKXWpoVFF5nRgafiEzFcgCVw2DJhFP +# WzDrsKY4qVdRNuR26BUGKAqW+mt4cRsBTwk0mYkCJ198mR6kzSE= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/Core/New-KernelModeWDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/New-KernelModeWDACConfig.psm1
index 8ace06cdb..5c0f8a045 100644
--- a/WDACConfig/WDACConfig Module Files/Core/New-KernelModeWDACConfig.psm1
+++ b/WDACConfig/WDACConfig Module Files/Core/New-KernelModeWDACConfig.psm1
@@ -31,6 +31,9 @@ Function New-KernelModeWDACConfig {
 # Detecting if Verbose switch is used
 $PSBoundParameters.Verbose.IsPresent ? ([System.Boolean]$Verbose = $true) : ([System.Boolean]$Verbose = $false) | Out-Null
+# Detecting if Debug switch is used, will do debugging actions based on that
+$PSBoundParameters.Debug.IsPresent ? ([System.Boolean]$Debug = $true) : ([System.Boolean]$Debug = $false) | Out-Null
+
 # Importing the $PSDefaultParameterValues to the current session, prior to everything else
 . "$ModuleRootPath\CoreExt\PSDefaultParameterValues.ps1"
@@ -39,9 +42,7 @@ Function New-KernelModeWDACConfig {
 Import-Module -FullyQualifiedName "$ModuleRootPath\Shared\Update-self.psm1" -Force
 Import-Module -FullyQualifiedName "$ModuleRootPath\Shared\Write-ColorfulText.psm1" -Force
 Import-Module -FullyQualifiedName "$ModuleRootPath\Shared\Move-UserModeToKernelMode.psm1" -Force
-
-# Detecting if Debug switch is used, will do debugging actions based on that
-$PSBoundParameters.Debug.IsPresent ? ([System.Boolean]$Debug = $true) : ([System.Boolean]$Debug = $false) | Out-Null
+Import-Module -FullyQualifiedName "$ModuleRootPath\Shared\Get-KernelModeDriversAudit.psm1" -Force
 # if -SkipVersionCheck wasn't passed, run the updater
 if (-NOT $SkipVersionCheck) { Update-self -InvocationStatement $MyInvocation.Statement }
@@ -198,14 +199,13 @@ Function New-KernelModeWDACConfig {
 Write-Verbose -Message 'Setting the GUID of the Audit mode policy in the User Configuration file'
 Set-CommonWDACConfig -StrictKernelPolicyGUID $PolicyID | Out-Null
+Write-Verbose -Message 'Setting the time of deployment for the audit mode policy in the User Configuration file'
+Set-CommonWDACConfig -StrictKernelModePolicyTimeOfDeployment (Get-Date) | Out-Null
+
 Write-Verbose -Message 'Deploying the Strict Kernel mode policy'
 &'C:\Windows\System32\CiTool.exe' --update-policy "$PolicyID.cip" -json | Out-Null
 Write-ColorfulText -Color HotPink -InputText 'Strict Kernel mode policy has been deployed in Audit mode, please restart your system.'
-Write-Verbose -Message 'Clearing the Code Integrity operational event logs before system restart so that after reboot it will only have the correct and new logs that belong to the kernel mode drivers'
-&'C:\Windows\System32\wevtutil.exe' cl 'Microsoft-Windows-CodeIntegrity/Operational'
-&'C:\Windows\System32\wevtutil.exe' cl 'Microsoft-Windows-AppLocker/MSI and Script'
-
 if (!$Debug) {
 Write-Verbose -Message 'Removing the DefaultWindows_Enforced_Kernel.xml and its CIP file after deployment since -Debug parameter was not used.'
 Remove-Item -Path '.\DefaultWindows_Enforced_Kernel.xml', ".\$PolicyID.cip" -Force -ErrorAction SilentlyContinue
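Review bot: `Set-CommonWDACConfig -StrictKernelModePolicyTimeOfDeployment (Get-Date)` records a local-time value with no explicit zone, and now that the `wevtutil cl` calls are removed this timestamp is presumably what separates pre- from post-deployment Code Integrity events when the audit logs are scanned after the reboot; a DST transition or a time-zone change between deployment and reboot would shift that boundary. Storing an unambiguous round-trip value, e.g. `(Get-Date).ToUniversalTime().ToString('o')`, and comparing event times in UTC on the consumer side avoids that, assuming Set-CommonWDACConfig (outside this hunk) serializes whatever it is given. Dropping the log clearing is an improvement from an incident-response standpoint, since the module no longer erases unrelated Code Integrity and AppLocker events on the host. The same `Get-Date` call is added in the -343 hunk below, and the enclosing branch of New-KernelModeWDACConfig starts and ends outside this hunk.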
@@ -240,13 +240,16 @@ Function New-KernelModeWDACConfig {
 $CurrentStep++
 Write-Progress -Id 26 -Activity 'Scanning the Event logs' -Status "Step $CurrentStep/$TotalSteps" -PercentComplete ($CurrentStep / $TotalSteps * 100)
+# Get the kernel mode drivers directory path containing symlinks
+[System.IO.DirectoryInfo]$KernelModeDriversDirectory = Get-KernelModeDriversAudit
+
 powershell.exe -Command {
-Write-Verbose -Message 'Scanning the Event viewer logs for drivers'
-$DriverFilesObj = Get-SystemDriver -Audit
+Write-Verbose -Message 'Scanning the kernel-mode drivers detected in Event viewer logs'
+$DriverFilesObj = Get-SystemDriver -ScanPath $args[0]
 Write-Verbose -Message 'Creating a policy xml file from the driver files'
 New-CIPolicy -MultiplePolicyFormat -Level FilePublisher -Fallback None -FilePath '.\DriverFilesScanPolicy.xml' -DriverFiles $DriverFilesObj
-}
+} -args $KernelModeDriversDirectory
 $CurrentStep++
 Write-Progress -Id 26 -Activity 'Configuring the final policy' -Status "Step $CurrentStep/$TotalSteps" -PercentComplete ($CurrentStep / $TotalSteps * 100)
@@ -299,6 +302,9 @@ Function New-KernelModeWDACConfig {
 Write-Verbose -Message 'Removing the GUID of the StrictKernelPolicy from user configuration'
 Remove-CommonWDACConfig -StrictKernelPolicyGUID | Out-Null
+
+Write-Verbose -Message 'Removing the time of deployment of the StrictKernelPolicy from user configuration'
+Remove-CommonWDACConfig -StrictKernelModePolicyTimeOfDeployment | Out-Null
 }
 else {
 # Remove the Audit mode policy from the system
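Review bot: `$KernelModeDriversDirectory` is a `[System.IO.DirectoryInfo]` that is handed to a separate `powershell.exe` process through `-args`, so `$args[0]` arrives as a serialized copy and `-ScanPath` receives its string form; this presumably works because the path is already absolute, but passing `$KernelModeDriversDirectory.FullName` removes the dependence on how the serialized object stringifies. The two `Write-Verbose` calls inside the child script block run under the child process's own `$VerbosePreference`, so the parent's `-Verbose` switch does not reach them unless it is forwarded explicitly. A comment on the `-args` line such as `# Pass the temp directory of driver symlinks into the Windows PowerShell child, which hosts the ConfigCI cmdlets` would explain why a second process is used at all. New-KernelModeWDACConfig continues outside this hunk.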
@@ -309,8 +315,9 @@ Function New-KernelModeWDACConfig {
  Write-ColorfulText -Color Pink -InputText 'Strict Kernel mode Enforced policy has been created in the current working directory.'
  }
  if (!$Debug) {
- Write-Verbose -Message 'Removing the DriverFilesScanPolicy.xml and the CIP file because -Debug parameter was not used'
+ Write-Verbose -Message 'Removing the DriverFilesScanPolicy.xml, CIP file and KernelModeDriversDirectory in Temp folder because -Debug parameter was not used'
  Remove-Item -Path ".\$PolicyID.cip", '.\DriverFilesScanPolicy.xml' -Force -ErrorAction SilentlyContinue
+ Remove-Item -Path $KernelModeDriversDirectory -Recurse -Force
  }
  Write-Progress -Id 26 -Activity 'Complete.' -Completed
  }
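Review bot: The new `Remove-Item -Path $KernelModeDriversDirectory -Recurse -Force` only runs on the success path and only without `-Debug`, so if the scan or `New-CIPolicy` throws earlier, the Temp directory of links to kernel-mode drivers is left behind; wrapping the scan in `try { … } finally { … }` with this cleanup in the `finally` branch (still skipped under `-Debug`) would close that gap. It also lacks the `-ErrorAction SilentlyContinue` the preceding `Remove-Item` carries, so a locked Temp directory now aborts the function after all the real work succeeded — pick one error-handling style for both lines. Since the directory is documented as holding symlinks, confirm on the targeted PowerShell edition that the recursive delete removes the links and not the driver files they point at, particularly if any entry is a directory link. The same cleanup appears at @@ -454,8 +466,9 @@. New-KernelModeWDACConfig's body starts and ends outside the hunk.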
@@ -343,14 +350,13 @@ Function New-KernelModeWDACConfig { Write-Verbose -Message 'Setting the GUID of the Audit mode policy in the User Configuration file' Set-CommonWDACConfig -StrictKernelNoFlightRootsPolicyGUID $PolicyID | Out-Null + Write-Verbose -Message 'Setting the time of deployment for the audit mode policy in the User Configuration file' + Set-CommonWDACConfig -StrictKernelModePolicyTimeOfDeployment (Get-Date) | Out-Null + Write-Verbose -Message 'Deploying the Strict Kernel mode policy' &'C:\Windows\System32\CiTool.exe' --update-policy "$PolicyID.cip" -json | Out-Null Write-ColorfulText -Color HotPink -InputText 'Strict Kernel mode policy with no flighting root certs has been deployed in Audit mode, please restart your system.' - Write-Verbose -Message 'Clearing the Code Integrity operational event logs before system restart so that after reboot it will only have the correct and new logs that belong to the kernel mode drivers' - &'C:\Windows\System32\wevtutil.exe' cl 'Microsoft-Windows-CodeIntegrity/Operational' - &'C:\Windows\System32\wevtutil.exe' cl 'Microsoft-Windows-AppLocker/MSI and Script' - if (!$Debug) { Write-Verbose -Message 'Removing the DefaultWindows_Enforced_Kernel_NoFlights.xml and its CIP file after deployment since -Debug parameter was not used.' Remove-Item -Path '.\DefaultWindows_Enforced_Kernel_NoFlights.xml', ".\$PolicyID.cip" -Force -ErrorAction SilentlyContinue 
@@ -385,13 +391,16 @@ Function New-KernelModeWDACConfig { $CurrentStep++ Write-Progress -Id 28 -Activity 'Scanning the Event logs' -Status "Step $CurrentStep/$TotalSteps" -PercentComplete ($CurrentStep / $TotalSteps * 100) + # Get the kernel mode drivers directory path containing symlinks + [System.IO.DirectoryInfo]$KernelModeDriversDirectory = Get-KernelModeDriversAudit + powershell.exe -Command { - Write-Verbose -Message 'Scanning the Event viewer logs for drivers' - $DriverFilesObj = Get-SystemDriver -Audit + Write-Verbose -Message 'Scanning the kernel-mode drivers detected in Event viewer logs' + $DriverFilesObj = Get-SystemDriver -ScanPath $args[0] Write-Verbose -Message 'Creating a policy xml file from the driver files' New-CIPolicy -MultiplePolicyFormat -Level FilePublisher -Fallback None -FilePath '.\DriverFilesScanPolicy.xml' -DriverFiles $DriverFilesObj - } + } -args $KernelModeDriversDirectory $CurrentStep++ Write-Progress -Id 28 -Activity 'Creating the final policy' -Status "Step $CurrentStep/$TotalSteps" -PercentComplete ($CurrentStep / $TotalSteps * 100) @@ -444,6 +453,9 @@ Function New-KernelModeWDACConfig { Write-Verbose -Message 'Removing the GUID of the StrictKernelNoFlightRootsPolicy from user configuration' Remove-CommonWDACConfig -StrictKernelNoFlightRootsPolicyGUID | Out-Null + + Write-Verbose -Message 'Removing the time of deployment of the StrictKernelPolicy from user configuration' + Remove-CommonWDACConfig -StrictKernelModePolicyTimeOfDeployment | Out-Null } else { # Remove the Audit mode policy from the system 
@@ -454,8 +466,9 @@ Function New-KernelModeWDACConfig { Write-ColorfulText -Color Pink -InputText 'Strict Kernel mode Enforced policy with no flighting root certs has been created in the current working directory.' } if (!$Debug) { - Write-Verbose -Message 'Removing the DriverFilesScanPolicy.xml and the CIP file because -Debug parameter was not used' + Write-Verbose -Message 'Removing the DriverFilesScanPolicy.xml, CIP file and KernelModeDriversDirectory in Temp folder because -Debug parameter was not used' Remove-Item -Path ".\$PolicyID.cip", '.\DriverFilesScanPolicy.xml' -Force -ErrorAction SilentlyContinue + Remove-Item -Path $KernelModeDriversDirectory -Recurse -Force } Write-Progress -Id 28 -Activity 'Complete.' -Completed } @@ -503,8 +516,8 @@ Function New-KernelModeWDACConfig { # SIG # Begin signature block # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCBa4yo5ifQ57ro7 -# HjoaZcWuNoySXj1RawJ7KtVwM2tAbKCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCBxEju7MovYNoFz +# T/QceA1rALlIV+PzbfOFqBVuev2WfqCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5 
@@ -551,16 +564,16 @@ Function New-KernelModeWDACConfig { # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQg5YFrxDs4epjrcDsnQj5yWYjm3/If9xC3pvRf/Q905yUwDQYJKoZIhvcNAQEB -# BQAEggIAByDHvBGbw2xEmJZLcQQ9evV6bjpuxa8c+SEEjPK6JSccR6P5/SHVTRSd -# ZwGVphiT/apxKzqX4lV6UbVjT1T57eD/N7jwFkpGCFLB/yd8tjURSrEA3xVQhl3i -# 4UYwmzkUe8TWAouChnT+/1hJIYFcAkq/uVFAX1PWfWXOwXZ4UQB36cpr/x0jvPk5 -# aPWfN0iPxJwy9seykLgDaBiQel40D/o6T0Umy7vpkbYM8b1Cg79jSFEYkB7DUPlT -# sYDEmy20zxsdrIED2IZdJYj5yuFJlNiP5M+TS2YFFZVb9pR/4SNP/c0X2Px0BB1G -# RbgmhNKRPf5EPerEHx30dEv7BlqQzT6oBglN9sdqcM13gJVeVNUMhefzTZPoZzwW -# xPhBfvGSLlnAowIO/pti30iinDt/8BhdmxeB6UXVGJnjrdsW3xlsJGCZhgynp/6W -# gul8FODe3kxTtkbPRjjwkgR0vAM6HryLPM5duzFWlOMTGnUxoW56oKP7TugGgzLO -# ZcopziQSIAJyrsXIyhCE1rFIfs84JhvekBdLHOFSlwTqVV0SM5axHpDdXFAed2je -# P4Y5SyKkdU+YY+MuaIHPyLXn8nxRw94G5Julm11cMiDJXdv+4nRtiwS/+17SSjy8 -# iXybEBNZk5YmS3+8KErJZoNiDbqxeYJcDsymlko7GJ85+zSAOus= +# IgQgKKKaEAqV5G3upfp4Kntgy/vj4hPoXLK4ioEHnP5IvNMwDQYJKoZIhvcNAQEB +# BQAEggIAa6dC4aaEXxzT7RDJE1wIy4XLdznyrcCeZ4It+BgrrfHefhZVHRpaqBqd +# 9eSoW5WpRKfRhPf1Xc7KH/YyLrfWkbQ9ihf2t99k/mKi8lcb4tU5qCXeZP5LWJWi +# dhRpZkMBLtsHJRvyRaWLoyhgdqQ6d6I50R6l0u4KbjtUEAlOsUNs7Ti1uPIQfBJC +# OAbUv80iz+DNCeI3HHguA6dyy7cHjhhfQ/JhgHBMYzasUX8SVKGFD58RrIpIFS74 +# q7bcqSOwpZXyZSuZQjnHmWtgUgobOACGQgWAenidciHfSUpmG3fHfvC18iX9i/tj +# dEJbSEBFoodCYPeI1yIn/54YlusQY+2iDwkGGp12tX2dDYB56CP5kjLkj+bILTXl +# diEvgfJ8jnrJie3EBGX+CbBmwiKajonVW/5ihjaTYdhYxKvacqtLcHypGKJy7Pwe +# to6LaYuwZe3wfxK2BEqN5sY6cNG7ca2cO9u6KUOnkBv3JdRlEhikox5LX1EZY9nf +# ytF6Ft8WlU6EVpRQNWUNABSbj3Qng/1NOP1Y+nSTGZGB6OuFDaPDmn4OXQ2SXCyO +# JbL6HB1SCqc0LKcMId+p8J7BYySOIxi3SMtjLSlGwu7GtXe1gurdHEPHNKJ69eW+ +# XUy45JKXsg8kH1SdfFjXY3dPOcrcGmFVZUkXjdQ70zD4XTzVYhg= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/Core/Remove-CommonWDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/Remove-CommonWDACConfig.psm1
index 5e1cb9c2e..1d483a343 100644
--- a/WDACConfig/WDACConfig Module Files/Core/Remove-CommonWDACConfig.psm1
+++ b/WDACConfig/WDACConfig Module Files/Core/Remove-CommonWDACConfig.psm1
@@ -8,33 +8,37 @@ Function Remove-CommonWDACConfig { [parameter(Mandatory = $false)][System.Management.Automation.SwitchParameter]$SignedPolicyPath, [parameter(Mandatory = $false)][System.Management.Automation.SwitchParameter]$StrictKernelPolicyGUID, [parameter(Mandatory = $false)][System.Management.Automation.SwitchParameter]$StrictKernelNoFlightRootsPolicyGUID, - [parameter(Mandatory = $false, DontShow = $true)][System.Management.Automation.SwitchParameter]$LastUpdateCheck + [parameter(Mandatory = $false, DontShow = $true)][System.Management.Automation.SwitchParameter]$LastUpdateCheck, + [parameter(Mandatory = $false)][System.Management.Automation.SwitchParameter]$StrictKernelModePolicyTimeOfDeployment ) begin { # Importing the $PSDefaultParameterValues to the current session, prior to everything else . "$ModuleRootPath\CoreExt\PSDefaultParameterValues.ps1" + # Assigning the path to the UserConfigurations.json file + [System.IO.FileInfo]$Path = "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json" + # Create User configuration folder if it doesn't already exist - if (-NOT (Test-Path -Path "$UserAccountDirectoryPath\.WDACConfig\")) { - New-Item -ItemType Directory -Path "$UserAccountDirectoryPath\.WDACConfig\" -Force | Out-Null + if (-NOT (Test-Path -Path (Split-Path -Path $Path -Parent))) { + New-Item -ItemType Directory -Path (Split-Path -Path $Path -Parent) -Force | Out-Null Write-Verbose -Message 'The .WDACConfig folder in the current user folder has been created because it did not exist.' } # Create User configuration file if it doesn't already exist - if (-NOT (Test-Path -Path "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json")) { - New-Item -ItemType File -Path "$UserAccountDirectoryPath\.WDACConfig\" -Name 'UserConfigurations.json' -Force | Out-Null - Write-Verbose -Message 'The UserConfigurations.json file in \.WDACConfig\ folder has been created because it did not exist.' 
+ if (-NOT (Test-Path -Path $Path)) { + New-Item -ItemType File -Path (Split-Path -Path $Path -Parent) -Name (Split-Path -Path $Path -Leaf) -Force | Out-Null + Write-Verbose -Message 'The UserConfigurations.json file has been created because it did not exist.' } # Delete the entire User Configs if a more specific parameter wasn't used # This method is better than $PSBoundParameters since it also contains common parameters - if (!$CertCN -And !$CertPath -And !$SignToolPath -And !$UnsignedPolicyPath -And !$SignedPolicyPath -And !$StrictKernelPolicyGUID -And !$StrictKernelNoFlightRootsPolicyGUID -And !$LastUpdateCheck) { - Remove-Item -Path "$UserAccountDirectoryPath\.WDACConfig\" -Recurse -Force + if (!$CertCN -And !$CertPath -And !$SignToolPath -And !$UnsignedPolicyPath -And !$SignedPolicyPath -And !$StrictKernelPolicyGUID -And !$StrictKernelNoFlightRootsPolicyGUID -And !$LastUpdateCheck -And !$StrictKernelModePolicyTimeOfDeployment) { + Remove-Item -Path $Path -Force Write-Verbose -Message 'User Configurations for WDACConfig module have been deleted.' # set a boolean value that returns from the Process and End blocks as well [System.Boolean]$ReturnAndDone = $true - + # Exit the begin block Return } 
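Review bot: Now that `$Path` is a `[System.IO.FileInfo]`, the four `Split-Path -Path $Path -Parent` / `-Leaf` calls recompute what the object already exposes; `$Path.DirectoryName` and `$Path.Name` are clearer and avoid the string round-trip, e.g. `New-Item -ItemType File -Path $Path.DirectoryName -Name $Path.Name -Force | Out-Null`. The begin block also still creates the folder and an empty file before the no-parameter branch deletes that same file a few lines later; moving the "delete everything" test ahead of the create-if-missing steps would make the branch a pure delete. The same `Split-Path` pattern is in Set-CommonWDACConfig at @@ -95,31 +95,35 @@. Remove-CommonWDACConfig's param block starts outside the hunk.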
@@ -49,20 +53,21 @@ Function Remove-CommonWDACConfig { Set-Content -Path "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json" -Value '' } - # An object to hold the User configurations - $UserConfigurationsObject = [PSCustomObject]@{ - SignedPolicyPath = '' - UnsignedPolicyPath = '' - SignToolCustomPath = '' - CertificateCommonName = '' - CertificatePath = '' - StrictKernelPolicyGUID = '' - StrictKernelNoFlightRootsPolicyGUID = '' - LastUpdateCheck = '' + # A hashtable to hold the User configurations + [System.Collections.Hashtable]$UserConfigurationsObject = @{ + SignedPolicyPath = '' + UnsignedPolicyPath = '' + SignToolCustomPath = '' + CertificateCommonName = '' + CertificatePath = '' + StrictKernelPolicyGUID = '' + StrictKernelNoFlightRootsPolicyGUID = '' + LastUpdateCheck = '' + StrictKernelModePolicyTimeOfDeployment = '' } } process { - + # Exit the process block if ($true -eq $ReturnAndDone) { return } if ($SignedPolicyPath) { 
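Review bot: Switching `$UserConfigurationsObject` from a `[PSCustomObject]` to a plain `[System.Collections.Hashtable]` drops the stable key order, so the JSON written by `ConvertTo-Json` can differ in key order from run to run, which makes the on-disk file noisy to diff and audit; `[System.Collections.Specialized.OrderedDictionary]$UserConfigurationsObject = [ordered]@{ … }` keeps the property assignments in the process block working and restores deterministic output. The context line above the hunk, `Set-Content -Path "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json" -Value ''`, still hard-codes the path that `$Path` now holds, while the matching line in Set-CommonWDACConfig was converted in this commit. The same hashtable change is at @@ -127,19 +131,20 @@ in Set-CommonWDACConfig. Remove-CommonWDACConfig's begin block starts outside the hunk.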
@@ -128,14 +133,38 @@ Function Remove-CommonWDACConfig { else { $UserConfigurationsObject.LastUpdateCheck = $CurrentUserConfigurations.LastUpdateCheck } + + if ($StrictKernelModePolicyTimeOfDeployment) { + Write-Verbose -Message 'Removing the Strict Kernel-Mode Policy Time Of Deployment' + $UserConfigurationsObject.StrictKernelModePolicyTimeOfDeployment = '' + } + else { + $UserConfigurationsObject.StrictKernelModePolicyTimeOfDeployment = $CurrentUserConfigurations.StrictKernelModePolicyTimeOfDeployment + } } end { - + # Exit the end block if ($true -eq $ReturnAndDone) { return } - # Update the User Configurations file - Write-Verbose -Message 'Saving the changes' - $UserConfigurationsObject | ConvertTo-Json | Set-Content -Path "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json" + $UserConfigurationsJSON = $UserConfigurationsObject | ConvertTo-Json + + try { + Write-Verbose -Message 'Validating the JSON against the schema' + [System.Boolean]$IsValid = Test-Json -Json $UserConfigurationsJSON -SchemaFile "$ModuleRootPath\Resources\User Configurations\Schema.json" + } + catch { + Write-Warning -Message "$_`nclearing it." + Set-Content -Path $Path -Value '' -Force + } + + if ($IsValid) { + # Update the User Configurations file + Write-Verbose -Message 'Saving the changes' + $UserConfigurationsJSON | Set-Content -Path $Path -Force + } + else { + Throw 'The User Configurations file is not valid.' + } } <# .SYNOPSIS @@ -164,6 +193,8 @@ Function Remove-CommonWDACConfig { Removes the StrictKernelNoFlightRootsPolicyGUID from User Configs .PARAMETER LastUpdateCheck Using DontShow for this parameter which prevents common parameters from being displayed too +.PARAMETER StrictKernelModePolicyTimeOfDeployment + Removes the StrictKernelModePolicyTimeOfDeployment from User Configs .INPUTS System.Management.Automation.SwitchParameter .OUTPUTS 
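Review bot: The `catch` in the `end` block overwrites the on-disk user configuration with an empty string when `Test-Json` throws, yet what is being validated is the in-memory JSON just built (or the schema file could not be loaded), not the file that was read successfully at the start of the call, so a transient problem such as a missing `Schema.json` destroys the user's settings and the subsequent `Throw` still fires. Drop the `Set-Content -Path $Path -Value '' -Force` from the catch and let the failure surface, e.g. `catch { Throw "User configuration validation failed: $_" }`; note also that `$IsValid` is only assigned inside the `try`, so `if ($IsValid)` reads an unassigned variable on that path. `Test-Json` reports a schema mismatch as `$false` plus a non-terminating error rather than an exception unless ErrorAction is Stop, which may or may not be set in PSDefaultParameterValues.ps1, so both failure paths deserve a deliberate choice. The same block is in Set-CommonWDACConfig at @@ -217,13 +222,40 @@.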
@@ -180,8 +211,8 @@ Function Remove-CommonWDACConfig { # SIG # Begin signature block # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDUXIFN1xFceXUU -# qqIqj2EMWrByQtjg/BBD/HtYor8nlaCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCOwTJyE1lilpc0 +# hd37deRoczCk1PsMUkWSPAn1RHdmpaCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5 
@@ -228,16 +259,16 @@ Function Remove-CommonWDACConfig { # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQgylwQco/g2hTi3QkAmWwifX9V6O/h65vusvxiZ2XEIKwwDQYJKoZIhvcNAQEB -# BQAEggIAcDPMXUWowHy+MDkLLcOPl51H3cyqObTtta/fpfdRt2FTAEQDygjSusD8 -# D/Z3IKch1dmv1IbnRHHxPSFILsnuKbVbifk6pnfUAvXF5OZOM1+MlpHoDhJFrdkD -# 84MGD4zzKLJFY2kXKj/qo+sj8zPwONK5+d44VTGKLVt8ySGGad/ikWlOSg6OJwIl -# 342v8WmFOglxE3grkdzR7jIn6jTm5xMevKA+c8DdV8nPQiDrmdB9JY++Xp0udO7r -# MIljnY64F0qPQsg/mhh8RnIYbQY9YER/5V3Rjzq/LfHmrqemdYR9sUrUO2ihVuCC -# G55Hwu4ucJAnvRlZBQXO9zGUCzPCyIKP1JV05xPVWpqzltP6kYkLsvIWhO2UznPh -# RsUSDyna8DeQ9T6YaxpDlsTWUYGSj4I1wrwFai0j93wAgPZ2imqFRtDqYb/+CIPO -# yx7j3SkuMfkJmXsnqbSOIIeagtgv3IeVQoDKHGJCnTwSsszKuWA4Vj1GdLMTusat -# sxWoFL1gHDtd9JDabDcwVQwyisdVbIWpdtq4TnYh+aK/Y6G3rsa5YCc2QitjF0cW -# 1wbSP+w/efYPWzjPgsHumki7GM+zuU75Md8SSBy9sk5AxK+gW1q1ietUfVvqbpmg -# FbTVmZIj9Gbny/UeGagoGmqxOoECreOuY0n7xJUBK65ByssGRrk= +# IgQgosRTn6/vjqEgVpjkQZamW7pk4mbU0ANBQHok/geB+CAwDQYJKoZIhvcNAQEB +# BQAEggIAm5Nd50jwDmPcaRiZFlEX46z2HQqTF2VsNliZC9JDi3afpRNKG+77+Wpg +# hcX1yMJBfelbz1P3zCSzV4HtuF/mlnWWTaUT+ggClCkO5PQQP10D7UMU/PmyNcPu +# sywp4urfxgq/p9H1Vptyv1ERUpamDXcRRzBXln6NkImxd24JeYZlTTUJIQcJ4VzX +# sCrJMtgdetbRV0ISJzwHm36k5LAV+rXKo8HLtlj+Ivmq6ufOoKVOlGf4sthBHnmc +# gNtyfdq7OZQrGvpGHLh2PB11V9FC2Rz/y7ngGqgYvjToClfG4fBU/wEkSs/uNYxp +# osYhk0yNDKDh18NvQ5B01sDFPQnLKBYzi1m2HmzUpt1CmgPUwQPWs+PB1G2ihUKX +# ixFLl2I1Cdbqdhf1hO3UZV9d9eAtX3Wu9twlHfytT8bA+Wr6/Ugy7AUmFLE3sp4y +# wIzAmRe3GZNI3do8uXB0rJG4hQAskfBT/P4oSFNsKDtqiCpvnaG2lWcbT3JEVXBG +# aI3hh5WUQqEVFP8EY6w1Jtwp1PKN9RunWGHkMEBuh2Ogjj5m29tappyVWXb7lwKt +# ED6l+79I0XcywzVtSOTCbvfBjWUshSkRF+TjeREc2HdHksS09fftmVGGNRZXoTbw +# Rce5Wd/minc9Ss4rXd+30WjcN/KQRP7U3BxgU/JHG/ndY4aslwo= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/Core/Remove-WDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/Remove-WDACConfig.psm1 index 620f21b9c..1d28a4b09 100644 --- a/WDACConfig/WDACConfig Module Files/Core/Remove-WDACConfig.psm1 +++ b/WDACConfig/WDACConfig Module Files/Core/Remove-WDACConfig.psm1 @@ -54,7 +54,7 @@ Function Remove-WDACConfig { } # Count the number of duplicate CNs in the output array - [System.Int64]$NumberOfDuplicateCNs = @($Output | Where-Object { $_ -eq $InputCN }).Count + [System.Int64]$NumberOfDuplicateCNs = @($Output | Where-Object -FilterScript { $_ -eq $InputCN }).Count # If the certificate with the provided common name exists in the personal store of the user certificates if ($Output -contains $_) { @@ -455,8 +455,8 @@ Register-ArgumentCompleter -CommandName 'Remove-WDACConfig' -ParameterName 'Sign # SIG # Begin signature block # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCD70x6RuO6CSBrI -# 0NG0p76yRtaFoSYxVDoWYBG7zIR88aCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCB3e2uK/BNmaZad +# Y6oeXDFVS92d47ftgq6yPcn0joNAzqCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5 
@@ -503,16 +503,16 @@ Register-ArgumentCompleter -CommandName 'Remove-WDACConfig' -ParameterName 'Sign # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQgn4jZPW2UJAdyyUQ/oKUYwjaJkB4qfNHf+TynA+MbeGEwDQYJKoZIhvcNAQEB -# BQAEggIAmZnguxvrm9E9jRYdz+6RTAFVIvBAGLBUWMSzMv1OprsA1VPxYZGl29pn -# zC6R74GjzBe8XqoTZbUScWZG7TV/YalziYafj5mS2TlKNVN2nGU5KGlccYT+Ro4/ -# Yf1B/+NInl3Xnu3/JbofCPf0G2Fdb8OC0SZJD6ZoLqLB4qvJdMRhU3dSAvgDaQ39 -# SExY6RqZv8nFzHFdaqTdLH1CZ0qq17zThQcY7FYs6Bc8HyOwHlc9jOTsOvq5vVS2 -# yrAv4J4ZM1mv2/7tRzIHhe8GlHBhq7tEJ4CQSvt/56CP+XdfFkdFI35B/rw1ccIP -# Oy33u2IxaX12fQUX49DS11DNDR3PtKRW3qouM0Z3GwZ6Ikhzw5hXY54l1DtcXAh0 -# xoQw6uFkKCyIgxsNHycMppPy7ugp1ekQOgJ4UcxvxSU8VQA0trJftLIQ5xkJZ0Ex -# nMOubVB7ee2f9Pe8WU88u95HQMCHltS2V7l+0jiKETZs/Q2fCnnJVEqiirLQscBG -# 7nMS2gp18wmt09E+UkFBMSY7cdCOK49DsE+VF/0XycM4XnujjU6n554HpKE5lwor -# 9T6TIQRPxKhaXnq/zWbBx4LZ8JVmM7ZdzFsyBn/t9Y+5eYZGXMdEwnLAGa7bsS+g -# E7VGatMrOgEB/SjQy74SuE0WwIHxIO+13OxZa+lh63Sw2mY2BzY= +# IgQgmki1IWersNkR3U2DtZZCYJ6fq/wuXsk8CYtkA6K6SXMwDQYJKoZIhvcNAQEB +# BQAEggIATFUO6nWaM2gOef7zRdcreBoN7XDckaAtsYQp5OadUh4ltyegqPfp+YsZ +# BcRqoq9bLvgJu/pChRnjV3ci61e2us2oNKTbhs6+LrL0afaTGBDvooWuyywsgAh5 +# 0raNhMFDU5GjvEjp8CwZlbiE4eZoUwrLHgf3DGg9kUJEQqhL4Qcn1THcHxzi3tnA +# Pe+AYGPztjl7YyJOhAe7XMOGxbLT6C179aHQ/HKCvKu2318HeEAKveIADuMXOG4z +# CP3fWTHo8O+t6geVOXu9Lq1IYW1aydgQl+qrCSaLlWqvkcgLhjc+Rz/ZivFAi8sT +# md2RKv49zcr3wuEFI/54udFJTTk6K+UimKg47kbxSD5nwkwAzR790cMICWVunwRJ +# wNqwbUbVk6mF5eTV2R5oI5VBjektiEQrGPqAo/tD2G7gV5M/1Ugb2pXkhhxdCpIk +# u72+KkTTMCsWS3vCY4avWx09UvWP5+JNUVDIo3yfhsRojUa+mnqi2AyvXo1p6rUF +# aTZ1g41l4BKQc5rxsetAS5LFDq0UpUms6g1R7NkiH82kvHPCQ1LQO+ltv/vhFVrV +# UAQy97DSEpo+wpm13ym79Fmta6gtkgkPKFpYhklfHP3cwdJa5GOa+j2oMg0U9hCm +# 41iw1ca9RXNjleTza3+4PMqTYiIGaONyY2yhYzoGoWixYp02Cvs= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/Core/Set-CommonWDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/Set-CommonWDACConfig.psm1 index 1b2406113..9b51cdde7 100644 --- a/WDACConfig/WDACConfig Module Files/Core/Set-CommonWDACConfig.psm1 +++ b/WDACConfig/WDACConfig Module Files/Core/Set-CommonWDACConfig.psm1 @@ -31,7 +31,7 @@ Function Set-CommonWDACConfig { } # Count the number of duplicate CNs in the output array - [System.Int64]$NumberOfDuplicateCNs = @($Output | Where-Object { $_ -eq $InputCN }).Count + [System.Int64]$NumberOfDuplicateCNs = @($Output | Where-Object -FilterScript { $_ -eq $InputCN }).Count # If the certificate with the provided common name exists in the personal store of the user certificates if ($Output -contains $_) { 
@@ -95,31 +95,35 @@ Function Set-CommonWDACConfig { [parameter(Mandatory = $false, DontShow = $true)][System.Guid]$StrictKernelPolicyGUID, [parameter(Mandatory = $false, DontShow = $true)][System.Guid]$StrictKernelNoFlightRootsPolicyGUID, - [parameter(Mandatory = $false, DontShow = $true)][System.DateTime]$LastUpdateCheck + [parameter(Mandatory = $false, DontShow = $true)][System.DateTime]$LastUpdateCheck, + [parameter(Mandatory = $false)][System.DateTime]$StrictKernelModePolicyTimeOfDeployment ) begin { # Importing the $PSDefaultParameterValues to the current session, prior to everything else . "$ModuleRootPath\CoreExt\PSDefaultParameterValues.ps1" + if (!$CertCN -And !$CertPath -And !$SignToolPath -And !$UnsignedPolicyPath -And !$SignedPolicyPath -And !$StrictKernelPolicyGUID -And !$StrictKernelNoFlightRootsPolicyGUID -And !$LastUpdateCheck -And !$StrictKernelModePolicyTimeOfDeployment) { + Throw [System.ArgumentException] 'No parameter was selected.' + } + + # Assigning the path to the UserConfigurations.json file + [System.IO.FileInfo]$Path = "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json" + # Create User configuration folder if it doesn't already exist - if (-NOT (Test-Path -Path "$UserAccountDirectoryPath\.WDACConfig\")) { - New-Item -ItemType Directory -Path "$UserAccountDirectoryPath\.WDACConfig\" -Force | Out-Null + if (-NOT (Test-Path -Path (Split-Path -Path $Path -Parent))) { + New-Item -ItemType Directory -Path (Split-Path -Path $Path -Parent) -Force | Out-Null Write-Verbose -Message 'The .WDACConfig folder in the current user folder has been created because it did not exist.' 
} # Create User configuration file if it doesn't already exist - if (-NOT (Test-Path -Path "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json")) { - New-Item -ItemType File -Path "$UserAccountDirectoryPath\.WDACConfig\" -Name 'UserConfigurations.json' -Force | Out-Null - Write-Verbose -Message 'The UserConfigurations.json file in \.WDACConfig\ folder has been created because it did not exist.' - } - - if (!$CertCN -And !$CertPath -And !$SignToolPath -And !$UnsignedPolicyPath -And !$SignedPolicyPath -And !$StrictKernelPolicyGUID -And !$StrictKernelNoFlightRootsPolicyGUID -And !$LastUpdateCheck) { - Throw [System.ArgumentException] 'No parameter was selected.' + if (-NOT (Test-Path -Path $Path)) { + New-Item -ItemType File -Path (Split-Path -Path $Path -Parent) -Name (Split-Path -Path $Path -Leaf) -Force | Out-Null + Write-Verbose -Message 'The UserConfigurations.json file has been created because it did not exist.' } # Trying to read the current user configurations Write-Verbose -Message 'Trying to read the current user configurations' - [System.Object[]]$CurrentUserConfigurations = Get-Content -Path "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json" + [System.Object[]]$CurrentUserConfigurations = Get-Content -Path $Path # If the file exists but is corrupted and has bad values, rewrite it try { 
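Review bot: The 'No parameter was selected.' guard tests `!$StrictKernelModePolicyTimeOfDeployment` and `!$LastUpdateCheck` on `[System.DateTime]`-typed parameters; if an unbound DateTime parameter materialises as `[DateTime]::MinValue` rather than `$null` in the PowerShell edition this module targets, that negation is always false, the guard cannot fire for those parameters, and the matching `if ($StrictKernelModePolicyTimeOfDeployment)` in the process block at @@ -217,13 +222,40 @@ would overwrite the stored timestamp with MinValue on every call — worth confirming on the target edition. `$PSBoundParameters.ContainsKey('StrictKernelModePolicyTimeOfDeployment')` is unambiguous for both tests and does not disturb the existing switch-style checks for the other parameters. Set-CommonWDACConfig's header and param block start outside the hunk.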
@@ -127,19 +131,20 @@ Function Set-CommonWDACConfig { } catch { Write-Verbose -Message 'The user configurations file exists but is corrupted and has bad values, rewriting it' - Set-Content -Path "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json" -Value '' + Set-Content -Path $Path -Value '' } - # An object to hold the User configurations - $UserConfigurationsObject = [PSCustomObject]@{ - SignedPolicyPath = '' - UnsignedPolicyPath = '' - SignToolCustomPath = '' - CertificateCommonName = '' - CertificatePath = '' - StrictKernelPolicyGUID = '' - StrictKernelNoFlightRootsPolicyGUID = '' - LastUpdateCheck = '' + # A hashtable to hold the User configurations + [System.Collections.Hashtable]$UserConfigurationsObject = @{ + SignedPolicyPath = '' + UnsignedPolicyPath = '' + SignToolCustomPath = '' + CertificateCommonName = '' + CertificatePath = '' + StrictKernelPolicyGUID = '' + StrictKernelNoFlightRootsPolicyGUID = '' + LastUpdateCheck = '' + StrictKernelModePolicyTimeOfDeployment = '' } } process { 
@@ -217,13 +222,40 @@ Function Set-CommonWDACConfig { Write-Verbose -Message 'No changes to the Last Update Check property was detected.' $UserConfigurationsObject.LastUpdateCheck = $CurrentUserConfigurations.LastUpdateCheck } + + if ($StrictKernelModePolicyTimeOfDeployment) { + Write-Verbose -Message 'Saving the supplied Strict Kernel-Mode Policy Time Of Deployment in user configurations.' + $UserConfigurationsObject.StrictKernelModePolicyTimeOfDeployment = $StrictKernelModePolicyTimeOfDeployment + } + else { + Write-Verbose -Message 'No changes to the Strict Kernel-Mode Policy Time Of Deployment property was detected.' + $UserConfigurationsObject.StrictKernelModePolicyTimeOfDeployment = $CurrentUserConfigurations.StrictKernelModePolicyTimeOfDeployment + } } end { - # Update the User Configurations file - Write-Verbose -Message 'Saving the changes' - $UserConfigurationsObject | ConvertTo-Json | Set-Content -Path "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json" - Get-Content -Path "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json" | ConvertFrom-Json | Format-List -Property * + $UserConfigurationsJSON = $UserConfigurationsObject | ConvertTo-Json + + try { + Write-Verbose -Message 'Validating the JSON against the schema' + [System.Boolean]$IsValid = Test-Json -Json $UserConfigurationsJSON -SchemaFile "$ModuleRootPath\Resources\User Configurations\Schema.json" + } + catch { + Write-Warning -Message "$_`nclearing it." + Set-Content -Path $Path -Value '' -Force + } + + if ($IsValid) { + # Update the User Configurations file + Write-Verbose -Message 'Saving the changes' + $UserConfigurationsJSON | Set-Content -Path $Path -Force + + # Display the updated User Configurations + $UserConfigurationsObject + } + else { + Throw 'The User Configurations file is not valid.' + } } <# .SYNOPSIS 
@@ -253,6 +285,9 @@ Function Set-CommonWDACConfig { .PARAMETER LastUpdateCheck Last time the Update policy was checked for updates Used internally by the module +.PARAMETER StrictKernelModePolicyTimeOfDeployment + Time of deployment of the Strict Kernel-Mode policy + Used internally by the module .INPUTS System.IO.FileInfo System.DateTime @@ -280,8 +315,8 @@ Register-ArgumentCompleter -CommandName 'Set-CommonWDACConfig' -ParameterName 'U # SIG # Begin signature block # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDw9TYS/Hu6MPJP -# he3QlRy8osjynqdtAN8BLpePx0Q5OKCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCA78jNLmU+iEoEy +# h9B+CJiL2euTpXBgiYVe2FXzPc2KU6CCB9AwggfMMIIFtKADAgECAhMeAAAABI80 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5 
@@ -328,16 +363,16 @@ Register-ArgumentCompleter -CommandName 'Set-CommonWDACConfig' -ParameterName 'U # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQgZzRHhPBnvd5AMtuJem31TZ4G+oQ6Tmj3Qw5seIqiCtAwDQYJKoZIhvcNAQEB -# BQAEggIAg7bHth51OPRwsf/zlmiJOn4ikUNWmq2mislZ+GJUQ1kXn2usoLHjDA2Y -# r/ouC4WqVvWUgs6aN7KWNaY7239ZMEgLTGDMpTkdF7TcI+VsdokbFhjCKtPA49cd -# w1Uu+cSQvspCROWWiyoNqdk3sJTYaOOvkCP5/2fP9Fqz/Z6KFpUZWRatx1X7RT0o -# kiHNW7Vef9PIK84HfF3/S7fYEt2v1/WqiDAxuTWgAByZQqz5iMrLb6Bxd9eXDKn3 -# cj7/a7OdpDSTn51EYDQWZdNCm7Z4AqxJl2OACc0YKmDKT+cxpF6z0fVDlrBeGbWc -# ZC1nUHgypjLdAU2oETI8YPl/VMic3jozKV+9sF9A7+Z+CkQXpNxCLz7fgV87bTb1 -# ZKx//CMRXo/SaRmSYI9IoXV8hSK/Pjxc4gmZ8LeRFWkyPyRXJfi3V3YNWk7zb83f -# dLMTbsq7narzX86DPQ5lFBqleCr4tO7xaxclhfAxJyAwCNCSRJmx50cJvoHE3Cgt -# +sVLlegzr7SW7ZAb2R58GfwNG20eurmXKJQQ86Ef+VHcCV7fI96a9zYDV3x1RBuO -# f/wdvb4HoeZOixM54OtsPWQrUkTMPFjoLWwcNq8aqkNPCKqHyNLC2D2C3UBZS4uV -# XP2y5JRUeEJKfvD29whNXeLHUZ+k+2+9K+J4ahRwj3qVVy+uv/Y= +# IgQgA+wzKzO/1DYHMPgAx/OHjlgvoLv40MBS3HajFunu4HYwDQYJKoZIhvcNAQEB +# BQAEggIAHdtSShDe9+TmPCeaCDoVGUVN4sbbDiU0SRPVIlu7AglCWBYKH5UQrrA0 +# q5ORdq73Fso4ANee84RyygJB10+qWlJxfi3c1PXpmRzZaiPMezuT+1pPnI5mtGE2 +# bXNrAVVy2hoWK9pvPKy2J0KHxwxRDER/QHUTm8931kXpvmKZcLaAcNPW2tZazyJz +# Yn4FlPijRDLmM1BJ0poBTQl/IVH1mXgY3nKbuQZUqL0MIZiZLSX2p0RNY0YCqkeb +# 8wKv4oLY7LMY16SeIDq9CtCqmH/aD6XvvtW+VyJCTwJWkGz+0lNFLqitiBXuonl6 +# dzS0mfg1TQkLvDJCRuLcTLlyQHAuu3Pmnb1QKRAgVG3ArnCIDZUvEiYC4x0W61Ne +# W5BJK4vE9AIqyrEo0Uy9gH5Y+ieByNYa12Rv5i0gdIqJYeqw7vD9ogUATcb46hlf +# E+TTfXdiDkpNYBmpKXKViOcLYhVGb6a0Ox/wpRqHhXN+hyeoIUGYPep1QwKcTjd5 +# lfwzAgoIHdeDjasjf1aqlbUjYvujr6IpIf7G+ZlQ6sC3f9BdguvAAYOWMlHfhvtN +# fEz4aYYDUPCPXjAVeVvllNiN15WdBAxIHOuAF/YTRmZoa8nyLmRltFyTwcDcOM9y +# gWMgsaZJUfAAh4yX684CL4kAiPJO49ktaS3kprOzzQ1BlYCnOeY= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/CoreExt/PSDefaultParameterValues.ps1 b/WDACConfig/WDACConfig Module Files/CoreExt/PSDefaultParameterValues.ps1 index 352c3c8b7..25b3dc198 100644 --- a/WDACConfig/WDACConfig Module Files/CoreExt/PSDefaultParameterValues.ps1 +++ b/WDACConfig/WDACConfig Module Files/CoreExt/PSDefaultParameterValues.ps1 @@ -25,14 +25,15 @@ $PSDefaultParameterValues = @{ 'Write-ColorfulText:Verbose' = $Verbose 'New-SnapBackGuarantee:Verbose' = $Verbose 'Compare-SecureStrings:Verbose' = $Verbose + 'Get-KernelModeDriversAudit:Verbose' = $Verbose 'Test-Path:ErrorAction' = 'SilentlyContinue' } # SIG # Begin signature block # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAq/YkLjJjtBehP -# sLXkIUKnijkmyTYFBvH3HE7h2gQ3laCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAavzUGHdyJ3I+w +# OIj3l5bxX1qsMhDsElMnxwsFZooSLaCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5 
@@ -79,16 +80,16 @@ $PSDefaultParameterValues = @{ # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQgBsVei4uZFqCjRJkjIYhhDwoTfFDtLMT88a35joPnAF8wDQYJKoZIhvcNAQEB -# BQAEggIAHEeRWySIQRkKPzBdxU9+e7tCA4h9EBxWKsoy3+gwz6Erd6F1iGJNQ5lH -# pJVzLKO5AQB2aFK8of9x2q2aD9mzMrZSj34QvNUfN/XmW77zGZCYdGSt0wKz0Ix8 -# vUStrzhUgxioVuTJZLfSSEHohQqUJ8PI/acgqwq2C34HFREa4jjBaA6j41R20vMO -# RipGVrAtSbzSLpfLpXeoZrmuxugaURNJjZboNf1FVz+Odll6PoaFNGyuOuwyzbGF -# kSE/KTLt2lXpwkkLZRCyQC4KnDJ/F58HUDfh4iquS8jz9A7CzNueyI4LBkxfiadR -# HCIx99U5lZ7HutxiNDkW6SdHcHIxxCADWDciuoX3N/fz6UibFbr98B4Oo4Z2lMKc -# /2gYi/x7BO0ikJ5t1k5+/MA6OHTrPKpSiz1xUkeEX2bBT5stz/Qnx0sjZBLKu53h -# J2+i+C5aM5XghJxYjl2y5wickHkIOqESqvMgmPuEAiKyU+08D4/0+lgt8HXNIq9F -# QBJOsgA1538fEOvZaP5069JrIiHtnu6uKM+GzHnQqq9PHRyS5uTEd+9TjVueKyCj -# ePhBhUQbVV78x7hIVN8YuYHv+AR3scopNHTkbbqxQrPeL3BAlgHKoS5ki8RUQbFU -# Ug4dxa6QYqx7Da146FkklYBI/02EPQLnnZQ4UfTzLH62ZTmeShQ= +# IgQgu8iEkljlv5xO0xI4cExICeQZT/joQoFv2ddHPFszyigwDQYJKoZIhvcNAQEB +# BQAEggIAlQUdwg8+wtYdrpbyscx+grjjQLH7KVm9872qnH7eLnWgDTd+xFnsy6EM +# Zk7pGSyYt+Dx6/oWE9SU2+dCjCOq0/eFyTlhC+Jy4Mt7ZsneBaLWHBzNeI+DT4bM +# qylINYjgHqbMQtgL1rcwH6gZh12UBcVHuNuwyguFSm0SbCZKWEId/Q2A8EAlaf0A +# 2/HUZEs278x5MZ5MBIYP4RKHFLTvxUl3XG+7+OZGBVw7VevCcBXQtjMgKoYxjtt9 +# fHt1unFBeGCzVjEE5i/QEnYucX/uzTIdlk9Aq6nScNXwltdWFQdrZNPkSXtyU5do +# CZH+wbEF9V3IN9ycjtqvNgb3LLhCzGaq4rdXtRZO1Tu5RP70FjILHlftXjYU/45Q +# Jo7hJph1KLZmrCIbrgFRe9F+GBN3uiU6stbiTnDW0oQibXRb+fWrOdB8F1EnxUaG +# g/fbbeoSYOZ0WMhI0exosr8yWJIUAKxKkmIttPvb84B10qTk0uZ4sWtaT68wbj3t +# F3y9t21bXWmZ9vKl/8WgNV0yZwUMyFPpRD4z00v+eHoSfAwGqdqLgyOXgGIYPvv2 +# I55El6cZc2bfdjHi2XFle8ufqNIbUVYDwlq7+GknPMGIqZwH46BMNZj0q+ZBOPeE +# fro+r3uD/Kelphb3TG+djHoBBGwDtUp0zlSZ6dlapMFNJ/IIWVA= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/Preloader.ps1 b/WDACConfig/WDACConfig Module Files/Preloader.ps1
index fb6fad84f..77d1a2b4f 100644
--- a/WDACConfig/WDACConfig Module Files/Preloader.ps1
+++ b/WDACConfig/WDACConfig Module Files/Preloader.ps1
@@ -5,7 +5,7 @@ if (!$IsWindows) {
 # Specifies that the WDACConfig module requires Administrator privileges
 #Requires -RunAsAdministrator
-# Create tamper resistant global variables (if they don't already exist)
+# Create tamper resistant global variables (if they don't already exist) - They are automatically imported in the caller's environment
 try {
 if ((Test-Path -Path 'Variable:\MSFTRecommendedBlockRulesURL') -eq $false) { New-Variable -Name 'MSFTRecommendedBlockRulesURL' -Value 'https://raw.githubusercontent.com/MicrosoftDocs/windows-itpro-docs/public/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac.md' -Option 'Constant' -Scope 'Global' -Description 'User Mode block rules' -Force }
 if ((Test-Path -Path 'Variable:\MSFTRecommendedDriverBlockRulesURL') -eq $false) { New-Variable -Name 'MSFTRecommendedDriverBlockRulesURL' -Value 'https://raw.githubusercontent.com/MicrosoftDocs/windows-itpro-docs/public/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md' -Option 'Constant' -Scope 'Global' -Description 'Kernel Mode block rules' -Force }
@@ -15,25 +15,12 @@ try {
 if ((Test-Path -Path 'Variable:\OSBuild') -eq $false) { New-Variable -Name 'OSBuild' -Value ([System.Environment]::OSVersion.Version.Build) -Option 'Constant' -Scope 'Script' -Description 'Current OS build version' -Force }
 if ((Test-Path -Path 'Variable:\UBR') -eq $false) { New-Variable -Name 'UBR' -Value (Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name 'UBR') -Option 'Constant' -Scope 'Script' -Description 'Update Build Revision (UBR) number' -Force }
 if ((Test-Path -Path 'Variable:\FullOSBuild') -eq $false) { New-Variable -Name 'FullOSBuild' -Value "$OSBuild.$UBR" -Option 'Constant' -Scope 'Script' -Description 'Create full OS build number as seen in Windows Settings' -Force }
+ if ((Test-Path -Path 'Variable:\ModuleRootPath') -eq $false) { New-Variable -Name 'ModuleRootPath' -Value ($PSScriptRoot) -Option 'Constant' -Scope 'Global' -Description 'Storing the value of $PSScriptRoot in a global constant variable to allow the internal functions to use it when navigating the module structure' -Force }
 }
 catch {
 Throw [System.InvalidOperationException] 'Could not set the required global variables.'
 }
-# A constant variable that is automatically imported in the caller's environment and used to detect the main module's root directory
-# Create it only if it's not already present, helps when user tries to import the same module version over and over again without closing the PowerShell session
-try {
- Get-Variable -Name 'ModuleRootPath' -ErrorAction Stop | Out-Null
-}
-catch {
- try {
- New-Variable -Name 'ModuleRootPath' -Value ($PSScriptRoot) -Option 'Constant' -Scope 'Global' -Description 'Storing the value of $PSScriptRoot in a global constant variable to allow the internal functions to use it when navigating the module structure' -Force
- }
- catch {
- Throw [System.InvalidOperationException] 'Could not set the ModuleRootPath required global variable.'
- }
-}
-
 # Make sure the current OS build is equal or greater than the required build number
 if (-NOT ([System.Decimal]$FullOSBuild -ge [System.Decimal]$Requiredbuild)) {
 Throw [System.PlatformNotSupportedException] "You are not using the latest build of the Windows OS. A minimum build of $Requiredbuild is required but your OS build is $FullOSBuild`nPlease go to Windows Update to install the updates and then try again."
@@ -57,8 +44,8 @@ foreach ($File in (Get-ChildItem -Recurse -File -Path $ModuleRootPath -Include '
 # SIG # Begin signature block
 # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor
 # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
-# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDMg1DbL/rhhOcS
-# zQVMaeJj8/hpvVzv0R5WUphR3ksGI6CCB9AwggfMMIIFtKADAgECAhMeAAAABI80
+# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCC+kKF0TrvUydR3
+# RoeBV1rvokHfEf+EaUs3+W4GaAT1Q6CCB9AwggfMMIIFtKADAgECAhMeAAAABI80
 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj
 # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT
 # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5
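Review bot: The `Test-Path -Path 'Variable:\ModuleRootPath'` guard on the added line only checks that some variable of that name is visible, so a pre-existing, non-constant `ModuleRootPath` (left by a profile, or by an earlier import from a different location) is reused unchanged, and every `$ModuleRootPath\...` path the module loads from below and in the sub-modules derives from it; the "tamper resistant" comment at the top of the file only holds when the module is the one that defines the variable. The replaced Get-Variable version had the same gap, so this is not a regression, but the rewrite is the right moment to close it: when the variable already exists, reject a non-constant one, e.g. `if (-not (Get-Variable -Name 'ModuleRootPath').Options.HasFlag([System.Management.Automation.ScopedItemOptions]::Constant)) { Throw [System.InvalidOperationException] 'ModuleRootPath exists but is not a constant.' }`. The merged catch also drops the variable name from its message, so a failure on this line is now harder to attribute than before. The enclosing `try` opens above this hunk.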
@@ -105,16 +92,16 @@ foreach ($File in (Get-ChildItem -Recurse -File -Path $ModuleRootPath -Include ' # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQgUplmeRqAicEvN3LDWbzqAkrsJvqCxayFqgBVpbEfLcUwDQYJKoZIhvcNAQEB -# BQAEggIAYoN0XRAlZ4Xl+7u1/gLwm9vYyn6tNHinAuwbAVwU3Bw8bUw43QjXuoHJ -# 43+Glfq8+Q4pfZlN5t7rZtduVQJW3CnrSKSTtTXOIo+ZiqMbYeM1WaOBhClNma0g -# 3tU8WqSZP7Jhi8u3WhXKCHagou6kTtnyakO9WFGTbt2dvRVbPBHgIwmAjq4hHP33 -# QZvxBAhzzzqug073kEhdULqHXkcbept10CO1HrGZvc4pirMDpdyg93fFGnIJTxcl -# AqxMQRyUIf7wrJCnccQpPUqiYMRHpRCIHDjB2T+5hu0N6nPlNg5c+UBX8m8PMQiQ -# 6uMNybnKOVKfHDG4YHS71MPOOEG13K73aO1tMe4p4NEHwK0cfA2Uuic4QSKU181y -# +l2CQjR99UADY8LBq0Up+tgFZy/qXgPaf36kXlMZkNhr0N6esR/seBQxhgP0h2cG -# 6mHef7X2K+/8Ox7NYd2synLg87JE0vsR+3DKO4p+ySK1dQYI3NCbwkP5piFMrslo -# D81gaUxTqcz87Ud41gBnb8ghANoEf1gBXNwhRk+TeUhC/NC+yff+B/EsuFWha4nM -# 76IthWnFuOWjZb6DpNd0tuKopt3Plt6NiwI+pxsDmsUD480Fpf3iQRoAwAHXsXbw -# 4OWYJXSTqGYd/n5r03KmhKvcR7NeyC/gRuTPXkOe3I0J2QuqZRo= +# IgQgmDpTjxwOYh1M6Y065UoecdVoRJvpEgntMRJmT/plNtYwDQYJKoZIhvcNAQEB +# BQAEggIAU7291Emtgs+t3GrSJWprk+JNz1i4usoWfhjVoPRivTCoU9B6U0m0/Rmh +# qHy+oQASDCG7/X/4ih14mWOGMTn2E7Y8YwX32Va23QQctgnMwiFl69LYqmihIhAx +# 1lcYYkvMujOMOwNF0ixbwpiZ5SbwpcHHl1xpHJYGHDavB690XF46P+pBsAfVxoOP +# cpTM7DTtvyiKFnwH5cbjkalQtARbAY5iwLSdEApsubPA8PPXbnxFHV1MVqrIuSSR +# QoXBDCIL/79eu+BT10v0aElyG9JlLPKmuqq8RObd984Z5EWvoDq6Xmu1peBeYF+M +# /TnL4eDYI1VMSgzIU6oHhCc+7qaK4ivScdxOPYOkVo/9aM1Q17G/FmffIuWEd3Io +# AlcJu1AJA5sn2bx7jkWcEB2YJYbwIjBQ+YFmrJEeaBiW8rvgO/48zWotWrAFWG4p +# iP77twapyCSgt5HpeoSyt3QtWkzbazvy6vESSpFpHOONieBMRitl+7R0pOZQC9M6 +# U/bBs1uzURb+T8ER1RQKrbK6ATc+amPPzomBwt0TKm3XPsd4lIUHhyrOKlWtLeDH +# FEwZlWJpFRFGRwX6NeQpDx6Nl8FtH1EhVuhoMqSraOAhqQ4hbn3l440Dk9iRj1SK +# Ui3JTnsQSqd6doTgxwxtteWeIYql6wRGh+chCyDfEishLVbOxN4= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/Resources/User Configurations/Schema.json b/WDACConfig/WDACConfig Module Files/Resources/User Configurations/Schema.json
new file mode 100644
index 000000000..ec97e8189
--- /dev/null
+++ b/WDACConfig/WDACConfig Module Files/Resources/User Configurations/Schema.json
@@ -0,0 +1,121 @@
+{
+ "definitions": {},
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "type": "object",
+ "title": "WDACConfig User Configurations",
+ "description": "WDACConfig User Configurations",
+ "maxProperties": 9,
+ "minProperties": 9,
+ "required": [
+ "SignedPolicyPath",
+ "UnsignedPolicyPath",
+ "SignToolCustomPath",
+ "CertificateCommonName",
+ "CertificatePath",
+ "StrictKernelPolicyGUID",
+ "StrictKernelNoFlightRootsPolicyGUID",
+ "LastUpdateCheck",
+ "StrictKernelModePolicyTimeOfDeployment"
+ ],
+ "properties": {
+ "SignedPolicyPath": {
+ "type": [
+ "string",
+ "null"
+ ],
+ "default": "",
+ "title": "The SignedPolicyPath Schema",
+ "examples": [
+ "C:\\Signed Policy.xml"
+ ]
+ },
+ "UnsignedPolicyPath": {
+ "type": [
+ "string",
+ "null"
+ ],
+ "default": "",
+ "title": "The UnsignedPolicyPath Schema",
+ "examples": [
+ "C:\\UnsignedPolicy.xml"
+ ]
+ },
+ "SignToolCustomPath": {
+ "type": [
+ "string",
+ "null"
+ ],
+ "default": "",
+ "title": "The SignToolCustomPath Schema",
+ "examples": [
+ "C:\\signtool.exe"
+ ]
+ },
+ "CertificateCommonName": {
+ "type": [
+ "string",
+ "null"
+ ],
+ "default": "",
+ "title": "The CertificateCommonName Schema",
+ "examples": [
+ "HotCakeX Code Signing"
+ ]
+ },
+ "CertificatePath": {
+ "type": [
+ "string",
+ "null"
+ ],
+ "default": "",
+ "title": "The CertificatePath Schema",
+ "examples": [
+ "C:\\Code Signing Certificate.cer"
+ ]
+ },
+ "StrictKernelPolicyGUID": {
+ "type": [
+ "string",
+ "null"
+ ],
+ "default": "",
+ "title": "The StrictKernelPolicyGUID Schema",
+ "examples": [
+ "7866e1e2-52e2-4902-a630-3e9473ed07a0"
+ ]
+ },
+ "StrictKernelNoFlightRootsPolicyGUID": {
+ "type": [
+ "string",
+ "null"
+ ],
+ "default": "",
+ "title": "The StrictKernelNoFlightRootsPolicyGUID Schema",
+ "examples": [
+ "6be72abf-b1c0-4246-95a7-d7c2c2f44a3a"
+ ]
+ },
+ "LastUpdateCheck": {
+ "type": [
+ "string",
+ "null"
+ ],
+ "default": "",
+ "title": "The LastUpdateCheck Schema",
+ "examples": [
+
"2024-01-15T09:11:11.6918283+02:00" + ] + }, + "StrictKernelModePolicyTimeOfDeployment": { + "type": [ + "string", + "null" + ], + "default": "", + "title": "The StrictKernelModePolicyTimeOfDeployment Schema", + "examples": [ + "2024-05-15T09:11:11.6918283+02:00" + ] + } + } +} \ No newline at end of file diff --git a/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies-Archived/DefaultWindows_Enforced_Kernel.xml b/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies-Archived/DefaultWindows_Enforced_Kernel.xml new file mode 100644 index 000000000..757a47255 --- /dev/null +++ b/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies-Archived/DefaultWindows_Enforced_Kernel.xml @@ -0,0 +1,155 @@ + + + 10.0.3.0 + {0510F47B-39BB-43BB-85AA-348FB15CE9C6} + {0510F47B-39BB-43BB-85AA-348FB15CE9C6} + {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0 + + + + DefaultWindowsEnforced + + + + + 022422 + + + + \ No newline at end of file diff --git a/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies-Archived/DefaultWindows_Enforced_Kernel_NoFlights.xml b/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies-Archived/DefaultWindows_Enforced_Kernel_NoFlights.xml new file mode 100644 index 000000000..720710135 --- /dev/null +++ b/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies-Archived/DefaultWindows_Enforced_Kernel_NoFlights.xml 
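Review bot: The two GUID properties and the two timestamp properties in this new schema accept any string, so a malformed `StrictKernelPolicyGUID` or `StrictKernelModePolicyTimeOfDeployment` in the user configuration file validates cleanly and only fails later in the cmdlet that consumes it; draft-07 supports both keywords, so add `"pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"` to the GUID properties and `"format": "date-time"` to `LastUpdateCheck` and `StrictKernelModePolicyTimeOfDeployment` (format is an annotation unless the validator opts in, so a pattern is the more reliable of the two). Every property allows both `null` and the `""` default as its unset value, which leaves consumers to handle two representations of absence; pick one and state it in each property's description. `"definitions": {}` is empty and can go, the top-level `description` repeats the `title` verbatim, the paired `"maxProperties"`/`"minProperties"` of 9 say less directly what `"additionalProperties": false` next to the nine `required` names would, and the file lacks a trailing newline.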
@@ -0,0 +1,131 @@ + + + 10.0.3.0 + {0510F47B-39BB-43BB-85AA-348FB15CE9C6} + {0510F47B-39BB-43BB-85AA-348FB15CE9C6} + {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0 + + + + DefaultWindowsEnforced + + + + + 022422 + + + + \ No newline at end of file diff --git a/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies-Archived/Readme.md b/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies-Archived/Readme.md new file mode 100644 index 000000000..906b5a54b --- /dev/null +++ b/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies-Archived/Readme.md @@ -0,0 +1,3 @@ +The following XML files are for strict kernel-mode type policies prior to using the Merge-CIPolicy cmdlet which helps to automatically remove the non-kernel-mode EKUs, Singer etc. + +These policies are no longer used by the WDACConfig module and are just kept for informational purposes. \ No newline at end of file diff --git a/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies/DefaultWindows_Enforced_Kernel.xml b/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies/DefaultWindows_Enforced_Kernel.xml index 757a47255..67fec4ad9 100644 --- a/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies/DefaultWindows_Enforced_Kernel.xml +++ b/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies/DefaultWindows_Enforced_Kernel.xml @@ -8,18 +8,12 @@ - - - - - - @@ -29,18 +23,12 @@ - - - - - - - + + + - - - + @@ -55,7 +43,6 @@ - @@ -68,45 +55,9 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - @@ -120,25 +71,8 @@ - - - - - - - + + 0 
diff --git a/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies/DefaultWindows_Enforced_Kernel_NoFlights.xml b/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies/DefaultWindows_Enforced_Kernel_NoFlights.xml index 720710135..53b156bd9 100644 --- a/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies/DefaultWindows_Enforced_Kernel_NoFlights.xml +++ b/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies/DefaultWindows_Enforced_Kernel_NoFlights.xml @@ -8,18 +8,12 @@ - - - - - - @@ -29,18 +23,12 @@ - - - - - - - + + + - - - + @@ -55,37 +43,9 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - @@ -96,25 +56,8 @@ - - - - - - - + + 0 diff --git a/WDACConfig/WDACConfig Module Files/Shared/Confirm-CertCN.psm1 b/WDACConfig/WDACConfig Module Files/Shared/Confirm-CertCN.psm1 index eaf6c2824..47ccd4f7e 100644 --- a/WDACConfig/WDACConfig Module Files/Shared/Confirm-CertCN.psm1 +++ b/WDACConfig/WDACConfig Module Files/Shared/Confirm-CertCN.psm1 @@ -1,7 +1,7 @@ Function Confirm-CertCN { <# .SYNOPSIS - Function to check Certificate Common name - used mostly to validate values in UserConfigurations.json + Function to check Certificate Common name - used mostly to validate values in the user configurations file .PARAMETER CN Common name of the certificate to check .INPUTS 
@@ -60,8 +60,8 @@ Export-ModuleMember -Function 'Confirm-CertCN' # SIG # Begin signature block # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCA7dZCJ2D4iMY7g -# sCB59Fa1mpK7qIMs2Q9coo3Ocbob4KCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCClTKhPScy+GGSv +# NtwnVnmFlV3FVKWW9WN2FKupDCLKqKCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5 
@@ -108,16 +108,16 @@ Export-ModuleMember -Function 'Confirm-CertCN' # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQg6bWHvT7HswyOrHK1Hq6QNsgSUIB55mvFkN8CmXL5fckwDQYJKoZIhvcNAQEB -# BQAEggIAM3a3PngWd1xsi5JnJT/dMiOZFsR8c0NnZtglxYip2HtdbJ9jyyVzq9Im -# 4Pq3TGmrwacPYw84JlpzQl4MSdhqmMaaCZVl4skIHRIjPcq3iu+E6eaL4+H7D1Cl -# aiqlmH3E1iRTXE+I53vEiMDspZcLeHKoXkZCFhHc7adJwThZ1c2TLxHzb+lubvp8 -# gC7DIe5DZpky1gMpzwMTZY9/i/LrQq2OjpSLM+WnxEpSHi6EcrSEJfHrRt7HeMxd -# oDbnVQ1aHdWrFq7+Dc4kMfjf1YplFd6od171V2GQeiErTYtj5TnjjC8tD/xLQKxf -# rbDL9c3bxMK69vmRqujv5uTpHkbGcoZZ3YD65noE86lG0F5mMBxqBxn0Za0BKrD+ -# Tp2dWtSM0a1Y0uP+gyl2POV+m+M7aAzaxAJkFNrpwkHzNxmokIF7PpjC/9DwSR/X -# ITIEi03vN4CYDK2GTMG/DvI3K2qri6eZcOjQLLed3NaLVJ9ZE+py8fybdpVJJcSq -# 3tToF/gxhael3xxKDgvRl2M0Ad50vq+urGKBJE60nFVo6jHrmpgLWE+uNEnLzU7m -# 1J45uVNlvuM74oxI2FuDpfsBP6F/iqkvSD4kIYzmZJHVcs7m1yj91XCtB/sp4wZ/ -# XXIVoePfHa9awwwtMcL5+Sp4KhIzXG2jjmH+9JsnKMWGS8DqC5o= +# IgQgc9KQVhwhfZXgWNTOfa8zpVueoy8MvnR6xvrPPPgz6JkwDQYJKoZIhvcNAQEB +# BQAEggIANti5xjvZWp6YgeOJhJzLin5JnkPq/7n0HYfP3GF19+HmDO0BZ+Yp3beq +# Q6CtOWPjI4IibztgvdldS3/4NCK5WEbXedkd3VHsICcd3DlnfSxB2F35f7WB4QfX +# j21DgYgJNzs8Gtc2TAoWSW0M0eAM+5m2olEAiNJ0TVTa59/VpdWeugF6yrLuBk2H +# 5RMhrX6WRYgN3aeNg1FTjmbXYwkyzzhQWpuO6PIsTcMx1dywvMWQ4QFXq3GVpiFc +# tcX7azsmqij8V46K1IG7aLULMUzBafYUnosv6c2jzbuolgaw5Q7smdpCMUt5TySr +# hW0136C3aHMw0SSnrA5TkAA8Ik8+e3jco8ufj3RnU9HDuUCGuByKNwDE+LPUnh2J +# y5JEtUF928YqzdyYGykeNAxwRbC0zPCMt4NSZ/c0NE2O6Tw/oz8Fvb/lN5yiscqp +# 9qhsUPIVbxuxFPp+MON5UVz+OQCX0Wgf8V+ocn5V/CWSPzm1LWzY2oa8ydeftZwf +# 6Z3/0NKbx1LrD85Ly/nYhxZlaSmpfSQ7tuGCRBWUdSyhEHp9ytZslJt5CXyySxP5 +# Hi1FHGu5Af0qyNecV6X25/7oMiGPQ6+XWYkuyVOrxl6xhRu84A9IPCFKLy4EAi92 +# 20IYwkNPlPV5LYTy/+iCYMwS8uDxBiL9TwBO0RKemUVmy4xi+O4= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1 b/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1
new file mode 100644
index 000000000..f11a019fb
--- /dev/null
+++ b/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1
@@ -0,0 +1,169 @@
+Function Get-KernelModeDriversAudit {
+ <#
+ .DESCRIPTION
+ This function will scan the Code Integrity event logs for kernel mode drivers that have been loaded since the audit mode policy has been deployed
+ and will return a folder containing symbolic links to the driver files.
+ It does this by:
+ 1. Scanning the Code Integrity event logs for kernel mode drivers that have been loaded since the audit mode policy has been deployed
+ 2. Converting each event to XML
+ 3. Converting the XML to a PowerShell object
+ 4. Replacing the global root file paths with the drive letters to create consumable paths
+ 5. Removing duplicates based on SHA256 hash
+ 6. Saving the file paths to a variable
+ 7. Filtering based on files that exist with .sys and .dll extensions
+ 8. Removing duplicates based on file path
+ 9. Creating a temporary folder to store the symbolic links to the driver files
+ 10. Creating symbolic links to the driver files
+ 11. Returning the folder containing the symbolic links to driver files
+ .INPUTS
+ None
+ .OUTPUTS
+ System.IO.DirectoryInfo
+ .NOTES
+ Get-SystemDriver only includes .sys files, but Get-KernelModeDriversAudit function includes .dll files as well just in case since they appear in event logs when auditing kernel-mode files.
+ #>
+ [CmdletBinding()]
+ param()
+
+ begin {
+ # Importing the $PSDefaultParameterValues to the current session, prior to everything else
+ .
"$ModuleRootPath\CoreExt\PSDefaultParameterValues.ps1"
+
+ # Importing the required sub-modules
+ Write-Verbose -Message 'Importing the required sub-modules'
+ Import-Module -FullyQualifiedName "$ModuleRootPath\Shared\Get-GlobalRootDrives.psm1" -Force
+
+ # Get the local disks mappings
+ [System.Object[]]$DriveLettersGlobalRootFix = Get-GlobalRootDrives
+
+ [System.IO.FileInfo[]]$KernelModeDriversPaths = @()
+ [System.Object[]]$RawData = @()
+
+ [System.DateTime]$ScanStartDate = Get-CommonWDACConfig -StrictKernelModePolicyTimeOfDeployment
+ }
+
+ process {
+ # Event Viewer Code Integrity logs scan for Audit logs based on the input date
+ foreach ($Event in Get-WinEvent -FilterHashtable @{LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; ID = 3076 } -ErrorAction SilentlyContinue | Where-Object -FilterScript { $_.TimeCreated -ge $ScanStartDate } ) {
+
+ # Convert the event to XML
+ $Xml = [System.Xml.XmlDocument]$Event.toxml()
+
+ # Convert the XML to a PowerShell object
+ $Xml.event.eventdata.data | ForEach-Object -Begin { $Hash = @{} } -Process { $Hash[$_.name] = $_.'#text' } -End { [pscustomobject]$Hash } | ForEach-Object -Process {
+
+ # Define the regex pattern
+ [System.String]$Pattern = '\\Device\\HarddiskVolume(\d+)\\(.*)$'
+
+ # Replace the global root file paths with the drive letters to create consumable paths
+ if ($_.'File Name' -match $Pattern) {
+ [System.Int64]$HardDiskVolumeNumber = $Matches[1]
+ [System.String]$RemainingPath = $Matches[2]
+ [PSCustomObject]$GetLetter = $DriveLettersGlobalRootFix | Where-Object -FilterScript { $_.devicepath -eq "\Device\HarddiskVolume$HardDiskVolumeNumber" }
+ [System.IO.FileInfo]$UsablePath = "$($GetLetter.DriveLetter)$RemainingPath"
+ $_.'File Name' = $_.'File Name' -replace $Pattern, $UsablePath
+ }
+ # Add the processed object to the array of raw data
+ $RawData += $_
+ }
+ }
+
+ Write-Verbose -Message "RawData count without processing: $($RawData.count)"
+
+ Write-Verbose -Message 'Removing duplicates
based on SHA256 hash'
+ $RawData = $RawData | Group-Object -Property 'SHA256 Hash' | ForEach-Object -Process { $_.Group[0] }
+
+ Write-Verbose -Message "RawData count after deduplication based on SHA256 hash: $($RawData.count)"
+
+ Write-Verbose -Message 'Saving the file paths to a variable'
+ [System.IO.FileInfo[]]$KernelModeDriversPaths = $RawData.'File Name'
+
+ Write-Verbose -Message 'Filtering based on files that exist with .sys and .dll extensions'
+ $KernelModeDriversPaths = $KernelModeDriversPaths | Where-Object -FilterScript { ($_.Extension -in ('.sys', '.dll')) -and ($_.Exists) }
+
+ Write-Verbose -Message "KernelModeDriversPaths count after filtering based on files that exist with .sys and .dll extensions: $($KernelModeDriversPaths.count)"
+
+ Write-Verbose -Message 'Removing duplicates based on file path'
+ $KernelModeDriversPaths = $KernelModeDriversPaths | Group-Object -Property 'FullName' | ForEach-Object -Process { $_.Group[0] }
+
+ Write-Verbose -Message "KernelModeDriversPaths count after deduplication based on file path: $($KernelModeDriversPaths.count)"
+
+ Write-Verbose -Message 'Creating a temporary folder to store the symbolic links to the driver files'
+ [System.IO.DirectoryInfo]$SymLinksStorage = New-Item -Path ($UserTempDirectoryPath + 'SymLinkStorage' + $(New-Guid)) -ItemType Directory -Force
+
+ Write-Verbose -Message 'Creating symbolic links to the driver files'
+ Foreach ($File in $KernelModeDriversPaths) {
+ New-Item -ItemType SymbolicLink -Path "$SymLinksStorage\$($File.Name)" -Target $File.FullName | Out-Null
+ }
+ }
+ end {
+ Write-Verbose -Message 'Returning the folder containing the symbolic links to driver files'
+ return [System.IO.DirectoryInfo]$SymLinksStorage
+ }
+}
+Export-ModuleMember -Function 'Get-KernelModeDriversAudit'
+
+# SIG # Begin signature block
+# MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor
+# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
+#
KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCD8/S/0R4zso40q +# qxSIty+DwrdilPA67ty0zmqe2hEX5qCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 +# LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj +# b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT +# C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5 +# MQswCQYDVQQGEwJVSzEeMBwGA1UEAxMVSG90Q2FrZVggQ29kZSBTaWduaW5nMSMw +# IQYJKoZIhvcNAQkBFhRob3RjYWtleEBvdXRsb29rLmNvbTElMCMGCSqGSIb3DQEJ +# ARYWU3B5bmV0Z2lybEBvdXRsb29rLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP +# ADCCAgoCggIBAKb1BJzTrpu1ERiwr7ivp0UuJ1GmNmmZ65eckLpGSF+2r22+7Tgm +# pEifj9NhPw0X60F9HhdSM+2XeuikmaNMvq8XRDUFoenv9P1ZU1wli5WTKHJ5ayDW +# k2NP22G9IPRnIpizkHkQnCwctx0AFJx1qvvd+EFlG6ihM0fKGG+DwMaFqsKCGh+M +# rb1bKKtY7UEnEVAsVi7KYGkkH+ukhyFUAdUbh/3ZjO0xWPYpkf/1ldvGes6pjK6P +# US2PHbe6ukiupqYYG3I5Ad0e20uQfZbz9vMSTiwslLhmsST0XAesEvi+SJYz2xAQ +# x2O4n/PxMRxZ3m5Q0WQxLTGFGjB2Bl+B+QPBzbpwb9JC77zgA8J2ncP2biEguSRJ +# e56Ezx6YpSoRv4d1jS3tpRL+ZFm8yv6We+hodE++0tLsfpUq42Guy3MrGQ2kTIRo +# 7TGLOLpayR8tYmnF0XEHaBiVl7u/Szr7kmOe/CfRG8IZl6UX+/66OqZeyJ12Q3m2 +# fe7ZWnpWT5sVp2sJmiuGb3atFXBWKcwNumNuy4JecjQE+7NF8rfIv94NxbBV/WSM +# pKf6Yv9OgzkjY1nRdIS1FBHa88RR55+7Ikh4FIGPBTAibiCEJMc79+b8cdsQGOo4 +# ymgbKjGeoRNjtegZ7XE/3TUywBBFMf8NfcjF8REs/HIl7u2RHwRaUTJdAgMBAAGj +# ggJzMIICbzA8BgkrBgEEAYI3FQcELzAtBiUrBgEEAYI3FQiG7sUghM++I4HxhQSF +# hqV1htyhDXuG5sF2wOlDAgFkAgEIMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA4GA1Ud +# DwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMBsGCSsGAQQBgjcVCgQOMAwwCgYIKwYB +# BQUHAwMwHQYDVR0OBBYEFOlnnQDHNUpYoPqECFP6JAqGDFM6MB8GA1UdIwQYMBaA +# FICT0Mhz5MfqMIi7Xax90DRKYJLSMIHUBgNVHR8EgcwwgckwgcaggcOggcCGgb1s +# ZGFwOi8vL0NOPUhPVENBS0VYLUNBLENOPUhvdENha2VYLENOPUNEUCxDTj1QdWJs +# aWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9u +# LERDPU5vbkV4aXN0ZW50RG9tYWluLERDPWNvbT9jZXJ0aWZpY2F0ZVJldm9jYXRp +# b25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnQwgccG +# CCsGAQUFBwEBBIG6MIG3MIG0BggrBgEFBQcwAoaBp2xkYXA6Ly8vQ049SE9UQ0FL +# 
RVgtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZp +# Y2VzLENOPUNvbmZpZ3VyYXRpb24sREM9Tm9uRXhpc3RlbnREb21haW4sREM9Y29t +# P2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0 +# aG9yaXR5MA0GCSqGSIb3DQEBDQUAA4ICAQA7JI76Ixy113wNjiJmJmPKfnn7brVI +# IyA3ZudXCheqWTYPyYnwzhCSzKJLejGNAsMlXwoYgXQBBmMiSI4Zv4UhTNc4Umqx +# pZSpqV+3FRFQHOG/X6NMHuFa2z7T2pdj+QJuH5TgPayKAJc+Kbg4C7edL6YoePRu +# HoEhoRffiabEP/yDtZWMa6WFqBsfgiLMlo7DfuhRJ0eRqvJ6+czOVU2bxvESMQVo +# bvFTNDlEcUzBM7QxbnsDyGpoJZTx6M3cUkEazuliPAw3IW1vJn8SR1jFBukKcjWn +# aau+/BE9w77GFz1RbIfH3hJ/CUA0wCavxWcbAHz1YoPTAz6EKjIc5PcHpDO+n8Fh +# t3ULwVjWPMoZzU589IXi+2Ol0IUWAdoQJr/Llhub3SNKZ3LlMUPNt+tXAs/vcUl0 +# 7+Dp5FpUARE2gMYA/XxfU9T6Q3pX3/NRP/ojO9m0JrKv/KMc9sCGmV9sDygCOosU +# 5yGS4Ze/DJw6QR7xT9lMiWsfgL96Qcw4lfu1+5iLr0dnDFsGowGTKPGI0EvzK7H+ +# DuFRg+Fyhn40dOUl8fVDqYHuZJRoWJxCsyobVkrX4rA6xUTswl7xYPYWz88WZDoY +# gI8AwuRkzJyUEA07IYtsbFCYrcUzIHME4uf8jsJhCmb0va1G2WrWuyasv3K/G8Nn +# f60MsDbDH1mLtzGCAxgwggMUAgEBMGYwTzETMBEGCgmSJomT8ixkARkWA2NvbTEi +# MCAGCgmSJomT8ixkARkWEkhPVENBS0VYLUNBLURvbWFpbjEUMBIGA1UEAxMLSE9U +# Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw +# GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC +# NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx +# IgQgontjxlQbDZmplahPYMnCcaVdsRPxbkX6fM0YKC+ssCcwDQYJKoZIhvcNAQEB +# BQAEggIAYyS9pmPhBPiLa8dmuQ1rH8plOvG1VgTuPLnEGmSBynYzA1sZ0BnWrlv6 +# MAnPubstvMqUVyd+TpCb1fdgkK/IsRMrmFc0E3XK4Z3mCPB6uq5E32GRHT6nZCCM +# +v2up+N42eFMTHqvn3SptHsJhyBinAX0kGvrZHFnecOmCTwKrXsSSLuCriswnBZL +# Vb5xHiD5FYvelOVrvlU4vlkAnZ1/BAsuNbIcrR0fMz0Ozbv3e5CNo178oEwd8uKD +# q8+nFctDUboiYHtMy1yNW0j/zpEjTxnZ+RUfwY3PYzpcrmFtH1b+K3lvFIl3RxjS +# rmlWUf+iQt2htLGCEdLvYVDWFxgduM4yVOZxVHyqeqy3/6+0KEJoW9zKBHeFPVYO +# ZuE05xacVjYTWJlhg0JgocqSsp9Y0wMyBm4hg6/I1a6ZoNdv9HIjnCHv8mJ3ursf +# vBWqB/Sc8GIlPdV4f4fMHP5lLF/SfYN42sFbN1z54gDUJWGNA87RFXtSF7dxrYr/ +# 964uBQ2IBoAnFVBrYrEjqXcUhTfctzwMw7zsmbM00FTleEQ9SZJo5qNDMao4KCef +# 
hmSCazJWuZPbi5aHsquQLjECcEEtBiuloxWU09k9B1StxcnMcCNzZF4QnKCqvvln +# lZID1uc7lpyjyxjVV9FjBQuDriRwI8+8EiU9PIat+hu/bjXqGis= +# SIG # End signature block diff --git a/WDACConfig/WDACConfig Module Files/WDACConfig.psd1 b/WDACConfig/WDACConfig Module Files/WDACConfig.psd1 index 6dfe9e422..9b678d200 100644 --- a/WDACConfig/WDACConfig Module Files/WDACConfig.psd1 +++ b/WDACConfig/WDACConfig Module Files/WDACConfig.psd1 @@ -4,7 +4,7 @@ RootModule = 'WDACConfig.psm1' # Version number of this module. - ModuleVersion = '0.3.0' + ModuleVersion = '0.3.1' # Supported PSEditions CompatiblePSEditions = @('Core') @@ -82,7 +82,7 @@ To get help and syntax on PowerShell console, type: '@ # Minimum version of the PowerShell engine required by this module - PowerShellVersion = '7.4.0' + PowerShellVersion = '7.4.1' # Name of the PowerShell host required by this module # PowerShellHostName = '' @@ -202,6 +202,10 @@ To get help and syntax on PowerShell console, type: 'Resources\ArgumentCompleters.ps1' 'Resources\WDAC Policies\DefaultWindows_Enforced_Kernel.xml', 'Resources\WDAC Policies\DefaultWindows_Enforced_Kernel_NoFlights.xml', + 'Resources\User Configurations\Schema.json', + 'Resources\WDAC Policies-Archived\DefaultWindows_Enforced_Kernel.xml' + 'Resources\WDAC Policies-Archived\DefaultWindows_Enforced_Kernel_NoFlights.xml' + 'Resources\WDAC Policies-Archived\Readme.md' 'Shared\Confirm-CertCN.psm1', 'Shared\Get-AuditEventLogsProcessing.psm1', 'Shared\Get-BlockRulesMeta.psm1', @@ -216,7 +220,8 @@ To get help and syntax on PowerShell console, type: 'Shared\Update-self.psm1', 'Shared\Write-ColorfulText.psm1', 'Shared\New-SnapBackGuarantee.psm1', - 'Shared\Compare-SecureString.psm1' + 'Shared\Compare-SecureString.psm1', + 'Shared\Get-KernelModeDriversAudit.psm1' ) # Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell. 
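Review bot: The symbolic-link loop at the end of `process` names every link `$SymLinksStorage\$($File.Name)`, but the de-duplication just above it is on `FullName`, so two distinct drivers that share a file name in different directories collide on the link name; `New-Item` is called without `-Force`, the "already exists" error is non-terminating and `Out-Null` only discards the success stream, so the second driver is silently missing from the folder the function returns and from whatever policy is built from it. A collision-free name that keeps the extension the later filtering relies on is `New-Item -ItemType SymbolicLink -Path "$SymLinksStorage\$($File.BaseName)-$(New-Guid)$($File.Extension)" -Target $File.FullName | Out-Null`. Two smaller points: `Get-WinEvent -FilterHashtable` accepts a `StartTime` key, so `@{LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; ID = 3076; StartTime = $ScanStartDate }` filters inside the log query instead of piping every 3076 event through `Where-Object`; and if `Get-CommonWDACConfig -StrictKernelModePolicyTimeOfDeployment` returns `$null` when the value was never set, the `[System.DateTime]` cast in `begin` presumably yields `0001-01-01` and the scan silently widens to the whole log rather than failing, so an explicit "deployment time not recorded" check before the scan is worth adding. `$UserTempDirectoryPath` is not defined in this file and is presumably a module global like `$ModuleRootPath`; a one-line comment saying where it comes from would help the next reader.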
diff --git a/WDACConfig/WDACConfig.code-workspace b/WDACConfig/WDACConfig.code-workspace index f731aca63..b2ace5967 100644 --- a/WDACConfig/WDACConfig.code-workspace +++ b/WDACConfig/WDACConfig.code-workspace @@ -131,6 +131,7 @@ "multiplatform", "Namez", "Namezx", + "nclearing", "Netbios", "nobanner", "notcontains", diff --git a/WDACConfig/version.txt b/WDACConfig/version.txt index 9325c3ccd..a2268e2de 100644 --- a/WDACConfig/version.txt +++ b/WDACConfig/version.txt @@ -1 +1 @@ -0.3.0 \ No newline at end of file +0.3.1 \ No newline at end of file diff --git a/Wiki posts/WDACConfig Module Main/New-KernelModeWDACConfig.md b/Wiki posts/WDACConfig Module Main/New-KernelModeWDACConfig.md index ec07bc671..270643a60 100644 --- a/Wiki posts/WDACConfig Module Main/New-KernelModeWDACConfig.md +++ b/Wiki posts/WDACConfig Module Main/New-KernelModeWDACConfig.md 
@@ -13,19 +13,22 @@ New-KernelModeWDACConfig [-Default] [-PrepMode] [-AuditAndEnforce] [-Deploy] [-E ### How to use -This cmdlet creates a Kernel-mode WDAC policy based on the Default Windows example policy. [You can read more about that process in here.](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-policy-for-BYOVD-Kernel-mode-only-protection) +This cmdlet generates a Kernel-mode WDAC policy derived from the Default Windows template policy. [You can learn more about that procedure in here.](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-policy-for-BYOVD-Kernel-mode-only-protection) -The default parameter indicates that the Strict Kernel-mode WDAC policy will be deployed with flight root certificates, allowing you to use insider builds of the OS. +The **-Default** parameter signifies that the Strict Kernel-mode WDAC policy will be deployed with flight root certificates, enabling you to utilize insider builds of the OS. -First you need to use the **PrepMode** parameter to deploy the base policy in Audit mode, then reboot your system, after reboot event logs are generated for Kernel-mode drivers that are running but would otherwise get blocked if the policy was not deployed in Audit mode. +Initially, you need to use the **-PrepMode** parameter to deploy the base policy in Audit mode, then restart your system. After restarting, event logs are produced for Kernel-mode drivers that are running but would otherwise be blocked if the policy was not deployed in Audit mode. -
+Subsequently, you need to use the **-AuditAndEnforce** parameter to generate the final base policy. This parameter will: -Now you need to use the **AuditAndEnforce** parameter to create the final base policy. This parameter will scan the event logs, create a supplemental policy for the drivers detected in event logs, merge the supplemental policy with the Strict Kernel-mode base policy and deploy it as a single base policy. **No reboot required after deploying the final enforced mode policy, reboot is only required 1 time, after deploying the Audit mode policy.** +1. Scan all of the event logs that were produced after deploying the audit mode policy on the system +2. Generate a supplemental policy for the drivers detected in event logs +3. Merge the supplemental policy with the Strict Kernel-mode base policy +4. Deploy it as a single base policy, rebootlessly. -Hardware drivers are scanned based on their certificates so they won't require a policy update when they are updated as long as they are still signed with the same certificate. +Hardware drivers are scanned based on their certificates so they will not necessitate a policy update when they are updated as long as they are still signed with the same certificate. -The deployed base policy can have supplemental policies too so if in the future you need to allow more Kernel-mode drivers to run on your system, you can use the following command to automatically create and deploy a Supplemental policy. +The deployed base policy can have supplemental policies too so if in the future you need to allow more Kernel-mode drivers to run on your system, you can use the following command to automatically generate and deploy a Supplemental policy. ```powershell Edit-WDACConfig -AllowNewAppsAuditEvents -SuppPolicyName "Kernel mode drivers for software X" -PolicyPath -Fallbacks None -NoUserPEs -NoScript 
@@ -39,7 +42,7 @@ Edit-WDACConfig -AllowNewAppsAuditEvents -SuppPolicyName "Kernel mode drivers fo * `-PrepMode`: Deploys the Strict Kernel-mode WDAC policy in Audit mode, preparing the system for an Audit. -* `-AuditAndEnforce`: Audits the system using event logs for any blocked drivers, generates and deploys the final Strict Kernel-mode WDAC policy on the system. +* `-AuditAndEnforce`: Audits the system using event logs for any blocked drivers, generates the final Strict Kernel-mode WDAC policy. * `-EVSigners`: Uses EVSigners policy rule option. If you want to use this parameter, make sure you use it for both PrepMode and AuditAndEnforce parameters. [Read more about EV Signers](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-Notes#policies-with-requiredev-signers-rule-option) 
@@ -64,17 +67,22 @@ New-KernelModeWDACConfig [-NoFlightRoots] [-PrepMode] [-AuditAndEnforce] [-Deplo ### How to use -This cmdlet creates a Kernel-mode WDAC policy based on the Default Windows example policy. [You can read more about that process in here.](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-policy-for-BYOVD-Kernel-mode-only-protection) +This cmdlet generates a Kernel-mode WDAC policy derived from the Default Windows template policy. [You can learn more about that procedure in here.](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-policy-for-BYOVD-Kernel-mode-only-protection) + +The **-NoFlightRoots** parameter signifies that the Strict Kernel-mode WDAC policy will not be deployed with flight root certificates, disallowing you to use insider builds of the OS. -The NoFlightRoots parameter indicates that the Strict Kernel-mode WDAC policy will not be deployed with flight root certificates, disallowing you to use insider builds of the OS. +Initially, you need to use the **-PrepMode** parameter to deploy the base policy in Audit mode, then restart your system. After restarting, event logs are produced for Kernel-mode drivers that are running but would otherwise be blocked if the policy was not deployed in Audit mode. -First you need to use the **PrepMode** parameter to deploy the base policy in Audit mode, then reboot your system, after reboot event logs are generated for Kernel-mode drivers that are running but would otherwise get blocked if the policy was not deployed in Audit mode. +Subsequently, you need to use the **-AuditAndEnforce** parameter to generate the final base policy. This parameter will: -Now you need to use the **AuditAndEnforce** parameter to create the final base policy. This parameter will scan the event logs, create a supplemental policy for the drivers detected in event logs, merge the supplemental policy with the Strict Kernel-mode base policy and deploy it as a single base policy. 
**No reboot required after deploying the final enforced mode policy, reboot is only required 1 time, after deploying the Audit mode policy.** +1. Scan all of the event logs that were produced after deploying the audit mode policy on the system +2. Generate a supplemental policy for the drivers detected in event logs +3. Merge the supplemental policy with the Strict Kernel-mode base policy +4. Deploy it as a single base policy, rebootlessly. -Hardware drivers are scanned based on their certificates so they won't require a policy update when they are updated as long as they are still signed with the same certificate. +Hardware drivers are scanned based on their certificates so they will not necessitate a policy update when they are updated as long as they are still signed with the same certificate. -The deployed base policy can have supplemental policies too so if in the future you need to allow more Kernel-mode drivers to run on your system, you can use the following command to automatically create and deploy a Supplemental policy. +The deployed base policy can have supplemental policies too so if in the future you need to allow more Kernel-mode drivers to run on your system, you can use the following command to automatically generate and deploy a Supplemental policy. ```powershell Edit-WDACConfig -AllowNewAppsAuditEvents -SuppPolicyName "Kernel mode drivers for software X" -PolicyPath -Fallbacks None -NoUserPEs -NoScript 
@@ -88,12 +96,11 @@ Edit-WDACConfig -AllowNewAppsAuditEvents -SuppPolicyName "Kernel mode drivers fo * `-PrepMode`: Deploys the Strict Kernel-mode WDAC policy in Audit mode, preparing the system for an Audit. -* `-AuditAndEnforce`: Audits the system using event logs for any blocked drivers, generates and deploys the final Strict Kernel-mode WDAC policy on the system. +* `-AuditAndEnforce`: Audits the system using event logs for any blocked drivers, generates the final Strict Kernel-mode WDAC policy. * `-EVSigners`: Uses EVSigners policy rule option. If you want to use this parameter, make sure you use it for both PrepMode and AuditAndEnforce parameters. [Read more about EV Signers](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-Notes#policies-with-requiredev-signers-rule-option) -* `-Deploy`: Indicates that the policy will be deployed. If you want to deploy the final strict kernel-mode no flight roots base policy Signed, do not use this parameter with `-AuditAndEnforce`. Instead just create the policy and then use [Deploy-SignedWDACConfig](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Deploy-SignedWDACConfig) cmdlet to deploy it. - +* `-Deploy`: Indicates that the policy will be deployed. If you want to deploy the final strict kernel-mode base policy Signed, do not use this parameter with `-AuditAndEnforce`. Instead just create the policy and then use [Deploy-SignedWDACConfig](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Deploy-SignedWDACConfig) cmdlet to deploy it.
horizontal super thin rainbow RGB line @@ -109,15 +116,3 @@ Edit-WDACConfig -AllowNewAppsAuditEvents -SuppPolicyName "Kernel mode drivers fo * **Optional** parameters indicate that they are not required and without using them the module will automatically run with the optimal settings.
- -### During the PrepModes, [the following event log categories](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations) are cleared - -* Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational includes events about Application Control policy activation and the control of executables, dlls, and drivers. - -* Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script includes events about the control of MSI installers, scripts, and COM objects. - -This behavior is required so that the audit phase will have the correct logs to scan and add to the base policy for allow listing. This behavior can be changed/improved in a future module update. - -Before the audit mode phase, make sure you trust all the files and programs installed on your system, otherwise you risk allow listing vulnerable or malicious drivers in your policy. - -