From 521f900286ddefc03b65830587e5afdfd66a16d8 Mon Sep 17 00:00:00 2001 From: Violet Date: Fri, 19 Jan 2024 15:47:07 +0200 Subject: [PATCH 01/19] Module version update --- WDACConfig/WDACConfig Module Files/WDACConfig.psd1 | 2 +- WDACConfig/version.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/WDACConfig/WDACConfig Module Files/WDACConfig.psd1 b/WDACConfig/WDACConfig Module Files/WDACConfig.psd1 index 6dfe9e422..58deff47a 100644 --- a/WDACConfig/WDACConfig Module Files/WDACConfig.psd1 +++ b/WDACConfig/WDACConfig Module Files/WDACConfig.psd1 @@ -4,7 +4,7 @@ RootModule = 'WDACConfig.psm1' # Version number of this module. - ModuleVersion = '0.3.0' + ModuleVersion = '0.3.1' # Supported PSEditions CompatiblePSEditions = @('Core') diff --git a/WDACConfig/version.txt b/WDACConfig/version.txt index 9325c3ccd..a2268e2de 100644 --- a/WDACConfig/version.txt +++ b/WDACConfig/version.txt @@ -1 +1 @@ -0.3.0 \ No newline at end of file +0.3.1 \ No newline at end of file From bc3a02f145a9899b41e911f4ad339b7ddec3e8c3 Mon Sep 17 00:00:00 2001 From: Violet Date: Fri, 19 Jan 2024 15:47:41 +0200 Subject: [PATCH 02/19] Required PS version update --- WDACConfig/WDACConfig Module Files/WDACConfig.psd1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/WDACConfig/WDACConfig Module Files/WDACConfig.psd1 b/WDACConfig/WDACConfig Module Files/WDACConfig.psd1 index 58deff47a..bbeb2a100 100644 --- a/WDACConfig/WDACConfig Module Files/WDACConfig.psd1 +++ b/WDACConfig/WDACConfig Module Files/WDACConfig.psd1 @@ -82,7 +82,7 @@ To get help and syntax on PowerShell console, type: '@ # Minimum version of the PowerShell engine required by this module - PowerShellVersion = '7.4.0' + PowerShellVersion = '7.4.1' # Name of the PowerShell host required by this module # PowerShellHostName = '' From 633203150507bc28a5cc05c026ac214f58f24f9b Mon Sep 17 00:00:00 2001 
From: Violet Date: Fri, 19 Jan 2024 15:55:32 +0200 Subject: [PATCH 03/19] Improved constant variable creation --- .../WDACConfig Module Files/Preloader.ps1 | 45 +++++++------------ 1 file changed, 16 insertions(+), 29 deletions(-) diff --git a/WDACConfig/WDACConfig Module Files/Preloader.ps1 b/WDACConfig/WDACConfig Module Files/Preloader.ps1 index fb6fad84f..77d1a2b4f 100644 --- a/WDACConfig/WDACConfig Module Files/Preloader.ps1 +++ b/WDACConfig/WDACConfig Module Files/Preloader.ps1 @@ -5,7 +5,7 @@ if (!$IsWindows) { # Specifies that the WDACConfig module requires Administrator privileges #Requires -RunAsAdministrator -# Create tamper resistant global variables (if they don't already exist) +# Create tamper resistant global variables (if they don't already exist) - They are automatically imported in the caller's environment try { if ((Test-Path -Path 'Variable:\MSFTRecommendedBlockRulesURL') -eq $false) { New-Variable -Name 'MSFTRecommendedBlockRulesURL' -Value 'https://raw.githubusercontent.com/MicrosoftDocs/windows-itpro-docs/public/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac.md' -Option 'Constant' -Scope 'Global' -Description 'User Mode block rules' -Force } if ((Test-Path -Path 'Variable:\MSFTRecommendedDriverBlockRulesURL') -eq $false) { New-Variable -Name 'MSFTRecommendedDriverBlockRulesURL' -Value 'https://raw.githubusercontent.com/MicrosoftDocs/windows-itpro-docs/public/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md' -Option 'Constant' -Scope 'Global' -Description 'Kernel Mode block rules' -Force } 
@@ -15,25 +15,12 @@ try { if ((Test-Path -Path 'Variable:\OSBuild') -eq $false) { New-Variable -Name 'OSBuild' -Value ([System.Environment]::OSVersion.Version.Build) -Option 'Constant' -Scope 'Script' -Description 'Current OS build version' -Force } if ((Test-Path -Path 'Variable:\UBR') -eq $false) { New-Variable -Name 'UBR' -Value (Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name 'UBR') -Option 'Constant' -Scope 'Script' -Description 'Update Build Revision (UBR) number' -Force } if ((Test-Path -Path 'Variable:\FullOSBuild') -eq $false) { New-Variable -Name 'FullOSBuild' -Value "$OSBuild.$UBR" -Option 'Constant' -Scope 'Script' -Description 'Create full OS build number as seen in Windows Settings' -Force } + if ((Test-Path -Path 'Variable:\ModuleRootPath') -eq $false) { New-Variable -Name 'ModuleRootPath' -Value ($PSScriptRoot) -Option 'Constant' -Scope 'Global' -Description 'Storing the value of $PSScriptRoot in a global constant variable to allow the internal functions to use it when navigating the module structure' -Force } } catch { Throw [System.InvalidOperationException] 'Could not set the required global variables.' } -# A constant variable that is automatically imported in the caller's environment and used to detect the main module's root directory -# Create it only if it's not already present, helps when user tries to import the same module version over and over again without closing the PowerShell session -try { - Get-Variable -Name 'ModuleRootPath' -ErrorAction Stop | Out-Null -} -catch { - try { - New-Variable -Name 'ModuleRootPath' -Value ($PSScriptRoot) -Option 'Constant' -Scope 'Global' -Description 'Storing the value of $PSScriptRoot in a global constant variable to allow the internal functions to use it when navigating the module structure' -Force - } - catch { - Throw [System.InvalidOperationException] 'Could not set the ModuleRootPath required global variable.' 
- } -} - # Make sure the current OS build is equal or greater than the required build number if (-NOT ([System.Decimal]$FullOSBuild -ge [System.Decimal]$Requiredbuild)) { Throw [System.PlatformNotSupportedException] "You are not using the latest build of the Windows OS. A minimum build of $Requiredbuild is required but your OS build is $FullOSBuild`nPlease go to Windows Update to install the updates and then try again." @@ -57,8 +44,8 @@ foreach ($File in (Get-ChildItem -Recurse -File -Path $ModuleRootPath -Include ' # SIG # Begin signature block # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDMg1DbL/rhhOcS -# zQVMaeJj8/hpvVzv0R5WUphR3ksGI6CCB9AwggfMMIIFtKADAgECAhMeAAAABI80 +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCC+kKF0TrvUydR3 +# RoeBV1rvokHfEf+EaUs3+W4GaAT1Q6CCB9AwggfMMIIFtKADAgECAhMeAAAABI80 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5 
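Review bot: The added ModuleRootPath line creates the constant only when `Test-Path -Path 'Variable:\ModuleRootPath'` finds nothing, so a `$ModuleRootPath` that already exists in the session — left behind by another module, or set by hand before Import-Module — is reused unchanged as the root from which the internal functions load the module's files, and the "tamper resistant" guarantee in the comment above does not hold for that case. When the variable exists, confirm it still points at this module before relying on it, e.g. `elseif ((Get-Variable -Name 'ModuleRootPath' -ValueOnly) -ne $PSScriptRoot) { Throw [System.InvalidOperationException] 'ModuleRootPath already exists with a different value.' }`; the other guarded variables in this try have the same exposure, but they predate this commit. Folding ModuleRootPath into the shared try also means its failure now surfaces as the generic 'Could not set the required global variables.' with `$_` dropped, so appending `$_` to that message would keep the reason. The enclosing try block opens in the preceding hunk.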
@@ -105,16 +92,16 @@ foreach ($File in (Get-ChildItem -Recurse -File -Path $ModuleRootPath -Include ' # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQgUplmeRqAicEvN3LDWbzqAkrsJvqCxayFqgBVpbEfLcUwDQYJKoZIhvcNAQEB -# BQAEggIAYoN0XRAlZ4Xl+7u1/gLwm9vYyn6tNHinAuwbAVwU3Bw8bUw43QjXuoHJ -# 43+Glfq8+Q4pfZlN5t7rZtduVQJW3CnrSKSTtTXOIo+ZiqMbYeM1WaOBhClNma0g -# 3tU8WqSZP7Jhi8u3WhXKCHagou6kTtnyakO9WFGTbt2dvRVbPBHgIwmAjq4hHP33 -# QZvxBAhzzzqug073kEhdULqHXkcbept10CO1HrGZvc4pirMDpdyg93fFGnIJTxcl -# AqxMQRyUIf7wrJCnccQpPUqiYMRHpRCIHDjB2T+5hu0N6nPlNg5c+UBX8m8PMQiQ -# 6uMNybnKOVKfHDG4YHS71MPOOEG13K73aO1tMe4p4NEHwK0cfA2Uuic4QSKU181y -# +l2CQjR99UADY8LBq0Up+tgFZy/qXgPaf36kXlMZkNhr0N6esR/seBQxhgP0h2cG -# 6mHef7X2K+/8Ox7NYd2synLg87JE0vsR+3DKO4p+ySK1dQYI3NCbwkP5piFMrslo -# D81gaUxTqcz87Ud41gBnb8ghANoEf1gBXNwhRk+TeUhC/NC+yff+B/EsuFWha4nM -# 76IthWnFuOWjZb6DpNd0tuKopt3Plt6NiwI+pxsDmsUD480Fpf3iQRoAwAHXsXbw -# 4OWYJXSTqGYd/n5r03KmhKvcR7NeyC/gRuTPXkOe3I0J2QuqZRo= +# IgQgmDpTjxwOYh1M6Y065UoecdVoRJvpEgntMRJmT/plNtYwDQYJKoZIhvcNAQEB +# BQAEggIAU7291Emtgs+t3GrSJWprk+JNz1i4usoWfhjVoPRivTCoU9B6U0m0/Rmh +# qHy+oQASDCG7/X/4ih14mWOGMTn2E7Y8YwX32Va23QQctgnMwiFl69LYqmihIhAx +# 1lcYYkvMujOMOwNF0ixbwpiZ5SbwpcHHl1xpHJYGHDavB690XF46P+pBsAfVxoOP +# cpTM7DTtvyiKFnwH5cbjkalQtARbAY5iwLSdEApsubPA8PPXbnxFHV1MVqrIuSSR +# QoXBDCIL/79eu+BT10v0aElyG9JlLPKmuqq8RObd984Z5EWvoDq6Xmu1peBeYF+M +# /TnL4eDYI1VMSgzIU6oHhCc+7qaK4ivScdxOPYOkVo/9aM1Q17G/FmffIuWEd3Io +# AlcJu1AJA5sn2bx7jkWcEB2YJYbwIjBQ+YFmrJEeaBiW8rvgO/48zWotWrAFWG4p +# iP77twapyCSgt5HpeoSyt3QtWkzbazvy6vESSpFpHOONieBMRitl+7R0pOZQC9M6 +# U/bBs1uzURb+T8ER1RQKrbK6ATc+amPPzomBwt0TKm3XPsd4lIUHhyrOKlWtLeDH +# FEwZlWJpFRFGRwX6NeQpDx6Nl8FtH1EhVuhoMqSraOAhqQ4hbn3l440Dk9iRj1SK +# Ui3JTnsQSqd6doTgxwxtteWeIYql6wRGh+chCyDfEishLVbOxN4= # SIG # End signature block 
From a9bbe87448618fc0d5ec491c439c06c430f0e5e7 Mon Sep 17 00:00:00 2001 From: Violet Date: Sun, 21 Jan 2024 04:26:34 +0200 Subject: [PATCH 04/19] Improved User config verification with schema Implemented JSON Schema to verify the user configurations --- .../Core/Get-CommonWDACConfig.psm1 | 58 +++++----- .../Core/Remove-CommonWDACConfig.psm1 | 75 +++++++----- .../Core/Set-CommonWDACConfig.psm1 | 83 ++++++++----- .../Resources/User Configurations/Schema.json | 109 ++++++++++++++++++ .../Shared/Confirm-CertCN.psm1 | 30 ++--- .../WDACConfig Module Files/WDACConfig.psd1 | 1 + 6 files changed, 253 insertions(+), 103 deletions(-) create mode 100644 WDACConfig/WDACConfig Module Files/Resources/User Configurations/Schema.json diff --git a/WDACConfig/WDACConfig Module Files/Core/Get-CommonWDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/Get-CommonWDACConfig.psm1 index b286d281d..6cf1124aa 100644 --- a/WDACConfig/WDACConfig Module Files/Core/Get-CommonWDACConfig.psm1 +++ b/WDACConfig/WDACConfig Module Files/Core/Get-CommonWDACConfig.psm1 
@@ -14,29 +14,30 @@ Function Get-CommonWDACConfig { begin { # Importing the $PSDefaultParameterValues to the current session, prior to everything else . "$ModuleRootPath\CoreExt\PSDefaultParameterValues.ps1" - # Importing the required sub-modules - Write-Verbose -Message 'Importing the required sub-modules' - Import-Module -FullyQualifiedName "$ModuleRootPath\Shared\Write-ColorfulText.psm1" -Force + + # Assigning the path to the UserConfigurations.json file + [System.IO.FileInfo]$Path = "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json" # Create User configuration folder if it doesn't already exist - if (-NOT (Test-Path -Path "$UserAccountDirectoryPath\.WDACConfig\")) { - New-Item -ItemType Directory -Path "$UserAccountDirectoryPath\.WDACConfig\" -Force | Out-Null + if (-NOT (Test-Path -Path (Split-Path -Path $Path -Parent))) { + New-Item -ItemType Directory -Path (Split-Path -Path $Path -Parent) -Force | Out-Null Write-Verbose -Message 'The .WDACConfig folder in the current user folder has been created because it did not exist.' } # Create User configuration file if it doesn't already exist - if (-NOT (Test-Path -Path "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json")) { - New-Item -ItemType File -Path "$UserAccountDirectoryPath\.WDACConfig\" -Name 'UserConfigurations.json' -Force | Out-Null - Write-Verbose -Message 'The UserConfigurations.json file in \.WDACConfig\ folder has been created because it did not exist.' + if (-NOT (Test-Path -Path $Path)) { + New-Item -ItemType File -Path (Split-Path -Path $Path -Parent) -Name (Split-Path -Path $Path -Leaf) -Force | Out-Null + Write-Verbose -Message 'The UserConfigurations.json file has been created because it did not exist.' } if ($Open) { - . "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json" - break + . 
$Path + [System.Boolean]$ReturnAndDone = $true + Return } # Display this message if User Configuration file is empty or only has spaces/new lines - if ([System.String]::IsNullOrWhiteSpace((Get-Content -Path "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json"))) { + if ([System.String]::IsNullOrWhiteSpace((Get-Content -Path $Path))) { Write-Verbose -Message 'Your current WDAC User Configurations is empty.' # set a boolean value that returns from the Process and End blocks as well [System.Boolean]$ReturnAndDone = $true @@ -45,7 +46,7 @@ Function Get-CommonWDACConfig { } Write-Verbose -Message 'Reading the current user configurations' - [System.Object[]]$CurrentUserConfigurations = Get-Content -Path "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json" + [System.Object[]]$CurrentUserConfigurations = Get-Content -Path $Path -Force # If the file exists but is corrupted and has bad values, rewrite it try { @@ -53,7 +54,7 @@ Function Get-CommonWDACConfig { } catch { Write-Warning -Message 'The UserConfigurations.json was corrupted, clearing it.' - Set-Content -Path "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json" -Value '' + Set-Content -Path $Path -Value '' [System.Boolean]$ReturnAndDone = $true # return/exit from the begin block Return @@ -86,8 +87,7 @@ Function Get-CommonWDACConfig { $LastUpdateCheck.IsPresent { return ($CurrentUserConfigurations.LastUpdateCheck ?? $null) } Default { # If no parameter is present - Write-ColorfulText -Color Pink -InputText 'Displaying the User Configurations that have values' - Write-Output -InputObject $CurrentUserConfigurations + Return $CurrentUserConfigurations } } } 
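Review bot: `. $Path` in the `if ($Open)` branch now applies the dot operator to a `[System.IO.FileInfo]` rather than a string; since the target is a .json file this does not source a script but, presumably, hands the file to whatever application is registered for that extension, which the old line also did but which is hard to read off the dot operator. `Invoke-Item -Path $Path` states that intent directly and does not depend on how a FileInfo stringifies when used as a command name. Separately, the read path in the `@@ -53,7 +54,7 @@` hunk still only catches a parse failure and clears the file, so the schema this commit adds is never applied to what Get-CommonWDACConfig reads and a file that is well-formed JSON with the wrong shape passes straight through; validating the raw content with `Test-Json -SchemaFile` there, as Set/Remove now do before writing, would close that gap. The begin block continues outside the hunk.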
@@ -135,8 +135,8 @@ Function Get-CommonWDACConfig { # SIG # Begin signature block # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCwf2tydbFonUJA -# TX6XctLTkPUB92871x++AbBMLXzprKCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCB8scDw743FvNRg +# SVRHp4ncdlz+d6ZSFYQPG4yW4UyabaCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5 
@@ -183,16 +183,16 @@ Function Get-CommonWDACConfig { # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQgwfpqrpvuYjerMY7ly1lc0evK86y333yWP91S9IsnT2EwDQYJKoZIhvcNAQEB -# BQAEggIAj9gCB8XhPJDoQlg8Ds1RGkuBGVh09AwmFgOaN51I/JF9pf+PN+EGZLLe -# 6c4j8VBomdksxD7LZ1vBn6QZgYQKJ+4dzmtPlEYepXa7204WQVi1qI7QhUcdcf2f -# 9X5FGlBG3xpAWkxpH9XeDh/8AL9hafX+/niVRqAJGJitLq7B2lI3UKHyxVSJilSW -# cHbXT/8dRe9evPRkvBluCk3tFIf90druUDqZObHygwrkWohElIe7eMR/rX8wi/UZ -# Kayzb0r72AWs1hy4WhfEY3u/fIXU8VqxVLt+WGMws+x4qH3ZJkC8pdfV8TPJPi4m -# UjDGruR91Mc6N7PvWZqZRLefDXhBfwNyV76uAoaqUo73bc+4tOHJi86hwd9vxjpf -# SvV0KcCo6TStM7MybPXpMqm3keSgaIhxNm1oUasx7UgN/J9ROWdyDwSQ2mMwwc33 -# aadUe64SalGyz8e5ACBjo+JVErbZ5LjOFCTa69GkNGGZ2De0Bae8BLcSXjpCxQRt -# jOFryDXpGCS64WdBJ+UZGXeJCArat0/jczAWii5Myll6ss2XpcPyZFn+EdHjFEJp -# RSYKxxGfuyTm3w4jrAwUJFaEm0oy4MTLesy+FuE62fMi0vTXRMqCQaavF3fY4tAA -# TuLEX/llPXR71FlmOmQLMFcIxMKq+RGj+ufjSMyDrtELahcW/s0= +# IgQgcci4IleKz9D3ELexV2ZgwFb5q0tPXwCuFH1vh+hl5tQwDQYJKoZIhvcNAQEB +# BQAEggIAmMbSUG2ytAHbCHe9uIBR5mky5S1ZdG75MwMxfoO3Evs0II6Jpr+1nn3h +# p7MWUtvhsVjcipESslErq+KEpBiiPD6JlrCMXspekD7j8Rf4RbGaEdQNu+B8KaN+ +# WPu1rwUJKMIKAkOffk6viq9J4putvXPJz6xv1q+Xn+B9mnq6bLbgQ9oinUexsC4j +# 6bhb3ClU6I1YYD1mRzmAvr8X5NGjFYRwCaAzsG5af3ug8+YVIFUI4Doey+pkYGFK +# HKMTpwh3sKgyB2b+cNKre8IVacP3IaD1DTfx9i1XuvW+uCtIdULAy2Ms3rV0Lj6y +# fIWfNRhLON7+ivwyFZcnQyFY8REJP53CU+o3DkZvS/tntkZSzkm6oLzNiO6xO3M9 +# +64Z10aepoDsD7bKz++KQcmD6RCvf+YizZRRL3TQoaVwi8iZorCwBbkylgh21zMb +# X13T1n0L4gfhr4VV2gC5FzVcG93PXKBK5B05rs7s+u9ancHBW8ZFTR9u2SSLBGO5 +# viSOz/wPQzV5YfWeZFyp/YctJeRPECejwDEArJJpYn3+8wQCnl0mn9Sde5f7mkdA +# JIe056KGigUSad0zU2d+enHvqwgBXU4XPJUe8Bzp54Wg9D0teaJFPkBZvna1FU+U +# M7kF2YNtSdlO4kDIRHe3/Jg+1j6nwJ1vDRJ0lJh4EwSAzi5288A= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/Core/Remove-CommonWDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/Remove-CommonWDACConfig.psm1 index 5e1cb9c2e..51ee66bf3 100644 --- a/WDACConfig/WDACConfig Module Files/Core/Remove-CommonWDACConfig.psm1 +++ b/WDACConfig/WDACConfig Module Files/Core/Remove-CommonWDACConfig.psm1 
@@ -14,27 +14,30 @@ Function Remove-CommonWDACConfig { # Importing the $PSDefaultParameterValues to the current session, prior to everything else . "$ModuleRootPath\CoreExt\PSDefaultParameterValues.ps1" + # Assigning the path to the UserConfigurations.json file + [System.IO.FileInfo]$Path = "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json" + # Create User configuration folder if it doesn't already exist - if (-NOT (Test-Path -Path "$UserAccountDirectoryPath\.WDACConfig\")) { - New-Item -ItemType Directory -Path "$UserAccountDirectoryPath\.WDACConfig\" -Force | Out-Null + if (-NOT (Test-Path -Path (Split-Path -Path $Path -Parent))) { + New-Item -ItemType Directory -Path (Split-Path -Path $Path -Parent) -Force | Out-Null Write-Verbose -Message 'The .WDACConfig folder in the current user folder has been created because it did not exist.' } # Create User configuration file if it doesn't already exist - if (-NOT (Test-Path -Path "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json")) { - New-Item -ItemType File -Path "$UserAccountDirectoryPath\.WDACConfig\" -Name 'UserConfigurations.json' -Force | Out-Null - Write-Verbose -Message 'The UserConfigurations.json file in \.WDACConfig\ folder has been created because it did not exist.' + if (-NOT (Test-Path -Path $Path)) { + New-Item -ItemType File -Path (Split-Path -Path $Path -Parent) -Name (Split-Path -Path $Path -Leaf) -Force | Out-Null + Write-Verbose -Message 'The UserConfigurations.json file has been created because it did not exist.' 
} # Delete the entire User Configs if a more specific parameter wasn't used # This method is better than $PSBoundParameters since it also contains common parameters if (!$CertCN -And !$CertPath -And !$SignToolPath -And !$UnsignedPolicyPath -And !$SignedPolicyPath -And !$StrictKernelPolicyGUID -And !$StrictKernelNoFlightRootsPolicyGUID -And !$LastUpdateCheck) { - Remove-Item -Path "$UserAccountDirectoryPath\.WDACConfig\" -Recurse -Force + Remove-Item -Path $Path -Recurse -Force Write-Verbose -Message 'User Configurations for WDACConfig module have been deleted.' # set a boolean value that returns from the Process and End blocks as well [System.Boolean]$ReturnAndDone = $true - + # Exit the begin block Return } @@ -49,8 +52,8 @@ Function Remove-CommonWDACConfig { Set-Content -Path "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json" -Value '' } - # An object to hold the User configurations - $UserConfigurationsObject = [PSCustomObject]@{ + # A hashtable to hold the User configurations + [System.Collections.Hashtable]$UserConfigurationsObject = @{ SignedPolicyPath = '' UnsignedPolicyPath = '' SignToolCustomPath = '' @@ -62,7 +65,7 @@ Function Remove-CommonWDACConfig { } } process { - + # Exit the process block if ($true -eq $ReturnAndDone) { return } if ($SignedPolicyPath) { 
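Review bot: `Remove-Item -Path $Path -Recurse -Force` now targets the JSON file instead of the `.WDACConfig` folder the old line removed, yet keeps `-Recurse`, which does nothing for a file and leads a reader to expect the folder to go; `Remove-Item -Path $Path -Force` is the honest form, and if deleting only the file is intended the comment `# Delete the entire User Configs` should say so. Further down, `Set-Content -Path "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json" -Value ''` in the `@@ -49,8 +52,8 @@` hunk still spells out the literal path that this commit replaced with `$Path` everywhere else in the function; using `$Path` there too keeps the two from drifting apart. The begin block continues outside the hunk.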
@@ -130,12 +133,28 @@ Function Remove-CommonWDACConfig { } } end { - + # Exit the end block if ($true -eq $ReturnAndDone) { return } - # Update the User Configurations file - Write-Verbose -Message 'Saving the changes' - $UserConfigurationsObject | ConvertTo-Json | Set-Content -Path "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json" + $UserConfigurationsJSON = $UserConfigurationsObject | ConvertTo-Json + + try { + Write-Verbose -Message 'Validating the JSON against the schema' + [System.Boolean]$IsValid = Test-Json -Json $UserConfigurationsJSON -SchemaFile "$ModuleRootPath\Resources\User Configurations\Schema.json" + } + catch { + Write-Warning -Message "$_`nclearing it." + Set-Content -Path $Path -Value '' -Force + } + + if ($IsValid) { + # Update the User Configurations file + Write-Verbose -Message 'Saving the changes' + $UserConfigurationsJSON | Set-Content -Path $Path -Force + } + else { + Throw 'The User Configurations file is not valid.' + } } <# .SYNOPSIS @@ -180,8 +199,8 @@ Function Remove-CommonWDACConfig { # SIG # Begin signature block # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDUXIFN1xFceXUU -# qqIqj2EMWrByQtjg/BBD/HtYor8nlaCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCBwnQ3yYWMpbARb +# NpQTlcyW/3/sV8n4brBCREzm+wwO5qCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5 
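Review bot: In the new end block the catch clears the user's on-disk configuration with `Set-Content -Path $Path -Value '' -Force` although nothing on disk was validated — the try only checks the freshly built `$UserConfigurationsJSON` string, so a missing or unreadable Schema.json or any other Test-Json failure destroys the stored settings instead of reporting the problem, and because `$IsValid` is then unset the code still falls into the `Throw` below. Leave the file alone in the catch and rethrow with the reason; passing `-ErrorAction Stop` to Test-Json (unless PSDefaultParameterValues.ps1 already sets it) also routes the validation error, which names the offending property, into that catch rather than losing it behind the generic 'not valid' message. Set-CommonWDACConfig's end block in the `@@ -219,11 +222,29 @@` hunk has the identical construct and needs the same change.
```powershell
$UserConfigurationsJSON = $UserConfigurationsObject | ConvertTo-Json

try {
    Write-Verbose -Message 'Validating the JSON against the schema'
    # -ErrorAction Stop makes a schema mismatch terminating so its message reaches the catch below
    [System.Boolean]$IsValid = Test-Json -Json $UserConfigurationsJSON -SchemaFile "$ModuleRootPath\Resources\User Configurations\Schema.json" -ErrorAction Stop
}
catch {
    # The file on disk is not what failed validation, so it is left untouched
    Throw "The User Configurations could not be validated against the schema: $_"
}

# … unchanged: if ($IsValid) { save } else { Throw } …
```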
@@ -228,16 +247,16 @@ Function Remove-CommonWDACConfig { # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQgylwQco/g2hTi3QkAmWwifX9V6O/h65vusvxiZ2XEIKwwDQYJKoZIhvcNAQEB -# BQAEggIAcDPMXUWowHy+MDkLLcOPl51H3cyqObTtta/fpfdRt2FTAEQDygjSusD8 -# D/Z3IKch1dmv1IbnRHHxPSFILsnuKbVbifk6pnfUAvXF5OZOM1+MlpHoDhJFrdkD -# 84MGD4zzKLJFY2kXKj/qo+sj8zPwONK5+d44VTGKLVt8ySGGad/ikWlOSg6OJwIl -# 342v8WmFOglxE3grkdzR7jIn6jTm5xMevKA+c8DdV8nPQiDrmdB9JY++Xp0udO7r -# MIljnY64F0qPQsg/mhh8RnIYbQY9YER/5V3Rjzq/LfHmrqemdYR9sUrUO2ihVuCC -# G55Hwu4ucJAnvRlZBQXO9zGUCzPCyIKP1JV05xPVWpqzltP6kYkLsvIWhO2UznPh -# RsUSDyna8DeQ9T6YaxpDlsTWUYGSj4I1wrwFai0j93wAgPZ2imqFRtDqYb/+CIPO -# yx7j3SkuMfkJmXsnqbSOIIeagtgv3IeVQoDKHGJCnTwSsszKuWA4Vj1GdLMTusat -# sxWoFL1gHDtd9JDabDcwVQwyisdVbIWpdtq4TnYh+aK/Y6G3rsa5YCc2QitjF0cW -# 1wbSP+w/efYPWzjPgsHumki7GM+zuU75Md8SSBy9sk5AxK+gW1q1ietUfVvqbpmg -# FbTVmZIj9Gbny/UeGagoGmqxOoECreOuY0n7xJUBK65ByssGRrk= +# IgQgEeoKBSE2p8Y0fmYtNTmD5YI8QU4I4klh9h3KDoRmBNIwDQYJKoZIhvcNAQEB +# BQAEggIAM24PfG5z2FMk7JTbNl0g9PFaDDJBtd2JaZETVTww9ITuHeprHiVqA88t +# wgKsIchLxzrg6xuiiJOPhSOrEiJ72M1e62+X565hL85fEwePLpVfQeqDAyuDHLvC +# S1gzcQa+R3tK6U3IxRJSDF8cwQg+6Pxzz21LZcGw/YNXrV0h0KS+S+jn98/RQU3J +# mkRCRW747jDjZZqs+ZAdBq5+FdhNk0IWN1EDYF/7ge6rnmT4OXetgsNZA0x09uhx +# KEqjVqI6rA1TmjIwXoudYfd8jeXP7x7wPvVZxeJZQqm5yW3RHDy5TY914lU7vafN +# +C7g9nP0yZgf2qJ9c7a1wSVo61zekSpVPJbR5g7TaxHoBcv8kDrxDnlP+bM7PHQ7 +# Mc554EIrdbGTx5AwPHzc/tcC01BPfgtGx0v2+NQr92j5DodptYEXdO/LsQn7+pQg +# yBJEFNNTtRNwxPMQd7hiP7nZkoXsQR3QCAOz2m61K9JP/kodNd2FK9QRgYbRjqet +# 84GtAjF9sFkDONkD/kXAeARVAWFPvRaYEP8SYDxp5ed5CQ/QiHcrWu46dOxfchHf +# Z9Jmkmlgw0sfszsPwl6lCuhqK+lJXNsAG3jcadHgzFzwRiDCEe7/Wzrg+nIqF62m +# ApHagvLwZHnYPfjIK3ISUDEQBLJM0DfbKE9+W/fk4gPnba0rWoE= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/Core/Set-CommonWDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/Set-CommonWDACConfig.psm1 index 1b2406113..2233e9165 100644 --- a/WDACConfig/WDACConfig Module Files/Core/Set-CommonWDACConfig.psm1 +++ b/WDACConfig/WDACConfig Module Files/Core/Set-CommonWDACConfig.psm1 
@@ -101,25 +101,28 @@ Function Set-CommonWDACConfig { # Importing the $PSDefaultParameterValues to the current session, prior to everything else . "$ModuleRootPath\CoreExt\PSDefaultParameterValues.ps1" + if (!$CertCN -And !$CertPath -And !$SignToolPath -And !$UnsignedPolicyPath -And !$SignedPolicyPath -And !$StrictKernelPolicyGUID -And !$StrictKernelNoFlightRootsPolicyGUID -And !$LastUpdateCheck) { + Throw [System.ArgumentException] 'No parameter was selected.' + } + + # Assigning the path to the UserConfigurations.json file + [System.IO.FileInfo]$Path = "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json" + # Create User configuration folder if it doesn't already exist - if (-NOT (Test-Path -Path "$UserAccountDirectoryPath\.WDACConfig\")) { - New-Item -ItemType Directory -Path "$UserAccountDirectoryPath\.WDACConfig\" -Force | Out-Null + if (-NOT (Test-Path -Path (Split-Path -Path $Path -Parent))) { + New-Item -ItemType Directory -Path (Split-Path -Path $Path -Parent) -Force | Out-Null Write-Verbose -Message 'The .WDACConfig folder in the current user folder has been created because it did not exist.' } # Create User configuration file if it doesn't already exist - if (-NOT (Test-Path -Path "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json")) { - New-Item -ItemType File -Path "$UserAccountDirectoryPath\.WDACConfig\" -Name 'UserConfigurations.json' -Force | Out-Null - Write-Verbose -Message 'The UserConfigurations.json file in \.WDACConfig\ folder has been created because it did not exist.' - } - - if (!$CertCN -And !$CertPath -And !$SignToolPath -And !$UnsignedPolicyPath -And !$SignedPolicyPath -And !$StrictKernelPolicyGUID -And !$StrictKernelNoFlightRootsPolicyGUID -And !$LastUpdateCheck) { - Throw [System.ArgumentException] 'No parameter was selected.' 
+ if (-NOT (Test-Path -Path $Path)) { + New-Item -ItemType File -Path (Split-Path -Path $Path -Parent) -Name (Split-Path -Path $Path -Leaf) -Force | Out-Null + Write-Verbose -Message 'The UserConfigurations.json file has been created because it did not exist.' } # Trying to read the current user configurations Write-Verbose -Message 'Trying to read the current user configurations' - [System.Object[]]$CurrentUserConfigurations = Get-Content -Path "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json" + [System.Object[]]$CurrentUserConfigurations = Get-Content -Path $Path # If the file exists but is corrupted and has bad values, rewrite it try { @@ -127,11 +130,11 @@ Function Set-CommonWDACConfig { } catch { Write-Verbose -Message 'The user configurations file exists but is corrupted and has bad values, rewriting it' - Set-Content -Path "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json" -Value '' + Set-Content -Path $Path -Value '' } - # An object to hold the User configurations - $UserConfigurationsObject = [PSCustomObject]@{ + # A hashtable to hold the User configurations + [System.Collections.Hashtable]$UserConfigurationsObject = @{ SignedPolicyPath = '' UnsignedPolicyPath = '' SignToolCustomPath = '' 
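Review bot: `[System.Collections.Hashtable]$UserConfigurationsObject = @{` replaces the PSCustomObject with a Hashtable, and `ConvertTo-Json` emits a Hashtable's entries in its internal enumeration order rather than the order written in the literal, so the key order of UserConfigurations.json (and of the object Set-CommonWDACConfig now displays at the end) can vary between runs even though the content is the same. `[System.Collections.Specialized.OrderedDictionary]$UserConfigurationsObject = [ordered]@{` keeps the literal order; note that a `[hashtable]` type constraint would convert an `[ordered]` literal back to an unordered Hashtable, so the type on the left has to change too. The corresponding `@@ -49,8 +52,8 @@` hunk in Remove-CommonWDACConfig has the identical declaration. The rest of the literal lies outside the hunk.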
@@ -219,11 +222,29 @@ Function Set-CommonWDACConfig { } } end { - # Update the User Configurations file - Write-Verbose -Message 'Saving the changes' - $UserConfigurationsObject | ConvertTo-Json | Set-Content -Path "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json" - Get-Content -Path "$UserAccountDirectoryPath\.WDACConfig\UserConfigurations.json" | ConvertFrom-Json | Format-List -Property * + $UserConfigurationsJSON = $UserConfigurationsObject | ConvertTo-Json + + try { + Write-Verbose -Message 'Validating the JSON against the schema' + [System.Boolean]$IsValid = Test-Json -Json $UserConfigurationsJSON -SchemaFile "$ModuleRootPath\Resources\User Configurations\Schema.json" + } + catch { + Write-Warning -Message "$_`nclearing it." + Set-Content -Path $Path -Value '' -Force + } + + if ($IsValid) { + # Update the User Configurations file + Write-Verbose -Message 'Saving the changes' + $UserConfigurationsJSON | Set-Content -Path $Path -Force + + # Display the updated User Configurations + $UserConfigurationsObject + } + else { + Throw 'The User Configurations file is not valid.' + } } <# .SYNOPSIS @@ -280,8 +301,8 @@ Register-ArgumentCompleter -CommandName 'Set-CommonWDACConfig' -ParameterName 'U # SIG # Begin signature block # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDw9TYS/Hu6MPJP -# he3QlRy8osjynqdtAN8BLpePx0Q5OKCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCbaTPxut07ludE +# hgrb6S0viAn6W5D1ZfiVKbk4EDmOKaCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5 
@@ -328,16 +349,16 @@ Register-ArgumentCompleter -CommandName 'Set-CommonWDACConfig' -ParameterName 'U # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQgZzRHhPBnvd5AMtuJem31TZ4G+oQ6Tmj3Qw5seIqiCtAwDQYJKoZIhvcNAQEB -# BQAEggIAg7bHth51OPRwsf/zlmiJOn4ikUNWmq2mislZ+GJUQ1kXn2usoLHjDA2Y -# r/ouC4WqVvWUgs6aN7KWNaY7239ZMEgLTGDMpTkdF7TcI+VsdokbFhjCKtPA49cd -# w1Uu+cSQvspCROWWiyoNqdk3sJTYaOOvkCP5/2fP9Fqz/Z6KFpUZWRatx1X7RT0o -# kiHNW7Vef9PIK84HfF3/S7fYEt2v1/WqiDAxuTWgAByZQqz5iMrLb6Bxd9eXDKn3 -# cj7/a7OdpDSTn51EYDQWZdNCm7Z4AqxJl2OACc0YKmDKT+cxpF6z0fVDlrBeGbWc -# ZC1nUHgypjLdAU2oETI8YPl/VMic3jozKV+9sF9A7+Z+CkQXpNxCLz7fgV87bTb1 -# ZKx//CMRXo/SaRmSYI9IoXV8hSK/Pjxc4gmZ8LeRFWkyPyRXJfi3V3YNWk7zb83f -# dLMTbsq7narzX86DPQ5lFBqleCr4tO7xaxclhfAxJyAwCNCSRJmx50cJvoHE3Cgt -# +sVLlegzr7SW7ZAb2R58GfwNG20eurmXKJQQ86Ef+VHcCV7fI96a9zYDV3x1RBuO -# f/wdvb4HoeZOixM54OtsPWQrUkTMPFjoLWwcNq8aqkNPCKqHyNLC2D2C3UBZS4uV -# XP2y5JRUeEJKfvD29whNXeLHUZ+k+2+9K+J4ahRwj3qVVy+uv/Y= +# IgQg2M1oZxW8hdN+8+5K5mo9J5aaTDn6V3NZVFUm7KhICAUwDQYJKoZIhvcNAQEB +# BQAEggIAJD+3rY25bsXsVcO6clUJiXMejCSQcVH/pZHc+4alDynKhOySVBfW40pI +# iwVX5d2MWQW0HTD6hrL9stlLVOtZFP1fWg5lrBzF+5+Ate0zIKerY9e8kGmZq5KG +# ZiqUS643LJWJxd6hWbAcE9M/rfBxHSke7gQ3iH12QjoMtUPFIqNubKJdndWBu/Y2 +# l0+aB+6n88d9ZDn903D6DZsmDQJSneLMiAlH37x8MXVDGQJs18GP6G9w0nP/VOjN +# qBxQDPSOGZ1QPqzp5psbl7MiHjQCxPlub9+gZA50tO8NsXeD6zcVXtcNBCIfRcx4 +# /bMRDDbwrSjPuOj7fN3hH3R+f46BWmd6rNJSDCsPugVPQ6evrrPuB9GtyXyBa1/E +# yB22/ztpmWkVG1fJ6fnfAelxNr4DD+VghX1icD7Eb1aQD0tc8Oakn3WB/ed5zTwz +# PPbsKxqyCu5KWyJTGH8uhd+8Vx8VkCiMPsdY0CJ7Bya+CkasZHzml/VoIfq2qDoz +# Vt/vVqG0k2iY4CNA7qUj/JIf4lwpTfpvbN4IX7Fvrv93RPcMVPtLxZtwlmLXGSj5 +# 8+/6H3xYXZfi58sBUUPEQP5dEZynBYPPpB3oLgH8AHq7ypf/TAyY1syEsT/5RuV6 +# aiBmcHz5VkelhHshzHnjTRVS++dJLp58P6oPgKAd8b9GCxhj67k= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/Resources/User Configurations/Schema.json b/WDACConfig/WDACConfig Module Files/Resources/User Configurations/Schema.json new file mode 100644 index 000000000..99cd41573 --- /dev/null +++ b/WDACConfig/WDACConfig Module Files/Resources/User Configurations/Schema.json 
@@ -0,0 +1,109 @@
+{
+ "definitions": {},
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "type": "object",
+ "title": "WDACConfig User Configurations",
+ "description": "WDACConfig User Configurations",
+ "maxProperties": 8,
+ "minProperties": 8,
+ "required": [
+ "SignedPolicyPath",
+ "UnsignedPolicyPath",
+ "SignToolCustomPath",
+ "CertificateCommonName",
+ "CertificatePath",
+ "StrictKernelPolicyGUID",
+ "StrictKernelNoFlightRootsPolicyGUID",
+ "LastUpdateCheck"
+ ],
+ "properties": {
+ "SignedPolicyPath": {
+ "type": [
+ "string",
+ "null"
+ ],
+ "default": "",
+ "title": "The SignedPolicyPath Schema",
+ "examples": [
+ "C:\\Signed Policy.xml"
+ ]
+ },
+ "UnsignedPolicyPath": {
+ "type": [
+ "string",
+ "null"
+ ],
+ "default": "",
+ "title": "The UnsignedPolicyPath Schema",
+ "examples": [
+ "C:\\UnsignedPolicy.xml"
+ ]
+ },
+ "SignToolCustomPath": {
+ "type": [
+ "string",
+ "null"
+ ],
+ "default": "",
+ "title": "The SignToolCustomPath Schema",
+ "examples": [
+ "C:\\signtool.exe"
+ ]
+ },
+ "CertificateCommonName": {
+ "type": [
+ "string",
+ "null"
+ ],
+ "default": "",
+ "title": "The CertificateCommonName Schema",
+ "examples": [
+ "HotCakeX Code Signing"
+ ]
+ },
+ "CertificatePath": {
+ "type": [
+ "string",
+ "null"
+ ],
+ "default": "",
+ "title": "The CertificatePath Schema",
+ "examples": [
+ "C:\\Code Signing Certificate.cer"
+ ]
+ },
+ "StrictKernelPolicyGUID": {
+ "type": [
+ "string",
+ "null"
+ ],
+ "default": "",
+ "title": "The StrictKernelPolicyGUID Schema",
+ "examples": [
+ "7866e1e2-52e2-4902-a630-3e9473ed07a0"
+ ]
+ },
+ "StrictKernelNoFlightRootsPolicyGUID": {
+ "type": [
+ "string",
+ "null"
+ ],
+ "default": "",
+ "title": "The StrictKernelNoFlightRootsPolicyGUID Schema",
+ "examples": [
+ "6be72abf-b1c0-4246-95a7-d7c2c2f44a3a"
+ ]
+ },
+ "LastUpdateCheck": {
+ "type": [
+ "string",
+ "null"
+ ],
+ "default": "",
+ "title": "The LastUpdateCheck Schema",
+ "examples": [
+ "2024-01-15T09:11:11.6918283+02:00"
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/WDACConfig/WDACConfig Module Files/Shared/Confirm-CertCN.psm1 b/WDACConfig/WDACConfig Module Files/Shared/Confirm-CertCN.psm1
index eaf6c2824..47ccd4f7e
--- a/WDACConfig/WDACConfig Module Files/Shared/Confirm-CertCN.psm1
+++ b/WDACConfig/WDACConfig Module Files/Shared/Confirm-CertCN.psm1
@@ -1,7 +1,7 @@ Function Confirm-CertCN {
 <#
 .SYNOPSIS
- Function to check Certificate Common name - used mostly to validate values in UserConfigurations.json
+ Function to check Certificate Common name - used mostly to validate values in the user configurations file
 .PARAMETER CN
 Common name of the certificate to check
 .INPUTS
@@ -60,8 +60,8 @@ Export-ModuleMember -Function 'Confirm-CertCN'
 # SIG # Begin signature block
 # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor
 # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
-# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCA7dZCJ2D4iMY7g
-# sCB59Fa1mpK7qIMs2Q9coo3Ocbob4KCCB9AwggfMMIIFtKADAgECAhMeAAAABI80
+# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCClTKhPScy+GGSv
+# NtwnVnmFlV3FVKWW9WN2FKupDCLKqKCCB9AwggfMMIIFtKADAgECAhMeAAAABI80
 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj
 # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT
 # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5
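Review bot: The two GUID properties and the timestamp accept any string: `StrictKernelPolicyGUID`, `StrictKernelNoFlightRootsPolicyGUID` and `LastUpdateCheck` are typed only as `["string","null"]` with no `pattern` or `format`, so a malformed or hand-edited value in the user configuration file passes schema validation and is only caught, if at all, by whatever later consumes it. Add `"pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"` to both GUID properties and `"format": "date-time"` to `LastUpdateCheck`, which is what the `examples` already show. The schema currently excludes unknown keys only indirectly, through `maxProperties: 8` together with eight `required` names; stating `"additionalProperties": false` next to them makes the intent explicit and keeps working when a property is added later. `SignToolCustomPath`, `CertificatePath` and the two policy paths stay free-form strings, which is fine at the schema level, but since this file is presumably user-writable the PowerShell that consumes those paths should validate them before passing them to signtool or CiTool.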
@@ -108,16 +108,16 @@ Export-ModuleMember -Function 'Confirm-CertCN' # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQg6bWHvT7HswyOrHK1Hq6QNsgSUIB55mvFkN8CmXL5fckwDQYJKoZIhvcNAQEB -# BQAEggIAM3a3PngWd1xsi5JnJT/dMiOZFsR8c0NnZtglxYip2HtdbJ9jyyVzq9Im -# 4Pq3TGmrwacPYw84JlpzQl4MSdhqmMaaCZVl4skIHRIjPcq3iu+E6eaL4+H7D1Cl -# aiqlmH3E1iRTXE+I53vEiMDspZcLeHKoXkZCFhHc7adJwThZ1c2TLxHzb+lubvp8 -# gC7DIe5DZpky1gMpzwMTZY9/i/LrQq2OjpSLM+WnxEpSHi6EcrSEJfHrRt7HeMxd -# oDbnVQ1aHdWrFq7+Dc4kMfjf1YplFd6od171V2GQeiErTYtj5TnjjC8tD/xLQKxf -# rbDL9c3bxMK69vmRqujv5uTpHkbGcoZZ3YD65noE86lG0F5mMBxqBxn0Za0BKrD+ -# Tp2dWtSM0a1Y0uP+gyl2POV+m+M7aAzaxAJkFNrpwkHzNxmokIF7PpjC/9DwSR/X -# ITIEi03vN4CYDK2GTMG/DvI3K2qri6eZcOjQLLed3NaLVJ9ZE+py8fybdpVJJcSq -# 3tToF/gxhael3xxKDgvRl2M0Ad50vq+urGKBJE60nFVo6jHrmpgLWE+uNEnLzU7m -# 1J45uVNlvuM74oxI2FuDpfsBP6F/iqkvSD4kIYzmZJHVcs7m1yj91XCtB/sp4wZ/ -# XXIVoePfHa9awwwtMcL5+Sp4KhIzXG2jjmH+9JsnKMWGS8DqC5o= +# IgQgc9KQVhwhfZXgWNTOfa8zpVueoy8MvnR6xvrPPPgz6JkwDQYJKoZIhvcNAQEB +# BQAEggIANti5xjvZWp6YgeOJhJzLin5JnkPq/7n0HYfP3GF19+HmDO0BZ+Yp3beq +# Q6CtOWPjI4IibztgvdldS3/4NCK5WEbXedkd3VHsICcd3DlnfSxB2F35f7WB4QfX +# j21DgYgJNzs8Gtc2TAoWSW0M0eAM+5m2olEAiNJ0TVTa59/VpdWeugF6yrLuBk2H +# 5RMhrX6WRYgN3aeNg1FTjmbXYwkyzzhQWpuO6PIsTcMx1dywvMWQ4QFXq3GVpiFc +# tcX7azsmqij8V46K1IG7aLULMUzBafYUnosv6c2jzbuolgaw5Q7smdpCMUt5TySr +# hW0136C3aHMw0SSnrA5TkAA8Ik8+e3jco8ufj3RnU9HDuUCGuByKNwDE+LPUnh2J +# y5JEtUF928YqzdyYGykeNAxwRbC0zPCMt4NSZ/c0NE2O6Tw/oz8Fvb/lN5yiscqp +# 9qhsUPIVbxuxFPp+MON5UVz+OQCX0Wgf8V+ocn5V/CWSPzm1LWzY2oa8ydeftZwf +# 6Z3/0NKbx1LrD85Ly/nYhxZlaSmpfSQ7tuGCRBWUdSyhEHp9ytZslJt5CXyySxP5 +# Hi1FHGu5Af0qyNecV6X25/7oMiGPQ6+XWYkuyVOrxl6xhRu84A9IPCFKLy4EAi92 +# 20IYwkNPlPV5LYTy/+iCYMwS8uDxBiL9TwBO0RKemUVmy4xi+O4= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/WDACConfig.psd1 b/WDACConfig/WDACConfig Module Files/WDACConfig.psd1
index bbeb2a100..98f6b91f9
--- a/WDACConfig/WDACConfig Module Files/WDACConfig.psd1
+++ b/WDACConfig/WDACConfig Module Files/WDACConfig.psd1
@@ -202,6 +202,7 @@ To get help and syntax on PowerShell console, type:
 'Resources\ArgumentCompleters.ps1'
 'Resources\WDAC Policies\DefaultWindows_Enforced_Kernel.xml',
 'Resources\WDAC Policies\DefaultWindows_Enforced_Kernel_NoFlights.xml',
+ 'Resources\User Configurations\Schema.json',
 'Shared\Confirm-CertCN.psm1',
 'Shared\Get-AuditEventLogsProcessing.psm1',
 'Shared\Get-BlockRulesMeta.psm1',
From f7ba0983bb3fa341b4527647aa3305fc2f7b6dac Mon Sep 17 00:00:00 2001
From: Violet
Date: Sun, 21 Jan 2024 04:29:24 +0200
Subject: [PATCH 05/19] Added named parameters to some cmdlets
---
 .../Core/Build-WDACCertificate.psm1 | 30 +++++++++----------
 .../Core/Deploy-SignedWDACConfig.psm1 | 30 +++++++++----------
 .../Core/Edit-SignedWDACConfig.psm1 | 30 +++++++++----------
 .../Core/Remove-WDACConfig.psm1 | 30 +++++++++----------
 .../Core/Set-CommonWDACConfig.psm1 | 30 +++++++++----------
 5 files changed, 75 insertions(+), 75 deletions(-)
diff --git a/WDACConfig/WDACConfig Module Files/Core/Build-WDACCertificate.psm1 b/WDACConfig/WDACConfig Module Files/Core/Build-WDACCertificate.psm1
index fe6a240c4..d81ff3744
--- a/WDACConfig/WDACConfig Module Files/Core/Build-WDACCertificate.psm1
+++ b/WDACConfig/WDACConfig Module Files/Core/Build-WDACCertificate.psm1
@@ -248,7 +248,7 @@ ValidityPeriod = Years
 Get the value of the Application Policies extension
- ($NewCertificate.Extensions | Where-Object { $_.oid.FriendlyName -eq 'Application Policies' }).Format($false)
+ ($NewCertificate.Extensions | Where-Object -FilterScript { $_.oid.FriendlyName -eq 'Application Policies' }).Format($false)
 Use certutil -dump -v '.\codesign.cer' to view the certificate properties, such as encoding of the certificate fields like the subject
@@ -287,8 +287,8 @@ ValidityPeriod = Years # SIG # Begin signature block # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCD0Pmkq2Dq/eTYD -# mUBJIrmyEJrkfd8ABk8OVSleUNsFkaCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAefmwKXp6aQDQ5 +# GyFzyXuqW+XjwXh/WyLmKL17F3+8XaCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5 
@@ -335,16 +335,16 @@ ValidityPeriod = Years # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQgyfG38dOJWH9RmcRqEoNo3WCjFPdQpeWfatq776M1gyAwDQYJKoZIhvcNAQEB -# BQAEggIASG9efEq01lcnAWImVCRosVR/5LPE1rDPd+3fszzL8pD+7bBRQZi+T57u -# UquSpx0XtyOd1jhyKErnTvWVyrSIPbyVmqBSjLIVZdCPsDpbuGiQnW4TCfcv9YsB -# vminrSw2dFTQm8Lyo9VOhstZc9e5Pqa4ajViLUrrX/UMf13hJzDigvse28/VWA6O -# euKGkz+Q9MX+b+S7R/QDrINDzE5D4kVFUA0mxLunb3ATGvpBMDpFE0hGkvNiFm8E -# qAA0MuvdbULJpY8CuvmD/Jj7zfciPSNMlXbhNoQQ7ROrRIG1kD35/bw6ZBFpukrC -# +n+dH/tW61ljk8aWYKdMsVzohlocq+kNvQBBvs5AVmXha1Z6dj3fQJnY2NdE8s0l -# 1rGu7lfQFReqyd5ywwMe2xSjiaZ4/C//XHEF+yjhQxvaOcUXgcQKvV2xXN+hyIOZ -# +BPgnn2bubfhW2RlnmmD+8HCTUAflmt5YbEERchgMZY0DE2blzW5y8V3eYTNzG8P -# qQfwHkGmBCqY4eDsNALlIcCwIJieNXoeqIVFlU461wrqUSz2/vKd59seXF+ANVgi -# 03WZoHXvyQYVG88+l9FTjuDEvoxs49NkjjzKrqyv1fcES7Cs/23kOhPfzy/hZZPD -# i5oc6guG8v99WHRHbYdMc+i3v+sjCH5EJTpoGmk2Gb6FcuPV7U8= +# IgQg1QqulqQXJmWru2WYLdhSLnMsmo+z8jsS9JS+BSTkpCUwDQYJKoZIhvcNAQEB +# BQAEggIACx8pJxohFRFy51ygAYNCOqVihr4lO914ahXPAJFPBr10PaqXgEDyK4E2 +# KqFgcmtLEf2q7Mn02Hr8lP6azt49Lt1w4zbYvXW+HUeBKJKa6p8M+EhUH/+EGvlE +# 4xUKr7oIjNa3KLsM1bAIsLLjYPErMWP6XDrzu8/9K+JviDUuvzboL4+y2tmAEpFH +# G5yo5L5rAVruzTZsxWse7eQXpFgLDTpaGoBc+gtc9g+nBt3xNdijA76pvshCtv7q +# wLTpQohxxLG19tQqOqNJbHtaE98sDE9xIbJGV1rDN3ETdyhIVqrmizurWUUIA/1N +# HBWcVWt5YOpwsBvV9CEnvkpogBVmp6sbRO4ETNv1AyIGYF/neYX4U6tLgYr6tF5Q +# we9fVXf565c1uve839c9gZgUvGEHy/a4Fv7vLf+nfGMsctTDUQjaluVxUdo4WxRk +# S9rDeWZZt2MYvpor6mBAN9sGEnCtComlCN1nUQXMraMlOwO3ENCy7qNXivBCtzMd +# Y+lKPFU1GpUFbfrItztenBm9pexqZimAW+HXCvZSKJUMa8E4bqj4yWiBi2HJFeOE +# ovM5ran4X0RPrjnm9/A3FYy3vXbQKC43bGUZGM39Myjv63tA6/lxHXZOTLbyeuhN +# oiMSrXYCfxZ6IDJRnH56cztOX2Rbo7/IV5k3i0Wl/ZEQhg12IQQ= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/Core/Deploy-SignedWDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/Deploy-SignedWDACConfig.psm1
index 12f1ae2bc..9e57e00f8
--- a/WDACConfig/WDACConfig Module Files/Core/Deploy-SignedWDACConfig.psm1
+++ b/WDACConfig/WDACConfig Module Files/Core/Deploy-SignedWDACConfig.psm1
@@ -45,7 +45,7 @@ Function Deploy-SignedWDACConfig {
 }
 # Count the number of duplicate CNs in the output array
- [System.Int64]$NumberOfDuplicateCNs = @($Output | Where-Object { $_ -eq $InputCN }).Count
+ [System.Int64]$NumberOfDuplicateCNs = @($Output | Where-Object -FilterScript { $_ -eq $InputCN }).Count
 # If the certificate with the provided common name exists in the personal store of the user certificates
 if ($Output -contains $_) {
@@ -325,8 +325,8 @@ Register-ArgumentCompleter -CommandName 'Deploy-SignedWDACConfig' -ParameterName
 # SIG # Begin signature block
 # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor
 # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
-# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCD9zseRSedgvEH/
-# UmdR8mMCozbNr5swsYhfIbgKI2SACKCCB9AwggfMMIIFtKADAgECAhMeAAAABI80
+# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAnRwDvigOya6Sj
+# l2hIoqVyfOcnyR6nt70Hk73zv/QukKCCB9AwggfMMIIFtKADAgECAhMeAAAABI80
 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj
 # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT
 # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5
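Review bot: The existence check on the last line of the hunk, `if ($Output -contains $_) {`, tests `$_` while the duplicate count two lines above filters on `$InputCN`; if `$InputCN` is a trimmed or otherwise normalised copy of `$_` assigned above the hunk (that code is outside this hunk), the two checks can disagree on the same input, so use one name in both places: `if ($Output -contains $InputCN) {`. This is also the point where a code-signing certificate is selected by Common Name, which is not a unique attribute; `$NumberOfDuplicateCNs` is computed here, so the branch that acts on a count greater than one should refuse rather than take the first match, but that branch is not visible in the hunk. The same CN-validation block appears verbatim in Edit-SignedWDACConfig, Remove-WDACConfig and Set-CommonWDACConfig in this patch, and the patch already touches `Shared\Confirm-CertCN.psm1`, so hosting it there would stop the four copies from drifting. The enclosing function begins before the hunk.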
@@ -373,16 +373,16 @@ Register-ArgumentCompleter -CommandName 'Deploy-SignedWDACConfig' -ParameterName # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQg5WiETJONw1G0NqOHUdYMKymFHXSous2MRSuw7UicVzMwDQYJKoZIhvcNAQEB -# BQAEggIAVm5+YhMxTotLMOqvHaMODj0JyAm418qIJIwMO0NaplA6JFTuVM4qwGM5 -# vLAMy8ojlEQZnnOo5ieGaCHi3N8+lbL/opd159/+lOHDq57uVrJoxUT3VkuEXYKB -# cvzx+qTe9UQnh3C8VQ9TiLAcD3nictP79NPR3B0Dhsb7a8PeKJ4NRWfb+aPbucAa -# NPzsaF6rXUOyIsWMoeOIt0AGg3FXuwslQhnBLTf5TnD//INC5WB2fHY93I2EO7ME -# 664G9ygjY/2MuPVFW5wYe05vgqBXKkyB7dV4LzkA/U0avyEOlIuMMqqWOUKZ3yLU -# kZZ00Op6UkXW1EO4GKiMjOk7FyuD1/48/fPxozfrXb6nZrJ4fVLqQh+GeaK351jl -# 0psap4rV/xo5imGA+o5RWP96ykDkoZoMA4QYw1yoChG1qbiz7mwbY6pyG4Lkuw99 -# gasRVqFAazrE70N1IaPfKftkvtMeOR+WUrAEBdI5VuKR6scEPRZM/3mc1dhqE88i -# 6lp1Zi+TJrVPAbPihGXwMiIvcXSH9QoF2qJ5acFIIzsqLSRn9HyoYhYiP4gTn8Jm -# qZUyEdV3e6mH1A3rBqNxlFdXkmCGDJkmFoLl9pGAatvIIYtacOCdnBRg3E2t5VlK -# /mlgVwDOmnno7gZ90CPZjmVvTeOrayUfpqO3FKRWVvaqZ6HWlc4= +# IgQgFZecwVpcHmdKO1YFkbSeCvzEm9Mb7EB+M27hBmiHkuIwDQYJKoZIhvcNAQEB +# BQAEggIAc3Hmq3D+n+5akVGKDhi0Rnn0emGfUhUw/yDDiGUN/ndan4AsNnWe1QPT +# w4dkRZXgV6/bfp5ak4wr3JcixOM0oxQFutFKvYGIdP4Kv4zoDUnqN+dSm1wf6XG+ +# OvNzEtvgULzkJvfmtWS3sS5Rz9tevMw/t+oCROOUMA6xAcVSiVbPiVA27INWR5jC +# bl2LXbwWX0tbbMIfjPEOcjq8CgpqW0K65dIYE9cNhUCjy0mZRb12Fp7krtvJejgy +# TegxreANnHPJNjyxivdw56lGrk6rL/qLgtE/dK4sH+SAXHAZmCYdlm1k0TPfJ4Dt +# 3JM5zkvVWFcs9rmO7yCyBg+s6qmZmd2Qtio8lzxjefe/a+mIzT08k0vzVOZ0kN9y +# s1VslYBOQmFnTjc3hLc4mU4zfcvrCrOM+BLx64twanadX9f4WCW4cL+cFlRbwJ8j +# LvL8O43QZYQj2svboUZiG5QQ5cu28x17+K9CCpqw+UaiI7n/78xvUzu5gP1bct1k +# UI81Dcf+IdUu4l++jEyB9BYIu39+kgtOJP6y/DdVGYyd02kOzU2wnOOzhcxGUj/O +# O6i5bkW6hTKlZSBsC9PCGItUmcsXM7Bzlyjrlcrth1fRGvmoXGXfaAgwa3Oqd+S3 +# xZBtIwGbi22EbbearPIUyovC+ryaqtTy0iHmWtuUqfJHF9wGXD0= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/Core/Edit-SignedWDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/Edit-SignedWDACConfig.psm1
index 6a2218629..ce83ff849
--- a/WDACConfig/WDACConfig Module Files/Core/Edit-SignedWDACConfig.psm1
+++ b/WDACConfig/WDACConfig Module Files/Core/Edit-SignedWDACConfig.psm1
@@ -97,7 +97,7 @@ Function Edit-SignedWDACConfig {
 }
 # Count the number of duplicate CNs in the output array
- [System.Int64]$NumberOfDuplicateCNs = @($Output | Where-Object { $_ -eq $InputCN }).Count
+ [System.Int64]$NumberOfDuplicateCNs = @($Output | Where-Object -FilterScript { $_ -eq $InputCN }).Count
 # If the certificate with the provided common name exists in the personal store of the user certificates
 if ($Output -contains $_) {
@@ -1415,8 +1415,8 @@ Register-ArgumentCompleter -CommandName 'Edit-SignedWDACConfig' -ParameterName '
 # SIG # Begin signature block
 # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor
 # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
-# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCBsX+jTe9aAPugV
-# jQ6GYpMvRzxNBuhyHKpy2hxNgtCzbKCCB9AwggfMMIIFtKADAgECAhMeAAAABI80
+# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCNeRmZQKTwdUTA
+# HvqKj9CxQKzjxQHJh2HG1KWrDx5zLKCCB9AwggfMMIIFtKADAgECAhMeAAAABI80
 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj
 # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT
 # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5
@@ -1463,16 +1463,16 @@ Register-ArgumentCompleter -CommandName 'Edit-SignedWDACConfig' -ParameterName ' # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQgKSjD2MW2Gb5VusOhuhtXcMx5q1Jfedkgq0K6OO4mH4EwDQYJKoZIhvcNAQEB -# BQAEggIAnVNbQnr0v4dETHPzy5V27hR0HrrzHdQEbijkwwad8kZ+Tv9Z0+fUZH4l -# pLdNo+Fg6h/DgCk2BMhEz84OECX7sa89glm3nIpZRSP55iK4M1unb3OR9/BUhgzT -# nYMENSDAylMF5tc+nQ8F/syPCvcF80rvXm80SYf+WCvVo2QlDFUxqWI/wFngEoZ8 -# 76i1PhtJrs6j5YTeZ+9D9SlVCvCWDCxqeiKogbKXneEsv9x2l0LJMDa4PffoPHE+ -# zH2umg2LQFdzD7w08VWSRvmWJaK+nG6HNxTfAkn5rE6zP5au46756u2IDNmPT/bW -# jmoxpnF9diaecWJrc+83XWS3CizA4dZDosIb+L6u3k/SXBEIZwiPXdhIAyw3iG1l -# HvSaIzafred6wyB+UeMELWk4N5QryN29Cu/LEzE0/LMzr5kI3IQFwjlO1T+Pdpxi -# MY5yhyS3BNjkGV14og98gxIU8UC0L28H9WV63doWpEjMqakaxyMUbapNM1upaC10 -# fC6PiyHWPn+v1r4dIzhqJLx6dDFZg2pWaGtFuFfLSZP9rrbtTWivNwAzn5c2AJfM -# zTAg3XIfdYIn1NnDonV6sXjmijXhHf5Y6ONy24Aldo503/56RB6X7EBmPp9dydlJ -# zTgrHgpuk0mc73TUreobqL/3s9XUWEvh00AwOgc4g/MYDO+qxc4= +# IgQgI90KwbePyo0nx7GnFzFujax0MrUWhbn3N7dTT8zJJfUwDQYJKoZIhvcNAQEB +# BQAEggIAXMq/ceUUilX7w4E1YVjtVfMtCYcqER6N8rQkwKjaUAM+frW1v4xOqKfq +# lrZrn0yjtRZCq5gsVPL9fLBAa4dzCSkfPG95X1zNQhoyAL7D9qfPlNI7QgebAZJH +# i4e6Dc+O4/a92ASefmDOA++8n8LzPEdXiM/GMtpdIvTQNdodcOPLhXci5ebfk2C1 +# gilz3pDPeMZkC8hO6Nr85T/7I/BXDN2eYfvd8jeos+wta/XLbmmeWGtv7CugV/2u +# d5KzhHbgCs6yzVuvLonHd8AO3gZ4RHn70sPSp3FpEVPMESR7aJbxjnMrNrn6JraL +# +uGHXEbkiHlmqH/c6mgBetWjxdCCQY2mXzmrP6xA0WI4ZL5OZA+bNFp068giqouj +# f5XIqpqa5BdHZEcdM8kfiFOcF2i3MmLwdXZMPBdO8/Kldhk9hwVyN1rI52JFgjEg +# kgylNJKuEvph9OopOGg32rfq1BmfbNwRhYuyKw/eyMFw+HkDeIs3ODcHLZ8GNcG/ +# vMd/bRUZgDMrMwtO3blgMkZCyEb93fAcNREORgwBMw1BkbNHTn+LkvokBOVt37LU +# pTxBKYO67uiL733sYGq8Ih9lU7ZCojoexhaQ9vgD1XlQ0uY+A+QpZ/GjuwrsjK6r +# s97i8tUqeN3+ZE8m2D/6aOJdGzAwoIBUfpXRBx9jz/C4jmp3Z5k= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/Core/Remove-WDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/Remove-WDACConfig.psm1
index 620f21b9c..1d28a4b09
--- a/WDACConfig/WDACConfig Module Files/Core/Remove-WDACConfig.psm1
+++ b/WDACConfig/WDACConfig Module Files/Core/Remove-WDACConfig.psm1
@@ -54,7 +54,7 @@ Function Remove-WDACConfig {
 }
 # Count the number of duplicate CNs in the output array
- [System.Int64]$NumberOfDuplicateCNs = @($Output | Where-Object { $_ -eq $InputCN }).Count
+ [System.Int64]$NumberOfDuplicateCNs = @($Output | Where-Object -FilterScript { $_ -eq $InputCN }).Count
 # If the certificate with the provided common name exists in the personal store of the user certificates
 if ($Output -contains $_) {
@@ -455,8 +455,8 @@ Register-ArgumentCompleter -CommandName 'Remove-WDACConfig' -ParameterName 'Sign
 # SIG # Begin signature block
 # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor
 # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
-# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCD70x6RuO6CSBrI
-# 0NG0p76yRtaFoSYxVDoWYBG7zIR88aCCB9AwggfMMIIFtKADAgECAhMeAAAABI80
+# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCB3e2uK/BNmaZad
+# Y6oeXDFVS92d47ftgq6yPcn0joNAzqCCB9AwggfMMIIFtKADAgECAhMeAAAABI80
 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj
 # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT
 # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5
@@ -503,16 +503,16 @@ Register-ArgumentCompleter -CommandName 'Remove-WDACConfig' -ParameterName 'Sign # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQgn4jZPW2UJAdyyUQ/oKUYwjaJkB4qfNHf+TynA+MbeGEwDQYJKoZIhvcNAQEB -# BQAEggIAmZnguxvrm9E9jRYdz+6RTAFVIvBAGLBUWMSzMv1OprsA1VPxYZGl29pn -# zC6R74GjzBe8XqoTZbUScWZG7TV/YalziYafj5mS2TlKNVN2nGU5KGlccYT+Ro4/ -# Yf1B/+NInl3Xnu3/JbofCPf0G2Fdb8OC0SZJD6ZoLqLB4qvJdMRhU3dSAvgDaQ39 -# SExY6RqZv8nFzHFdaqTdLH1CZ0qq17zThQcY7FYs6Bc8HyOwHlc9jOTsOvq5vVS2 -# yrAv4J4ZM1mv2/7tRzIHhe8GlHBhq7tEJ4CQSvt/56CP+XdfFkdFI35B/rw1ccIP -# Oy33u2IxaX12fQUX49DS11DNDR3PtKRW3qouM0Z3GwZ6Ikhzw5hXY54l1DtcXAh0 -# xoQw6uFkKCyIgxsNHycMppPy7ugp1ekQOgJ4UcxvxSU8VQA0trJftLIQ5xkJZ0Ex -# nMOubVB7ee2f9Pe8WU88u95HQMCHltS2V7l+0jiKETZs/Q2fCnnJVEqiirLQscBG -# 7nMS2gp18wmt09E+UkFBMSY7cdCOK49DsE+VF/0XycM4XnujjU6n554HpKE5lwor -# 9T6TIQRPxKhaXnq/zWbBx4LZ8JVmM7ZdzFsyBn/t9Y+5eYZGXMdEwnLAGa7bsS+g -# E7VGatMrOgEB/SjQy74SuE0WwIHxIO+13OxZa+lh63Sw2mY2BzY= +# IgQgmki1IWersNkR3U2DtZZCYJ6fq/wuXsk8CYtkA6K6SXMwDQYJKoZIhvcNAQEB +# BQAEggIATFUO6nWaM2gOef7zRdcreBoN7XDckaAtsYQp5OadUh4ltyegqPfp+YsZ +# BcRqoq9bLvgJu/pChRnjV3ci61e2us2oNKTbhs6+LrL0afaTGBDvooWuyywsgAh5 +# 0raNhMFDU5GjvEjp8CwZlbiE4eZoUwrLHgf3DGg9kUJEQqhL4Qcn1THcHxzi3tnA +# Pe+AYGPztjl7YyJOhAe7XMOGxbLT6C179aHQ/HKCvKu2318HeEAKveIADuMXOG4z +# CP3fWTHo8O+t6geVOXu9Lq1IYW1aydgQl+qrCSaLlWqvkcgLhjc+Rz/ZivFAi8sT +# md2RKv49zcr3wuEFI/54udFJTTk6K+UimKg47kbxSD5nwkwAzR790cMICWVunwRJ +# wNqwbUbVk6mF5eTV2R5oI5VBjektiEQrGPqAo/tD2G7gV5M/1Ugb2pXkhhxdCpIk +# u72+KkTTMCsWS3vCY4avWx09UvWP5+JNUVDIo3yfhsRojUa+mnqi2AyvXo1p6rUF +# aTZ1g41l4BKQc5rxsetAS5LFDq0UpUms6g1R7NkiH82kvHPCQ1LQO+ltv/vhFVrV +# UAQy97DSEpo+wpm13ym79Fmta6gtkgkPKFpYhklfHP3cwdJa5GOa+j2oMg0U9hCm +# 41iw1ca9RXNjleTza3+4PMqTYiIGaONyY2yhYzoGoWixYp02Cvs= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/Core/Set-CommonWDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/Set-CommonWDACConfig.psm1
index 2233e9165..56ae4ffb2
--- a/WDACConfig/WDACConfig Module Files/Core/Set-CommonWDACConfig.psm1
+++ b/WDACConfig/WDACConfig Module Files/Core/Set-CommonWDACConfig.psm1
@@ -31,7 +31,7 @@ Function Set-CommonWDACConfig {
 }
 # Count the number of duplicate CNs in the output array
- [System.Int64]$NumberOfDuplicateCNs = @($Output | Where-Object { $_ -eq $InputCN }).Count
+ [System.Int64]$NumberOfDuplicateCNs = @($Output | Where-Object -FilterScript { $_ -eq $InputCN }).Count
 # If the certificate with the provided common name exists in the personal store of the user certificates
 if ($Output -contains $_) {
@@ -301,8 +301,8 @@ Register-ArgumentCompleter -CommandName 'Set-CommonWDACConfig' -ParameterName 'U
 # SIG # Begin signature block
 # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor
 # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
-# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCbaTPxut07ludE
-# hgrb6S0viAn6W5D1ZfiVKbk4EDmOKaCCB9AwggfMMIIFtKADAgECAhMeAAAABI80
+# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDvydZ1B4hmnI1M
+# jXwB27oRi3S7L87lHsWYKSW5sRIc+qCCB9AwggfMMIIFtKADAgECAhMeAAAABI80
 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj
 # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT
 # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5
@@ -349,16 +349,16 @@ Register-ArgumentCompleter -CommandName 'Set-CommonWDACConfig' -ParameterName 'U # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQg2M1oZxW8hdN+8+5K5mo9J5aaTDn6V3NZVFUm7KhICAUwDQYJKoZIhvcNAQEB -# BQAEggIAJD+3rY25bsXsVcO6clUJiXMejCSQcVH/pZHc+4alDynKhOySVBfW40pI -# iwVX5d2MWQW0HTD6hrL9stlLVOtZFP1fWg5lrBzF+5+Ate0zIKerY9e8kGmZq5KG -# ZiqUS643LJWJxd6hWbAcE9M/rfBxHSke7gQ3iH12QjoMtUPFIqNubKJdndWBu/Y2 -# l0+aB+6n88d9ZDn903D6DZsmDQJSneLMiAlH37x8MXVDGQJs18GP6G9w0nP/VOjN -# qBxQDPSOGZ1QPqzp5psbl7MiHjQCxPlub9+gZA50tO8NsXeD6zcVXtcNBCIfRcx4 -# /bMRDDbwrSjPuOj7fN3hH3R+f46BWmd6rNJSDCsPugVPQ6evrrPuB9GtyXyBa1/E -# yB22/ztpmWkVG1fJ6fnfAelxNr4DD+VghX1icD7Eb1aQD0tc8Oakn3WB/ed5zTwz -# PPbsKxqyCu5KWyJTGH8uhd+8Vx8VkCiMPsdY0CJ7Bya+CkasZHzml/VoIfq2qDoz -# Vt/vVqG0k2iY4CNA7qUj/JIf4lwpTfpvbN4IX7Fvrv93RPcMVPtLxZtwlmLXGSj5 -# 8+/6H3xYXZfi58sBUUPEQP5dEZynBYPPpB3oLgH8AHq7ypf/TAyY1syEsT/5RuV6 -# aiBmcHz5VkelhHshzHnjTRVS++dJLp58P6oPgKAd8b9GCxhj67k= +# IgQgnYxLESlel8gN+L6YTq9gHWVrRHYNCYo6cYTiRY0iqGwwDQYJKoZIhvcNAQEB +# BQAEggIAoORtTaM23NLSG6UGI6D6A6DEQnm4YDU0sXS54HYeHrqG0/00c+5YeGXz +# K3uSehoI3nBIToV2PbRjoXC246D7epOpLzNDFxxIHyDgvIq0fcABiRQURMD9yKyy +# 8WTqcTjORVyDAy3SmKnByaOvXWx9y09fxpU5DY89YgfqBJc/yJ9Z7AsTYM8wx9Oq +# HiE1Cx1KdtZY7txLf1xnKp90xpKO7EwTdwM/OKlp22nVN6zmTVM1HWNcfUJ5Z/rQ +# ZVEkJr1U/88G/vck9qetoG5t95u2U1NrUXgMlFM+O4lLTj835NEzGq/Dbtq7Gf4+ +# TMQnBcTMB8yjXnNslI+r33peEES/mERc4lWNcIvFvijUMCUExSSAHZcstE89Abj3 +# hVVFYZVTvUGEXHvlqr11b7snaOYjIaXlcLCclSn0766QC8nPMQzgpLTqvk2E394E +# wzwfz+QR1ZC3bFH+Iu6NLmc/IpoTi2Sbnt2mkaN2dCLSxfZ0wtfASRRHur2yJqgT +# PYN198CFL2lBh0gvpdfXf83CGDYSCXHfhEvEtPWgwzFViU74ZR9xw8/7Q7x25A3T +# 79C01LFNvywN5fn90SsoDmDGoLA4fiOLC1puMeokZojxoFyP5vKJHIGY4WN0mrdW +# Xm8YR1i4SiOoQH/ORqHJnvysC9AX9WmvbFnX7uQtA5iVSTJBHrY= # SIG # End signature block 
From b4d57f66f3ed256809dba22e000e19b9f06a3eee Mon Sep 17 00:00:00 2001
From: Violet
Date: Sun, 21 Jan 2024 20:47:54 +0200
Subject: [PATCH 06/19] Created Get-KernelModeDriversAudit function
Used to create full of symbolic links to kernel mode drivers for scan for strict kernel mode WDAC policy
---
 .../CoreExt/PSDefaultParameterValues.ps1 | 29 ++--
 .../Shared/Get-KernelModeDriversAudit.psm1 | 155 ++++++++++++++++++
 .../WDACConfig Module Files/WDACConfig.psd1 | 3 +-
 3 files changed, 172 insertions(+), 15 deletions(-)
 create mode 100644 WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1
diff --git a/WDACConfig/WDACConfig Module Files/CoreExt/PSDefaultParameterValues.ps1 b/WDACConfig/WDACConfig Module Files/CoreExt/PSDefaultParameterValues.ps1
index 352c3c8b7..25b3dc198
--- a/WDACConfig/WDACConfig Module Files/CoreExt/PSDefaultParameterValues.ps1
+++ b/WDACConfig/WDACConfig Module Files/CoreExt/PSDefaultParameterValues.ps1
@@ -25,14 +25,15 @@ $PSDefaultParameterValues = @{
 'Write-ColorfulText:Verbose' = $Verbose
 'New-SnapBackGuarantee:Verbose' = $Verbose
 'Compare-SecureStrings:Verbose' = $Verbose
+ 'Get-KernelModeDriversAudit:Verbose' = $Verbose
 'Test-Path:ErrorAction' = 'SilentlyContinue'
 }
 # SIG # Begin signature block
 # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor
 # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
-# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAq/YkLjJjtBehP
-# sLXkIUKnijkmyTYFBvH3HE7h2gQ3laCCB9AwggfMMIIFtKADAgECAhMeAAAABI80
+# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAavzUGHdyJ3I+w
+# OIj3l5bxX1qsMhDsElMnxwsFZooSLaCCB9AwggfMMIIFtKADAgECAhMeAAAABI80
 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj
 # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT
 # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5
@@ -79,16 +80,16 @@ $PSDefaultParameterValues = @{ # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQgBsVei4uZFqCjRJkjIYhhDwoTfFDtLMT88a35joPnAF8wDQYJKoZIhvcNAQEB -# BQAEggIAHEeRWySIQRkKPzBdxU9+e7tCA4h9EBxWKsoy3+gwz6Erd6F1iGJNQ5lH -# pJVzLKO5AQB2aFK8of9x2q2aD9mzMrZSj34QvNUfN/XmW77zGZCYdGSt0wKz0Ix8 -# vUStrzhUgxioVuTJZLfSSEHohQqUJ8PI/acgqwq2C34HFREa4jjBaA6j41R20vMO -# RipGVrAtSbzSLpfLpXeoZrmuxugaURNJjZboNf1FVz+Odll6PoaFNGyuOuwyzbGF -# kSE/KTLt2lXpwkkLZRCyQC4KnDJ/F58HUDfh4iquS8jz9A7CzNueyI4LBkxfiadR -# HCIx99U5lZ7HutxiNDkW6SdHcHIxxCADWDciuoX3N/fz6UibFbr98B4Oo4Z2lMKc -# /2gYi/x7BO0ikJ5t1k5+/MA6OHTrPKpSiz1xUkeEX2bBT5stz/Qnx0sjZBLKu53h -# J2+i+C5aM5XghJxYjl2y5wickHkIOqESqvMgmPuEAiKyU+08D4/0+lgt8HXNIq9F -# QBJOsgA1538fEOvZaP5069JrIiHtnu6uKM+GzHnQqq9PHRyS5uTEd+9TjVueKyCj -# ePhBhUQbVV78x7hIVN8YuYHv+AR3scopNHTkbbqxQrPeL3BAlgHKoS5ki8RUQbFU -# Ug4dxa6QYqx7Da146FkklYBI/02EPQLnnZQ4UfTzLH62ZTmeShQ= +# IgQgu8iEkljlv5xO0xI4cExICeQZT/joQoFv2ddHPFszyigwDQYJKoZIhvcNAQEB +# BQAEggIAlQUdwg8+wtYdrpbyscx+grjjQLH7KVm9872qnH7eLnWgDTd+xFnsy6EM +# Zk7pGSyYt+Dx6/oWE9SU2+dCjCOq0/eFyTlhC+Jy4Mt7ZsneBaLWHBzNeI+DT4bM +# qylINYjgHqbMQtgL1rcwH6gZh12UBcVHuNuwyguFSm0SbCZKWEId/Q2A8EAlaf0A +# 2/HUZEs278x5MZ5MBIYP4RKHFLTvxUl3XG+7+OZGBVw7VevCcBXQtjMgKoYxjtt9 +# fHt1unFBeGCzVjEE5i/QEnYucX/uzTIdlk9Aq6nScNXwltdWFQdrZNPkSXtyU5do +# CZH+wbEF9V3IN9ycjtqvNgb3LLhCzGaq4rdXtRZO1Tu5RP70FjILHlftXjYU/45Q +# Jo7hJph1KLZmrCIbrgFRe9F+GBN3uiU6stbiTnDW0oQibXRb+fWrOdB8F1EnxUaG +# g/fbbeoSYOZ0WMhI0exosr8yWJIUAKxKkmIttPvb84B10qTk0uZ4sWtaT68wbj3t +# F3y9t21bXWmZ9vKl/8WgNV0yZwUMyFPpRD4z00v+eHoSfAwGqdqLgyOXgGIYPvv2 +# I55El6cZc2bfdjHi2XFle8ufqNIbUVYDwlq7+GknPMGIqZwH46BMNZj0q+ZBOPeE +# fro+r3uD/Kelphb3TG+djHoBBGwDtUp0zlSZ6dlapMFNJ/IIWVA= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1 b/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1
new file mode 100644
index 000000000..88d4e4d4d
--- /dev/null
+++ b/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1
@@ -0,0 +1,155 @@
+Function Get-KernelModeDriversAudit {
+ <#
+ .DESCRIPTION
+ This function will scan the Code Integrity event logs for kernel mode drivers that have been loaded and will return a folder containing symbolic links to the driver files.
+ .PARAMETER Date
+ The date from which to start the scan
+ .INPUTS
+ System.DateTime
+ .OUTPUTS
+ System.IO.DirectoryInfo
+ #>
+ [CmdletBinding()]
+ param(
+ [Parameter(Mandatory = $true)][System.DateTime]$Date
+ )
+ begin {
+ # Importing the $PSDefaultParameterValues to the current session, prior to everything else
+ . "$ModuleRootPath\CoreExt\PSDefaultParameterValues.ps1"
+
+ # Importing the required sub-modules
+ Write-Verbose -Message 'Importing the required sub-modules'
+ Import-Module -FullyQualifiedName "$ModuleRootPath\Shared\Get-GlobalRootDrives.psm1" -Force
+
+ # Get the local disks mappings
+ [System.Object[]]$DriveLettersGlobalRootFix = Get-GlobalRootDrives
+
+ [System.IO.FileInfo[]]$KernelModeDriversPaths = @()
+ [System.Object[]]$RawData = @()
+ }
+
+ process {
+ # Event Viewer Code Integrity logs scan for Audit logs based on the input date
+ foreach ($event in Get-WinEvent -FilterHashtable @{LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; ID = 3076 } -ErrorAction SilentlyContinue | Where-Object -FilterScript { $_.TimeCreated -ge $Date } ) {
+
+ # Convert the event to XML
+ $Xml = [System.Xml.XmlDocument]$event.toxml()
+
+ # Convert the XML to a PowerShell object
+ $Xml.event.eventdata.data | ForEach-Object -Begin { $Hash = @{} } -Process { $Hash[$_.name] = $_.'#text' } -End { [pscustomobject]$Hash } | ForEach-Object -Process {
+
+ # Define the regex pattern
+ [System.String]$Pattern = '\\Device\\HarddiskVolume(\d+)\\(.*)$'
+
+ # Replace the global root file paths with the drive letters to create consumable paths
+ if ($_.'File Name' -match $Pattern) {
+ [System.Int64]$HardDiskVolumeNumber = $Matches[1]
+ [System.String]$RemainingPath = $Matches[2]
+ [PSCustomObject]$GetLetter = 
$DriveLettersGlobalRootFix | Where-Object -FilterScript { $_.devicepath -eq "\Device\HarddiskVolume$HardDiskVolumeNumber" }
+ [System.IO.FileInfo]$UsablePath = "$($GetLetter.DriveLetter)$RemainingPath"
+ $_.'File Name' = $_.'File Name' -replace $Pattern, $UsablePath
+ }
+ # Add the processed object to the array of raw data
+ $RawData += $_
+ }
+ }
+
+ Write-Debug -Message "RawData count without processing: $($RawData.count)"
+
+ Write-Verbose -Message 'Removing duplicates based on SHA256 hash'
+ $RawData = $RawData | Group-Object -Property 'SHA256 Hash' | ForEach-Object -Process { $_.Group[0] }
+
+ Write-Debug -Message "RawData count after deduplication based on SHA256 hash: $($RawData.count)"
+
+ Write-Verbose -Message 'Saving the file paths to a variable'
+ [System.IO.FileInfo[]]$KernelModeDriversPaths = $RawData.'File Name'
+
+ Write-Verbose -Message 'Filtering based on files that exist with .sys extension'
+ $KernelModeDriversPaths = $KernelModeDriversPaths | Where-Object -FilterScript { ($_.Extension -eq '.sys') -and ($_.Exists) }
+
+ Write-Debug -Message "KernelModeDriversPaths count after filtering based on files that exist with .sys extension: $($KernelModeDriversPaths.count)"
+
+ Write-Verbose -Message 'Removing duplicates based on file path'
+ $KernelModeDriversPaths = $KernelModeDriversPaths | Group-Object -Property 'FullName' | ForEach-Object -Process { $_.Group[0] }
+
+ Write-Debug -Message "KernelModeDriversPaths count after deduplication based on file path: $($KernelModeDriversPaths.count)"
+
+ Write-Verbose -Message 'Creating a temporary folder to store the symbolic links to the driver files'
+ [System.IO.DirectoryInfo]$SymLinksStorage = New-Item -Path ($UserTempDirectoryPath + 'SymLinkStorage' + $(New-Guid)) -ItemType Directory -Force
+
+ Write-Verbose -Message 'Creating symbolic links to the driver files'
+ Foreach ($File in $KernelModeDriversPaths) {
+ New-Item -ItemType SymbolicLink -Path "$SymLinksStorage\$($File.Name)" -Target $File.FullName | 
Out-Null + } + } + end { + Write-Verbose -Message 'Returning the folder containing the symbolic links to driver files' + return [System.IO.DirectoryInfo]$SymLinksStorage + } +} +Export-ModuleMember -Function 'Get-KernelModeDriversAudit' + +# SIG # Begin signature block +# MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor +# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCCVwYUxeLU4oL2 +# u4Zs3B/OfgzrhUfAnEFUA+9IWd96kaCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 +# LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj +# b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT +# C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5 +# MQswCQYDVQQGEwJVSzEeMBwGA1UEAxMVSG90Q2FrZVggQ29kZSBTaWduaW5nMSMw +# IQYJKoZIhvcNAQkBFhRob3RjYWtleEBvdXRsb29rLmNvbTElMCMGCSqGSIb3DQEJ +# ARYWU3B5bmV0Z2lybEBvdXRsb29rLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP +# ADCCAgoCggIBAKb1BJzTrpu1ERiwr7ivp0UuJ1GmNmmZ65eckLpGSF+2r22+7Tgm +# pEifj9NhPw0X60F9HhdSM+2XeuikmaNMvq8XRDUFoenv9P1ZU1wli5WTKHJ5ayDW +# k2NP22G9IPRnIpizkHkQnCwctx0AFJx1qvvd+EFlG6ihM0fKGG+DwMaFqsKCGh+M +# rb1bKKtY7UEnEVAsVi7KYGkkH+ukhyFUAdUbh/3ZjO0xWPYpkf/1ldvGes6pjK6P +# US2PHbe6ukiupqYYG3I5Ad0e20uQfZbz9vMSTiwslLhmsST0XAesEvi+SJYz2xAQ +# x2O4n/PxMRxZ3m5Q0WQxLTGFGjB2Bl+B+QPBzbpwb9JC77zgA8J2ncP2biEguSRJ +# e56Ezx6YpSoRv4d1jS3tpRL+ZFm8yv6We+hodE++0tLsfpUq42Guy3MrGQ2kTIRo +# 7TGLOLpayR8tYmnF0XEHaBiVl7u/Szr7kmOe/CfRG8IZl6UX+/66OqZeyJ12Q3m2 +# fe7ZWnpWT5sVp2sJmiuGb3atFXBWKcwNumNuy4JecjQE+7NF8rfIv94NxbBV/WSM +# pKf6Yv9OgzkjY1nRdIS1FBHa88RR55+7Ikh4FIGPBTAibiCEJMc79+b8cdsQGOo4 +# ymgbKjGeoRNjtegZ7XE/3TUywBBFMf8NfcjF8REs/HIl7u2RHwRaUTJdAgMBAAGj +# ggJzMIICbzA8BgkrBgEEAYI3FQcELzAtBiUrBgEEAYI3FQiG7sUghM++I4HxhQSF +# hqV1htyhDXuG5sF2wOlDAgFkAgEIMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA4GA1Ud +# DwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMBsGCSsGAQQBgjcVCgQOMAwwCgYIKwYB +# BQUHAwMwHQYDVR0OBBYEFOlnnQDHNUpYoPqECFP6JAqGDFM6MB8GA1UdIwQYMBaA +# 
FICT0Mhz5MfqMIi7Xax90DRKYJLSMIHUBgNVHR8EgcwwgckwgcaggcOggcCGgb1s +# ZGFwOi8vL0NOPUhPVENBS0VYLUNBLENOPUhvdENha2VYLENOPUNEUCxDTj1QdWJs +# aWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9u +# LERDPU5vbkV4aXN0ZW50RG9tYWluLERDPWNvbT9jZXJ0aWZpY2F0ZVJldm9jYXRp +# b25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnQwgccG +# CCsGAQUFBwEBBIG6MIG3MIG0BggrBgEFBQcwAoaBp2xkYXA6Ly8vQ049SE9UQ0FL +# RVgtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZp +# Y2VzLENOPUNvbmZpZ3VyYXRpb24sREM9Tm9uRXhpc3RlbnREb21haW4sREM9Y29t +# P2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0 +# aG9yaXR5MA0GCSqGSIb3DQEBDQUAA4ICAQA7JI76Ixy113wNjiJmJmPKfnn7brVI +# IyA3ZudXCheqWTYPyYnwzhCSzKJLejGNAsMlXwoYgXQBBmMiSI4Zv4UhTNc4Umqx +# pZSpqV+3FRFQHOG/X6NMHuFa2z7T2pdj+QJuH5TgPayKAJc+Kbg4C7edL6YoePRu +# HoEhoRffiabEP/yDtZWMa6WFqBsfgiLMlo7DfuhRJ0eRqvJ6+czOVU2bxvESMQVo +# bvFTNDlEcUzBM7QxbnsDyGpoJZTx6M3cUkEazuliPAw3IW1vJn8SR1jFBukKcjWn +# aau+/BE9w77GFz1RbIfH3hJ/CUA0wCavxWcbAHz1YoPTAz6EKjIc5PcHpDO+n8Fh +# t3ULwVjWPMoZzU589IXi+2Ol0IUWAdoQJr/Llhub3SNKZ3LlMUPNt+tXAs/vcUl0 +# 7+Dp5FpUARE2gMYA/XxfU9T6Q3pX3/NRP/ojO9m0JrKv/KMc9sCGmV9sDygCOosU +# 5yGS4Ze/DJw6QR7xT9lMiWsfgL96Qcw4lfu1+5iLr0dnDFsGowGTKPGI0EvzK7H+ +# DuFRg+Fyhn40dOUl8fVDqYHuZJRoWJxCsyobVkrX4rA6xUTswl7xYPYWz88WZDoY +# gI8AwuRkzJyUEA07IYtsbFCYrcUzIHME4uf8jsJhCmb0va1G2WrWuyasv3K/G8Nn +# f60MsDbDH1mLtzGCAxgwggMUAgEBMGYwTzETMBEGCgmSJomT8ixkARkWA2NvbTEi +# MCAGCgmSJomT8ixkARkWEkhPVENBS0VYLUNBLURvbWFpbjEUMBIGA1UEAxMLSE9U +# Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw +# GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC +# NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx +# IgQgcPlRHs4DGAT7Ypsxs7QxZt+D2uYsPGpBEHwPvNY9x6AwDQYJKoZIhvcNAQEB +# BQAEggIAgoBr0TW0sqDUZrlMFQ+SKi5DvoRvwshfwhueYHXKiyWGT/jmhEugjWb+ +# AykKn9zUPxB/t5AVPE6nAtrb8hZvoWxxdcUfiEohjRILFTAHQIP/RvuwMDgtZtDi +# wS16WL+rfWDDReWOuTvdDPnj45YWCs0yzx90wIg73/JTG/RqxBlc6ObK2Pkv2nzQ +# 
dNA3DQwJbSBXn6BQ7pEXvj4bB0/iPIgcm7clvVjBZNiLu6aTIz7M3PpbZF28xwIb +# SC54U+gf+HJTtbqjRkRJy/AaLZw9WAqS2Yqt04iGX9XWbzkQO9qsLTRc0geF/Aeg +# CPRDer9nh0iaHmI1zcgkXPo7i6EGiyOAML9CspjeH+YoiA/Sfn2rUBRT+0mRIWsv +# ehYOJHCEU2EfC4YpRY81338ndBwjzBkg4vAqUPXcopg/5mO2QNnNha9KMzxVVLOP +# I58mNmJNX4qPRBj5jm175JZ9Cp6An247jo9eD1T/g6Kss21MwgwW8r8tmN16OFg0 +# l4dj/fmEMfyd0/zSZpgN5OVO+S1e+vpCAyy4+Q0tg8vlDdr9A/2Lm2mcO8doDHjG +# n3PR6jhnsyvBPnGWVQsLymPvFYKrA9kms4RgkJGTbz1480qKcONg7QrlSf0fwQFT +# 1YjAPN5Cbx6BFNRRe61kyACWUtyJc65kP1oDJZBPcA5SYZ0Omp8= +# SIG # End signature block diff --git a/WDACConfig/WDACConfig Module Files/WDACConfig.psd1 b/WDACConfig/WDACConfig Module Files/WDACConfig.psd1 index 98f6b91f9..b95ddbcff 100644 --- a/WDACConfig/WDACConfig Module Files/WDACConfig.psd1 +++ b/WDACConfig/WDACConfig Module Files/WDACConfig.psd1 @@ -217,7 +217,8 @@ To get help and syntax on PowerShell console, type: 'Shared\Update-self.psm1', 'Shared\Write-ColorfulText.psm1', 'Shared\New-SnapBackGuarantee.psm1', - 'Shared\Compare-SecureString.psm1' + 'Shared\Compare-SecureString.psm1', + 'Shared\Get-KernelModeDriversAudit.psm1' ) # Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell. From d0af09a1a8b84bbb03e5a4a985033bbc294b1ba5 Mon Sep 17 00:00:00 2001 From: Violet Date: Sun, 21 Jan 2024 20:57:25 +0200 Subject: [PATCH 07/19] Added New property to the user configurations Strict Kernel-Mode Policy Time Of Deployment is used internally by the module to track the deployment time of the kernel mode policy --- .../Core/Get-CommonWDACConfig.psm1 | 34 +++++----- .../Core/Remove-CommonWDACConfig.psm1 | 60 +++++++++++------- .../Core/Set-CommonWDACConfig.psm1 | 62 ++++++++++++------- .../Resources/User Configurations/Schema.json | 18 +++++- 4 files changed, 108 insertions(+), 66 deletions(-) 
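Review bot: When no entry of `$DriveLettersGlobalRootFix` matches the parsed volume number, `$GetLetter` is `$null` and `$UsablePath` silently degrades to the bare `$RemainingPath`, a relative path whose later `.Exists` test is resolved against the current working directory instead of the volume the event referred to; a guard such as `if (-not $GetLetter) { Write-Warning -Message "No drive letter found for \Device\HarddiskVolume$HardDiskVolumeNumber"; return }` placed before the `$UsablePath` assignment drops that entry instead (inside `ForEach-Object -Process`, `return` moves on to the next object). The `Where-Object { $_.TimeCreated -ge $Date }` stage can be folded into the filter hash table as `StartTime = $Date`, which lets the event log service do the date filtering. The staging folder is created under `$UserTempDirectoryPath`, a variable not defined in this file; if that is the interactive user's profile temp directory, it remains writable by that user's non-elevated processes even though this module runs elevated, so anything placed there between link creation and the later `Get-SystemDriver -ScanPath` scan ends up in the allow list — creating the folder under a location whose ACL admits only administrators, or re-checking each link's target immediately before the scan, closes that window.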
diff --git a/WDACConfig/WDACConfig Module Files/Core/Get-CommonWDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/Get-CommonWDACConfig.psm1
index 6cf1124aa..074971890 100644
--- a/WDACConfig/WDACConfig Module Files/Core/Get-CommonWDACConfig.psm1
+++ b/WDACConfig/WDACConfig Module Files/Core/Get-CommonWDACConfig.psm1
@@ -9,7 +9,8 @@ Function Get-CommonWDACConfig {
 [parameter(Mandatory = $false, DontShow = $true)][System.Management.Automation.SwitchParameter]$StrictKernelPolicyGUID,
 [parameter(Mandatory = $false, DontShow = $true)][System.Management.Automation.SwitchParameter]$StrictKernelNoFlightRootsPolicyGUID,
 [parameter(Mandatory = $false)][System.Management.Automation.SwitchParameter]$Open,
- [parameter(Mandatory = $false, DontShow = $true)][System.Management.Automation.SwitchParameter]$LastUpdateCheck
+ [parameter(Mandatory = $false, DontShow = $true)][System.Management.Automation.SwitchParameter]$LastUpdateCheck,
+ [parameter(Mandatory = $false)][System.Management.Automation.SwitchParameter]$StrictKernelModePolicyTimeOfDeployment
 )
 begin {
 # Importing the $PSDefaultParameterValues to the current session, prior to everything else
@@ -85,6 +86,7 @@ Function Get-CommonWDACConfig {
 $StrictKernelNoFlightRootsPolicyGUID.IsPresent { return ($CurrentUserConfigurations.StrictKernelNoFlightRootsPolicyGUID ?? $null) }
 $CertPath.IsPresent { return ($CurrentUserConfigurations.CertificatePath ?? $null) }
 $LastUpdateCheck.IsPresent { return ($CurrentUserConfigurations.LastUpdateCheck ?? $null) }
+ $StrictKernelModePolicyTimeOfDeployment.IsPresent { return ($CurrentUserConfigurations.StrictKernelModePolicyTimeOfDeployment ?? $null) }
 Default {
 # If no parameter is present
 Return $CurrentUserConfigurations
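Review bot: The new `$StrictKernelModePolicyTimeOfDeployment` switch is declared without `DontShow = $true`, while the other internally-managed values on the neighbouring lines (`$StrictKernelPolicyGUID`, `$StrictKernelNoFlightRootsPolicyGUID`, `$LastUpdateCheck`) all carry it; the same applies to the parameters added in the Remove-CommonWDACConfig and Set-CommonWDACConfig hunks of this commit, whose own help text says "Used internally by the module". If the value is meant to be user-visible, the help entry added in the next hunk should say so; otherwise `[parameter(Mandatory = $false, DontShow = $true)][System.Management.Automation.SwitchParameter]$StrictKernelModePolicyTimeOfDeployment` keeps the three cmdlets consistent with each other.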
@@ -120,6 +122,8 @@ Function Get-CommonWDACConfig { Shows the GUID of the Strict Kernel no Flights root mode policy .PARAMETER LastUpdateCheck Shows the date of the last update check +.PARAMETER StrictKernelModePolicyTimeOfDeployment + Shows the date of the last Strict Kernel mode policy deployment .PARAMETER Verbose Shows verbose messages .INPUTS @@ -135,8 +139,8 @@ Function Get-CommonWDACConfig { # SIG # Begin signature block # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCB8scDw743FvNRg -# SVRHp4ncdlz+d6ZSFYQPG4yW4UyabaCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCC8P0XmKyElTfS/ +# K9nWI1KbxOzFTMCLdLhBmXgi1FoGYaCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5 
@@ -183,16 +187,16 @@ Function Get-CommonWDACConfig { # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQgcci4IleKz9D3ELexV2ZgwFb5q0tPXwCuFH1vh+hl5tQwDQYJKoZIhvcNAQEB -# BQAEggIAmMbSUG2ytAHbCHe9uIBR5mky5S1ZdG75MwMxfoO3Evs0II6Jpr+1nn3h -# p7MWUtvhsVjcipESslErq+KEpBiiPD6JlrCMXspekD7j8Rf4RbGaEdQNu+B8KaN+ -# WPu1rwUJKMIKAkOffk6viq9J4putvXPJz6xv1q+Xn+B9mnq6bLbgQ9oinUexsC4j -# 6bhb3ClU6I1YYD1mRzmAvr8X5NGjFYRwCaAzsG5af3ug8+YVIFUI4Doey+pkYGFK -# HKMTpwh3sKgyB2b+cNKre8IVacP3IaD1DTfx9i1XuvW+uCtIdULAy2Ms3rV0Lj6y -# fIWfNRhLON7+ivwyFZcnQyFY8REJP53CU+o3DkZvS/tntkZSzkm6oLzNiO6xO3M9 -# +64Z10aepoDsD7bKz++KQcmD6RCvf+YizZRRL3TQoaVwi8iZorCwBbkylgh21zMb -# X13T1n0L4gfhr4VV2gC5FzVcG93PXKBK5B05rs7s+u9ancHBW8ZFTR9u2SSLBGO5 -# viSOz/wPQzV5YfWeZFyp/YctJeRPECejwDEArJJpYn3+8wQCnl0mn9Sde5f7mkdA -# JIe056KGigUSad0zU2d+enHvqwgBXU4XPJUe8Bzp54Wg9D0teaJFPkBZvna1FU+U -# M7kF2YNtSdlO4kDIRHe3/Jg+1j6nwJ1vDRJ0lJh4EwSAzi5288A= +# IgQgLSHCTTvyins1zX+bfmyntMUfG2IvRLoBpgYiQvVrSMIwDQYJKoZIhvcNAQEB +# BQAEggIAmQyNu1SIApHAzFADfwWf0H+mRzn1aVwLHOENIErTigU6NbhF+yIrb5BI +# 0Q6XOzgrwz5c/0QUbrdZR4/H/empNzziS8dCpbXnRNBfvfDeoil2t7ic/+O00eQY +# cl3vEVf5+UQcchQUBz5XaSA5FhLrT0SRmbh4huNQisbc55vZAu0hB8+7cAU26+nZ +# KlTsIlGV+EXTWQtQ3/RbXnoGTRUyPBygdolIVv2HZS35RbAqgyIy43Zhltmn2gAl +# zBuaNF86jMnBGAKFXkugHa2UtgVjcnuWjZinhvShzE8tfcjVK8+ODxkUgPzDVhdy +# v/AOZKHe6Mf26wxpKPgbxgz4UjYZpLf65mx2bUIm+wFUwHvtjALJsGndlgO2ar8O +# +RtsSBUxmnsdsvHeVClQ5+TD5IDiUgl3n4Y+Aq4VY2ooXAZV1jEtZlaYKlAJ3X7H +# YTqxX/apowB0Blfi5wcGZui16lCUQXFE67+YZYXy2IVHAIgAYzNXCq+VlVoVJ0TE +# KcRpTmnqTX7g0M0Y92kvq/rD3l3Rk12psemASF+5pfvlwgIfvG1aLvP01/IUVCsR +# tPkU8L181K6/ZCGJHGhn2+BRR8aXmg1GgtJKlyNLkjJMdKnAw+HihIpG37dYq0eT +# m+GyVura7bXCVwAF0aEAGkkBfiu14Oc4Tez0IdkqQTOgkOo8la8= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/Core/Remove-CommonWDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/Remove-CommonWDACConfig.psm1
index 51ee66bf3..05db02502 100644
--- a/WDACConfig/WDACConfig Module Files/Core/Remove-CommonWDACConfig.psm1
+++ b/WDACConfig/WDACConfig Module Files/Core/Remove-CommonWDACConfig.psm1
@@ -8,7 +8,8 @@ Function Remove-CommonWDACConfig {
 [parameter(Mandatory = $false)][System.Management.Automation.SwitchParameter]$SignedPolicyPath,
 [parameter(Mandatory = $false)][System.Management.Automation.SwitchParameter]$StrictKernelPolicyGUID,
 [parameter(Mandatory = $false)][System.Management.Automation.SwitchParameter]$StrictKernelNoFlightRootsPolicyGUID,
- [parameter(Mandatory = $false, DontShow = $true)][System.Management.Automation.SwitchParameter]$LastUpdateCheck
+ [parameter(Mandatory = $false, DontShow = $true)][System.Management.Automation.SwitchParameter]$LastUpdateCheck,
+ [parameter(Mandatory = $false)][System.Management.Automation.SwitchParameter]$StrictKernelModePolicyTimeOfDeployment
 )
 begin {
 # Importing the $PSDefaultParameterValues to the current session, prior to everything else
@@ -31,7 +32,7 @@ Function Remove-CommonWDACConfig {
 # Delete the entire User Configs if a more specific parameter wasn't used
 # This method is better than $PSBoundParameters since it also contains common parameters
- if (!$CertCN -And !$CertPath -And !$SignToolPath -And !$UnsignedPolicyPath -And !$SignedPolicyPath -And !$StrictKernelPolicyGUID -And !$StrictKernelNoFlightRootsPolicyGUID -And !$LastUpdateCheck) {
+ if (!$CertCN -And !$CertPath -And !$SignToolPath -And !$UnsignedPolicyPath -And !$SignedPolicyPath -And !$StrictKernelPolicyGUID -And !$StrictKernelNoFlightRootsPolicyGUID -And !$LastUpdateCheck -And !$StrictKernelModePolicyTimeOfDeployment) {
 Remove-Item -Path $Path -Recurse -Force
 Write-Verbose -Message 'User Configurations for WDACConfig module have been deleted.'
@@ -54,14 +55,15 @@ Function Remove-CommonWDACConfig {
 # A hashtable to hold the User configurations
 [System.Collections.Hashtable]$UserConfigurationsObject = @{
- SignedPolicyPath = ''
- UnsignedPolicyPath = ''
- SignToolCustomPath = ''
- CertificateCommonName = ''
- CertificatePath = ''
- StrictKernelPolicyGUID = ''
- StrictKernelNoFlightRootsPolicyGUID = ''
- LastUpdateCheck = ''
+ SignedPolicyPath = ''
+ UnsignedPolicyPath = ''
+ SignToolCustomPath = ''
+ CertificateCommonName = ''
+ CertificatePath = ''
+ StrictKernelPolicyGUID = ''
+ StrictKernelNoFlightRootsPolicyGUID = ''
+ LastUpdateCheck = ''
+ StrictKernelModePolicyTimeOfDeployment = ''
 }
 }
 process {
@@ -131,6 +133,14 @@ Function Remove-CommonWDACConfig {
 else {
 $UserConfigurationsObject.LastUpdateCheck = $CurrentUserConfigurations.LastUpdateCheck
 }
+
+ if ($StrictKernelModePolicyTimeOfDeployment) {
+ Write-Verbose -Message 'Removing the Strict Kernel-Mode Policy Time Of Deployment'
+ $UserConfigurationsObject.StrictKernelModePolicyTimeOfDeployment = ''
+ }
+ else {
+ $UserConfigurationsObject.StrictKernelModePolicyTimeOfDeployment = $CurrentUserConfigurations.StrictKernelModePolicyTimeOfDeployment
+ }
 }
 end {
 # Exit the end block
@@ -183,6 +193,8 @@ Function Remove-CommonWDACConfig {
 Removes the StrictKernelNoFlightRootsPolicyGUID from User Configs
 .PARAMETER LastUpdateCheck
 Using DontShow for this parameter which prevents common parameters from being displayed too
+.PARAMETER StrictKernelModePolicyTimeOfDeployment
+ Removes the StrictKernelModePolicyTimeOfDeployment from User Configs
 .INPUTS
 System.Management.Automation.SwitchParameter
 .OUTPUTS
@@ -199,8 +211,8 @@ Function Remove-CommonWDACConfig { # SIG # Begin signature block # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCBwnQ3yYWMpbARb -# NpQTlcyW/3/sV8n4brBCREzm+wwO5qCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDszwPQD8yun8YB +# 8FSMSUrI/sSFwaoxSEk8T5BkHxJBY6CCB9AwggfMMIIFtKADAgECAhMeAAAABI80 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5 
@@ -247,16 +259,16 @@ Function Remove-CommonWDACConfig { # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQgEeoKBSE2p8Y0fmYtNTmD5YI8QU4I4klh9h3KDoRmBNIwDQYJKoZIhvcNAQEB -# BQAEggIAM24PfG5z2FMk7JTbNl0g9PFaDDJBtd2JaZETVTww9ITuHeprHiVqA88t -# wgKsIchLxzrg6xuiiJOPhSOrEiJ72M1e62+X565hL85fEwePLpVfQeqDAyuDHLvC -# S1gzcQa+R3tK6U3IxRJSDF8cwQg+6Pxzz21LZcGw/YNXrV0h0KS+S+jn98/RQU3J -# mkRCRW747jDjZZqs+ZAdBq5+FdhNk0IWN1EDYF/7ge6rnmT4OXetgsNZA0x09uhx -# KEqjVqI6rA1TmjIwXoudYfd8jeXP7x7wPvVZxeJZQqm5yW3RHDy5TY914lU7vafN -# +C7g9nP0yZgf2qJ9c7a1wSVo61zekSpVPJbR5g7TaxHoBcv8kDrxDnlP+bM7PHQ7 -# Mc554EIrdbGTx5AwPHzc/tcC01BPfgtGx0v2+NQr92j5DodptYEXdO/LsQn7+pQg -# yBJEFNNTtRNwxPMQd7hiP7nZkoXsQR3QCAOz2m61K9JP/kodNd2FK9QRgYbRjqet -# 84GtAjF9sFkDONkD/kXAeARVAWFPvRaYEP8SYDxp5ed5CQ/QiHcrWu46dOxfchHf -# Z9Jmkmlgw0sfszsPwl6lCuhqK+lJXNsAG3jcadHgzFzwRiDCEe7/Wzrg+nIqF62m -# ApHagvLwZHnYPfjIK3ISUDEQBLJM0DfbKE9+W/fk4gPnba0rWoE= +# IgQgTFEb5wHC6j5h0sY9HEZ2+PtB9b5b2cGJdmvIAY21JWwwDQYJKoZIhvcNAQEB +# BQAEggIAL4FQQTPx4KtfWQddJCtBfpottBnx0Hk3dFhhQzoREAXbgTFpyJPhpUO2 +# V+1Tr3Dw/2vEMi5rX4GgJ2WLOw9wz/TxiAyFo7GY/xYvuDVJyqMeyYBo4sYM5k7X +# rJ/Wn4uLHo182XXoFSX55dxgdbqTAC1z0IgJkFmNlWH/HS7sCU1e0afXv4b4X15p +# s2aw3Y5F7JEFOd/Y1Ri/nOPzDJt8V2Niluo7igu1P/rdtmPDDa21WfkLb1IL1bTA +# JmXwq8Wzm/rUWS4n4ETuckXFFHOO//ma5smCdR6BFYJZMkNL/1t2aoysxOjDESzm +# fcG+toQUer6zZu00g2fk78Xsdtouybv6L2k+62YO80FzmH16M9xeXmPeMtptHotM +# hBshIt9EBvSiHQtmQQCdBPNEGwwAxXG9U5OsP7pnh/UML7nPYey8nLYxg8CZVBxs +# qzSrXGpfzg2PBCDKDJmw4nw6xGc1efpyEuH7a4Vo8tjL3SNKinyP1cB8D3djWMrZ +# 5BAg+AdiGIofffgc7cNswdOK1kHxE5a7tWrCRjLtSqS2gp7nokdkl5HpwcLJbqlr +# F0Rnm8tqqk0JFAkW1MYmRMY9JGXQCC9Qdr+wxsqlLbnc/aBym72E2oDXpXw3HBau +# KZ+Yq9jl9Q069WfrFQf0ncgQZbL9dZjbi8zysTxIiK3I57HOxcA= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/Core/Set-CommonWDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/Set-CommonWDACConfig.psm1
index 56ae4ffb2..835ad66a1 100644
--- a/WDACConfig/WDACConfig Module Files/Core/Set-CommonWDACConfig.psm1
+++ b/WDACConfig/WDACConfig Module Files/Core/Set-CommonWDACConfig.psm1
@@ -95,13 +95,14 @@ Function Set-CommonWDACConfig {
 [parameter(Mandatory = $false, DontShow = $true)][System.Guid]$StrictKernelPolicyGUID,
 [parameter(Mandatory = $false, DontShow = $true)][System.Guid]$StrictKernelNoFlightRootsPolicyGUID,
- [parameter(Mandatory = $false, DontShow = $true)][System.DateTime]$LastUpdateCheck
+ [parameter(Mandatory = $false, DontShow = $true)][System.DateTime]$LastUpdateCheck,
+ [parameter(Mandatory = $false)][System.DateTime]$StrictKernelModePolicyTimeOfDeployment
 )
 begin {
 # Importing the $PSDefaultParameterValues to the current session, prior to everything else
 . "$ModuleRootPath\CoreExt\PSDefaultParameterValues.ps1"
- if (!$CertCN -And !$CertPath -And !$SignToolPath -And !$UnsignedPolicyPath -And !$SignedPolicyPath -And !$StrictKernelPolicyGUID -And !$StrictKernelNoFlightRootsPolicyGUID -And !$LastUpdateCheck) {
+ if (!$CertCN -And !$CertPath -And !$SignToolPath -And !$UnsignedPolicyPath -And !$SignedPolicyPath -And !$StrictKernelPolicyGUID -And !$StrictKernelNoFlightRootsPolicyGUID -And !$LastUpdateCheck -And !$StrictKernelModePolicyTimeOfDeployment) {
 Throw [System.ArgumentException] 'No parameter was selected.'
 }
@@ -135,14 +136,15 @@ Function Set-CommonWDACConfig {
 # A hashtable to hold the User configurations
 [System.Collections.Hashtable]$UserConfigurationsObject = @{
- SignedPolicyPath = ''
- UnsignedPolicyPath = ''
- SignToolCustomPath = ''
- CertificateCommonName = ''
- CertificatePath = ''
- StrictKernelPolicyGUID = ''
- StrictKernelNoFlightRootsPolicyGUID = ''
- LastUpdateCheck = ''
+ SignedPolicyPath = ''
+ UnsignedPolicyPath = ''
+ SignToolCustomPath = ''
+ CertificateCommonName = ''
+ CertificatePath = ''
+ StrictKernelPolicyGUID = ''
+ StrictKernelNoFlightRootsPolicyGUID = ''
+ LastUpdateCheck = ''
+ StrictKernelModePolicyTimeOfDeployment = ''
 }
 }
 process {
@@ -220,6 +222,15 @@ Function Set-CommonWDACConfig {
 Write-Verbose -Message 'No changes to the Last Update Check property was detected.'
 $UserConfigurationsObject.LastUpdateCheck = $CurrentUserConfigurations.LastUpdateCheck
 }
+
+ if ($StrictKernelModePolicyTimeOfDeployment) {
+ Write-Verbose -Message 'Saving the supplied Strict Kernel-Mode Policy Time Of Deployment in user configurations.'
+ $UserConfigurationsObject.StrictKernelModePolicyTimeOfDeployment = $StrictKernelModePolicyTimeOfDeployment
+ }
+ else {
+ Write-Verbose -Message 'No changes to the Strict Kernel-Mode Policy Time Of Deployment property was detected.'
+ $UserConfigurationsObject.StrictKernelModePolicyTimeOfDeployment = $CurrentUserConfigurations.StrictKernelModePolicyTimeOfDeployment
+ }
 }
 end {
@@ -274,6 +285,9 @@ Function Set-CommonWDACConfig {
 .PARAMETER LastUpdateCheck
 Last time the Update policy was checked for updates
 Used internally by the module
+.PARAMETER StrictKernelModePolicyTimeOfDeployment
+ Time of deployment of the Strict Kernel-Mode policy
+ Used internally by the module
 .INPUTS
 System.IO.FileInfo
 System.DateTime
@@ -301,8 +315,8 @@ Register-ArgumentCompleter -CommandName 'Set-CommonWDACConfig' -ParameterName 'U # SIG # Begin signature block # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDvydZ1B4hmnI1M -# jXwB27oRi3S7L87lHsWYKSW5sRIc+qCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCBHxIiNU7o+q6b9 +# V1eNfRNbU7FA2dSYVsWh2gcoN1WDXaCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5 
@@ -349,16 +363,16 @@ Register-ArgumentCompleter -CommandName 'Set-CommonWDACConfig' -ParameterName 'U # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQgnYxLESlel8gN+L6YTq9gHWVrRHYNCYo6cYTiRY0iqGwwDQYJKoZIhvcNAQEB -# BQAEggIAoORtTaM23NLSG6UGI6D6A6DEQnm4YDU0sXS54HYeHrqG0/00c+5YeGXz -# K3uSehoI3nBIToV2PbRjoXC246D7epOpLzNDFxxIHyDgvIq0fcABiRQURMD9yKyy -# 8WTqcTjORVyDAy3SmKnByaOvXWx9y09fxpU5DY89YgfqBJc/yJ9Z7AsTYM8wx9Oq -# HiE1Cx1KdtZY7txLf1xnKp90xpKO7EwTdwM/OKlp22nVN6zmTVM1HWNcfUJ5Z/rQ -# ZVEkJr1U/88G/vck9qetoG5t95u2U1NrUXgMlFM+O4lLTj835NEzGq/Dbtq7Gf4+ -# TMQnBcTMB8yjXnNslI+r33peEES/mERc4lWNcIvFvijUMCUExSSAHZcstE89Abj3 -# hVVFYZVTvUGEXHvlqr11b7snaOYjIaXlcLCclSn0766QC8nPMQzgpLTqvk2E394E -# wzwfz+QR1ZC3bFH+Iu6NLmc/IpoTi2Sbnt2mkaN2dCLSxfZ0wtfASRRHur2yJqgT -# PYN198CFL2lBh0gvpdfXf83CGDYSCXHfhEvEtPWgwzFViU74ZR9xw8/7Q7x25A3T -# 79C01LFNvywN5fn90SsoDmDGoLA4fiOLC1puMeokZojxoFyP5vKJHIGY4WN0mrdW -# Xm8YR1i4SiOoQH/ORqHJnvysC9AX9WmvbFnX7uQtA5iVSTJBHrY= +# IgQg5273QWtivzOloetAzDmgj/wLSqrBBkcK87O4cRxbJBUwDQYJKoZIhvcNAQEB +# BQAEggIAY0drdjgbNpX/e8fcAsz7D1uYksXEqa/ERDzQAjZe0FY0kG1Aim/+BERi +# UNvCGJENM4f2Vx91YtbBIGAWhUBURNnfYZXZjhaiR9awjOIg895/nPx9jMe9OBSb +# vdZdF66TPLjPjrG+RHYHYC3bbzxGonwCXYrdgMyMbOAkCBrT4DRGYwpOwgfRxKqh +# y3fr0YxYHhDIAOtvFkPytonNmSk99clycsyjUn3lKPqD3+AE6WMnwwgSMOjTx2Ao +# DLew6hBMLMHakV3EKr3Fjcp7JA2uacRAoDhAfH6+YU5gLbI8WJ1InidN2xk3VnID +# inxL07QdaZ9vpCJyzZJC58EYualO1RZz9QL7xuYuAC6UsHdZy0aLT/aqspPutQFN +# dZSkUJDmocpKMP/RLclCctl4YG8z2SI4D2bw4kEnxjzS4JNmKlqtEm1hcg7KL16k +# rTNbUs44pP2YYzaw4AvPdRvjqfvCIRXsco1BNidV08g6OigKnDp6RiCAvHe+a2RI +# 5kEKeywqyfe9kFc5PzyISu0IHP2VQfmwb5Kip+D8Uqlsx4CPaSsqAG+5nrjyApgD +# 479t2SQUutfkATez2EgT5d+tJ9DU1oI09xzd5/91Pe81WeyqOBrvP9B9O+D3uorZ +# MXjMVmEdxyZe2P5FgCT73CQ1CBZJrDhaPvt7x8yWXTWEZnx6KK8= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/Resources/User Configurations/Schema.json b/WDACConfig/WDACConfig Module Files/Resources/User Configurations/Schema.json index 99cd41573..ec97e8189 100644 --- a/WDACConfig/WDACConfig Module Files/Resources/User Configurations/Schema.json +++ b/WDACConfig/WDACConfig Module Files/Resources/User Configurations/Schema.json @@ -4,8 +4,8 @@ "type": "object", "title": "WDACConfig User Configurations", "description": "WDACConfig User Configurations", - "maxProperties": 8, - "minProperties": 8, + "maxProperties": 9, + "minProperties": 9, "required": [ "SignedPolicyPath", "UnsignedPolicyPath", @@ -14,7 +14,8 @@ "CertificatePath", "StrictKernelPolicyGUID", "StrictKernelNoFlightRootsPolicyGUID", - "LastUpdateCheck" + "LastUpdateCheck", + "StrictKernelModePolicyTimeOfDeployment" ], "properties": { "SignedPolicyPath": { @@ -104,6 +105,17 @@ "examples": [ "2024-01-15T09:11:11.6918283+02:00" ] + }, + "StrictKernelModePolicyTimeOfDeployment": { + "type": [ + "string", + "null" + ], + "default": "", + "title": "The StrictKernelModePolicyTimeOfDeployment Schema", + "examples": [ + "2024-05-15T09:11:11.6918283+02:00" + ] } } } \ No newline at end of file From 75c0d6b830011289daf8394bc2e4f35c2f015c62 Mon Sep 17 00:00:00 2001 From: Violet Date: Sun, 21 Jan 2024 21:38:16 +0200 Subject: [PATCH 08/19] Improved strict kernel-mode policy There is no longer the need to clear the code integrity operational logs in order to audit and deploy a strict kernel mode policy onto a system. --- .../Core/New-KernelModeWDACConfig.psm1 | 57 +++++++++++-------- .../Core/Set-CommonWDACConfig.psm1 | 30 +++++----- .../CoreExt/PSDefaultParameterValues.ps1 | 29 +++++----- .../Shared/Get-KernelModeDriversAudit.psm1 | 38 ++++++------- 4 files changed, 81 insertions(+), 73 deletions(-) 
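Review bot: Raising `minProperties` and `maxProperties` to 9 and adding the key to `required` means a user-configuration file written by an earlier module version, which has exactly 8 properties, no longer satisfies this schema. If the module validates the file against the schema before reading it (not visible in this commit), existing installations need a migration step that inserts `"StrictKernelModePolicyTimeOfDeployment": ""` before validation runs; if it does not, the `required` list is documentation only and the strict property counts add no protection. The `"examples"` value under the new property is a constructed sample date, which is fine, but a short `"description"` saying the value is written by New-KernelModeWDACConfig and not meant to be edited by hand would tell readers where it comes from.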
diff --git a/WDACConfig/WDACConfig Module Files/Core/New-KernelModeWDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/New-KernelModeWDACConfig.psm1 index 8ace06cdb..1e1c4b2a8 100644 --- a/WDACConfig/WDACConfig Module Files/Core/New-KernelModeWDACConfig.psm1 +++ b/WDACConfig/WDACConfig Module Files/Core/New-KernelModeWDACConfig.psm1 @@ -31,6 +31,9 @@ Function New-KernelModeWDACConfig { # Detecting if Verbose switch is used $PSBoundParameters.Verbose.IsPresent ? ([System.Boolean]$Verbose = $true) : ([System.Boolean]$Verbose = $false) | Out-Null + # Detecting if Debug switch is used, will do debugging actions based on that + $PSBoundParameters.Debug.IsPresent ? ([System.Boolean]$Debug = $true) : ([System.Boolean]$Debug = $false) | Out-Null + # Importing the $PSDefaultParameterValues to the current session, prior to everything else . "$ModuleRootPath\CoreExt\PSDefaultParameterValues.ps1" @@ -39,9 +42,7 @@ Function New-KernelModeWDACConfig { Import-Module -FullyQualifiedName "$ModuleRootPath\Shared\Update-self.psm1" -Force Import-Module -FullyQualifiedName "$ModuleRootPath\Shared\Write-ColorfulText.psm1" -Force Import-Module -FullyQualifiedName "$ModuleRootPath\Shared\Move-UserModeToKernelMode.psm1" -Force - - # Detecting if Debug switch is used, will do debugging actions based on that - $PSBoundParameters.Debug.IsPresent ? ([System.Boolean]$Debug = $true) : ([System.Boolean]$Debug = $false) | Out-Null + Import-Module -FullyQualifiedName "$ModuleRootPath\Shared\Get-KernelModeDriversAudit.psm1" -Force # if -SkipVersionCheck wasn't passed, run the updater if (-NOT $SkipVersionCheck) { Update-self -InvocationStatement $MyInvocation.Statement } 
@@ -198,14 +199,13 @@ Function New-KernelModeWDACConfig {
 Write-Verbose -Message 'Setting the GUID of the Audit mode policy in the User Configuration file'
 Set-CommonWDACConfig -StrictKernelPolicyGUID $PolicyID | Out-Null
+ Write-Verbose -Message 'Setting the time of deployment for the policy in the User Configuration file'
+ Set-CommonWDACConfig -StrictKernelModePolicyTimeOfDeployment (Get-Date) | Out-Null
+
 Write-Verbose -Message 'Deploying the Strict Kernel mode policy'
 &'C:\Windows\System32\CiTool.exe' --update-policy "$PolicyID.cip" -json | Out-Null
 Write-ColorfulText -Color HotPink -InputText 'Strict Kernel mode policy has been deployed in Audit mode, please restart your system.'
- Write-Verbose -Message 'Clearing the Code Integrity operational event logs before system restart so that after reboot it will only have the correct and new logs that belong to the kernel mode drivers'
- &'C:\Windows\System32\wevtutil.exe' cl 'Microsoft-Windows-CodeIntegrity/Operational'
- &'C:\Windows\System32\wevtutil.exe' cl 'Microsoft-Windows-AppLocker/MSI and Script'
-
 if (!$Debug) {
 Write-Verbose -Message 'Removing the DefaultWindows_Enforced_Kernel.xml and its CIP file after deployment since -Debug parameter was not used.'
 Remove-Item -Path '.\DefaultWindows_Enforced_Kernel.xml', ".\$PolicyID.cip" -Force -ErrorAction SilentlyContinue
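Review bot: The time of deployment is persisted before `CiTool.exe --update-policy` has run, so a failed deployment leaves a stored timestamp for a policy that was never applied, and the later audit step presumably scans from that time. Moving `Set-CommonWDACConfig -StrictKernelModePolicyTimeOfDeployment (Get-Date) | Out-Null` together with its Write-Verbose line below the CiTool call keeps the value tied to a deployment that actually happened; CiTool's exit status is still not examined on that line, which predates this change. `Get-Date` is local time, matching the `TimeCreated` comparison in the audit function, so no conversion is needed. New-KernelModeWDACConfig's body continues outside the hunk.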
@@ -240,13 +240,16 @@ Function New-KernelModeWDACConfig { $CurrentStep++ Write-Progress -Id 26 -Activity 'Scanning the Event logs' -Status "Step $CurrentStep/$TotalSteps" -PercentComplete ($CurrentStep / $TotalSteps * 100) + # Get the kernel mode drivers directory path containing symlinks + [System.IO.DirectoryInfo]$KernelModeDriversDirectory = Get-KernelModeDriversAudit + powershell.exe -Command { - Write-Verbose -Message 'Scanning the Event viewer logs for drivers' - $DriverFilesObj = Get-SystemDriver -Audit + Write-Verbose -Message 'Scanning the kernel-mode drivers detected in Event viewer logs' + $DriverFilesObj = Get-SystemDriver -ScanPath $args[0] Write-Verbose -Message 'Creating a policy xml file from the driver files' New-CIPolicy -MultiplePolicyFormat -Level FilePublisher -Fallback None -FilePath '.\DriverFilesScanPolicy.xml' -DriverFiles $DriverFilesObj - } + } -args $KernelModeDriversDirectory $CurrentStep++ Write-Progress -Id 26 -Activity 'Configuring the final policy' -Status "Step $CurrentStep/$TotalSteps" -PercentComplete ($CurrentStep / $TotalSteps * 100) @@ -299,6 +302,9 @@ Function New-KernelModeWDACConfig { Write-Verbose -Message 'Removing the GUID of the StrictKernelPolicy from user configuration' Remove-CommonWDACConfig -StrictKernelPolicyGUID | Out-Null + + Write-Verbose -Message 'Removing the time of deployment of the StrictKernelPolicy from user configuration' + Remove-CommonWDACConfig -StrictKernelModePolicyTimeOfDeployment | Out-Null } else { # Remove the Audit mode policy from the system 
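Review bot: `Get-KernelModeDriversAudit` is called with no arguments, but the function added earlier in this series declares `-Date` as `Mandatory = $true`, so this line prompts for a date in an interactive host and fails outright in a non-interactive one. The timestamp stored in the previous step is the intended input: `[System.IO.DirectoryInfo]$KernelModeDriversDirectory = Get-KernelModeDriversAudit -Date (Get-CommonWDACConfig -StrictKernelModePolicyTimeOfDeployment)`, preceded by a check that the configuration value is not empty, since a cleared or pre-upgrade configuration returns `$null` there. The result is passed straight to the child `powershell.exe` via `-args`, so a failure to produce the folder should stop this step before `Get-SystemDriver -ScanPath $args[0]` scans a missing or empty path and the resulting policy is built with no driver rules. The enclosing function continues outside the hunk.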
@@ -309,8 +315,9 @@ Function New-KernelModeWDACConfig { Write-ColorfulText -Color Pink -InputText 'Strict Kernel mode Enforced policy has been created in the current working directory.' } if (!$Debug) { - Write-Verbose -Message 'Removing the DriverFilesScanPolicy.xml and the CIP file because -Debug parameter was not used' + Write-Verbose -Message 'Removing the DriverFilesScanPolicy.xml, CIP file and KernelModeDriversDirectory in Temp folder because -Debug parameter was not used' Remove-Item -Path ".\$PolicyID.cip", '.\DriverFilesScanPolicy.xml' -Force -ErrorAction SilentlyContinue + Remove-Item -Path $KernelModeDriversDirectory -Recurse -Force } Write-Progress -Id 26 -Activity 'Complete.' -Completed } @@ -503,8 +510,8 @@ Function New-KernelModeWDACConfig { # SIG # Begin signature block # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCBa4yo5ifQ57ro7 -# HjoaZcWuNoySXj1RawJ7KtVwM2tAbKCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCrzXnnA29zD1E2 +# sXklFLsoPYM6Kym7BCBtyYHOEuOO8KCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5 
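Review bot: The new `Remove-Item -Path $KernelModeDriversDirectory -Recurse -Force` has no guard and uses `-Path`, so a `$null` result from Get-KernelModeDriversAudit (assigned earlier in the function) turns the cleanup into a binding error, and a temp folder name containing wildcard characters such as `[` would be interpreted as a pattern. Prefer `if ($KernelModeDriversDirectory -and (Test-Path -LiteralPath $KernelModeDriversDirectory)) { Remove-Item -LiteralPath $KernelModeDriversDirectory -Recurse -Force }`, which matches the sibling Remove-Item's tolerance of an already-missing item without silencing other errors. The same cleanup line appears in `@@ -461,8 +463,9 @@` of PATCH 11. Since the folder holds symbolic links to live kernel drivers, a comment stating that removing the links does not touch their targets would help the next maintainer — I believe that holds for file symlinks but have not verified it for this code path. New-KernelModeWDACConfig continues outside the hunk.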
@@ -551,16 +558,16 @@ Function New-KernelModeWDACConfig { # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQg5YFrxDs4epjrcDsnQj5yWYjm3/If9xC3pvRf/Q905yUwDQYJKoZIhvcNAQEB -# BQAEggIAByDHvBGbw2xEmJZLcQQ9evV6bjpuxa8c+SEEjPK6JSccR6P5/SHVTRSd -# ZwGVphiT/apxKzqX4lV6UbVjT1T57eD/N7jwFkpGCFLB/yd8tjURSrEA3xVQhl3i -# 4UYwmzkUe8TWAouChnT+/1hJIYFcAkq/uVFAX1PWfWXOwXZ4UQB36cpr/x0jvPk5 -# aPWfN0iPxJwy9seykLgDaBiQel40D/o6T0Umy7vpkbYM8b1Cg79jSFEYkB7DUPlT -# sYDEmy20zxsdrIED2IZdJYj5yuFJlNiP5M+TS2YFFZVb9pR/4SNP/c0X2Px0BB1G -# RbgmhNKRPf5EPerEHx30dEv7BlqQzT6oBglN9sdqcM13gJVeVNUMhefzTZPoZzwW -# xPhBfvGSLlnAowIO/pti30iinDt/8BhdmxeB6UXVGJnjrdsW3xlsJGCZhgynp/6W -# gul8FODe3kxTtkbPRjjwkgR0vAM6HryLPM5duzFWlOMTGnUxoW56oKP7TugGgzLO -# ZcopziQSIAJyrsXIyhCE1rFIfs84JhvekBdLHOFSlwTqVV0SM5axHpDdXFAed2je -# P4Y5SyKkdU+YY+MuaIHPyLXn8nxRw94G5Julm11cMiDJXdv+4nRtiwS/+17SSjy8 -# iXybEBNZk5YmS3+8KErJZoNiDbqxeYJcDsymlko7GJ85+zSAOus= +# IgQguMbH9iotOtTas2k8+eDSlzmJ5RkuKjtGb8NlYxhrlB0wDQYJKoZIhvcNAQEB +# BQAEggIAjKQmzqREpFV6v/HimHrN3EYxsRm1BRL37kQc8S6KaintVGup8rQptP25 +# USIWZ/aV174RHpTeDe9AmdEyifx4mHxfG/738wpykm8cJa5SbrET1i7cuGbjDArg +# oaSZ5qpaNcURtPm1lUCodZPxw0EgbegUfZa4JQ4b2a/gr54h/bAVpaSvdNEu9M0J +# SwwSWmm7oyM8HssQt5CLZduXOqZdS2cSKXxMRAC1J5jaPss9CpBtmbrVqv6xsJuA +# txUc4S8IFxhAS7Q9K1R/rt/KFhhaQtk1Yez0t4DFNTI4TWcwK5ypGT76vjllcAGw +# 8Isyb1lKlZdL3L4NYTPo0gOO8zkjDvzWnbKA3w5zTNXqXNGZcZYWanf0L4HCSd5L +# mS8z+TOo+TkgXez9PpEy+uC64q6C+/lrksPAL1Qr5Yj+22zhkPhj2WqnVpvc6Y6E +# INUSxlEwRTSPea+fD/ZHEb7/dOFJ1GYrFCKwcywHPAC25iIxqsJtLFfluW87mfHu +# Sj4KdfEf3Yze8Npo42Y5tYqdlMLuQ2gSPf4qR1gMaBtvOHrs+jUT46sDxcGLNuD5 +# gj9D1NHfHidXmHGKTYhAf82AevxoYCXWWm5aTXzSdWaY9CFC7krryljMCwehdF8V +# MHJ+/hYfTPKF4KCCgNRoyI6zHtGdTYeI90bwNyfhlNV59Iag/tI= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/Core/Set-CommonWDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/Set-CommonWDACConfig.psm1 index 835ad66a1..9b51cdde7 100644 --- a/WDACConfig/WDACConfig Module Files/Core/Set-CommonWDACConfig.psm1 +++ b/WDACConfig/WDACConfig Module Files/Core/Set-CommonWDACConfig.psm1 @@ -222,7 +222,7 @@ Function Set-CommonWDACConfig { Write-Verbose -Message 'No changes to the Last Update Check property was detected.' $UserConfigurationsObject.LastUpdateCheck = $CurrentUserConfigurations.LastUpdateCheck } - + if ($StrictKernelModePolicyTimeOfDeployment) { Write-Verbose -Message 'Saving the supplied Strict Kernel-Mode Policy Time Of Deployment in user configurations.' $UserConfigurationsObject.StrictKernelModePolicyTimeOfDeployment = $StrictKernelModePolicyTimeOfDeployment @@ -315,8 +315,8 @@ Register-ArgumentCompleter -CommandName 'Set-CommonWDACConfig' -ParameterName 'U # SIG # Begin signature block # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCBHxIiNU7o+q6b9 -# V1eNfRNbU7FA2dSYVsWh2gcoN1WDXaCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCA78jNLmU+iEoEy +# h9B+CJiL2euTpXBgiYVe2FXzPc2KU6CCB9AwggfMMIIFtKADAgECAhMeAAAABI80 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5 
@@ -363,16 +363,16 @@ Register-ArgumentCompleter -CommandName 'Set-CommonWDACConfig' -ParameterName 'U # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQg5273QWtivzOloetAzDmgj/wLSqrBBkcK87O4cRxbJBUwDQYJKoZIhvcNAQEB -# BQAEggIAY0drdjgbNpX/e8fcAsz7D1uYksXEqa/ERDzQAjZe0FY0kG1Aim/+BERi -# UNvCGJENM4f2Vx91YtbBIGAWhUBURNnfYZXZjhaiR9awjOIg895/nPx9jMe9OBSb -# vdZdF66TPLjPjrG+RHYHYC3bbzxGonwCXYrdgMyMbOAkCBrT4DRGYwpOwgfRxKqh -# y3fr0YxYHhDIAOtvFkPytonNmSk99clycsyjUn3lKPqD3+AE6WMnwwgSMOjTx2Ao -# DLew6hBMLMHakV3EKr3Fjcp7JA2uacRAoDhAfH6+YU5gLbI8WJ1InidN2xk3VnID -# inxL07QdaZ9vpCJyzZJC58EYualO1RZz9QL7xuYuAC6UsHdZy0aLT/aqspPutQFN -# dZSkUJDmocpKMP/RLclCctl4YG8z2SI4D2bw4kEnxjzS4JNmKlqtEm1hcg7KL16k -# rTNbUs44pP2YYzaw4AvPdRvjqfvCIRXsco1BNidV08g6OigKnDp6RiCAvHe+a2RI -# 5kEKeywqyfe9kFc5PzyISu0IHP2VQfmwb5Kip+D8Uqlsx4CPaSsqAG+5nrjyApgD -# 479t2SQUutfkATez2EgT5d+tJ9DU1oI09xzd5/91Pe81WeyqOBrvP9B9O+D3uorZ -# MXjMVmEdxyZe2P5FgCT73CQ1CBZJrDhaPvt7x8yWXTWEZnx6KK8= +# IgQgA+wzKzO/1DYHMPgAx/OHjlgvoLv40MBS3HajFunu4HYwDQYJKoZIhvcNAQEB +# BQAEggIAHdtSShDe9+TmPCeaCDoVGUVN4sbbDiU0SRPVIlu7AglCWBYKH5UQrrA0 +# q5ORdq73Fso4ANee84RyygJB10+qWlJxfi3c1PXpmRzZaiPMezuT+1pPnI5mtGE2 +# bXNrAVVy2hoWK9pvPKy2J0KHxwxRDER/QHUTm8931kXpvmKZcLaAcNPW2tZazyJz +# Yn4FlPijRDLmM1BJ0poBTQl/IVH1mXgY3nKbuQZUqL0MIZiZLSX2p0RNY0YCqkeb +# 8wKv4oLY7LMY16SeIDq9CtCqmH/aD6XvvtW+VyJCTwJWkGz+0lNFLqitiBXuonl6 +# dzS0mfg1TQkLvDJCRuLcTLlyQHAuu3Pmnb1QKRAgVG3ArnCIDZUvEiYC4x0W61Ne +# W5BJK4vE9AIqyrEo0Uy9gH5Y+ieByNYa12Rv5i0gdIqJYeqw7vD9ogUATcb46hlf +# E+TTfXdiDkpNYBmpKXKViOcLYhVGb6a0Ox/wpRqHhXN+hyeoIUGYPep1QwKcTjd5 +# lfwzAgoIHdeDjasjf1aqlbUjYvujr6IpIf7G+ZlQ6sC3f9BdguvAAYOWMlHfhvtN +# fEz4aYYDUPCPXjAVeVvllNiN15WdBAxIHOuAF/YTRmZoa8nyLmRltFyTwcDcOM9y +# gWMgsaZJUfAAh4yX684CL4kAiPJO49ktaS3kprOzzQ1BlYCnOeY= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/CoreExt/PSDefaultParameterValues.ps1 b/WDACConfig/WDACConfig Module Files/CoreExt/PSDefaultParameterValues.ps1 index 25b3dc198..7c52bfa9a 100644 --- a/WDACConfig/WDACConfig Module Files/CoreExt/PSDefaultParameterValues.ps1 +++ b/WDACConfig/WDACConfig Module Files/CoreExt/PSDefaultParameterValues.ps1 @@ -26,14 +26,15 @@ $PSDefaultParameterValues = @{ 'New-SnapBackGuarantee:Verbose' = $Verbose 'Compare-SecureStrings:Verbose' = $Verbose 'Get-KernelModeDriversAudit:Verbose' = $Verbose + 'Get-KernelModeDriversAudit:Debug' = $Debug 'Test-Path:ErrorAction' = 'SilentlyContinue' } # SIG # Begin signature block # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAavzUGHdyJ3I+w -# OIj3l5bxX1qsMhDsElMnxwsFZooSLaCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAgRto3IMlcl5ve +# qW85te069cqs4CN8iQ0QfcB/i0RpQ6CCB9AwggfMMIIFtKADAgECAhMeAAAABI80 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5 
@@ -80,16 +81,16 @@ $PSDefaultParameterValues = @{ # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQgu8iEkljlv5xO0xI4cExICeQZT/joQoFv2ddHPFszyigwDQYJKoZIhvcNAQEB -# BQAEggIAlQUdwg8+wtYdrpbyscx+grjjQLH7KVm9872qnH7eLnWgDTd+xFnsy6EM -# Zk7pGSyYt+Dx6/oWE9SU2+dCjCOq0/eFyTlhC+Jy4Mt7ZsneBaLWHBzNeI+DT4bM -# qylINYjgHqbMQtgL1rcwH6gZh12UBcVHuNuwyguFSm0SbCZKWEId/Q2A8EAlaf0A -# 2/HUZEs278x5MZ5MBIYP4RKHFLTvxUl3XG+7+OZGBVw7VevCcBXQtjMgKoYxjtt9 -# fHt1unFBeGCzVjEE5i/QEnYucX/uzTIdlk9Aq6nScNXwltdWFQdrZNPkSXtyU5do -# CZH+wbEF9V3IN9ycjtqvNgb3LLhCzGaq4rdXtRZO1Tu5RP70FjILHlftXjYU/45Q -# Jo7hJph1KLZmrCIbrgFRe9F+GBN3uiU6stbiTnDW0oQibXRb+fWrOdB8F1EnxUaG -# g/fbbeoSYOZ0WMhI0exosr8yWJIUAKxKkmIttPvb84B10qTk0uZ4sWtaT68wbj3t -# F3y9t21bXWmZ9vKl/8WgNV0yZwUMyFPpRD4z00v+eHoSfAwGqdqLgyOXgGIYPvv2 -# I55El6cZc2bfdjHi2XFle8ufqNIbUVYDwlq7+GknPMGIqZwH46BMNZj0q+ZBOPeE -# fro+r3uD/Kelphb3TG+djHoBBGwDtUp0zlSZ6dlapMFNJ/IIWVA= +# IgQgfJK0KjlDMNjLakahzmjmu+gkWHQ48qbGargB0ywzT9owDQYJKoZIhvcNAQEB +# BQAEggIAgQWZjDhFqxUg2FyRkLQh46ceo1nweveI5uOT13fB2ZDjX/FHFB03Yir3 +# bT6as/SpRQBpz4JxwIY+XmoWS/iLCjXMQjXNGQ2dKlgeWiFj6jXpmR/09jDNgLZS +# 1C71gs4lHUCzjGazmCJMpNTgaxxqwuuJ3tXOaydKvLMtZydzvuz2sl211jD8Upkr +# GgtRoL8azfZbWss7GD/6d3Vwy7xSFCJQWvhyPH3eCYSPuU5vpSaD6/kGtz3KyCai +# ItECVRdqvqVTmjCFGGVFBy46UXYh00WKkumXQ8HHcrW9EBlVvtrQHr4yjsU+ZDwO +# JatLM+RPgqnwjmuxAcD+WboM4w7C+8vHs+q9yXOn/6IlNFdUpXOoOZJhh8xQrNlj +# pJo199p9knIJllyRVPXu5NFQz9w6yAMgUu4ew5x664zedowGzcwjIBrdSkJG/k4g +# KxszwN5AQ3FXpmdAsD34WRx/6xC6hedLJyLxTYPbty0p69b0i5WAUwgh5Y9RvIdt +# UYaeQg/L8XRKgIFHQYw9eW5VHQZT/fXaCPfnx3IRbytcatmac/Ye670CrBy1ACTV +# REifNsKcriJlkRsFA6HHNWRVsrjTWYO0n1U2Tvmyq+UexviBie4V4Jhu8LkNF8+O +# HloYhwHfvO4FKVQGe+YUqRstGwJRPD1EEjfnTecEild5/teLJBA= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1 b/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1 index 88d4e4d4d..3718478b1 100644 --- a/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1 +++ b/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1 @@ -5,14 +5,12 @@ Function Get-KernelModeDriversAudit { .PARAMETER Date The date from which to start the scan .INPUTS - System.DateTime + None .OUTPUTS System.IO.DirectoryInfo #> [CmdletBinding()] - param( - [Parameter(Mandatory = $true)][System.DateTime]$Date - ) + param() begin { # Importing the $PSDefaultParameterValues to the current session, prior to everything else . "$ModuleRootPath\CoreExt\PSDefaultParameterValues.ps1" @@ -26,11 +24,13 @@ Function Get-KernelModeDriversAudit { [System.IO.FileInfo[]]$KernelModeDriversPaths = @() [System.Object[]]$RawData = @() + + [System.DateTime]$ScanStartDate = Get-CommonWDACConfig -StrictKernelModePolicyTimeOfDeployment } process { # Event Viewer Code Integrity logs scan for Audit logs based on the input date - foreach ($event in Get-WinEvent -FilterHashtable @{LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; ID = 3076 } -ErrorAction SilentlyContinue | Where-Object -FilterScript { $_.TimeCreated -ge $Date } ) { + foreach ($event in Get-WinEvent -FilterHashtable @{LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; ID = 3076 } -ErrorAction SilentlyContinue | Where-Object -FilterScript { $_.TimeCreated -ge $ScanStartDate } ) { # Convert the event to XML $Xml = [System.Xml.XmlDocument]$event.toxml() 
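Review bot: `[System.DateTime]$ScanStartDate = Get-CommonWDACConfig -StrictKernelModePolicyTimeOfDeployment` silently turns a missing configuration value into `0001-01-01`, because casting `$null` to DateTime yields DateTime.MinValue; the `Where-Object { $_.TimeCreated -ge $ScanStartDate }` filter then accepts every 3076 event in the log, so stale audit entries from earlier policies (or from before the module started recording this value) would be allow-listed into the enforced kernel-mode policy. Read the value into an untyped variable and fail when it is absent, e.g. `$ScanStartDate = Get-CommonWDACConfig -StrictKernelModePolicyTimeOfDeployment` followed by `if (-not $ScanStartDate) { Throw 'No Strict Kernel-mode policy deployment time found in user configuration; deploy the audit mode policy first.' }` and then `[System.DateTime]$ScanStartDate = $ScanStartDate`. Get-WinEvent's FilterHashtable also accepts a `StartTime` key, which would push the date filter into the event log query instead of the post-hoc Where-Object. Whether Get-CommonWDACConfig returns `$null` or throws for an unset property I cannot see from here. The function's process block continues outside the hunk.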
@@ -92,8 +92,8 @@ Export-ModuleMember -Function 'Get-KernelModeDriversAudit' # SIG # Begin signature block # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCCVwYUxeLU4oL2 -# u4Zs3B/OfgzrhUfAnEFUA+9IWd96kaCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCD/0FXBh+t97OM7 +# 4JGmyi5Xjz08jvSf+ZU1KQ6zRKHu36CCB9AwggfMMIIFtKADAgECAhMeAAAABI80 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5 
@@ -140,16 +140,16 @@ Export-ModuleMember -Function 'Get-KernelModeDriversAudit' # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQgcPlRHs4DGAT7Ypsxs7QxZt+D2uYsPGpBEHwPvNY9x6AwDQYJKoZIhvcNAQEB -# BQAEggIAgoBr0TW0sqDUZrlMFQ+SKi5DvoRvwshfwhueYHXKiyWGT/jmhEugjWb+ -# AykKn9zUPxB/t5AVPE6nAtrb8hZvoWxxdcUfiEohjRILFTAHQIP/RvuwMDgtZtDi -# wS16WL+rfWDDReWOuTvdDPnj45YWCs0yzx90wIg73/JTG/RqxBlc6ObK2Pkv2nzQ -# dNA3DQwJbSBXn6BQ7pEXvj4bB0/iPIgcm7clvVjBZNiLu6aTIz7M3PpbZF28xwIb -# SC54U+gf+HJTtbqjRkRJy/AaLZw9WAqS2Yqt04iGX9XWbzkQO9qsLTRc0geF/Aeg -# CPRDer9nh0iaHmI1zcgkXPo7i6EGiyOAML9CspjeH+YoiA/Sfn2rUBRT+0mRIWsv -# ehYOJHCEU2EfC4YpRY81338ndBwjzBkg4vAqUPXcopg/5mO2QNnNha9KMzxVVLOP -# I58mNmJNX4qPRBj5jm175JZ9Cp6An247jo9eD1T/g6Kss21MwgwW8r8tmN16OFg0 -# l4dj/fmEMfyd0/zSZpgN5OVO+S1e+vpCAyy4+Q0tg8vlDdr9A/2Lm2mcO8doDHjG -# n3PR6jhnsyvBPnGWVQsLymPvFYKrA9kms4RgkJGTbz1480qKcONg7QrlSf0fwQFT -# 1YjAPN5Cbx6BFNRRe61kyACWUtyJc65kP1oDJZBPcA5SYZ0Omp8= +# IgQgjmoZoj2rrsuS7Wph5ct7wINVQpO4pan/azq0IuB5tEQwDQYJKoZIhvcNAQEB +# BQAEggIAiOJId3cYQnZ58sNiiSLXtHHYy7xNzfLkZBl93p9djIJRwcUDw4ox21dN +# OI+eIEVYUNUruTdNb4NDLnZWVWvmOjTCfGjGOwOtqFoJbaHPQLotIXTvyxG/yen+ +# r/MklNsNBXmr8ecn3q41RzmdHMZneiDAGB3PdIua9SvvZvAT095FORyITBYWis9t +# Eu5u9xmeccmZYAPCWq+9w7NnRXclFntyq5U4HwfuS4XTwIml+iP6ZRAzVKOjP8Ny +# tekdJtPd1duP51buEKS4Bq9/EvDMOOYyYY/vPUqOr2eHN4egOFOYmUDWQ/ezo7yT +# h2tRDD9+xX71b2u6dLllT0pxrIVkn6Lbbw+mdB1PR7iXrg+WqnvK1MYXvjAdSxX9 +# sEGyRbDpAoliVdslUDJsQUyj8eIFQeKbgrztOruiMBJk47qGZ4UcISQ2QKwES7vL +# /61/3yw1N7UcEFFSsG5diD7DvGcV65mlio56Q9jXrYm2L5IkqnY/8qlP1N4WDJJk +# AV0UCZncuMIGvv5am6VuLN73Bcv1zOTBleh/7zEosNkcyimxN1xpl9eFakOEtnE2 +# xNADstsNev/ONrgI4JNHkCkHbwubFmWvecmxCKAqzjaVZKaxNKqQO81y1FyywvuF +# iHccsKYcpih/ysfasQTQyRfN188I2p2rSlHEDtCQY6O64ke1B7I= # SIG # End signature block From e18d0e9f2598cd360fde2fea39f2e57032182fe7 Mon Sep 17 00:00:00 2001 
From: Violet Date: Sun, 21 Jan 2024 21:54:13 +0200 Subject: [PATCH 09/19] Improved help section for Get-KernelModeDriversAudit Improved the function's description by increasing the verbosity and details --- .../Shared/Get-KernelModeDriversAudit.psm1 | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1 b/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1 index 3718478b1..a9f8a5b44 100644 --- a/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1 +++ b/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1 @@ -1,9 +1,20 @@ Function Get-KernelModeDriversAudit { <# .DESCRIPTION - This function will scan the Code Integrity event logs for kernel mode drivers that have been loaded and will return a folder containing symbolic links to the driver files. - .PARAMETER Date - The date from which to start the scan + This function will scan the Code Integrity event logs for kernel mode drivers that have been loaded since the audit mode policy has been deployed + and will return a folder containing symbolic links to the driver files. + It does this by: + 1. Scanning the Code Integrity event logs for kernel mode drivers that have been loaded since the audit mode policy has been deployed + 2. Converting the event to XML + 3. Converting the XML to a PowerShell object + 4. Replacing the global root file paths with the drive letters to create consumable paths + 5. Removing duplicates based on SHA256 hash + 6. Saving the file paths to a variable + 7. Filtering based on files that exist with .sys extension + 8. Removing duplicates based on file path + 9. Creating a temporary folder to store the symbolic links to the driver files + 10. Creating symbolic links to the driver files + 11. Returning the folder containing the symbolic links to driver files .INPUTS None .OUTPUTS 
From bfa505ef2b6a0a3aa97085012c72df6f735024bc Mon Sep 17 00:00:00 2001 From: Violet Date: Mon, 22 Jan 2024 14:50:33 +0200 Subject: [PATCH 10/19] Including dll files in the event log scan --- .../Shared/Get-KernelModeDriversAudit.psm1 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1 b/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1 index a9f8a5b44..1c2c1c10a 100644 --- a/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1 +++ b/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1 @@ -5,12 +5,12 @@ Function Get-KernelModeDriversAudit { and will return a folder containing symbolic links to the driver files. It does this by: 1. Scanning the Code Integrity event logs for kernel mode drivers that have been loaded since the audit mode policy has been deployed - 2. Converting the event to XML + 2. Converting each event to XML 3. Converting the XML to a PowerShell object 4. Replacing the global root file paths with the drive letters to create consumable paths 5. Removing duplicates based on SHA256 hash 6. Saving the file paths to a variable - 7. Filtering based on files that exist with .sys extension + 7. Filtering based on files that exist with .sys and .dll extensions 8. Removing duplicates based on file path 9. Creating a temporary folder to store the symbolic links to the driver files 10. Creating symbolic links to the driver files 
@@ -75,8 +75,8 @@ Function Get-KernelModeDriversAudit { Write-Verbose -Message 'Saving the file paths to a variable' [System.IO.FileInfo[]]$KernelModeDriversPaths = $RawData.'File Name' - Write-Verbose -Message 'Filtering based on files that exist with .sys extension' - $KernelModeDriversPaths = $KernelModeDriversPaths | Where-Object -FilterScript { ($_.Extension -eq '.sys') -and ($_.Exists) } + Write-Verbose -Message 'Filtering based on files that exist with .sys and .dll extensions' + $KernelModeDriversPaths = $KernelModeDriversPaths | Where-Object -FilterScript { ($_.Extension -in ('.sys', '.dll')) -and ($_.Exists) } Write-Debug -Message "KernelModeDriversPaths count after filtering based on files that exist with .sys extension: $($KernelModeDriversPaths.count)" From f36a19695ae205a08a1a434ada58602f706086dd Mon Sep 17 00:00:00 2001 From: Violet Date: Mon, 22 Jan 2024 15:03:26 +0200 Subject: [PATCH 11/19] Improved no flight root kernel mode policy No flight root kernel mode policy also no longer requires clearing code integrity operational logs --- .../Core/New-KernelModeWDACConfig.psm1 | 21 +++++++++++-------- .../Shared/Get-KernelModeDriversAudit.psm1 | 5 +++-- 2 files changed, 15 insertions(+), 11 deletions(-) diff --git a/WDACConfig/WDACConfig Module Files/Core/New-KernelModeWDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/New-KernelModeWDACConfig.psm1 index 1e1c4b2a8..a8d634f88 100644 --- a/WDACConfig/WDACConfig Module Files/Core/New-KernelModeWDACConfig.psm1 +++ b/WDACConfig/WDACConfig Module Files/Core/New-KernelModeWDACConfig.psm1 
@@ -199,7 +199,7 @@ Function New-KernelModeWDACConfig { Write-Verbose -Message 'Setting the GUID of the Audit mode policy in the User Configuration file' Set-CommonWDACConfig -StrictKernelPolicyGUID $PolicyID | Out-Null - Write-Verbose -Message 'Setting the time of deployment for the policy in the User Configuration file' + Write-Verbose -Message 'Setting the time of deployment for the audit mode policy in the User Configuration file' Set-CommonWDACConfig -StrictKernelModePolicyTimeOfDeployment (Get-Date) | Out-Null Write-Verbose -Message 'Deploying the Strict Kernel mode policy' 
@@ -350,14 +350,13 @@ Function New-KernelModeWDACConfig { Write-Verbose -Message 'Setting the GUID of the Audit mode policy in the User Configuration file' Set-CommonWDACConfig -StrictKernelNoFlightRootsPolicyGUID $PolicyID | Out-Null + Write-Verbose -Message 'Setting the time of deployment for the audit mode policy in the User Configuration file' + Set-CommonWDACConfig -StrictKernelModePolicyTimeOfDeployment (Get-Date) | Out-Null + Write-Verbose -Message 'Deploying the Strict Kernel mode policy' &'C:\Windows\System32\CiTool.exe' --update-policy "$PolicyID.cip" -json | Out-Null Write-ColorfulText -Color HotPink -InputText 'Strict Kernel mode policy with no flighting root certs has been deployed in Audit mode, please restart your system.' - Write-Verbose -Message 'Clearing the Code Integrity operational event logs before system restart so that after reboot it will only have the correct and new logs that belong to the kernel mode drivers' - &'C:\Windows\System32\wevtutil.exe' cl 'Microsoft-Windows-CodeIntegrity/Operational' - &'C:\Windows\System32\wevtutil.exe' cl 'Microsoft-Windows-AppLocker/MSI and Script' - if (!$Debug) { Write-Verbose -Message 'Removing the DefaultWindows_Enforced_Kernel_NoFlights.xml and its CIP file after deployment since -Debug parameter was not used.' Remove-Item -Path '.\DefaultWindows_Enforced_Kernel_NoFlights.xml', ".\$PolicyID.cip" -Force -ErrorAction SilentlyContinue 
@@ -392,13 +391,16 @@ Function New-KernelModeWDACConfig { $CurrentStep++ Write-Progress -Id 28 -Activity 'Scanning the Event logs' -Status "Step $CurrentStep/$TotalSteps" -PercentComplete ($CurrentStep / $TotalSteps * 100) + # Get the kernel mode drivers directory path containing symlinks + [System.IO.DirectoryInfo]$KernelModeDriversDirectory = Get-KernelModeDriversAudit + powershell.exe -Command { - Write-Verbose -Message 'Scanning the Event viewer logs for drivers' - $DriverFilesObj = Get-SystemDriver -Audit + Write-Verbose -Message 'Scanning the kernel-mode drivers detected in Event viewer logs' + $DriverFilesObj = Get-SystemDriver -ScanPath $args[0] Write-Verbose -Message 'Creating a policy xml file from the driver files' New-CIPolicy -MultiplePolicyFormat -Level FilePublisher -Fallback None -FilePath '.\DriverFilesScanPolicy.xml' -DriverFiles $DriverFilesObj - } + } -args $KernelModeDriversDirectory $CurrentStep++ Write-Progress -Id 28 -Activity 'Creating the final policy' -Status "Step $CurrentStep/$TotalSteps" -PercentComplete ($CurrentStep / $TotalSteps * 100) @@ -461,8 +463,9 @@ Function New-KernelModeWDACConfig { Write-ColorfulText -Color Pink -InputText 'Strict Kernel mode Enforced policy with no flighting root certs has been created in the current working directory.' } if (!$Debug) { - Write-Verbose -Message 'Removing the DriverFilesScanPolicy.xml and the CIP file because -Debug parameter was not used' + Write-Verbose -Message 'Removing the DriverFilesScanPolicy.xml, CIP file and KernelModeDriversDirectory in Temp folder because -Debug parameter was not used' Remove-Item -Path ".\$PolicyID.cip", '.\DriverFilesScanPolicy.xml' -Force -ErrorAction SilentlyContinue + Remove-Item -Path $KernelModeDriversDirectory -Recurse -Force } Write-Progress -Id 28 -Activity 'Complete.' -Completed } 
diff --git a/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1 b/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1 index 1c2c1c10a..4336e84ba 100644 --- a/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1 +++ b/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1 @@ -22,6 +22,7 @@ Function Get-KernelModeDriversAudit { #> [CmdletBinding()] param() + begin { # Importing the $PSDefaultParameterValues to the current session, prior to everything else . "$ModuleRootPath\CoreExt\PSDefaultParameterValues.ps1" @@ -41,10 +42,10 @@ Function Get-KernelModeDriversAudit { process { # Event Viewer Code Integrity logs scan for Audit logs based on the input date - foreach ($event in Get-WinEvent -FilterHashtable @{LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; ID = 3076 } -ErrorAction SilentlyContinue | Where-Object -FilterScript { $_.TimeCreated -ge $ScanStartDate } ) { + foreach ($Event in Get-WinEvent -FilterHashtable @{LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; ID = 3076 } -ErrorAction SilentlyContinue | Where-Object -FilterScript { $_.TimeCreated -ge $ScanStartDate } ) { # Convert the event to XML - $Xml = [System.Xml.XmlDocument]$event.toxml() + $Xml = [System.Xml.XmlDocument]$Event.toxml() # Convert the XML to a PowerShell object $Xml.event.eventdata.data | ForEach-Object -Begin { $Hash = @{} } -Process { $Hash[$_.name] = $_.'#text' } -End { [pscustomobject]$Hash } | ForEach-Object -Process { From 9a301562cc380742ef0463bae5b8a51b03bf5519 Mon Sep 17 00:00:00 2001 From: Violet Date: Mon, 22 Jan 2024 18:36:05 +0200 Subject: [PATCH 12/19] Improvements to the debug messages --- .../Core/New-KernelModeWDACConfig.psm1 | 28 ++++++++-------- .../Shared/Get-KernelModeDriversAudit.psm1 | 32 ++++++++++--------- 2 files changed, 31 insertions(+), 29 deletions(-) 
diff --git a/WDACConfig/WDACConfig Module Files/Core/New-KernelModeWDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/New-KernelModeWDACConfig.psm1 index a8d634f88..9654a4a17 100644 --- a/WDACConfig/WDACConfig Module Files/Core/New-KernelModeWDACConfig.psm1 +++ b/WDACConfig/WDACConfig Module Files/Core/New-KernelModeWDACConfig.psm1 @@ -513,8 +513,8 @@ Function New-KernelModeWDACConfig { # SIG # Begin signature block # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCrzXnnA29zD1E2 -# sXklFLsoPYM6Kym7BCBtyYHOEuOO8KCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCYiRetnOXMCIlU +# 25jr/1/XKzQFAb9+QJG7rIH27eBRN6CCB9AwggfMMIIFtKADAgECAhMeAAAABI80 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5 
@@ -561,16 +561,16 @@ Function New-KernelModeWDACConfig { # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQguMbH9iotOtTas2k8+eDSlzmJ5RkuKjtGb8NlYxhrlB0wDQYJKoZIhvcNAQEB -# BQAEggIAjKQmzqREpFV6v/HimHrN3EYxsRm1BRL37kQc8S6KaintVGup8rQptP25 -# USIWZ/aV174RHpTeDe9AmdEyifx4mHxfG/738wpykm8cJa5SbrET1i7cuGbjDArg -# oaSZ5qpaNcURtPm1lUCodZPxw0EgbegUfZa4JQ4b2a/gr54h/bAVpaSvdNEu9M0J -# SwwSWmm7oyM8HssQt5CLZduXOqZdS2cSKXxMRAC1J5jaPss9CpBtmbrVqv6xsJuA -# txUc4S8IFxhAS7Q9K1R/rt/KFhhaQtk1Yez0t4DFNTI4TWcwK5ypGT76vjllcAGw -# 8Isyb1lKlZdL3L4NYTPo0gOO8zkjDvzWnbKA3w5zTNXqXNGZcZYWanf0L4HCSd5L -# mS8z+TOo+TkgXez9PpEy+uC64q6C+/lrksPAL1Qr5Yj+22zhkPhj2WqnVpvc6Y6E -# INUSxlEwRTSPea+fD/ZHEb7/dOFJ1GYrFCKwcywHPAC25iIxqsJtLFfluW87mfHu -# Sj4KdfEf3Yze8Npo42Y5tYqdlMLuQ2gSPf4qR1gMaBtvOHrs+jUT46sDxcGLNuD5 -# gj9D1NHfHidXmHGKTYhAf82AevxoYCXWWm5aTXzSdWaY9CFC7krryljMCwehdF8V -# MHJ+/hYfTPKF4KCCgNRoyI6zHtGdTYeI90bwNyfhlNV59Iag/tI= +# IgQgiXRwvvsbe3wS1CHe2FGdxHtMv9bNhAe5prVrtCJvtJQwDQYJKoZIhvcNAQEB +# BQAEggIAnegUfShgYbzvccCdGs6plCoj6MKKxeKKGZ3lXi/aQoB9clRa6Kt7Xjfp +# wHHzxqX0T3szSFixNaiZrKV2shSWSijhRH8jv34h8tcME2dD5tR45xjGvc3ogB05 +# idXR0mp+cQyrE3Z+lcUkAB+ewdvsXw/jE/uwFr+ZwFlgZFfS7thHaNfL9MBJW5jP +# RNtwYME5cVNxR2VUcUgEt9vON6h6yTqhAbzkieHBsxSZQS7xncaWHRTqyakQEzst +# g+XpuNyot94ykhrHUBxJ1WWjxI6yfRJRWaEBTPCSi3sEguV+1acEsCNNxl7BFSNM +# LZLSwsjSFZOR+JeOqNz49GRVf0lLn7KGdujJkteoRDKZwltZ2FSHJboLhq/M8SBa +# 5ns/GlpwuuyepXphmtG4pPW/EjMxgxVdgo6wadur5ksjdLFUKdlqOsM+TCNoNrtH +# +Bn51etxnGeYGK41yv4xF2WvcZCgn4SVa3bZewdjoSZDoBI0asxPdFvZkecuMz+k +# obkaI+yqFFF8ozwowjChhfXJQIBR5yw2nRsQAgX6zf4sIrAqh5TRtRCeoJqvOTqL +# aIuWFc6Bi+fboUCquZ8AiZwuFkGJ0TY3kbl53/jCzEtgTcx+J4BlMhs6ZxCm9hE2 +# UaUuRpX9YmnnVbEn3v1IfHonC4KEHweGFid4Nn8HzwR7JgcVyLA= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1 b/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1 index 4336e84ba..69f55d763 100644 --- a/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1 +++ b/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1 @@ -19,6 +19,8 @@ Function Get-KernelModeDriversAudit { None .OUTPUTS System.IO.DirectoryInfo + .NOTES + Get-SystemDriver only includes .sys files, but Get-KernelModeDriversAudit function includes .dll files as well just in case since they appear in event logs when auditing kernel-mode files. #> [CmdletBinding()] param() @@ -79,7 +81,7 @@ Function Get-KernelModeDriversAudit { Write-Verbose -Message 'Filtering based on files that exist with .sys and .dll extensions' $KernelModeDriversPaths = $KernelModeDriversPaths | Where-Object -FilterScript { ($_.Extension -in ('.sys', '.dll')) -and ($_.Exists) } - Write-Debug -Message "KernelModeDriversPaths count after filtering based on files that exist with .sys extension: $($KernelModeDriversPaths.count)" + Write-Debug -Message "KernelModeDriversPaths count after filtering based on files that exist with .sys and .dll extensions: $($KernelModeDriversPaths.count)" Write-Verbose -Message 'Removing duplicates based on file path' $KernelModeDriversPaths = $KernelModeDriversPaths | Group-Object -Property 'FullName' | ForEach-Object -Process { $_.Group[0] } 
@@ -104,8 +106,8 @@ Export-ModuleMember -Function 'Get-KernelModeDriversAudit' # SIG # Begin signature block # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCD/0FXBh+t97OM7 -# 4JGmyi5Xjz08jvSf+ZU1KQ6zRKHu36CCB9AwggfMMIIFtKADAgECAhMeAAAABI80 +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDFOfK0ETLQSgmo +# 2FNRa5LBFF7irEPqHfewdPH3LTcGMKCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5 
@@ -152,16 +154,16 @@ Export-ModuleMember -Function 'Get-KernelModeDriversAudit' # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQgjmoZoj2rrsuS7Wph5ct7wINVQpO4pan/azq0IuB5tEQwDQYJKoZIhvcNAQEB -# BQAEggIAiOJId3cYQnZ58sNiiSLXtHHYy7xNzfLkZBl93p9djIJRwcUDw4ox21dN -# OI+eIEVYUNUruTdNb4NDLnZWVWvmOjTCfGjGOwOtqFoJbaHPQLotIXTvyxG/yen+ -# r/MklNsNBXmr8ecn3q41RzmdHMZneiDAGB3PdIua9SvvZvAT095FORyITBYWis9t -# Eu5u9xmeccmZYAPCWq+9w7NnRXclFntyq5U4HwfuS4XTwIml+iP6ZRAzVKOjP8Ny -# tekdJtPd1duP51buEKS4Bq9/EvDMOOYyYY/vPUqOr2eHN4egOFOYmUDWQ/ezo7yT -# h2tRDD9+xX71b2u6dLllT0pxrIVkn6Lbbw+mdB1PR7iXrg+WqnvK1MYXvjAdSxX9 -# sEGyRbDpAoliVdslUDJsQUyj8eIFQeKbgrztOruiMBJk47qGZ4UcISQ2QKwES7vL -# /61/3yw1N7UcEFFSsG5diD7DvGcV65mlio56Q9jXrYm2L5IkqnY/8qlP1N4WDJJk -# AV0UCZncuMIGvv5am6VuLN73Bcv1zOTBleh/7zEosNkcyimxN1xpl9eFakOEtnE2 -# xNADstsNev/ONrgI4JNHkCkHbwubFmWvecmxCKAqzjaVZKaxNKqQO81y1FyywvuF -# iHccsKYcpih/ysfasQTQyRfN188I2p2rSlHEDtCQY6O64ke1B7I= +# IgQgsfJ1nVHY3ovcuLL+nonOJ8oeTAq40SvIw2yJG9aSvTAwDQYJKoZIhvcNAQEB +# BQAEggIAm2C8NlNVS5gQnwGEdui7gOyxGG/OpbB8VT+0vINtQeRS3OH+g4VPXjTn +# lqtEWYBrzvB+gmh7uW81lkWTo8ffOSstnHzzsd/znkyxIEOHNuTO71hPcY7t1zNO +# 0mj3UqfhbnGNnUnXkG9h+tCIrN/PH+5ooLhm4td3xXK2BEy2Kt6GsoBDMMoHHhNy +# VZFexpLMkIaFPfRNFcu4m6PeotgDcvslPc6V4mNDCEfee4+AHh/1+cD2hHM89ist +# 6b/w2PLsgaNGOqHEZscXDsw8nSaf+cT40YEmtvOAezXn0M3LT6izW+ME9RR80t5L +# h+K46g+lrC+6WDhGXCw2Smv0z7wTHikfKcmHbMwxm+z79XRRo8VXBzvOHBD+wAMr +# 3ozCJtzKFBaVlh4DRPytx4pSHY2KUKvncCS2u6BamYkcd3SaOiNEPN/823uEjY2C +# SDfO5/Dk4cNn78NSuE0AQEPmCACWLgK664LjMRxwROx7pdjzJ0My2KEjVl84skCe +# 4egSjFmhbnK8EqMxu0lVkPmx14gm8N1T6Tvz5X5oH4lGQ/4m/87SUv/Q+DAosJk4 +# CcL7KlYSs9vsywJy92UGTJEzKfXR9KbFK6dZ/M2ZprfNrOwqy/1hDI8W7U+Pborx +# wPXCOm/Xtyz36YzVY0WZy8jiCCT/fn/PR/tjexwMclSKNsiFBcY= # SIG # End signature block From 9a2415954b8146421290abe2415721e6ff0f05f8 Mon Sep 17 00:00:00 2001 
From: Violet Date: Mon, 22 Jan 2024 19:19:12 +0200 Subject: [PATCH 13/19] Updated Kernel-mode policy XML files The updated files have none of the unnecessary rules and are much smaller. The old files have been moved to an archived folder for informational purposes. --- .../DefaultWindows_Enforced_Kernel.xml | 155 ++++++++++++++++++ ...faultWindows_Enforced_Kernel_NoFlights.xml | 131 +++++++++++++++ .../WDAC Policies - Archived/Readme.md | 3 + .../DefaultWindows_Enforced_Kernel.xml | 82 +-------- ...faultWindows_Enforced_Kernel_NoFlights.xml | 73 +-------- 5 files changed, 305 insertions(+), 139 deletions(-) create mode 100644 WDACConfig/WDACConfig Module Files/Resources/WDAC Policies - Archived/DefaultWindows_Enforced_Kernel.xml create mode 100644 WDACConfig/WDACConfig Module Files/Resources/WDAC Policies - Archived/DefaultWindows_Enforced_Kernel_NoFlights.xml create mode 100644 WDACConfig/WDACConfig Module Files/Resources/WDAC Policies - Archived/Readme.md diff --git a/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies - Archived/DefaultWindows_Enforced_Kernel.xml b/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies - Archived/DefaultWindows_Enforced_Kernel.xml new file mode 100644 index 000000000..757a47255 --- /dev/null +++ b/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies - Archived/DefaultWindows_Enforced_Kernel.xml @@ -0,0 +1,155 @@ + + + 10.0.3.0 + {0510F47B-39BB-43BB-85AA-348FB15CE9C6} + {0510F47B-39BB-43BB-85AA-348FB15CE9C6} + {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0 + + + + DefaultWindowsEnforced + + + + + 022422 + + + + \ No newline at end of file 
diff --git a/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies - Archived/DefaultWindows_Enforced_Kernel_NoFlights.xml b/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies - Archived/DefaultWindows_Enforced_Kernel_NoFlights.xml new file mode 100644 index 000000000..720710135 --- /dev/null +++ b/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies - Archived/DefaultWindows_Enforced_Kernel_NoFlights.xml @@ -0,0 +1,131 @@ + + + 10.0.3.0 + {0510F47B-39BB-43BB-85AA-348FB15CE9C6} + {0510F47B-39BB-43BB-85AA-348FB15CE9C6} + {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0 + + + + DefaultWindowsEnforced + + + + + 022422 + + + + \ No newline at end of file diff --git a/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies - Archived/Readme.md b/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies - Archived/Readme.md new file mode 100644 index 000000000..906b5a54b --- /dev/null +++ b/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies - Archived/Readme.md @@ -0,0 +1,3 @@ +The following XML files are for strict kernel-mode type policies prior to using the Merge-CIPolicy cmdlet which helps to automatically remove the non-kernel-mode EKUs, Singer etc. + +These policies are no longer used by the WDACConfig module and are just kept for informational purposes. \ No newline at end of file diff --git a/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies/DefaultWindows_Enforced_Kernel.xml b/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies/DefaultWindows_Enforced_Kernel.xml index 757a47255..75af66b78 100644 --- a/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies/DefaultWindows_Enforced_Kernel.xml +++ b/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies/DefaultWindows_Enforced_Kernel.xml @@ -8,18 +8,12 @@ - - - - - - 
@@ -29,18 +23,12 @@ - - - - - - - + + + - - - + @@ -55,7 +43,6 @@ - @@ -68,45 +55,9 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - @@ -120,26 +71,9 @@ - - - - - - - - 0 + + + 0 diff --git a/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies/DefaultWindows_Enforced_Kernel_NoFlights.xml b/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies/DefaultWindows_Enforced_Kernel_NoFlights.xml index 720710135..1ecce6eda 100644 --- a/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies/DefaultWindows_Enforced_Kernel_NoFlights.xml +++ b/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies/DefaultWindows_Enforced_Kernel_NoFlights.xml @@ -8,18 +8,12 @@ - - - - - - @@ -29,18 +23,12 @@ - - - - - - - + + + - - - + @@ -55,37 +43,9 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - @@ -96,26 +56,9 @@ - - - - - - - - 0 + + + 0 From 63c9fbcd21600b986c07418fb7f458812ff0dbd7 Mon Sep 17 00:00:00 2001 From: Violet Date: Mon, 22 Jan 2024 19:22:45 +0200 Subject: [PATCH 14/19] Updated manifest file for the new archived folder The folder that contains the archived policies. Also removed the space in the folder name. --- .../DefaultWindows_Enforced_Kernel.xml | 0 .../DefaultWindows_Enforced_Kernel_NoFlights.xml | 0 .../Readme.md | 0 WDACConfig/WDACConfig Module Files/WDACConfig.psd1 | 3 +++ 4 files changed, 3 insertions(+) rename WDACConfig/WDACConfig Module Files/Resources/{WDAC Policies - Archived => WDAC Policies-Archived}/DefaultWindows_Enforced_Kernel.xml (100%) rename WDACConfig/WDACConfig Module Files/Resources/{WDAC Policies - Archived => WDAC Policies-Archived}/DefaultWindows_Enforced_Kernel_NoFlights.xml (100%) rename WDACConfig/WDACConfig Module Files/Resources/{WDAC Policies - Archived => WDAC Policies-Archived}/Readme.md (100%) 
diff --git a/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies - Archived/DefaultWindows_Enforced_Kernel.xml b/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies-Archived/DefaultWindows_Enforced_Kernel.xml similarity index 100% rename from WDACConfig/WDACConfig Module Files/Resources/WDAC Policies - Archived/DefaultWindows_Enforced_Kernel.xml rename to WDACConfig/WDACConfig Module Files/Resources/WDAC Policies-Archived/DefaultWindows_Enforced_Kernel.xml diff --git a/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies - Archived/DefaultWindows_Enforced_Kernel_NoFlights.xml b/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies-Archived/DefaultWindows_Enforced_Kernel_NoFlights.xml similarity index 100% rename from WDACConfig/WDACConfig Module Files/Resources/WDAC Policies - Archived/DefaultWindows_Enforced_Kernel_NoFlights.xml rename to WDACConfig/WDACConfig Module Files/Resources/WDAC Policies-Archived/DefaultWindows_Enforced_Kernel_NoFlights.xml diff --git a/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies - Archived/Readme.md b/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies-Archived/Readme.md similarity index 100% rename from WDACConfig/WDACConfig Module Files/Resources/WDAC Policies - Archived/Readme.md rename to WDACConfig/WDACConfig Module Files/Resources/WDAC Policies-Archived/Readme.md diff --git a/WDACConfig/WDACConfig Module Files/WDACConfig.psd1 b/WDACConfig/WDACConfig Module Files/WDACConfig.psd1 index b95ddbcff..9b678d200 100644 --- a/WDACConfig/WDACConfig Module Files/WDACConfig.psd1 +++ b/WDACConfig/WDACConfig Module Files/WDACConfig.psd1 
@@ -203,6 +203,9 @@ To get help and syntax on PowerShell console, type: 'Resources\WDAC Policies\DefaultWindows_Enforced_Kernel.xml', 'Resources\WDAC Policies\DefaultWindows_Enforced_Kernel_NoFlights.xml', 'Resources\User Configurations\Schema.json', + 'Resources\WDAC Policies-Archived\DefaultWindows_Enforced_Kernel.xml' + 'Resources\WDAC Policies-Archived\DefaultWindows_Enforced_Kernel_NoFlights.xml' + 'Resources\WDAC Policies-Archived\Readme.md' 'Shared\Confirm-CertCN.psm1', 'Shared\Get-AuditEventLogsProcessing.psm1', 'Shared\Get-BlockRulesMeta.psm1', From 4efafd34820d654e8b427ef8342a6b9b7f46bcac Mon Sep 17 00:00:00 2001 From: Violet Date: Mon, 22 Jan 2024 19:24:49 +0200 Subject: [PATCH 15/19] Updated file hashes For the built-in Integrity checker cmdlet --- WDACConfig/Utilities/Hashes.csv | 33 +++++++++++++++++++-------------- 1 file changed, 19 insertions(+), 14 deletions(-) diff --git a/WDACConfig/Utilities/Hashes.csv b/WDACConfig/Utilities/Hashes.csv index 29a0ef783..3aa74e4dd 100644 --- a/WDACConfig/Utilities/Hashes.csv +++ b/WDACConfig/Utilities/Hashes.csv 
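Review bot: The three added entries carry no trailing commas, unlike every neighbouring element of the same array (`'Resources\User Configurations\Schema.json',` above and `'Shared\Confirm-CertCN.psm1',` below). PowerShell accepts newline-separated elements inside `@( )`, so this still parses, but the inconsistency invites a breakage the next time someone joins or reorders entries; add the commas, e.g. `'Resources\WDAC Policies-Archived\DefaultWindows_Enforced_Kernel.xml',` and likewise for the other two lines. The array these belong to (presumably the module's file list) starts and ends outside the hunk.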
@@ -1,33 +1,38 @@ "RelativePath","FileName","FileHash" -"Preloader.ps1","Preloader.ps1","F1F40E2738FF0F1F0F93AAE43F54031AC26EF1A08B5FBC826411E94E7B9C92D2EBC814FE5717261B078BEF8097281C96871827B3AC4599B31ED0FBB0651B87B2" -"WDACConfig.psd1","WDACConfig.psd1","F3056970C5CD4BAD3A1DF089F43D0AEA4DC8C0DC5B5BE5A0CD1C2645CCA71E46BCA2FC6376A19A6D4E975B6C77506D293E32A136C18CBC6C34EA784E69DC5758" +"Preloader.ps1","Preloader.ps1","D5E35977A380E4BE020F350AED651746735B3B2F48DDD3E77D4E4C16E5DDE2AB56D879B61BE15009AAD2355F5A17C173D290286A200D880CBB6B82A6B593D98F" +"WDACConfig.psd1","WDACConfig.psd1","AA81D237642E04934294B38A3683F4123E19F3A553808D30E0873BAB33E4BB4C314586CB42C38C2ACEC695436EA2050EDF35CFC027CD82EC62E6A2A113C5EA28" "WDACConfig.psm1","WDACConfig.psm1","AEDE7DF34183CD06AD7F045841E70F5B10EC068A1CC8F7B6E647E6880A5C55BAD68ED318992DA0146EB2F58B8C19FFF92DA44AE470D25EAF4C19B19F6E504FEA" "Core\Assert-WDACConfigIntegrity.psm1","Assert-WDACConfigIntegrity.psm1","A7A3D806DC2637DA1DB24F1A4DE40CEC33AF16240C15FF82B105C805A5CD7EB94362E0D283826E49F24D9E7B1CB99A6986B98E771193E10622EDAE5837FBC807" -"Core\Build-WDACCertificate.psm1","Build-WDACCertificate.psm1","94C17957C5B59B0AA2978B066E085D988D436BF8258BB92AC35D0FFF5CA7F0E2F5D50C60FE53E438E4E87962D02C82DA8781CADB6419F8D6F423F7068E909E32" +"Core\Build-WDACCertificate.psm1","Build-WDACCertificate.psm1","62E0C97C69E098F801318F23A057F58C9006AB62071B4A3FA0146122975C7C71AB798E43B93FC2DB570AFA3CF530C7C46D4D9A09493FC9EDD9A6C43586ABE145" "Core\Confirm-WDACConfig.psm1","Confirm-WDACConfig.psm1","F05B9C7CD1BCB4BFF4C447013326EE41CF6C6D52C48AC0A057EE6862E7E4F3748A9948E991B765454F9367695E2752BDE3000211642D7537EC603D1AF7D25487" -"Core\Deploy-SignedWDACConfig.psm1","Deploy-SignedWDACConfig.psm1","0CD85ECE98C13599C1163F66B97AB3501C41127E4DDC8153EE0D3ABCB303E81BB30EC7DABED52C3E3460BDEFDAA54B490B8C1A8AB8CBF2352AF647337F557A95" 
-"Core\Edit-SignedWDACConfig.psm1","Edit-SignedWDACConfig.psm1","CC0F59F5EFC695C4680493F08E03CC6D8C80C915671C5B4A63C890415494144B332DAE52AB743BCF567709C37B39F91B3EC8D0A2821ADCA93C81A30F74414DA6" +"Core\Deploy-SignedWDACConfig.psm1","Deploy-SignedWDACConfig.psm1","6E300258BAEDA5787441A11AF492C4D814611789974B1D59BC0C4BCC98724DCE66C6334ED541AD5DE52C497A9BC586C66F02CC87231B8D5F14603F8632711C94" +"Core\Edit-SignedWDACConfig.psm1","Edit-SignedWDACConfig.psm1","D9B79D3D4D7F9B5D5C0608F95FA74827BC1F8CF30F78FA5A4054B4B17FCC83F6EAA87C391857419DFC8D8A26650113D4560FE0C51E5BAB0561744AEB926E191D" "Core\Edit-WDACConfig.psm1","Edit-WDACConfig.psm1","486F2426F5CD714B0717B256B335A5D98D414761846A08A54CD509406E0B291EB55BF7EE7704A5797C3E90DBCAFD804ED52D89EFF6CED9A175717BDC7A3B384A" -"Core\Get-CommonWDACConfig.psm1","Get-CommonWDACConfig.psm1","EAE580A6DB1F1C9A3A61934EF545D5E14F570A7A3D8365E01C4C35D7E9DA77530EED319623E40DC3A1BC648A76CF2B715091B0644306CC3B1C5F7EF1E262FB57" +"Core\Get-CommonWDACConfig.psm1","Get-CommonWDACConfig.psm1","B79D46BDD63E54902F3CDD14F108F0CB01E213F9C78CEE6A9578F04502F2224E2640D8857BCB47EE6B1FFF7357C62AE2A68BE1F4FA1CA232AFC4442092F87A4E" "Core\Invoke-WDACSimulation.psm1","Invoke-WDACSimulation.psm1","694D9BD5B7288F9A36287EAD454A7B28698CCD92BF83C36DE08FED77EA0AF49E47189A182C83E83A8519BA893BF65B2673CD24D066C9DD6AEDF68084023346BE" "Core\New-DenyWDACConfig.psm1","New-DenyWDACConfig.psm1","B1954DD6D0C20C73624C4040C222A6EBA03B141D80391788A39E9995D8D3729BB0A76A4FE571AC8EEAFAFCBB679743C08B58947B13AB3E57B884861BDB9170A2" -"Core\New-KernelModeWDACConfig.psm1","New-KernelModeWDACConfig.psm1","B9553F48A29FA2847C50BC7AB2244FC06B9731DE645ABA1D0BF1E198D565D7A3FF7893C38415D43C38D83A78AC5B0800192581605D8F22BF5315F7612F06C2BD" +"Core\New-KernelModeWDACConfig.psm1","New-KernelModeWDACConfig.psm1","2DB75E59C6AD0CF75DBF7BEC24FB1C43E1BFE443F3E2D9C49AA4D19EE4FACDFE4687D476664991C4744D758B2CD6B11A6AE1C9C56150CE9315EB3A1B273D3E52" 
"Core\New-SupplementalWDACConfig.psm1","New-SupplementalWDACConfig.psm1","E6F44921A45D36EA3D6238368E623505EDD97F8040AF4A654C3A0FDAD9D29A4839DF4340B3A33AE896305DD6FBD01D68FCB740356AA33917652A8AF742098E49" "Core\New-WDACConfig.psm1","New-WDACConfig.psm1","6ACC7BA93FD208862A99F2FF085528EAF45DF1F29DC6C5246F399857016B0D834D4D67F715DBBB47FED6F59DBC4D217161D0088099D9738670B8F539720B1A04" -"Core\Remove-CommonWDACConfig.psm1","Remove-CommonWDACConfig.psm1","9030EC9E484712DE3AC85B8B17F3BFE04B652784F8370F6A5DA302C32DC24E8A95C542ACA006324BD2196C4C9D7AA9CDD12BFD7378B1C4988052EC396D491E0E" -"Core\Remove-WDACConfig.psm1","Remove-WDACConfig.psm1","894176AD4C01B2A6AC560DF86DE0595AE6B9B825071792DFDF011F48FF922D5B868C9DD35E3FAC915563FEC040C207B62D570EEAADD0ECA67B33584086EE7E18" -"Core\Set-CommonWDACConfig.psm1","Set-CommonWDACConfig.psm1","DE8D29FB24A003D94970E5C930477DC0F781CC7A22B88AD7065726391FAB4B6966108BC05BAAEB2757786A65E75E18A4A971E3B1F3AB0464E81FF17967D04378" -"CoreExt\PSDefaultParameterValues.ps1","PSDefaultParameterValues.ps1","73431C5710BE03621DAF4C9D563CC770C5AF4927DA534F49B5E3DAE79E2A834EBE910188E1BDF4FE5AA8DCBD3244C10889B922CE271CC0D2ED55723B3C476876" +"Core\Remove-CommonWDACConfig.psm1","Remove-CommonWDACConfig.psm1","7C6D6EC1BF203D40664783F4A60FDC937B08FEFB2383F7943846BEFD8251340C168C3BB0C16204C052755F027C9F2711DF66C42423C9284FFA4517978D6C59C8" +"Core\Remove-WDACConfig.psm1","Remove-WDACConfig.psm1","5661413F6C806BAE9DE8CE9950C0BAEA50D51414EEEBE80A6907F6D12F8CF31678D8F8CED51A87499BCC2F866DC2FFBE935A05837D6796420A4BDA0050DEFBCA" +"Core\Set-CommonWDACConfig.psm1","Set-CommonWDACConfig.psm1","62B5E45C58685785EF11F1B281199039FCC32FD3DAC83F20956E8F75499BA5CE92B5DB8731F2DE9CFAF767851C68DDB86ECA6F64F9D6D21CC4B05818EFD2ACE5" +"CoreExt\PSDefaultParameterValues.ps1","PSDefaultParameterValues.ps1","E038AD0408E6DC83257F774ACC1DAC8E92D9E1656F7925419DD5AAC11AE4F5F90308BBFFA57BCB7E44616EF0D6D0753EBC7122EE8A6F6B83CA6766194454277C" 
"Resources\ArgumentCompleters.ps1","ArgumentCompleters.ps1","0471552A03BCF16D55C754C8B2C54B5809A211CFB33E00A53B0C3722F65C6E30BA49C371813343839A7AB86B4D2AEE4136521FE31FA5303548132878FC4A1173" "Resources\Resources2.ps1","Resources2.ps1","404722F31CE73E6C89C623917B8A05AE806E34016EDC2105BD0D2659A8273CE9620282A1C38F0808F2CEC1BA71620F9609DD20F1A91A00217344A6EA687EB35E" -"Resources\WDAC Policies\DefaultWindows_Enforced_Kernel_NoFlights.xml","DefaultWindows_Enforced_Kernel_NoFlights.xml","D02BCCFA3C35E179A634AFCDE04259C43F8FBD619A4D0D2F7BAC1A8A9FBC58D3EBC7EE89B1B2EC6B3C17BD6EC38ADB501B271AEA3037B980D10EAB9AFA3B8308" -"Resources\WDAC Policies\DefaultWindows_Enforced_Kernel.xml","DefaultWindows_Enforced_Kernel.xml","BDC7B623386570F383B4A113BF06C7FF6A5A4271AFE572B5D68EEBC161CD650B62E70636527DFBEF09A8F95E66899CEEC424AA22CD00BBEF6D7888759D812F8D" +"Resources\User Configurations\Schema.json","Schema.json","9A20EF0148D298178B35C1AAB961C46AF62BBCC0BB0DCCBE63F2FE08E0A764406267449CDD686A01F85650622DA6E690D12FBB88BB3A7E070BA58C1AF8FBC813" +"Resources\WDAC Policies\DefaultWindows_Enforced_Kernel_NoFlights.xml","DefaultWindows_Enforced_Kernel_NoFlights.xml","0DF84E416ADCFB4C423D61BD71902B521B7ED7EADE2837BC41B443C1E0EEEECFE0C66193750455E96800D98374953B129ED0315EB03AFB2AF8D0C922871A223D" +"Resources\WDAC Policies\DefaultWindows_Enforced_Kernel.xml","DefaultWindows_Enforced_Kernel.xml","BF0804A93A8B940FBDF04792E177E41AB669567FBEE78FFD51DE963856EBE3C43DC5ED577446477CF4ED83368F7DE8E4AA399AC54D844C4ED8907D0DEAB7A94B" +"Resources\WDAC Policies-Archived\DefaultWindows_Enforced_Kernel_NoFlights.xml","DefaultWindows_Enforced_Kernel_NoFlights.xml","D02BCCFA3C35E179A634AFCDE04259C43F8FBD619A4D0D2F7BAC1A8A9FBC58D3EBC7EE89B1B2EC6B3C17BD6EC38ADB501B271AEA3037B980D10EAB9AFA3B8308" +"Resources\WDAC 
Policies-Archived\DefaultWindows_Enforced_Kernel.xml","DefaultWindows_Enforced_Kernel.xml","BDC7B623386570F383B4A113BF06C7FF6A5A4271AFE572B5D68EEBC161CD650B62E70636527DFBEF09A8F95E66899CEEC424AA22CD00BBEF6D7888759D812F8D" +"Resources\WDAC Policies-Archived\Readme.md","Readme.md","E85639EA8A88E40100AC46DFF72493E1D7A4FC600562C773A04BEF1EBCAA165AD2023E3808B3A5837186DC40C97AC2CB7FA5B2166A3957644ACAC91C9819ACC8" "Shared\Compare-SecureString.psm1","Compare-SecureString.psm1","3E6056CE0145967126305BFDAE43221718BFF53A35DAF51546F4030D93D632E438D1B25EF79A76E06A3290FE4444926554439EF73BEABEC4908D7DFA6CF98D2F" -"Shared\Confirm-CertCN.psm1","Confirm-CertCN.psm1","A17FC6FF9E0AA3B6857500B21F7A2A7005052BDB917C260DE1415232A3B659B973D44C98AAFA982AA7989C9FCAC10311B3EA25F0F285636D6B0813E70D2B2935" +"Shared\Confirm-CertCN.psm1","Confirm-CertCN.psm1","D1B8D1D32D4BBB2237046274EDBD5F6BCE441974E1CFFA0BCC661A4E07DD9C5EAB76F827FFC4F1A5A365A7A23BF464C42C33D9C58E813E23CD5729614AB35C1C" "Shared\Get-AuditEventLogsProcessing.psm1","Get-AuditEventLogsProcessing.psm1","150ED44874AB49D3B80BBD9B65374D82E47EE5A6CFB02A5CFF0DC112D393B49F635B9859B63A83A1E035877A356EE63582E526CF14A39343AB15821DBD9E1C3E" "Shared\Get-BlockRulesMeta.psm1","Get-BlockRulesMeta.psm1","7A13D5608848E82D77EC587BEB4781FCD116858CDEBBA3052F4137E4A6080EB1572EFA5BB7EB184C9D69E2873588D593F8B3AAB6FD874B3E112E6266D42DC399" "Shared\Get-FileRules.psm1","Get-FileRules.psm1","C8A2E0F9F1376D46FA3ADD925F73978C7CC17B4F1EC72C95278CF771F927A24396538BF682F1D6793F214337DD1AEB211F0D20FDFDA63668407EAA88205BC911" "Shared\Get-GlobalRootDrives.psm1","Get-GlobalRootDrives.psm1","775B9B52B5AE867467F267618580CAA2BBDD2BB123F0C0A35B9D1DA43C10EFC5FE34142F305DD2B547D9A57F05DAFDA3D590A0AFE5A48EE7B8FEE88175888AED" +"Shared\Get-KernelModeDriversAudit.psm1","Get-KernelModeDriversAudit.psm1","E0BEB61E9CF5D6C87ED1B8ED303EB26B55618ADAF45C1CCB49423868EC0F8B017390F38016C50A45EA7157C944A286FDE69FDCECDFBF186E5529B0B2210DCA1C" 
"Shared\Get-RuleRefs.psm1","Get-RuleRefs.psm1","7F9D20DB666FA2A476D8A0E2DA480C1DC4B4911C392010981F2DFA2829D354CF034D0803D0FB23708A069F51BE58A6AE01D0FBAD883424DBD1D84E9921D3B289" "Shared\Get-SignTool.psm1","Get-SignTool.psm1","0C527834AF2486F3E1411F8F03941ECD2B8B5F7E41C19E7CCA19AB63E1251725AEACECC1C7B83EA1A590190E91BC58CACF3D2593351B16AE781C32AAABF70588" "Shared\Move-UserModeToKernelMode.psm1","Move-UserModeToKernelMode.psm1","437A5A968ACE58EDA26151F09F41EEF599541EF077BA6A5822D293DF75423F0377C977BDAE809480BF6EF01924582FB599FE86AE6E73B981E70C2EB7B46C5888" From 563396aa767338c39cb6e18b777054fdaf9d6e2d Mon Sep 17 00:00:00 2001 From: Violet Date: Mon, 22 Jan 2024 19:45:58 +0200 Subject: [PATCH 16/19] Improved New-KernelModeWDACConfig --- WDACConfig/Utilities/Hashes.csv | 6 ++-- .../Core/New-KernelModeWDACConfig.psm1 | 31 ++++++++++--------- .../DefaultWindows_Enforced_Kernel.xml | 2 +- ...faultWindows_Enforced_Kernel_NoFlights.xml | 2 +- 4 files changed, 22 insertions(+), 19 deletions(-) diff --git a/WDACConfig/Utilities/Hashes.csv b/WDACConfig/Utilities/Hashes.csv index 3aa74e4dd..8a534d380 100644 --- a/WDACConfig/Utilities/Hashes.csv +++ b/WDACConfig/Utilities/Hashes.csv 
@@ -11,7 +11,7 @@ "Core\Get-CommonWDACConfig.psm1","Get-CommonWDACConfig.psm1","B79D46BDD63E54902F3CDD14F108F0CB01E213F9C78CEE6A9578F04502F2224E2640D8857BCB47EE6B1FFF7357C62AE2A68BE1F4FA1CA232AFC4442092F87A4E" "Core\Invoke-WDACSimulation.psm1","Invoke-WDACSimulation.psm1","694D9BD5B7288F9A36287EAD454A7B28698CCD92BF83C36DE08FED77EA0AF49E47189A182C83E83A8519BA893BF65B2673CD24D066C9DD6AEDF68084023346BE" "Core\New-DenyWDACConfig.psm1","New-DenyWDACConfig.psm1","B1954DD6D0C20C73624C4040C222A6EBA03B141D80391788A39E9995D8D3729BB0A76A4FE571AC8EEAFAFCBB679743C08B58947B13AB3E57B884861BDB9170A2" -"Core\New-KernelModeWDACConfig.psm1","New-KernelModeWDACConfig.psm1","2DB75E59C6AD0CF75DBF7BEC24FB1C43E1BFE443F3E2D9C49AA4D19EE4FACDFE4687D476664991C4744D758B2CD6B11A6AE1C9C56150CE9315EB3A1B273D3E52" +"Core\New-KernelModeWDACConfig.psm1","New-KernelModeWDACConfig.psm1","F5311B8EB87A02CD1BB33B497A7EF6A2A39EB2A0FB1DE5CD6D8B53B60E574D5895681D99004301B7C7B3EEF39D863BB1BA8B408E2890A1F18C3A760475EA92B3" "Core\New-SupplementalWDACConfig.psm1","New-SupplementalWDACConfig.psm1","E6F44921A45D36EA3D6238368E623505EDD97F8040AF4A654C3A0FDAD9D29A4839DF4340B3A33AE896305DD6FBD01D68FCB740356AA33917652A8AF742098E49" "Core\New-WDACConfig.psm1","New-WDACConfig.psm1","6ACC7BA93FD208862A99F2FF085528EAF45DF1F29DC6C5246F399857016B0D834D4D67F715DBBB47FED6F59DBC4D217161D0088099D9738670B8F539720B1A04" "Core\Remove-CommonWDACConfig.psm1","Remove-CommonWDACConfig.psm1","7C6D6EC1BF203D40664783F4A60FDC937B08FEFB2383F7943846BEFD8251340C168C3BB0C16204C052755F027C9F2711DF66C42423C9284FFA4517978D6C59C8" 
@@ -21,8 +21,8 @@ "Resources\ArgumentCompleters.ps1","ArgumentCompleters.ps1","0471552A03BCF16D55C754C8B2C54B5809A211CFB33E00A53B0C3722F65C6E30BA49C371813343839A7AB86B4D2AEE4136521FE31FA5303548132878FC4A1173" "Resources\Resources2.ps1","Resources2.ps1","404722F31CE73E6C89C623917B8A05AE806E34016EDC2105BD0D2659A8273CE9620282A1C38F0808F2CEC1BA71620F9609DD20F1A91A00217344A6EA687EB35E" "Resources\User Configurations\Schema.json","Schema.json","9A20EF0148D298178B35C1AAB961C46AF62BBCC0BB0DCCBE63F2FE08E0A764406267449CDD686A01F85650622DA6E690D12FBB88BB3A7E070BA58C1AF8FBC813" -"Resources\WDAC Policies\DefaultWindows_Enforced_Kernel_NoFlights.xml","DefaultWindows_Enforced_Kernel_NoFlights.xml","0DF84E416ADCFB4C423D61BD71902B521B7ED7EADE2837BC41B443C1E0EEEECFE0C66193750455E96800D98374953B129ED0315EB03AFB2AF8D0C922871A223D" -"Resources\WDAC Policies\DefaultWindows_Enforced_Kernel.xml","DefaultWindows_Enforced_Kernel.xml","BF0804A93A8B940FBDF04792E177E41AB669567FBEE78FFD51DE963856EBE3C43DC5ED577446477CF4ED83368F7DE8E4AA399AC54D844C4ED8907D0DEAB7A94B" +"Resources\WDAC Policies\DefaultWindows_Enforced_Kernel_NoFlights.xml","DefaultWindows_Enforced_Kernel_NoFlights.xml","7E4BC35A3F0840C8F3921FB260CE84660DC3CAACB7850A1AEF13AFC48B0E069D27562C5632444926BF60B44A0E0FF522D0215F1F7DD5E1A7E51A45E86AB7F44C" +"Resources\WDAC Policies\DefaultWindows_Enforced_Kernel.xml","DefaultWindows_Enforced_Kernel.xml","846663A7B0CAD90A2305F3C3322D6C2CFA6277B7E4B083CB478FF409DB29A7D0D71318845B884518B8D2F87B66A5EA327D4EB2D39A9707D1EE41B0237812FFD6" "Resources\WDAC Policies-Archived\DefaultWindows_Enforced_Kernel_NoFlights.xml","DefaultWindows_Enforced_Kernel_NoFlights.xml","D02BCCFA3C35E179A634AFCDE04259C43F8FBD619A4D0D2F7BAC1A8A9FBC58D3EBC7EE89B1B2EC6B3C17BD6EC38ADB501B271AEA3037B980D10EAB9AFA3B8308" "Resources\WDAC 
Policies-Archived\DefaultWindows_Enforced_Kernel.xml","DefaultWindows_Enforced_Kernel.xml","BDC7B623386570F383B4A113BF06C7FF6A5A4271AFE572B5D68EEBC161CD650B62E70636527DFBEF09A8F95E66899CEEC424AA22CD00BBEF6D7888759D812F8D" "Resources\WDAC Policies-Archived\Readme.md","Readme.md","E85639EA8A88E40100AC46DFF72493E1D7A4FC600562C773A04BEF1EBCAA165AD2023E3808B3A5837186DC40C97AC2CB7FA5B2166A3957644ACAC91C9819ACC8" diff --git a/WDACConfig/WDACConfig Module Files/Core/New-KernelModeWDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/New-KernelModeWDACConfig.psm1 index 9654a4a17..5c0f8a045 100644 --- a/WDACConfig/WDACConfig Module Files/Core/New-KernelModeWDACConfig.psm1 +++ b/WDACConfig/WDACConfig Module Files/Core/New-KernelModeWDACConfig.psm1 @@ -453,6 +453,9 @@ Function New-KernelModeWDACConfig { Write-Verbose -Message 'Removing the GUID of the StrictKernelNoFlightRootsPolicy from user configuration' Remove-CommonWDACConfig -StrictKernelNoFlightRootsPolicyGUID | Out-Null + + Write-Verbose -Message 'Removing the time of deployment of the StrictKernelPolicy from user configuration' + Remove-CommonWDACConfig -StrictKernelModePolicyTimeOfDeployment | Out-Null } else { # Remove the Audit mode policy from the system @@ -513,8 +516,8 @@ Function New-KernelModeWDACConfig { # SIG # Begin signature block # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCYiRetnOXMCIlU -# 25jr/1/XKzQFAb9+QJG7rIH27eBRN6CCB9AwggfMMIIFtKADAgECAhMeAAAABI80 +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCBxEju7MovYNoFz +# T/QceA1rALlIV+PzbfOFqBVuev2WfqCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5 
@@ -561,16 +564,16 @@ Function New-KernelModeWDACConfig { # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQgiXRwvvsbe3wS1CHe2FGdxHtMv9bNhAe5prVrtCJvtJQwDQYJKoZIhvcNAQEB -# BQAEggIAnegUfShgYbzvccCdGs6plCoj6MKKxeKKGZ3lXi/aQoB9clRa6Kt7Xjfp -# wHHzxqX0T3szSFixNaiZrKV2shSWSijhRH8jv34h8tcME2dD5tR45xjGvc3ogB05 -# idXR0mp+cQyrE3Z+lcUkAB+ewdvsXw/jE/uwFr+ZwFlgZFfS7thHaNfL9MBJW5jP -# RNtwYME5cVNxR2VUcUgEt9vON6h6yTqhAbzkieHBsxSZQS7xncaWHRTqyakQEzst -# g+XpuNyot94ykhrHUBxJ1WWjxI6yfRJRWaEBTPCSi3sEguV+1acEsCNNxl7BFSNM -# LZLSwsjSFZOR+JeOqNz49GRVf0lLn7KGdujJkteoRDKZwltZ2FSHJboLhq/M8SBa -# 5ns/GlpwuuyepXphmtG4pPW/EjMxgxVdgo6wadur5ksjdLFUKdlqOsM+TCNoNrtH -# +Bn51etxnGeYGK41yv4xF2WvcZCgn4SVa3bZewdjoSZDoBI0asxPdFvZkecuMz+k -# obkaI+yqFFF8ozwowjChhfXJQIBR5yw2nRsQAgX6zf4sIrAqh5TRtRCeoJqvOTqL -# aIuWFc6Bi+fboUCquZ8AiZwuFkGJ0TY3kbl53/jCzEtgTcx+J4BlMhs6ZxCm9hE2 -# UaUuRpX9YmnnVbEn3v1IfHonC4KEHweGFid4Nn8HzwR7JgcVyLA= +# IgQgKKKaEAqV5G3upfp4Kntgy/vj4hPoXLK4ioEHnP5IvNMwDQYJKoZIhvcNAQEB +# BQAEggIAa6dC4aaEXxzT7RDJE1wIy4XLdznyrcCeZ4It+BgrrfHefhZVHRpaqBqd +# 9eSoW5WpRKfRhPf1Xc7KH/YyLrfWkbQ9ihf2t99k/mKi8lcb4tU5qCXeZP5LWJWi +# dhRpZkMBLtsHJRvyRaWLoyhgdqQ6d6I50R6l0u4KbjtUEAlOsUNs7Ti1uPIQfBJC +# OAbUv80iz+DNCeI3HHguA6dyy7cHjhhfQ/JhgHBMYzasUX8SVKGFD58RrIpIFS74 +# q7bcqSOwpZXyZSuZQjnHmWtgUgobOACGQgWAenidciHfSUpmG3fHfvC18iX9i/tj +# dEJbSEBFoodCYPeI1yIn/54YlusQY+2iDwkGGp12tX2dDYB56CP5kjLkj+bILTXl +# diEvgfJ8jnrJie3EBGX+CbBmwiKajonVW/5ihjaTYdhYxKvacqtLcHypGKJy7Pwe +# to6LaYuwZe3wfxK2BEqN5sY6cNG7ca2cO9u6KUOnkBv3JdRlEhikox5LX1EZY9nf +# ytF6Ft8WlU6EVpRQNWUNABSbj3Qng/1NOP1Y+nSTGZGB6OuFDaPDmn4OXQ2SXCyO +# JbL6HB1SCqc0LKcMId+p8J7BYySOIxi3SMtjLSlGwu7GtXe1gurdHEPHNKJ69eW+ +# XUy45JKXsg8kH1SdfFjXY3dPOcrcGmFVZUkXjdQ70zD4XTzVYhg= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies/DefaultWindows_Enforced_Kernel.xml b/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies/DefaultWindows_Enforced_Kernel.xml index 75af66b78..67fec4ad9 100644 --- a/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies/DefaultWindows_Enforced_Kernel.xml +++ b/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies/DefaultWindows_Enforced_Kernel.xml @@ -73,7 +73,7 @@ - 0 + 0 diff --git a/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies/DefaultWindows_Enforced_Kernel_NoFlights.xml b/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies/DefaultWindows_Enforced_Kernel_NoFlights.xml index 1ecce6eda..53b156bd9 100644 --- a/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies/DefaultWindows_Enforced_Kernel_NoFlights.xml +++ b/WDACConfig/WDACConfig Module Files/Resources/WDAC Policies/DefaultWindows_Enforced_Kernel_NoFlights.xml @@ -58,7 +58,7 @@ - 0 + 0 From 9875732bdf0c219b937274be7884e58615bb1505 Mon Sep 17 00:00:00 2001 From: Violet Date: Tue, 23 Jan 2024 00:13:51 +0200 Subject: [PATCH 17/19] Converted debug msgs to verbose for consistency Write-Debug messages are now Write-verbose in the new function to maintain the same consistency across the code base --- WDACConfig/Utilities/Hashes.csv | 2 +- .../Shared/Get-KernelModeDriversAudit.psm1 | 36 +++++++++---------- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/WDACConfig/Utilities/Hashes.csv b/WDACConfig/Utilities/Hashes.csv index 8a534d380..07a992c80 100644 --- a/WDACConfig/Utilities/Hashes.csv +++ b/WDACConfig/Utilities/Hashes.csv 
@@ -32,7 +32,7 @@ "Shared\Get-BlockRulesMeta.psm1","Get-BlockRulesMeta.psm1","7A13D5608848E82D77EC587BEB4781FCD116858CDEBBA3052F4137E4A6080EB1572EFA5BB7EB184C9D69E2873588D593F8B3AAB6FD874B3E112E6266D42DC399" "Shared\Get-FileRules.psm1","Get-FileRules.psm1","C8A2E0F9F1376D46FA3ADD925F73978C7CC17B4F1EC72C95278CF771F927A24396538BF682F1D6793F214337DD1AEB211F0D20FDFDA63668407EAA88205BC911" "Shared\Get-GlobalRootDrives.psm1","Get-GlobalRootDrives.psm1","775B9B52B5AE867467F267618580CAA2BBDD2BB123F0C0A35B9D1DA43C10EFC5FE34142F305DD2B547D9A57F05DAFDA3D590A0AFE5A48EE7B8FEE88175888AED" -"Shared\Get-KernelModeDriversAudit.psm1","Get-KernelModeDriversAudit.psm1","E0BEB61E9CF5D6C87ED1B8ED303EB26B55618ADAF45C1CCB49423868EC0F8B017390F38016C50A45EA7157C944A286FDE69FDCECDFBF186E5529B0B2210DCA1C" +"Shared\Get-KernelModeDriversAudit.psm1","Get-KernelModeDriversAudit.psm1","259F643499977DE20F255387016EFC6A2D1A737B35C83B7AE34DC820B409ABE023A92436E9F0B7925EB75504ED1462D9E31EBC30A4FD02EE8DEF699AC0A45EF5" "Shared\Get-RuleRefs.psm1","Get-RuleRefs.psm1","7F9D20DB666FA2A476D8A0E2DA480C1DC4B4911C392010981F2DFA2829D354CF034D0803D0FB23708A069F51BE58A6AE01D0FBAD883424DBD1D84E9921D3B289" "Shared\Get-SignTool.psm1","Get-SignTool.psm1","0C527834AF2486F3E1411F8F03941ECD2B8B5F7E41C19E7CCA19AB63E1251725AEACECC1C7B83EA1A590190E91BC58CACF3D2593351B16AE781C32AAABF70588" "Shared\Move-UserModeToKernelMode.psm1","Move-UserModeToKernelMode.psm1","437A5A968ACE58EDA26151F09F41EEF599541EF077BA6A5822D293DF75423F0377C977BDAE809480BF6EF01924582FB599FE86AE6E73B981E70C2EB7B46C5888" diff --git a/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1 b/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1 index 69f55d763..f11a019fb 100644 --- a/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1 +++ b/WDACConfig/WDACConfig Module Files/Shared/Get-KernelModeDriversAudit.psm1 
@@ -68,12 +68,12 @@ Function Get-KernelModeDriversAudit {
 } }
- Write-Debug -Message "RawData count without processing: $($RawData.count)"
+ Write-Verbose -Message "RawData count without processing: $($RawData.count)"
 Write-Verbose -Message 'Removing duplicates based on SHA256 hash' $RawData = $RawData | Group-Object -Property 'SHA256 Hash' | ForEach-Object -Process { $_.Group[0] }
- Write-Debug -Message "RawData count after deduplication based on SHA256 hash: $($RawData.count)"
+ Write-Verbose -Message "RawData count after deduplication based on SHA256 hash: $($RawData.count)"
 Write-Verbose -Message 'Saving the file paths to a variable' [System.IO.FileInfo[]]$KernelModeDriversPaths = $RawData.'File Name'
@@ -81,12 +81,12 @@ Function Get-KernelModeDriversAudit { Write-Verbose -Message 'Filtering based on files that exist with .sys and .dll extensions' $KernelModeDriversPaths = $KernelModeDriversPaths | Where-Object -FilterScript { ($_.Extension -in ('.sys', '.dll')) -and ($_.Exists) } - Write-Debug -Message "KernelModeDriversPaths count after filtering based on files that exist with .sys and .dll extensions: $($KernelModeDriversPaths.count)" + Write-Verbose -Message "KernelModeDriversPaths count after filtering based on files that exist with .sys and .dll extensions: $($KernelModeDriversPaths.count)" Write-Verbose -Message 'Removing duplicates based on file path' $KernelModeDriversPaths = $KernelModeDriversPaths | Group-Object -Property 'FullName' | ForEach-Object -Process { $_.Group[0] } - Write-Debug -Message "KernelModeDriversPaths count after deduplication based on file path: $($KernelModeDriversPaths.count)" + Write-Verbose -Message "KernelModeDriversPaths count after deduplication based on file path: $($KernelModeDriversPaths.count)" Write-Verbose -Message 'Creating a temporary folder to store the symbolic links to the driver files' [System.IO.DirectoryInfo]$SymLinksStorage = New-Item -Path ($UserTempDirectoryPath + 'SymLinkStorage' + $(New-Guid)) -ItemType Directory -Force 
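Review bot: `New-Item -Path ($UserTempDirectoryPath + 'SymLinkStorage' + $(New-Guid))` builds the folder path by string concatenation, so it only lands inside the temp directory if `$UserTempDirectoryPath` already ends with a separator; `Join-Path -Path $UserTempDirectoryPath -ChildPath ('SymLinkStorage' + (New-Guid))` removes that dependency. `$UserTempDirectoryPath` is defined outside the hunk, so whether it carries a trailing separator cannot be confirmed here. The `$_.Exists` check on the freshly built `[System.IO.FileInfo]` objects presumably requires drive-letter paths in the 'File Name' column; if that column can hold `\Device\HarddiskVolumeN\...` style paths, every such entry would be filtered out, which deserves a comment on the filter line such as `# Exists is false for NT device paths; 'File Name' must already be a Win32 path`. The enclosing function continues outside the hunk.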
@@ -106,8 +106,8 @@ Export-ModuleMember -Function 'Get-KernelModeDriversAudit' # SIG # Begin signature block # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDFOfK0ETLQSgmo -# 2FNRa5LBFF7irEPqHfewdPH3LTcGMKCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCD8/S/0R4zso40q +# qxSIty+DwrdilPA67ty0zmqe2hEX5qCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5 
@@ -154,16 +154,16 @@ Export-ModuleMember -Function 'Get-KernelModeDriversAudit' # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQgsfJ1nVHY3ovcuLL+nonOJ8oeTAq40SvIw2yJG9aSvTAwDQYJKoZIhvcNAQEB -# BQAEggIAm2C8NlNVS5gQnwGEdui7gOyxGG/OpbB8VT+0vINtQeRS3OH+g4VPXjTn -# lqtEWYBrzvB+gmh7uW81lkWTo8ffOSstnHzzsd/znkyxIEOHNuTO71hPcY7t1zNO -# 0mj3UqfhbnGNnUnXkG9h+tCIrN/PH+5ooLhm4td3xXK2BEy2Kt6GsoBDMMoHHhNy -# VZFexpLMkIaFPfRNFcu4m6PeotgDcvslPc6V4mNDCEfee4+AHh/1+cD2hHM89ist -# 6b/w2PLsgaNGOqHEZscXDsw8nSaf+cT40YEmtvOAezXn0M3LT6izW+ME9RR80t5L -# h+K46g+lrC+6WDhGXCw2Smv0z7wTHikfKcmHbMwxm+z79XRRo8VXBzvOHBD+wAMr -# 3ozCJtzKFBaVlh4DRPytx4pSHY2KUKvncCS2u6BamYkcd3SaOiNEPN/823uEjY2C -# SDfO5/Dk4cNn78NSuE0AQEPmCACWLgK664LjMRxwROx7pdjzJ0My2KEjVl84skCe -# 4egSjFmhbnK8EqMxu0lVkPmx14gm8N1T6Tvz5X5oH4lGQ/4m/87SUv/Q+DAosJk4 -# CcL7KlYSs9vsywJy92UGTJEzKfXR9KbFK6dZ/M2ZprfNrOwqy/1hDI8W7U+Pborx -# wPXCOm/Xtyz36YzVY0WZy8jiCCT/fn/PR/tjexwMclSKNsiFBcY= +# IgQgontjxlQbDZmplahPYMnCcaVdsRPxbkX6fM0YKC+ssCcwDQYJKoZIhvcNAQEB +# BQAEggIAYyS9pmPhBPiLa8dmuQ1rH8plOvG1VgTuPLnEGmSBynYzA1sZ0BnWrlv6 +# MAnPubstvMqUVyd+TpCb1fdgkK/IsRMrmFc0E3XK4Z3mCPB6uq5E32GRHT6nZCCM +# +v2up+N42eFMTHqvn3SptHsJhyBinAX0kGvrZHFnecOmCTwKrXsSSLuCriswnBZL +# Vb5xHiD5FYvelOVrvlU4vlkAnZ1/BAsuNbIcrR0fMz0Ozbv3e5CNo178oEwd8uKD +# q8+nFctDUboiYHtMy1yNW0j/zpEjTxnZ+RUfwY3PYzpcrmFtH1b+K3lvFIl3RxjS +# rmlWUf+iQt2htLGCEdLvYVDWFxgduM4yVOZxVHyqeqy3/6+0KEJoW9zKBHeFPVYO +# ZuE05xacVjYTWJlhg0JgocqSsp9Y0wMyBm4hg6/I1a6ZoNdv9HIjnCHv8mJ3ursf +# vBWqB/Sc8GIlPdV4f4fMHP5lLF/SfYN42sFbN1z54gDUJWGNA87RFXtSF7dxrYr/ +# 964uBQ2IBoAnFVBrYrEjqXcUhTfctzwMw7zsmbM00FTleEQ9SZJo5qNDMao4KCef +# hmSCazJWuZPbi5aHsquQLjECcEEtBiuloxWU09k9B1StxcnMcCNzZF4QnKCqvvln +# lZID1uc7lpyjyxjVV9FjBQuDriRwI8+8EiU9PIat+hu/bjXqGis= # SIG # End signature block From 888badc3616c9778a6cfe716af52a15a970651cb Mon Sep 17 00:00:00 2001 
From: Violet Date: Tue, 23 Jan 2024 00:35:06 +0200 Subject: [PATCH 18/19] Updated New-KernelModeWDACConfig document The update contains updated info and clearer instructions --- .../New-KernelModeWDACConfig.md | 53 +++++++++---------- 1 file changed, 24 insertions(+), 29 deletions(-) diff --git a/Wiki posts/WDACConfig Module Main/New-KernelModeWDACConfig.md b/Wiki posts/WDACConfig Module Main/New-KernelModeWDACConfig.md index ec07bc671..270643a60 100644 --- a/Wiki posts/WDACConfig Module Main/New-KernelModeWDACConfig.md +++ b/Wiki posts/WDACConfig Module Main/New-KernelModeWDACConfig.md 
@@ -13,19 +13,22 @@ New-KernelModeWDACConfig [-Default] [-PrepMode] [-AuditAndEnforce] [-Deploy] [-E ### How to use -This cmdlet creates a Kernel-mode WDAC policy based on the Default Windows example policy. [You can read more about that process in here.](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-policy-for-BYOVD-Kernel-mode-only-protection) +This cmdlet generates a Kernel-mode WDAC policy derived from the Default Windows template policy. [You can learn more about that procedure in here.](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-policy-for-BYOVD-Kernel-mode-only-protection) -The default parameter indicates that the Strict Kernel-mode WDAC policy will be deployed with flight root certificates, allowing you to use insider builds of the OS. +The **-Default** parameter signifies that the Strict Kernel-mode WDAC policy will be deployed with flight root certificates, enabling you to utilize insider builds of the OS. -First you need to use the **PrepMode** parameter to deploy the base policy in Audit mode, then reboot your system, after reboot event logs are generated for Kernel-mode drivers that are running but would otherwise get blocked if the policy was not deployed in Audit mode. +Initially, you need to use the **-PrepMode** parameter to deploy the base policy in Audit mode, then restart your system. After restarting, event logs are produced for Kernel-mode drivers that are running but would otherwise be blocked if the policy was not deployed in Audit mode. -
+Subsequently, you need to use the **-AuditAndEnforce** parameter to generate the final base policy. This parameter will: -Now you need to use the **AuditAndEnforce** parameter to create the final base policy. This parameter will scan the event logs, create a supplemental policy for the drivers detected in event logs, merge the supplemental policy with the Strict Kernel-mode base policy and deploy it as a single base policy. **No reboot required after deploying the final enforced mode policy, reboot is only required 1 time, after deploying the Audit mode policy.** +1. Scan all of the event logs that were produced after deploying the audit mode policy on the system +2. Generate a supplemental policy for the drivers detected in event logs +3. Merge the supplemental policy with the Strict Kernel-mode base policy +4. Deploy it as a single base policy, rebootlessly. -Hardware drivers are scanned based on their certificates so they won't require a policy update when they are updated as long as they are still signed with the same certificate. +Hardware drivers are scanned based on their certificates so they will not necessitate a policy update when they are updated as long as they are still signed with the same certificate. -The deployed base policy can have supplemental policies too so if in the future you need to allow more Kernel-mode drivers to run on your system, you can use the following command to automatically create and deploy a Supplemental policy. +The deployed base policy can have supplemental policies too so if in the future you need to allow more Kernel-mode drivers to run on your system, you can use the following command to automatically generate and deploy a Supplemental policy. ```powershell Edit-WDACConfig -AllowNewAppsAuditEvents -SuppPolicyName "Kernel mode drivers for software X" -PolicyPath -Fallbacks None -NoUserPEs -NoScript 
@@ -39,7 +42,7 @@ Edit-WDACConfig -AllowNewAppsAuditEvents -SuppPolicyName "Kernel mode drivers fo * `-PrepMode`: Deploys the Strict Kernel-mode WDAC policy in Audit mode, preparing the system for an Audit. -* `-AuditAndEnforce`: Audits the system using event logs for any blocked drivers, generates and deploys the final Strict Kernel-mode WDAC policy on the system. +* `-AuditAndEnforce`: Audits the system using event logs for any blocked drivers, generates the final Strict Kernel-mode WDAC policy. * `-EVSigners`: Uses EVSigners policy rule option. If you want to use this parameter, make sure you use it for both PrepMode and AuditAndEnforce parameters. [Read more about EV Signers](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-Notes#policies-with-requiredev-signers-rule-option) 
@@ -64,17 +67,22 @@ New-KernelModeWDACConfig [-NoFlightRoots] [-PrepMode] [-AuditAndEnforce] [-Deplo ### How to use -This cmdlet creates a Kernel-mode WDAC policy based on the Default Windows example policy. [You can read more about that process in here.](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-policy-for-BYOVD-Kernel-mode-only-protection) +This cmdlet generates a Kernel-mode WDAC policy derived from the Default Windows template policy. [You can learn more about that procedure in here.](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-policy-for-BYOVD-Kernel-mode-only-protection) + +The **-NoFlightRoots** parameter signifies that the Strict Kernel-mode WDAC policy will not be deployed with flight root certificates, disallowing you to use insider builds of the OS. -The NoFlightRoots parameter indicates that the Strict Kernel-mode WDAC policy will not be deployed with flight root certificates, disallowing you to use insider builds of the OS. +Initially, you need to use the **-PrepMode** parameter to deploy the base policy in Audit mode, then restart your system. After restarting, event logs are produced for Kernel-mode drivers that are running but would otherwise be blocked if the policy was not deployed in Audit mode. -First you need to use the **PrepMode** parameter to deploy the base policy in Audit mode, then reboot your system, after reboot event logs are generated for Kernel-mode drivers that are running but would otherwise get blocked if the policy was not deployed in Audit mode. +Subsequently, you need to use the **-AuditAndEnforce** parameter to generate the final base policy. This parameter will: -Now you need to use the **AuditAndEnforce** parameter to create the final base policy. This parameter will scan the event logs, create a supplemental policy for the drivers detected in event logs, merge the supplemental policy with the Strict Kernel-mode base policy and deploy it as a single base policy. 
**No reboot required after deploying the final enforced mode policy, reboot is only required 1 time, after deploying the Audit mode policy.** +1. Scan all of the event logs that were produced after deploying the audit mode policy on the system +2. Generate a supplemental policy for the drivers detected in event logs +3. Merge the supplemental policy with the Strict Kernel-mode base policy +4. Deploy it as a single base policy, rebootlessly. -Hardware drivers are scanned based on their certificates so they won't require a policy update when they are updated as long as they are still signed with the same certificate. +Hardware drivers are scanned based on their certificates so they will not necessitate a policy update when they are updated as long as they are still signed with the same certificate. -The deployed base policy can have supplemental policies too so if in the future you need to allow more Kernel-mode drivers to run on your system, you can use the following command to automatically create and deploy a Supplemental policy. +The deployed base policy can have supplemental policies too so if in the future you need to allow more Kernel-mode drivers to run on your system, you can use the following command to automatically generate and deploy a Supplemental policy. ```powershell Edit-WDACConfig -AllowNewAppsAuditEvents -SuppPolicyName "Kernel mode drivers for software X" -PolicyPath -Fallbacks None -NoUserPEs -NoScript 
@@ -88,12 +96,11 @@ Edit-WDACConfig -AllowNewAppsAuditEvents -SuppPolicyName "Kernel mode drivers fo * `-PrepMode`: Deploys the Strict Kernel-mode WDAC policy in Audit mode, preparing the system for an Audit. -* `-AuditAndEnforce`: Audits the system using event logs for any blocked drivers, generates and deploys the final Strict Kernel-mode WDAC policy on the system. +* `-AuditAndEnforce`: Audits the system using event logs for any blocked drivers, generates the final Strict Kernel-mode WDAC policy. * `-EVSigners`: Uses EVSigners policy rule option. If you want to use this parameter, make sure you use it for both PrepMode and AuditAndEnforce parameters. [Read more about EV Signers](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-Notes#policies-with-requiredev-signers-rule-option) -* `-Deploy`: Indicates that the policy will be deployed. If you want to deploy the final strict kernel-mode no flight roots base policy Signed, do not use this parameter with `-AuditAndEnforce`. Instead just create the policy and then use [Deploy-SignedWDACConfig](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Deploy-SignedWDACConfig) cmdlet to deploy it. - +* `-Deploy`: Indicates that the policy will be deployed. If you want to deploy the final strict kernel-mode base policy Signed, do not use this parameter with `-AuditAndEnforce`. Instead just create the policy and then use [Deploy-SignedWDACConfig](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Deploy-SignedWDACConfig) cmdlet to deploy it.
horizontal super thin rainbow RGB line @@ -109,15 +116,3 @@ Edit-WDACConfig -AllowNewAppsAuditEvents -SuppPolicyName "Kernel mode drivers fo * **Optional** parameters indicate that they are not required and without using them the module will automatically run with the optimal settings.
- -### During the PrepModes, [the following event log categories](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations) are cleared - -* Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational includes events about Application Control policy activation and the control of executables, dlls, and drivers. - -* Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script includes events about the control of MSI installers, scripts, and COM objects. - -This behavior is required so that the audit phase will have the correct logs to scan and add to the base policy for allow listing. This behavior can be changed/improved in a future module update. - -Before the audit mode phase, make sure you trust all the files and programs installed on your system, otherwise you risk allow listing vulnerable or malicious drivers in your policy. - -
From d46d0142176aaeade4e24a7994e9c52652b0c21c Mon Sep 17 00:00:00 2001 From: Violet Date: Tue, 23 Jan 2024 01:05:19 +0200 Subject: [PATCH 19/19] Minor improvements to the module Added new word to the dictionary Removed an unnecessary debug default parameter Removed an unnecessary -recurse parameter Improved some comments Generated new hashes for the files Signed the files --- WDACConfig/Utilities/Hashes.csv | 6 ++-- .../Core/Get-CommonWDACConfig.psm1 | 34 +++++++++++-------- .../Core/Remove-CommonWDACConfig.psm1 | 30 ++++++++-------- .../CoreExt/PSDefaultParameterValues.ps1 | 29 ++++++++-------- WDACConfig/WDACConfig.code-workspace | 1 + 5 files changed, 52 insertions(+), 48 deletions(-) diff --git a/WDACConfig/Utilities/Hashes.csv b/WDACConfig/Utilities/Hashes.csv index 07a992c80..6cafbf0e0 100644 --- a/WDACConfig/Utilities/Hashes.csv +++ b/WDACConfig/Utilities/Hashes.csv 
@@ -8,16 +8,16 @@ "Core\Deploy-SignedWDACConfig.psm1","Deploy-SignedWDACConfig.psm1","6E300258BAEDA5787441A11AF492C4D814611789974B1D59BC0C4BCC98724DCE66C6334ED541AD5DE52C497A9BC586C66F02CC87231B8D5F14603F8632711C94" "Core\Edit-SignedWDACConfig.psm1","Edit-SignedWDACConfig.psm1","D9B79D3D4D7F9B5D5C0608F95FA74827BC1F8CF30F78FA5A4054B4B17FCC83F6EAA87C391857419DFC8D8A26650113D4560FE0C51E5BAB0561744AEB926E191D" "Core\Edit-WDACConfig.psm1","Edit-WDACConfig.psm1","486F2426F5CD714B0717B256B335A5D98D414761846A08A54CD509406E0B291EB55BF7EE7704A5797C3E90DBCAFD804ED52D89EFF6CED9A175717BDC7A3B384A" -"Core\Get-CommonWDACConfig.psm1","Get-CommonWDACConfig.psm1","B79D46BDD63E54902F3CDD14F108F0CB01E213F9C78CEE6A9578F04502F2224E2640D8857BCB47EE6B1FFF7357C62AE2A68BE1F4FA1CA232AFC4442092F87A4E" +"Core\Get-CommonWDACConfig.psm1","Get-CommonWDACConfig.psm1","136D9707E4EDE54C26A3C15A378B4A6F38B12F466D934B6A48AB876CC9EF9A2DE9728ADC16B64103D5DBAD0D421E5B59F036D74953B7A5C5693B20DC043F8F15" "Core\Invoke-WDACSimulation.psm1","Invoke-WDACSimulation.psm1","694D9BD5B7288F9A36287EAD454A7B28698CCD92BF83C36DE08FED77EA0AF49E47189A182C83E83A8519BA893BF65B2673CD24D066C9DD6AEDF68084023346BE" "Core\New-DenyWDACConfig.psm1","New-DenyWDACConfig.psm1","B1954DD6D0C20C73624C4040C222A6EBA03B141D80391788A39E9995D8D3729BB0A76A4FE571AC8EEAFAFCBB679743C08B58947B13AB3E57B884861BDB9170A2" "Core\New-KernelModeWDACConfig.psm1","New-KernelModeWDACConfig.psm1","F5311B8EB87A02CD1BB33B497A7EF6A2A39EB2A0FB1DE5CD6D8B53B60E574D5895681D99004301B7C7B3EEF39D863BB1BA8B408E2890A1F18C3A760475EA92B3" "Core\New-SupplementalWDACConfig.psm1","New-SupplementalWDACConfig.psm1","E6F44921A45D36EA3D6238368E623505EDD97F8040AF4A654C3A0FDAD9D29A4839DF4340B3A33AE896305DD6FBD01D68FCB740356AA33917652A8AF742098E49" "Core\New-WDACConfig.psm1","New-WDACConfig.psm1","6ACC7BA93FD208862A99F2FF085528EAF45DF1F29DC6C5246F399857016B0D834D4D67F715DBBB47FED6F59DBC4D217161D0088099D9738670B8F539720B1A04" 
-"Core\Remove-CommonWDACConfig.psm1","Remove-CommonWDACConfig.psm1","7C6D6EC1BF203D40664783F4A60FDC937B08FEFB2383F7943846BEFD8251340C168C3BB0C16204C052755F027C9F2711DF66C42423C9284FFA4517978D6C59C8" +"Core\Remove-CommonWDACConfig.psm1","Remove-CommonWDACConfig.psm1","CB90185EF0E5AF054F7D00E80A331A641381896413FFD83F9CF9600CB3307A0D8F41705583149D5CA754DF1B35FE245C2B3C76826C50E903AC6BAAD98A7C9FB5" "Core\Remove-WDACConfig.psm1","Remove-WDACConfig.psm1","5661413F6C806BAE9DE8CE9950C0BAEA50D51414EEEBE80A6907F6D12F8CF31678D8F8CED51A87499BCC2F866DC2FFBE935A05837D6796420A4BDA0050DEFBCA" "Core\Set-CommonWDACConfig.psm1","Set-CommonWDACConfig.psm1","62B5E45C58685785EF11F1B281199039FCC32FD3DAC83F20956E8F75499BA5CE92B5DB8731F2DE9CFAF767851C68DDB86ECA6F64F9D6D21CC4B05818EFD2ACE5" -"CoreExt\PSDefaultParameterValues.ps1","PSDefaultParameterValues.ps1","E038AD0408E6DC83257F774ACC1DAC8E92D9E1656F7925419DD5AAC11AE4F5F90308BBFFA57BCB7E44616EF0D6D0753EBC7122EE8A6F6B83CA6766194454277C" +"CoreExt\PSDefaultParameterValues.ps1","PSDefaultParameterValues.ps1","6E763217D62F8A02F0B012CEB5BCF71D721573DDA5850F2FC4FFC00D85A0E3A268EFB563EAB4166D2E5B7A5A359D141F2AF5FF7BAA9695AAC13BCF6E5E0A16A3" "Resources\ArgumentCompleters.ps1","ArgumentCompleters.ps1","0471552A03BCF16D55C754C8B2C54B5809A211CFB33E00A53B0C3722F65C6E30BA49C371813343839A7AB86B4D2AEE4136521FE31FA5303548132878FC4A1173" "Resources\Resources2.ps1","Resources2.ps1","404722F31CE73E6C89C623917B8A05AE806E34016EDC2105BD0D2659A8273CE9620282A1C38F0808F2CEC1BA71620F9609DD20F1A91A00217344A6EA687EB35E" "Resources\User Configurations\Schema.json","Schema.json","9A20EF0148D298178B35C1AAB961C46AF62BBCC0BB0DCCBE63F2FE08E0A764406267449CDD686A01F85650622DA6E690D12FBB88BB3A7E070BA58C1AF8FBC813" diff --git a/WDACConfig/WDACConfig Module Files/Core/Get-CommonWDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/Get-CommonWDACConfig.psm1 index 074971890..2982e4018 100644 --- a/WDACConfig/WDACConfig Module Files/Core/Get-CommonWDACConfig.psm1 
+++ b/WDACConfig/WDACConfig Module Files/Core/Get-CommonWDACConfig.psm1 @@ -33,14 +33,17 @@ Function Get-CommonWDACConfig { if ($Open) { . $Path + + # set a boolean value that returns from the Process and End blocks as well [System.Boolean]$ReturnAndDone = $true + # return/exit from the begin block Return } # Display this message if User Configuration file is empty or only has spaces/new lines if ([System.String]::IsNullOrWhiteSpace((Get-Content -Path $Path))) { Write-Verbose -Message 'Your current WDAC User Configurations is empty.' - # set a boolean value that returns from the Process and End blocks as well + [System.Boolean]$ReturnAndDone = $true # return/exit from the begin block Return @@ -56,6 +59,7 @@ Function Get-CommonWDACConfig { catch { Write-Warning -Message 'The UserConfigurations.json was corrupted, clearing it.' Set-Content -Path $Path -Value '' + [System.Boolean]$ReturnAndDone = $true # return/exit from the begin block Return @@ -139,8 +143,8 @@ Function Get-CommonWDACConfig { # SIG # Begin signature block # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCC8P0XmKyElTfS/ -# K9nWI1KbxOzFTMCLdLhBmXgi1FoGYaCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCBoVCz7I2ruYbwu +# q8diFmkQbaGDKCkez2teF5aEak0b1aCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5 
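Review bot: The new `[System.Boolean]$ReturnAndDone = $true` now directly follows `. $Path` in the `-Open` branch, and that line dot-sources the user configuration file rather than opening it; if `$Path` ever resolved to a script file, dot-sourcing would execute it in the caller's scope. If the intent is to open the file in its default handler, `Invoke-Item -Path $Path` states that directly and has no execution semantics. The `$ReturnAndDone = $true` followed by `Return` pair now appears three times across the hunks in this file; collapsing it into one early-exit helper is a style point only. Get-CommonWDACConfig's `Begin` block and the `Process`/`End` blocks that read `$ReturnAndDone` lie outside the hunk.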
@@ -187,16 +191,16 @@ Function Get-CommonWDACConfig { # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQgLSHCTTvyins1zX+bfmyntMUfG2IvRLoBpgYiQvVrSMIwDQYJKoZIhvcNAQEB -# BQAEggIAmQyNu1SIApHAzFADfwWf0H+mRzn1aVwLHOENIErTigU6NbhF+yIrb5BI -# 0Q6XOzgrwz5c/0QUbrdZR4/H/empNzziS8dCpbXnRNBfvfDeoil2t7ic/+O00eQY -# cl3vEVf5+UQcchQUBz5XaSA5FhLrT0SRmbh4huNQisbc55vZAu0hB8+7cAU26+nZ -# KlTsIlGV+EXTWQtQ3/RbXnoGTRUyPBygdolIVv2HZS35RbAqgyIy43Zhltmn2gAl -# zBuaNF86jMnBGAKFXkugHa2UtgVjcnuWjZinhvShzE8tfcjVK8+ODxkUgPzDVhdy -# v/AOZKHe6Mf26wxpKPgbxgz4UjYZpLf65mx2bUIm+wFUwHvtjALJsGndlgO2ar8O -# +RtsSBUxmnsdsvHeVClQ5+TD5IDiUgl3n4Y+Aq4VY2ooXAZV1jEtZlaYKlAJ3X7H -# YTqxX/apowB0Blfi5wcGZui16lCUQXFE67+YZYXy2IVHAIgAYzNXCq+VlVoVJ0TE -# KcRpTmnqTX7g0M0Y92kvq/rD3l3Rk12psemASF+5pfvlwgIfvG1aLvP01/IUVCsR -# tPkU8L181K6/ZCGJHGhn2+BRR8aXmg1GgtJKlyNLkjJMdKnAw+HihIpG37dYq0eT -# m+GyVura7bXCVwAF0aEAGkkBfiu14Oc4Tez0IdkqQTOgkOo8la8= +# IgQgK2B2kN3kvH9A3GrhFEBbkVX1Ee0InPzwka3+h2VPB0owDQYJKoZIhvcNAQEB +# BQAEggIAlNlbhlh4szyr8FeHXlyNaV+Y8d9xtNmxKZUpg1lDemcJDrQUEM4bDPYo +# tvanj8YO6NXazSGnSqdVWUF0T3Fd+Sr/SCcDXuyy5P3J4qaYg2A7qLdXzjUW7KWY +# cevrCpbqScFMi1uBZDwv9DbkH+lk9hiYJcGBDqw4HZXAGvGT4Hgz1jWyONPFJ0Y/ +# UYIGw9m4RH19cnCL8wMu32+K4r89EIlGeZ3m73WEw3JRpis+SQIcvivAepNFYvgi +# box/v2N4GvDcs/8FdFDdoxYQxnlzp6Xu/0oGgTwokxmPonAYE5DzEBy1U8ozeix4 +# LUy8fKWUqjZGDdr+BkFLymRLk+WDFwQ4aqvb8aHOC8n6PZW+jO1jz8jwxCJ190RQ +# fr0DsFlhU4mkzITaxld51yKxdTMYDl7p0ISeWF448yY3FqLlU3ndS9ExbpryOnwB +# r6QiaPO94Ch5idJSugnxJgzO+JXDCEuwY1i+8Bm3h5S9md0H0NZ30mId0SD/SPK3 +# tCIbFSCvqiRugW2pFpzs/HAYSWwlDVKFzXF6fZhgufPUWZ157xTgxUWqHIeYYRtv +# mGtFVis3jnCQHvlgxYr5DuSb82774zBaSIaKXWpoVFF5nRgafiEzFcgCVw2DJhFP +# WzDrsKY4qVdRNuR26BUGKAqW+mt4cRsBTwk0mYkCJ198mR6kzSE= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/Core/Remove-CommonWDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/Remove-CommonWDACConfig.psm1 index 05db02502..1d483a343 100644 --- a/WDACConfig/WDACConfig Module Files/Core/Remove-CommonWDACConfig.psm1 +++ b/WDACConfig/WDACConfig Module Files/Core/Remove-CommonWDACConfig.psm1 @@ -33,7 +33,7 @@ Function Remove-CommonWDACConfig { # Delete the entire User Configs if a more specific parameter wasn't used # This method is better than $PSBoundParameters since it also contains common parameters if (!$CertCN -And !$CertPath -And !$SignToolPath -And !$UnsignedPolicyPath -And !$SignedPolicyPath -And !$StrictKernelPolicyGUID -And !$StrictKernelNoFlightRootsPolicyGUID -And !$LastUpdateCheck -And !$StrictKernelModePolicyTimeOfDeployment) { - Remove-Item -Path $Path -Recurse -Force + Remove-Item -Path $Path -Force Write-Verbose -Message 'User Configurations for WDACConfig module have been deleted.' # set a boolean value that returns from the Process and End blocks as well @@ -211,8 +211,8 @@ Function Remove-CommonWDACConfig { # SIG # Begin signature block # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDszwPQD8yun8YB -# 8FSMSUrI/sSFwaoxSEk8T5BkHxJBY6CCB9AwggfMMIIFtKADAgECAhMeAAAABI80 +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCOwTJyE1lilpc0 +# hd37deRoczCk1PsMUkWSPAn1RHdmpaCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5 
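Review bot: `Remove-Item -Path $Path -Force` passes the configuration path through `-Path`, which treats `[`, `]`, `*` and `?` as wildcards, so a profile path containing brackets would silently match nothing or a different item. `Remove-Item -LiteralPath $Path -Force` removes that ambiguity. Dropping `-Recurse` is correct if `$Path` names a file, which the hunk cannot confirm because `$Path` is assigned outside it. Remove-CommonWDACConfig's body starts and ends outside the hunk.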
@@ -259,16 +259,16 @@ Function Remove-CommonWDACConfig { # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQgTFEb5wHC6j5h0sY9HEZ2+PtB9b5b2cGJdmvIAY21JWwwDQYJKoZIhvcNAQEB -# BQAEggIAL4FQQTPx4KtfWQddJCtBfpottBnx0Hk3dFhhQzoREAXbgTFpyJPhpUO2 -# V+1Tr3Dw/2vEMi5rX4GgJ2WLOw9wz/TxiAyFo7GY/xYvuDVJyqMeyYBo4sYM5k7X -# rJ/Wn4uLHo182XXoFSX55dxgdbqTAC1z0IgJkFmNlWH/HS7sCU1e0afXv4b4X15p -# s2aw3Y5F7JEFOd/Y1Ri/nOPzDJt8V2Niluo7igu1P/rdtmPDDa21WfkLb1IL1bTA -# JmXwq8Wzm/rUWS4n4ETuckXFFHOO//ma5smCdR6BFYJZMkNL/1t2aoysxOjDESzm -# fcG+toQUer6zZu00g2fk78Xsdtouybv6L2k+62YO80FzmH16M9xeXmPeMtptHotM -# hBshIt9EBvSiHQtmQQCdBPNEGwwAxXG9U5OsP7pnh/UML7nPYey8nLYxg8CZVBxs -# qzSrXGpfzg2PBCDKDJmw4nw6xGc1efpyEuH7a4Vo8tjL3SNKinyP1cB8D3djWMrZ -# 5BAg+AdiGIofffgc7cNswdOK1kHxE5a7tWrCRjLtSqS2gp7nokdkl5HpwcLJbqlr -# F0Rnm8tqqk0JFAkW1MYmRMY9JGXQCC9Qdr+wxsqlLbnc/aBym72E2oDXpXw3HBau -# KZ+Yq9jl9Q069WfrFQf0ncgQZbL9dZjbi8zysTxIiK3I57HOxcA= +# IgQgosRTn6/vjqEgVpjkQZamW7pk4mbU0ANBQHok/geB+CAwDQYJKoZIhvcNAQEB +# BQAEggIAm5Nd50jwDmPcaRiZFlEX46z2HQqTF2VsNliZC9JDi3afpRNKG+77+Wpg +# hcX1yMJBfelbz1P3zCSzV4HtuF/mlnWWTaUT+ggClCkO5PQQP10D7UMU/PmyNcPu +# sywp4urfxgq/p9H1Vptyv1ERUpamDXcRRzBXln6NkImxd24JeYZlTTUJIQcJ4VzX +# sCrJMtgdetbRV0ISJzwHm36k5LAV+rXKo8HLtlj+Ivmq6ufOoKVOlGf4sthBHnmc +# gNtyfdq7OZQrGvpGHLh2PB11V9FC2Rz/y7ngGqgYvjToClfG4fBU/wEkSs/uNYxp +# osYhk0yNDKDh18NvQ5B01sDFPQnLKBYzi1m2HmzUpt1CmgPUwQPWs+PB1G2ihUKX +# ixFLl2I1Cdbqdhf1hO3UZV9d9eAtX3Wu9twlHfytT8bA+Wr6/Ugy7AUmFLE3sp4y +# wIzAmRe3GZNI3do8uXB0rJG4hQAskfBT/P4oSFNsKDtqiCpvnaG2lWcbT3JEVXBG +# aI3hh5WUQqEVFP8EY6w1Jtwp1PKN9RunWGHkMEBuh2Ogjj5m29tappyVWXb7lwKt +# ED6l+79I0XcywzVtSOTCbvfBjWUshSkRF+TjeREc2HdHksS09fftmVGGNRZXoTbw +# Rce5Wd/minc9Ss4rXd+30WjcN/KQRP7U3BxgU/JHG/ndY4aslwo= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig Module Files/CoreExt/PSDefaultParameterValues.ps1 b/WDACConfig/WDACConfig Module Files/CoreExt/PSDefaultParameterValues.ps1 index 7c52bfa9a..25b3dc198 100644 --- a/WDACConfig/WDACConfig Module Files/CoreExt/PSDefaultParameterValues.ps1 +++ b/WDACConfig/WDACConfig Module Files/CoreExt/PSDefaultParameterValues.ps1 @@ -26,15 +26,14 @@ $PSDefaultParameterValues = @{ 'New-SnapBackGuarantee:Verbose' = $Verbose 'Compare-SecureStrings:Verbose' = $Verbose 'Get-KernelModeDriversAudit:Verbose' = $Verbose - 'Get-KernelModeDriversAudit:Debug' = $Debug 'Test-Path:ErrorAction' = 'SilentlyContinue' } # SIG # Begin signature block # MIILkgYJKoZIhvcNAQcCoIILgzCCC38CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAgRto3IMlcl5ve -# qW85te069cqs4CN8iQ0QfcB/i0RpQ6CCB9AwggfMMIIFtKADAgECAhMeAAAABI80 +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAavzUGHdyJ3I+w +# OIj3l5bxX1qsMhDsElMnxwsFZooSLaCCB9AwggfMMIIFtKADAgECAhMeAAAABI80 # LDQz/68TAAAAAAAEMA0GCSqGSIb3DQEBDQUAME8xEzARBgoJkiaJk/IsZAEZFgNj # b20xIjAgBgoJkiaJk/IsZAEZFhJIT1RDQUtFWC1DQS1Eb21haW4xFDASBgNVBAMT # C0hPVENBS0VYLUNBMCAXDTIzMTIyNzExMjkyOVoYDzIyMDgxMTEyMTEyOTI5WjB5 
@@ -81,16 +80,16 @@ $PSDefaultParameterValues = @{ # Q0FLRVgtQ0ECEx4AAAAEjzQsNDP/rxMAAAAAAAQwDQYJYIZIAWUDBAIBBQCggYQw # GAYKKwYBBAGCNwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx -# IgQgfJK0KjlDMNjLakahzmjmu+gkWHQ48qbGargB0ywzT9owDQYJKoZIhvcNAQEB -# BQAEggIAgQWZjDhFqxUg2FyRkLQh46ceo1nweveI5uOT13fB2ZDjX/FHFB03Yir3 -# bT6as/SpRQBpz4JxwIY+XmoWS/iLCjXMQjXNGQ2dKlgeWiFj6jXpmR/09jDNgLZS -# 1C71gs4lHUCzjGazmCJMpNTgaxxqwuuJ3tXOaydKvLMtZydzvuz2sl211jD8Upkr -# GgtRoL8azfZbWss7GD/6d3Vwy7xSFCJQWvhyPH3eCYSPuU5vpSaD6/kGtz3KyCai -# ItECVRdqvqVTmjCFGGVFBy46UXYh00WKkumXQ8HHcrW9EBlVvtrQHr4yjsU+ZDwO -# JatLM+RPgqnwjmuxAcD+WboM4w7C+8vHs+q9yXOn/6IlNFdUpXOoOZJhh8xQrNlj -# pJo199p9knIJllyRVPXu5NFQz9w6yAMgUu4ew5x664zedowGzcwjIBrdSkJG/k4g -# KxszwN5AQ3FXpmdAsD34WRx/6xC6hedLJyLxTYPbty0p69b0i5WAUwgh5Y9RvIdt -# UYaeQg/L8XRKgIFHQYw9eW5VHQZT/fXaCPfnx3IRbytcatmac/Ye670CrBy1ACTV -# REifNsKcriJlkRsFA6HHNWRVsrjTWYO0n1U2Tvmyq+UexviBie4V4Jhu8LkNF8+O -# HloYhwHfvO4FKVQGe+YUqRstGwJRPD1EEjfnTecEild5/teLJBA= +# IgQgu8iEkljlv5xO0xI4cExICeQZT/joQoFv2ddHPFszyigwDQYJKoZIhvcNAQEB +# BQAEggIAlQUdwg8+wtYdrpbyscx+grjjQLH7KVm9872qnH7eLnWgDTd+xFnsy6EM +# Zk7pGSyYt+Dx6/oWE9SU2+dCjCOq0/eFyTlhC+Jy4Mt7ZsneBaLWHBzNeI+DT4bM +# qylINYjgHqbMQtgL1rcwH6gZh12UBcVHuNuwyguFSm0SbCZKWEId/Q2A8EAlaf0A +# 2/HUZEs278x5MZ5MBIYP4RKHFLTvxUl3XG+7+OZGBVw7VevCcBXQtjMgKoYxjtt9 +# fHt1unFBeGCzVjEE5i/QEnYucX/uzTIdlk9Aq6nScNXwltdWFQdrZNPkSXtyU5do +# CZH+wbEF9V3IN9ycjtqvNgb3LLhCzGaq4rdXtRZO1Tu5RP70FjILHlftXjYU/45Q +# Jo7hJph1KLZmrCIbrgFRe9F+GBN3uiU6stbiTnDW0oQibXRb+fWrOdB8F1EnxUaG +# g/fbbeoSYOZ0WMhI0exosr8yWJIUAKxKkmIttPvb84B10qTk0uZ4sWtaT68wbj3t +# F3y9t21bXWmZ9vKl/8WgNV0yZwUMyFPpRD4z00v+eHoSfAwGqdqLgyOXgGIYPvv2 +# I55El6cZc2bfdjHi2XFle8ufqNIbUVYDwlq7+GknPMGIqZwH46BMNZj0q+ZBOPeE +# fro+r3uD/Kelphb3TG+djHoBBGwDtUp0zlSZ6dlapMFNJ/IIWVA= # SIG # End signature block 
diff --git a/WDACConfig/WDACConfig.code-workspace b/WDACConfig/WDACConfig.code-workspace
index f731aca63..b2ace5967 100644
--- a/WDACConfig/WDACConfig.code-workspace
+++ b/WDACConfig/WDACConfig.code-workspace
@@ -131,6 +131,7 @@
 "multiplatform",
 "Namez",
 "Namezx",
+ "nclearing",
 "Netbios",
 "nobanner",
 "notcontains",
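Review bot: `"nclearing"` is not a word and reads like a fragment of a longer token, so adding it to the workspace dictionary silences the spell checker instead of fixing whatever it was flagged in. If it comes from a real identifier or a hyphenated/line-wrapped word in a comment, listing that identifier or repairing the comment is the smaller change; the commit message only says a new word was added, so the origin cannot be confirmed here.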