Merge pull request #186 from HotCakeX/Document-updates
Updated documentations
HotCakeX authored Jan 19, 2024
2 parents d8326e8 + 02ddde5 commit fc3b2ed
Showing 5 changed files with 71 additions and 5 deletions.
Expand Up @@ -124,7 +124,7 @@ Protect-WindowsSecurity [-Categories <String[]>] [-Log] [-Offline] [<CommonParam
### 8 Optional Parameters

* `-Categories`: Specify the hardening categories that you want to apply. This will tell the module to operate in non-interactive or headless/silent mode which won't ask for confirmation before running each selected categories. You can specify multiple categories by separating them with a comma. If you don't specify any category, the cmdlet will run in interactive mode. **Use this parameter for deployments at a large scale.** If a selected category requires Administrator privileges and the module is running with Standard privileges, that category is skipped.
* This parameter has automatic tab completion. You can press the `Tab` key to see the available categories.
* This parameter has automatic tab completion. You can press the `Tab` key to see the available categories.

* `-Verbose`: Shows verbose messages on the console about what the cmdlet is doing.

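Review bot: the tab-completion bullet under `-Categories` appears twice in this hunk, once removed and once added, and after extraction the two copies are indistinguishable; if the change is indentation so it renders as a nested sub-bullet, make that explicit (indent it under the `-Categories` item) and, while here, fix "before running each selected categories" to "before running each selected category". Since the skip-on-insufficient-privilege behaviour matters most for the large-scale, non-interactive deployments this parameter is recommended for, the doc should also state whether a skipped category is reported (a warning or a `-Log` entry) so operators can detect hardening that silently did not apply.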
Expand Up @@ -44,6 +44,25 @@ I can guarantee breach into any operating system that has an unencrypted disk, a

BitLocker is a transparent drive encryption technology operating below the file system level and BitLocker encrypted disks always remain encrypted even after Windows Hello authentication and unlocking the OS.

<br>

## How Do The BitLocker Key Protectors Work?

BitLocker key protectors safeguard the encryption key, which encrypts and decrypts the data on the disk. BitLocker provides various key protectors and allows using multiple key protectors simultaneously. However, some key protectors must be combined with other key protectors to attain the required level of security.

Suppose you want your BitLocker encrypted drive to demand a PIN at Startup, need TPM for verification, and also necessitate a USB flash drive to be plugged in. In [this document](https://learn.microsoft.com/en-us/powershell/module/bitlocker/add-bitlockerkeyprotector), you can see there is a `-StartupKeyProtector` option for the USB flash drive, `-TPMProtector` option for TPM, and a `-Pin` option for the PIN.

Using those parameters individually will not mandate all 3 key protectors to be used concurrently. It will only oblige one of them to be used. So you will have to either enter the PIN, have the disk connected to the same computer (TPM) or have the USB flash drive plugged in, but all 3 of them are not enforced.

If you want to enforce a multifactor authentication, you need to use the following command

```powershell
Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinAndStartupKeyProtector
```

This time, all 3 key protectors are essential to unlock the drive. You will have to enter the PIN, have the disk connected to the same computer (TPM), and have the USB flash drive plugged in.


<br>

## Pluton, The Ultimate Security Chip
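Review bot: the command `Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinAndStartupKeyProtector` is incomplete as written: that parameter set also requires `-Pin` (a SecureString) and `-StartupKeyPath` (the drive or folder where the startup key file is written), so a reader copying it will be prompted or get a parameter-binding error; show the full form, e.g. `Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinAndStartupKeyProtector -Pin (Read-Host -AsSecureString) -StartupKeyPath E:\`. Two smaller points in the same paragraph: `-Pin` is listed as though it were a standalone protector switch, but the PIN combination is `-TpmAndPinProtector`, and the TPM switch is spelled `-TpmProtector` in the linked document. Also worth saying explicitly that adding this protector does not remove protectors already on the volume (a pre-existing TPM-only protector remains a valid unlock path), so readers should list them with `Get-BitLockerVolume` and remove weaker ones with `Remove-BitLockerKeyProtector` for the multifactor requirement to actually be enforced.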
Expand Up @@ -85,3 +85,9 @@ The only way to disable UEFI locked security measures is to have physical access
</ol>

<br>

## Additional Resources

* [Memory integrity and VBS enablement](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-hvci-enablement)

<br>
27 changes: 26 additions & 1 deletion Wiki posts/WDACConfig Module Main/Build-WDACCertificate.md
Expand Up @@ -14,7 +14,7 @@ This cmdlet constructs self-signed certificates that adhere to [Microsoft's spec
The generated certificates type is Code Signing, they employ `SHA2-512` hashing algorithm with `RSA 4096-bit` encryption (the maximum supported key size for WDAC signing.)

Upon constructing a certificate, the cmdlet stores it in the Current User's personal store, then it exports that certificate in 2 files. One of the files has a `.cer` extension and encompasses only the public key, the other file has a `.pfx` extension and encompasses both public and private keys. The PFX file is encrypted with `SHA-256` encryption and safeguarded with the password supplied by the user. After the 2 files are exported, the cmdlet eliminates the certificate from Current Users personal store and then re-imports it using the PFX file, but this time it will store the private key using [VSM](https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/tlfs/vsm) (Virtual Secure Mode). In this method, the private keys are stored in the TPM and are highly secured with [VBS](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs) (Virtualized-Based Security). The entire process happens in just few seconds.

https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-hvci-enablement
<br>

### 5 Optional Parameters
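Review bot: the bare URL `https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-hvci-enablement` sitting between the paragraph and `<br>` has no link text and reads as a leftover; if this is the line being removed (the same link is added as a titled bullet to the other file's Additional Resources in this commit) the hunk is fine, but if it is the line being kept it should become a titled markdown link. Separately, the paragraph above says the PFX file is "encrypted with `SHA-256` encryption": SHA-256 is a hash function, not a cipher. A PFX is protected by password-based encryption, so the sentence should name the actual protection (password-derived key encrypting the private key, with SHA-256 used for the integrity MAC) rather than presenting SHA-256 as the encryption.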
Expand All @@ -37,5 +37,30 @@ Upon constructing a certificate, the cmdlet stores it in the Current User's pers
* [Local Machine and Current User Certificate Stores](https://learn.microsoft.com/en-us/windows-hardware/drivers/install/local-machine-and-current-user-certificate-stores)
* [Trusted Root Certification Authorities Certificate Store](https://learn.microsoft.com/en-us/windows-hardware/drivers/install/trusted-root-certification-authorities-certificate-store)
* [X509BasicConstraintsExtension Class](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509basicconstraintsextension)
* [Internet X.509 Public Key Infrastructure Certificate and CRL Profile - RFC2459](https://www.rfc-editor.org/rfc/rfc2459)

<br>

## Additional Resources

To enhance the security and safeguarding of your certificate further, you can remove the certificate from the Personal store of the Current User certificates and then utilize the PFX file to import it anew in the same location, but this time you will mark additional boxes in the import wizard.

This video illustrates how to safeguard the Code Signing Certificate generated by the WDACConfig module, so that you will be compelled to either enter your security password or verify your identity every time the certificate is employed. By storing the certificate in this manner, only your user account will have access to it, and you will inherently possess administrator privileges to implement the signed WDAC policy on the system.

These options are only accessible in GUI and they are to deter automatic scripts from utilizing the certificates without authentication, this is why the `Build-WDACCertificate` cmdlet does not activate this security feature by default.

<br>

<div align="center">
<a href="https://www.youtube.com/watch?v=nrRiAJt-_6E">
<img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/How%20to%20safely%20store%20the%20WDAC%20Code%20Signing%20Certificate%20in%20Windows%20-%20WDACConfig%20module%20thumbnail.gif" alt="How to safely store the WDAC Code Signing Certificate in Windows WDACConfig module thumbnail" width="700">
</a>
</div>

<br>

## HSM (Hardware Security Module)

The most secure method of storing code signing certificates is to use a hardware security module (HSM) or a similar device. Furthermore, obtaining certificates from a regulated or publicly trusted certificate authority (CA) requires the use of an HSM. The HSMs must also comply with the Federal Information Processing Standards (FIPS).

<br>
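Review bot: the new reference links RFC 2459, which has been obsoleted twice (by RFC 3280 and then RFC 5280); link [RFC 5280](https://www.rfc-editor.org/rfc/rfc5280) so readers land on the current X.509 profile. In the Additional Resources section, "mark additional boxes in the import wizard" never names the option; say it is "Enable strong private key protection" in the Certificate Import Wizard so the prose matches what the video shows. In the HSM section, "must also comply with FIPS" can be made precise: the CA/Browser Forum code signing baseline requirements have, since June 2023, required subscriber private keys to be generated and stored in hardware certified to FIPS 140-2 Level 2 (or Common Criteria EAL 4+), which is the reason publicly trusted CAs insist on an HSM or hardware token.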
Expand Up @@ -4,8 +4,8 @@ This scenario involves removing the trust to any Kernel mode driver, whether the

Drivers can access the Kernel which is the core of the operating system. Microsoft requires all drivers to be digitally signed:

* Kernel mode Hardware drivers **need** to be signed with an **EV (Extended Validation)** certificate
* Kernel mode virtual drivers **can** be signed with a standard certificate as well
* Kernel mode Hardware drivers **need** to be signed with an EV (Extended Validation) certificate.
* Kernel mode Virtual drivers (such as virtual network adapters) **can** be signed with a non-EV certificate.

A BYOVD (Bring Your Own Vulnerable Driver) scenario involves exploiting one of the digitally signed drivers that harbors a security flaw to attain direct access to the core of the OS. **This attack vector applies to all OSes, not just Windows.**

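Review bot: the rewritten bullets still leave "digitally signed" ambiguous for the scenario this page hardens against: on Windows 10 version 1607 and later with Secure Boot enabled, a kernel-mode driver must also carry a Microsoft signature obtained through the Hardware Dev Center (WHQL or attestation signing), and the EV certificate is what the publisher needs to register for that program; the "non-EV certificate" option for virtual drivers refers to the publisher's own signature, not to loading without the Microsoft co-signature. Stating this here also sets up the BYOVD paragraph that follows, since the vulnerable drivers it describes are ones carrying exactly those valid signatures, which is why a signature check alone does not stop them and a deny policy is needed.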
Expand Down Expand Up @@ -56,7 +56,6 @@ EV certificates cost more than regular code signing certificates, they require t

Sometimes the issuing CA also needs you to send in your driver's license and a picture of you holding it, but things like extended background checks, criminal history check, nationality check, or [the proper checks explained in here](https://learn.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc-high-and-dod#background-screening) are not performed.


<br>

<img src="https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif" width= "300000" alt="horizontal super thin rainbow RGB line">
Expand Down Expand Up @@ -321,6 +320,10 @@ Now the Allow all rules that exist in the first policy are neutralized. [Only ap

<br>

<img src="https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif" width= "300000" alt="horizontal super thin rainbow RGB line">

<br>

## What About User-mode Binaries?

So far, we've only been doing Kernel-mode administration. We can use User-mode WDAC policies as well.
Expand All @@ -347,6 +350,19 @@ Each of the deployed policies (except for the automatically deployed block rules

<br>

## About ELAM (Early Launch Anti-Malware)

Anti-malware or antivirus vendors need to sign enforceable and binding legal agreements and develop an early launched anti-malware driver that Microsoft will sign. This driver includes a list of certificate hashes that enable that AV vendor to sign new versions without Microsoft’s involvement each time. When code integrity loads this ELAM driver, it permits any executables signed by the certificates in that list to run as anti-malware light.

* [Early Launch Anti-Malware Driver Sample](https://github.com/Microsoft/Windows-driver-samples/tree/main/security/elam)
* [ELAM Driver Requirements](https://learn.microsoft.com/en-us/windows-hardware/drivers/install/elam-driver-requirements)

<br>

<img src="https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif" width= "300000" alt="horizontal super thin rainbow RGB line">

<br>

## <img width="65" src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/arrow-pink.gif" alt="Gif indicating Continue reading about important WDAC notes"> [Continue reading about important WDAC notes](#-continue-reading-about-important-wdac-notes)

#### [Important Notes and Tips](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-Notes) about WDAC policies
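Review bot: "run as anti-malware light" should be spelled out for readers of a WDAC page: executables signed by the certificates in the ELAM driver's list are allowed to run as Protected Process Light (PPL) at the Antimalware signer level, which is what lets the vendor's user-mode service resist termination or injection by administrator-level code. It would also help to connect the section to the rest of the page: the ELAM driver is Microsoft-signed, so a kernel-mode policy that trusts Microsoft already allows it to load, and the certificate list inside it (not the WDAC policy) decides which of the vendor's user-mode binaries get PPL.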
