Gist bohops/bd763d87187b79c0c749da6be7be8a42, created March 22, 2024 01:38
Restrictive WDAC Policy for research purposes
```powershell
Write-Host "
==============================================================================================================================
*Quickly Deploy an Enforced Windows Defender Application Control (WDAC)/Device Guard Policy with Code Integrity (UMCI)
*Focus: Permit Windows signed applications (e.g. what comes with the OS).
*For Testing on Windows 10/11 Business/Enterprise - Downloads and merges the WDAC Bypass Rules with the Default Enforced Rules
*System reboots when PowerShell script finishes
*Run as a privileged user in high integrity
*To remove enforcement, comment out enforce line
==============================================================================================================================
[*] Press any key to continue
"
[Console]::ReadKey() | Out-Null

# Download Block Rules Page (pinned to a specific commit of the Microsoft docs repo):
$blockPage = Invoke-WebRequest -Uri https://raw.githubusercontent.com/MicrosoftDocs/windows-itpro-docs/0008c5fb3b4fa93b22adc5393d77e463c46a8265/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac.md

# Get Block Rules Policy: the policy XML sits inside the page's ```xml fenced block
$blockRules = $blockPage.RawContent -split '```xml'
$blockRules = $blockRules[1] -split '```'
$blockRules = $blockRules[0]

# Remove Universal Allow Statements. -replace is a regex operator, so the "*" in
# FileName="*" would be read as a quantifier and never match the literal text;
# the patterns are escaped so they are matched literally.
$universalAllow = @(
    '<Allow ID="ID_ALLOW_A_1" FriendlyName="Allow Kernel Drivers" FileName="*" />',
    '<Allow ID="ID_ALLOW_A_2" FriendlyName="Allow User mode components" FileName="*" />',
    '<FileRuleRef RuleID="ID_ALLOW_A_1" />',
    '<FileRuleRef RuleID="ID_ALLOW_A_2" />'
)
foreach ($pattern in $universalAllow) {
    $blockRules = $blockRules -replace [regex]::Escape($pattern), ''
}
$blockRules = $blockRules.Trim("`r", "`n")

# Save Block Rules:
Set-Content -Path C:\Windows\System32\CodeIntegrity\BlockRules.xml -Value $blockRules

# Merge Block Rules Policy with the Default Enforced Policy:
Merge-CIPolicy -PolicyPaths C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml,C:\Windows\System32\CodeIntegrity\BlockRules.xml -OutputFilePath C:\Windows\System32\CodeIntegrity\Merged.xml

# Set the Merged Policy to Enforce Rules (delete option 3, "Enabled:Audit Mode"):
Set-RuleOption -FilePath C:\Windows\System32\CodeIntegrity\Merged.xml -Option 3 -Delete

# Convert Policy to Binary Format (single-policy format location):
ConvertFrom-CIPolicy -XmlFilePath C:\Windows\System32\CodeIntegrity\Merged.xml -BinaryFilePath C:\Windows\System32\CodeIntegrity\SIPolicy.p7b

# Reboot the Machine
Write-Host "[*] Press any key to reboot the machine"
[Console]::ReadKey() | Out-Null
Restart-Computer
```
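A pre-deployment check for the merged policy, added here as an example and not part of the gist: before `ConvertFrom-CIPolicy` turns `Merged.xml` into a binary, it is worth confirming that the universal-allow rules really were stripped and that audit mode really was deleted, since a policy that still carries `FileName="*"` allows everything regardless of how many deny rules were merged in. The function name `Test-WdacMergedPolicy`, its parameter, and the constructed sample policy (including the `ID_DENY_EXAMPLE` rule) are assumptions; the element and attribute names follow the standard SiPolicy schema that `Merge-CIPolicy` emits.

```powershell
# Added example (not from the gist): validate a merged WDAC policy XML before
# converting it to binary. Function and parameter names are assumptions.
function Test-WdacMergedPolicy {
    param([Parameter(Mandatory)] [xml] $Policy)

    $findings  = [System.Collections.Generic.List[string]]::new()
    $fileRules = $Policy.SiPolicy.FileRules

    # 1. A wildcard Allow (FileName="*") permits every binary; none may survive the merge.
    $allows = @($fileRules.Allow | Where-Object { $null -ne $_ })
    foreach ($a in ($allows | Where-Object { $_.FileName -eq '*' })) {
        $findings.Add("wildcard Allow still present: $($a.ID) ($($a.FriendlyName))")
    }

    # 2. Signing scenarios must not reference the universal-allow rule IDs either.
    $refs = @($Policy.SiPolicy.SigningScenarios.SigningScenario |
        ForEach-Object { $_.ProductSigners.FileRulesRef.FileRuleRef } |
        Where-Object { $null -ne $_ -and $_.RuleID -like 'ID_ALLOW_A_*' })
    foreach ($r in $refs) {
        $findings.Add("FileRuleRef to universal allow: $($r.RuleID)")
    }

    # 3. Audit mode (rule option 3) must have been deleted for enforcement.
    $options = @($Policy.SiPolicy.Rules.Rule | ForEach-Object { $_.Option })
    if ($options -contains 'Enabled:Audit Mode') {
        $findings.Add('policy still carries Enabled:Audit Mode')
    }

    [pscustomobject]@{
        AllowRules = $allows.Count
        DenyRules  = @($fileRules.Deny | Where-Object { $null -ne $_ }).Count
        Findings   = $findings.ToArray()
        Enforced   = ($findings.Count -eq 0)
    }
}

# Constructed sample (not a real policy): what Merged.xml would look like if the
# universal-allow removal silently failed and audit mode was never deleted.
[xml]$sample = @'
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <Rules>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
  </Rules>
  <FileRules>
    <Allow ID="ID_ALLOW_A_1" FriendlyName="Allow Kernel Drivers" FileName="*" />
    <Deny ID="ID_DENY_EXAMPLE" FriendlyName="Constructed deny rule" FileName="example.exe" MinimumFileVersion="65535.65535.65535.65535" />
  </FileRules>
  <SigningScenarios>
    <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Drivers">
      <ProductSigners>
        <FileRulesRef>
          <FileRuleRef RuleID="ID_ALLOW_A_1" />
          <FileRuleRef RuleID="ID_DENY_EXAMPLE" />
        </FileRulesRef>
      </ProductSigners>
    </SigningScenario>
  </SigningScenarios>
</SiPolicy>
'@

$result = Test-WdacMergedPolicy -Policy $sample
$result.Findings | ForEach-Object { Write-Host "[!] $_" }
Write-Host "[*] Allow rules: $($result.AllowRules), Deny rules: $($result.DenyRules), Enforced: $($result.Enforced)"

# Against the gist's real output, run after Merge-CIPolicy and Set-RuleOption:
# Test-WdacMergedPolicy -Policy ([xml](Get-Content C:\Windows\System32\CodeIntegrity\Merged.xml -Raw))
```

On the constructed sample the function reports the wildcard `ID_ALLOW_A_1` Allow, the `FileRuleRef` that still points at it, and the surviving audit-mode option, and returns `Enforced = False`; on a correctly merged `Merged.xml` the `Findings` array is empty. Gating `ConvertFrom-CIPolicy` on `Enforced` being true is a cheap way to avoid rebooting into a policy that is either wide open or still only auditing.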