Gist mattifestation/0f7d54d0f72e6f85687f499d4370031a, created October 19, 2017 19:40
Device Guard/Windows Defender Application Control features additions based on schema diffs.
OptionType:
* Here are the new policy rule options:
  * Enabled:Intelligent Security Graph Authorization
    * Reputation-based whitelisting. More info here: https://channel9.msdn.com/Events/Ignite/Microsoft-Ignite-Orlando-2017/BRK2080
  * Enabled:Invalidate EAs on Reboot
    * Presumably, this refers to NTFS extended attribute caching. More info: https://posts.specterops.io/host-based-threat-modeling-indicator-design-a9dbbb53d5ea

New Allow/Deny/FileAttrib rule attributes:
* InternalName
* FileDescription
* ProductName
  * These were likely added to allow for more blacklist rule options. For example, if a bypass binary doesn't have an OriginalFileName field (the version-resource field the FileName attribute matches on) but it does have a FileDescription field that a rule can match on, then an effective blacklist rule can still be created.
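As an added example (not part of the gist), the PowerShell below uses the ConfigCI cmdlets to build a Deny rule keyed on the new FileDescription attribute and to enable the two new rule options; the file paths are placeholders, and the cmdlets assume Windows 10 1709 or later, where the schema additions above shipped.

```powershell
# Added example, not from the gist. Paths are placeholders.
$BinaryToBlock = 'C:\Samples\ExampleTool.exe'          # placeholder: binary to deny
$PolicyXml     = 'C:\Policies\DenyByDescription.xml'   # placeholder: output policy

# -Level FileName matches on a version-resource field; -SpecificFileNameLevel
# picks which one. OriginalFileName is the pre-1709 behaviour (FileName attribute);
# FileDescription, InternalName and ProductName map to the new schema attributes.
$DenyRule = New-CIPolicyRule -DriverFilePath $BinaryToBlock `
    -Level FileName -SpecificFileNameLevel FileDescription -Deny

# Emit a user-mode (UMCI) policy containing only that rule.
New-CIPolicy -FilePath $PolicyXml -Rules $DenyRule -UserPEs

# Rule option IDs: 14 = Enabled:Intelligent Security Graph Authorization,
# 15 = Enabled:Invalidate EAs on Reboot.
Set-RuleOption -FilePath $PolicyXml -Option 14
Set-RuleOption -FilePath $PolicyXml -Option 15

# Confirm the Deny element uses FileDescription rather than FileName, and that
# both options landed under <Rules>.
[xml]$Policy = Get-Content -Path $PolicyXml
$Policy.SiPolicy.FileRules.Deny | Select-Object ID, FileDescription, MinimumFileVersion
$Policy.SiPolicy.Rules.Rule | Select-Object -ExpandProperty Option
```

On its own this policy allows nothing; merge it into an existing allow policy with Merge-CIPolicy and test in audit mode before deploying.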
Schema diff:

  124 <xs:enumeration value="Allowed:UMCI Debug Options"/>
  125 <xs:enumeration value="Enabled:UMCI Cache Data Volumes"/>
  124 <xs:enumeration value="Enabled:Intelligent Security Graph Authorization"/>
  125 <xs:enumeration value="Enabled:Invalidate EAs on Reboot"/>
  -------------------------------------------------------------------------------------------
  558 <xs:attribute name="InternalName" type="xs:string" use="optional" />
  559 <xs:attribute name="FileDescription" type="xs:string" use="optional" />
  560 <xs:attribute name="ProductName" type="xs:string" use="optional" />
  -------------------------------------------------------------------------------------------
  579 <xs:attribute name="InternalName" type="xs:string" use="optional" />
  580 <xs:attribute name="FileDescription" type="xs:string" use="optional" />
  581 <xs:attribute name="ProductName" type="xs:string" use="optional" />
  -------------------------------------------------------------------------------------------
  592 <xs:attribute name="FileName" type="xs:string" use="required" />
  598 <xs:attribute name="FileName" type="xs:string" use="optional" />
  599 <xs:attribute name="InternalName" type="xs:string" use="optional" />
  600 <xs:attribute name="FileDescription" type="xs:string" use="optional" />
  601 <xs:attribute name="ProductName" type="xs:string" use="optional" />
  -------------------------------------------------------------------------------------------