Created
November 26, 2017 23:23
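# Round-one WDAC driver allow-list builder.
#
# Harvests every driver the CodeIntegrity audit log reports as failing the
# current policy (event 3076), copies those binaries into a scratch directory,
# generates file rules from the copies, merges the rules into the default-deny
# audit driver policy and writes the binary policy into place.
#
# Run elevated, from the directory that holds Default_Deny_All_Audit_Drivers.xml,
# with the ConfigCI module (Get-SystemDriver / New-CIPolicyRule / Merge-CIPolicy /
# ConvertFrom-CIPolicy) available.
#
# SECURITY NOTE: this allow-lists whatever happened to load during the audit
# window, not what is known-good. Review $NewDrivers (signer, publisher, path)
# before the Merge-CIPolicy step: an unwanted or malicious driver that loaded
# while the policy was in audit mode would otherwise be permitted permanently,
# and a (WHQL)FilePublisher rule trusts that publisher for the file name rather
# than just the exact binary that was observed.

# NT device path the system volume appears under in CodeIntegrity events. The
# events log device paths, not drive letters, and HarddiskVolume4 is specific to
# the host this was written on -- compare against a raw 3076 event on the
# target machine and adjust before running.
$SystemVolumeDevice = '\Device\HarddiskVolume4'
$SystemDrive        = $env:SystemDrive     # e.g. C:
$SystemRoot         = $env:SystemRoot      # e.g. C:\Windows

# Scratch directory that receives a copy of each blocked driver; rules are
# generated from this directory rather than from the live driver locations.
$ScanDir = 'ScanMe'
if (-not (Test-Path -LiteralPath $ScanDir)) {
    New-Item -ItemType Directory -Path $ScanDir | Out-Null
}

# Event 3076 = audit-mode "would have been blocked" for a loaded image.
# Get-WinEvent raises a terminating error when nothing matches; an empty log
# just means there is nothing new to allow, so do not abort on it.
$AuditEvents = Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' `
                            -FilterXPath '*[System[EventID=3076]]' `
                            -ErrorAction SilentlyContinue

# Normalize each event's image path to a Win32 path the filesystem cmdlets can open.
$DriverPaths = foreach ($AuditEvent in $AuditEvents) {
    # Properties[1] carries the path of the image that failed the policy.
    $DriverPath = $AuditEvent.Properties[1].Value

    switch -Wildcard ($DriverPath) {
        # \Device\HarddiskVolumeN\Windows\... -> C:\Windows\...
        "$SystemVolumeDevice\*" {
            $DriverPath = Join-Path $SystemDrive ($DriverPath.Substring($SystemVolumeDevice.Length + 1))
        }
        # System32\drivers\foo.sys -> C:\Windows\System32\drivers\foo.sys
        'System32*' {
            $DriverPath = Join-Path $SystemRoot $DriverPath
        }
    }

    $DriverPath
}

# The same driver typically produces many 3076 events; copy each file once.
# -LiteralPath keeps '[' / ']' in a path from being treated as wildcards.
# A driver that has since been removed yields a non-terminating error and is
# skipped -- it cannot be allow-listed from a copy anyway.
foreach ($DriverPath in ($DriverPaths | Sort-Object -Unique)) {
    Copy-Item -LiteralPath $DriverPath -Destination $ScanDir
}

# Collect signer information for every copied driver.
$NewDrivers = Get-SystemDriver -ScanPath ".\$ScanDir\" -NoShadowCopy

# Build rules at the WHQLFilePublisher level, falling back to FilePublisher for
# drivers that are signed but not WHQL. Files that cannot be matched at either
# level (presumably unsigned ones) are expected to surface as cmdlet warnings
# rather than as rules -- check the output for anything that was skipped.
$NewDriverRules = New-CIPolicyRule -DriverFiles $NewDrivers -Level WHQLFilePublisher -Fallback FilePublisher

# Merge the new rules into the audit-mode default-deny driver policy.
Merge-CIPolicy -OutputFilePath WhitelistPolicyDevRound1.xml -PolicyPaths Default_Deny_All_Audit_Drivers.xml -Rules $NewDriverRules

# Deploy: convert to the binary form Code Integrity loads at boot.
# Writing straight to the live policy path is only reasonable while the policy
# is still in audit mode; an enforced default-deny driver policy that misses a
# boot driver can leave the machine unbootable, so keep a known-good policy and
# a recovery path to hand before flipping enforcement on.
ConvertFrom-CIPolicy -XmlFilePath WhitelistPolicyDevRound1.xml -BinaryFilePath (Join-Path $SystemRoot 'System32\CodeIntegrity\SIPolicy.p7b')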