Last active
March 9, 2023 20:46
-
-
Save wdormann/f2daf3d503306bb4a974bef6911e7ee5 to your computer and use it in GitHub Desktop.
WDAC blocking policy for Mandiant-mentioned BYOVD drivers
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy"> | |
| <VersionEx>10.0.0.0</VersionEx> | |
| <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
| <Rules> | |
| <Rule> | |
| <Option>Enabled:Unsigned System Integrity Policy</Option> | |
| </Rule> | |
| <Rule> | |
| <Option>Enabled:Audit Mode</Option> | |
| </Rule> | |
| <Rule> | |
| <Option>Enabled:Advanced Boot Options Menu</Option> | |
| </Rule> | |
| <Rule> | |
| <Option>Required:Enforce Store Applications</Option> | |
| </Rule> | |
| </Rules> | |
| <!--EKUS--> | |
| <EKUs /> | |
| <!--File Rules--> | |
| <FileRules> | |
| <Deny ID="ID_DENY_D_5" FriendlyName="c:\tmp\driver7.sys Hash Sha1" Hash="87C2E547126B4EEBFA51142625B14EB4312A53CC" /> | |
| <Deny ID="ID_DENY_D_6" FriendlyName="c:\tmp\driver7.sys Hash Sha256" Hash="7FBA2584BB4FB801F322E3A63253FFAC36A76D9DC5F0A4747746B0791E2A0D0B" /> | |
| <Deny ID="ID_DENY_D_7" FriendlyName="c:\tmp\driver7.sys Hash Page Sha1" Hash="560FB13C8E78B9EA183B20783CDCA7603F87323F" /> | |
| <Deny ID="ID_DENY_D_8" FriendlyName="c:\tmp\driver7.sys Hash Page Sha256" Hash="BAD3FB7189BB70B1C6606F4FE963957C9D1E9FBD4DBF9A416F6F82AF1E4A95B4" /> | |
| <Deny ID="ID_DENY_D_9" FriendlyName="c:\tmp\ene.sys Hash Sha1" Hash="CE280412DD778CAFBE6DBB05B8CAB42E98D3AE56" /> | |
| <Deny ID="ID_DENY_D_A" FriendlyName="c:\tmp\ene.sys Hash Sha256" Hash="795E5774AEFD74200D552BF7EDE17491C254FA7A73E2A00EB0E1462F18211FF5" /> | |
| <Deny ID="ID_DENY_D_B" FriendlyName="c:\tmp\ene.sys Hash Page Sha1" Hash="6CAFC03207391464AB7E69F47228CB82539BEBDE" /> | |
| <Deny ID="ID_DENY_D_C" FriendlyName="c:\tmp\ene.sys Hash Page Sha256" Hash="3F88ABF8908108207DA38DBC9E8690B3D63DB7F856B16E9F0D3A3B389FC72561" /> | |
| <Allow ID="ID_ALLOW_A_1_1" FriendlyName="" FileName="*" /> | |
| <Allow ID="ID_ALLOW_A_2_1" FriendlyName="" FileName="*" /> | |
| </FileRules> | |
| <!--Signers--> | |
| <Signers /> | |
| <!--Driver Signing Scenarios--> | |
| <SigningScenarios> | |
| <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Auto generated policy on 03-09-2023"> | |
| <ProductSigners> | |
| <FileRulesRef> | |
| <FileRuleRef RuleID="ID_DENY_D_5" /> | |
| <FileRuleRef RuleID="ID_DENY_D_6" /> | |
| <FileRuleRef RuleID="ID_DENY_D_7" /> | |
| <FileRuleRef RuleID="ID_DENY_D_8" /> | |
| <FileRuleRef RuleID="ID_DENY_D_9" /> | |
| <FileRuleRef RuleID="ID_DENY_D_A" /> | |
| <FileRuleRef RuleID="ID_DENY_D_B" /> | |
| <FileRuleRef RuleID="ID_DENY_D_C" /> | |
| <FileRuleRef RuleID="ID_ALLOW_A_1_1" /> | |
| </FileRulesRef> | |
| </ProductSigners> | |
| </SigningScenario> | |
| <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="Auto generated policy on 03-09-2023"> | |
| <ProductSigners> | |
| <FileRulesRef> | |
| <FileRuleRef RuleID="ID_ALLOW_A_2_1" /> | |
| </FileRulesRef> | |
| </ProductSigners> | |
| </SigningScenario> | |
| </SigningScenarios> | |
| <UpdatePolicySigners /> | |
| <CiSigners /> | |
| <HvciOptions>0</HvciOptions> | |
| <BasePolicyID>{6C024E7D-8728-42E8-BC62-F56D23EF58EB}</BasePolicyID> | |
| <PolicyID>{6C024E7D-8728-42E8-BC62-F56D23EF58EB}</PolicyID> | |
| </SiPolicy> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment