Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Harden Windows Security Module v0.3.6 #221

Merged
merged 45 commits into from
Apr 3, 2024
Merged

Harden Windows Security Module v0.3.6 #221

merged 45 commits into from
Apr 3, 2024

Conversation

HotCakeX
Copy link
Owner

@HotCakeX HotCakeX commented Mar 24, 2024
edited
Loading

What's New

Microsoft Defender for Endpoint - Advanced Hunting

You can now use the WDACConfig module to convert the Microsoft Defender for Endpoint (MDE) Advanced Hunting query results directly to Application Control policy (WDAC) policy in a matter of seconds with high precision and performance.

Demo Video

MDE AH Demo

The systematic approach to converting the query results to WDAC policy is as follows:

  • If a file is unsigned then a hash rule will be created for it.
  • If a file is signed then there are multiple possibilities:
    • If the file is signed and the MDE AH results contain the file's version as well as at least one of the following file attributes (Original Name, Internal Name, Description, Product Name), then a File Publisher rule will be created for it.
    • If the file is signed but the file attributes are not present in the results, Publisher level rule will be created for it.

These levels are selected based on their security. You can read more about the levels security comparison in this article.


Simple Yet Comprehensive

What WDACConfig requires for MDE Advanced Hunting

DeviceEvents
| where ActionType startswith "AppControlCodeIntegrity"
    or ActionType startswith "AppControlCIScriptBlocked"
    or ActionType startswith "AppControlCIScriptAudited"

As you can see, the WDACConfig module encapsulates all requisite logic, enabling the employment of heightened security levels for files, notably the FilePublisher. It assimilates comprehensive data, utilizing the maximum extent of available information to formulate the most precise and tailored rule for each individual file.


Comparison

Supported Features WDACConfig WDAC Wizard
Log types Code Integrity + AppLocker Code Integrity
Generated Rules File Publisher, Publisher, Leaf Certificate, Hash Publisher, Hash
Requires Custom CSV Formatting No - Accepts RAW data Yes
Required Query Size Small Large

Other Changes

@HotCakeX HotCakeX added the Enhancement 💯 New feature or request label Mar 24, 2024
@HotCakeX HotCakeX self-assigned this Mar 24, 2024
@HotCakeX
Merge branch 'main' into Harden-Windows-Security-Module-v0.3.6
73d2183
@HotCakeX
Implemented the GUI
cdd2d92
@HotCakeX
Adding the GUI code to the script
78e2987
@HotCakeX
Updated GUI
80c87ed
@HotCakeX
Improved the tabs
e69c3af
@HotCakeX
Improved the GUI and subcategories
9d00213
@HotCakeX
Update Protect-WindowsSecurity.psm1
bcfec13
@HotCakeX
Updated function name to be approved verb
8b40497
@HotCakeX
getting rid of trailing whitespaces
c073f19
@HotCakeX
Fixed sub-category detection
7550fdd
@HotCakeX
Added logger to the GUI
f20100b
@HotCakeX
Merge branch 'main' into Harden-Windows-Security-Module-v0.3.6
ed2f810
@HotCakeX
Improved UI elements availability
14cf711
@HotCakeX
param fix
9e88c90
@HotCakeX
Improved GUI style
b18d8da
@HotCakeX
Added logic for offline mode files handling
c928183
@HotCakeX
Requirements check happens before GUI load
d3b1aa8
@HotCakeX
Implemented offline mode handling
1266fd8
@HotCakeX
Fixed variable scopes during offline mode
f863816
@HotCakeX
Improved downloads jobs for online mode
c8ed211
@HotCakeX
version update
047b785
@HotCakeX
updated module manifest
d8d645e
@HotCakeX
Improved button event handling based on Admin priv
66490c9
@HotCakeX
added generic title to the file picker
7443be1
@HotCakeX
Added title to the log file path picker
b0e6408
@HotCakeX
Added file picker GUI to the LogPath dyn param
0397e59
@HotCakeX
Added more details to the log file header
51ed786
@HotCakeX
Added the changes to the script from the module
94b620f
@HotCakeX
removed unnecessary param info
345a36a
@HotCakeX
Improved log header and button border
19b591e
@HotCakeX
Improved UI for when Offline mode is not enabled
44cbe4a
@HotCakeX
improved comments
76364c2
@HotCakeX
Dynamically changing main text box's width
7b451b2 
based on window max width in real time
@HotCakeX
Update Protect-WindowsSecurity.psm1
de1f25e
@HotCakeX
Updated the root script
2f53504
@HotCakeX
Added examples for the GUI to the function helps
e18ce3e
@HotCakeX
Updated module manifest
47bf3b5
@HotCakeX
Changing the path for demo video, will revert back
84c4b64 
This is just temporarily for when recording video, will revert it back in the next commit
@HotCakeX
temporary change for video demo
4935760
@HotCakeX
Added extra verbose messages
17fa2cb
@HotCakeX
Added verbose messages
54f5938
@HotCakeX
empty line removal
9517613
@HotCakeX
Reverted the demo related changes
c0d672f
@HotCakeX HotCakeX merged commit fd6c587 into main Apr 3, 2024
2 checks passed
@HotCakeX HotCakeX deleted the Harden-Windows-Security-Module-v0.3.6 branch April 3, 2024 20:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@HotCakeX HotCakeX

Labels
Enhancement 💯 New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@HotCakeX