How to Create, Deploy and Audit WDAC (Windows Defender Application Control) Policies | WDACConfig

Captions
Hi and welcome to another WDAC video. This video is about creating and deploying WDAC, or Application Control, policies using the WDACConfig module. This is an open-source, enterprise-ready PowerShell module available on GitHub and the PowerShell Gallery. You can use the WDACConfig module to manage WDAC policies locally or create them for remote systems.

First I'm going to create a new base policy. I'm going to choose the Default Windows template, which allows only the components and files that are included in Windows by default to run. The command creates two policies: one of them is the Default Windows policy file and the other is the Microsoft recommended user mode block list, which is always required to be deployed along with any base policy on the system. It prevents potential bypasses of Windows Defender Application Control policies. All of the outputs of the WDACConfig module are saved in the secure, admin-protected WDACConfig folder in Program Files. Since I didn't use the Deploy parameter, the module only created the policy XML files without deploying them on the system. This is useful for when you want to deploy the policies on a remote system using Intune or other tools.

Next I'm going to create another base policy. This time I'm going to use the Signed and Reputable type. This policy is based on the Allow Microsoft template and it includes two additional rule options. The new rule options augment the policy by enabling the Microsoft Intelligent Security Graph, or ISG, in it. ISG automatically allows applications that it recognizes as having known good reputation. The ISG option helps organizations begin to implement application control even when the organization has limited control over their app ecosystem.

Now I'm just confirming that no WDAC policy has been deployed on the system yet, because for the next step I'm going to deploy the Allow Microsoft based policy on the system, which will also deploy the Microsoft recommended user mode block rules. The module always gets the latest user mode block rules from the official Microsoft GitHub repository. Just quickly confirming the deployment of the policies on the system.

You can use the WDACConfig module to only deploy the Microsoft recommended user mode block rules. If the block rules are already deployed on the system, the module will perform an in-place upgrade by finding the already deployed policy and using its GUID to deploy the new user mode block list policy. This will prevent it from deploying duplicate policies on the system. You can always use the Verbose parameter with any of the WDACConfig module's cmdlets in order to see very detailed info about its background operations and see exactly what it's doing whenever you run a command.

You can use the WDACConfig module to deploy the drivers block list on the system. The drivers block list is already deployed by default on Windows starting with build 22H2, but it is usually slower to update for compatibility purposes. The drivers block list that Windows uses is usually updated twice every year, but the block list itself is updated more frequently. This is why the module offers this feature, so you can deploy the block list manually or use the AutoUpdate parameter, which will essentially create a scheduled task in Windows that checks for drivers block list updates every week and deploys them on the system for you automatically. I'm going through the details of the scheduled task to show you what they look like. You can manually trigger the scheduled task to run anytime you want; it usually only takes a few seconds to complete. You can refresh the Scheduled Tasks screen by pressing the F5 key periodically or by right-clicking and selecting Refresh.

The drivers block list has been successfully deployed on the system using the scheduled task, so now it's time to check the deployed WDAC policies on the system and verify its deployment. The version of all of the deployed policies is shown on the screen, so you can see and compare them whenever they change in the future.

This is where the Microsoft recommended drivers block list is located on the Microsoft Learn website. It contains the full XML content of the policy as well as the instructions on how to use and deploy them. In fact, what the scheduled task that keeps it up to date on the system does is precisely based on the same instructions on this page. The Microsoft Vulnerable Driver Blocklist section that you are seeing in the Microsoft Defender window is the one that is enabled by default in Windows.

You can use the WDACConfig module to deploy policies in audit mode instead of enforced mode. When a policy is deployed in audit mode it doesn't block anything; instead it creates a log of the file that was run in the Code Integrity operational events. You can use the audit logs in a variety of ways, such as using them to create a supplemental policy, or using Microsoft Defender for Endpoint or Azure Sentinel to capture audit logs of your entire fleet of endpoints and create supplemental policies based on them. The WDACConfig module can be used for these tasks and can handle them perfectly. When the Default Windows base policy is deployed in audit mode instead of enforced mode, it creates a log of any file that is not part of the Windows operating system. These are the same files that would have been blocked if the policy was deployed in enforced mode. All of the policies generated by the WDACConfig module have their HVCI set to Strict, which uses Hypervisor-Protected Code Integrity for improved protection against tamper and vulnerabilities. Now checking the deployed policies on the system again to verify the successful deployment of the audit mode policy.

This is the location of the Code Integrity operational logs where the WDAC related events are stored. The AppLocker section stores the WDAC events related to audited or blocked MSI files and script files.

One of the many cmdlets of the WDACConfig module offers the feature where you can parse the Code Integrity and AppLocker data and view them in a nice graphical user interface for further processing. This cmdlet scans the audit logs by default, and since I haven't generated any audit logs after deploying the audit mode policy, there were no logs to display. The reason I'm getting the blocked screen when I try to run a program is that on this system I've deployed an audit mode policy and an enforced mode policy. The enforced mode policy always takes priority. To perform an audit for the applications, there shouldn't be any competing enforced mode policies with the same scope deployed on the system. If I change the type of the logs to Blocked, I can view the blocked events that were logged. The user interface provides a lot of information about the file, such as the name, version, where it's located and so on. If I want even more information I can use the ExtremeVisibility parameter to view the entire available information about each logged file. This highly detailed screen gives me everything I need to make an informed decision about which files I want to select in order to create a supplemental policy. The Process Name column shows which process tried to launch the file; in this case it was File Explorer, because I was in File Explorer when I tried to launch the program's installer file. I can also see the name of the policy that generated this log. As you can see, the Allow Microsoft policy that I had deployed earlier blocked this file from running. If I remove the Allow Microsoft policy, which is in enforced mode, then the file will be able to run, and the Default Windows policy, which is in audit mode, will log the file instead.

Thank you so much for watching. This was the demo of a more complex scenario where enforced and audit mode policies are deployed side by side. It showed you the power dynamics between them and how the audit and enforced logs are generated. If you have any questions or suggestions, please feel free to reach out to me on GitHub; I put the links in the description. I'll see you in the next video. Bye.
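The audit-versus-enforced behaviour the video walks through in the GUI can also be checked from the command line. The following PowerShell is an added example, not code from the video or from the WDACConfig module; it assumes an elevated session, the default Code Integrity and AppLocker log names, the documented event IDs 3076/3077 and 8028/8029, and XML field names (File Name, Process Name, PolicyName, FilePath) that you should verify against events on your own system.

```powershell
# Added example (not from the video or the WDACConfig module).
# Summarizes WDAC audit and block events so you can see which policy logged
# a file and whether a competing enforced policy overrode an audit policy.
# Assumed: elevated PowerShell, default log names, documented event IDs
# 3076/3077 (Code Integrity audit/blocked) and 8028/8029 (AppLocker MSI and
# Script audit/blocked). Field names are read from each event's own XML.

function Get-WdacEnforcementStatus {
    # Win32_DeviceGuard values: 0 = off, 1 = audit, 2 = enforced
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        UserModeCI   = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
        KernelModeCI = $dg.CodeIntegrityPolicyEnforcementStatus
    }
}

function Get-WdacEvent {
    param([int]$Hours = 24)
    $start = (Get-Date).AddHours(-$Hours)
    $filters = @(
        @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077; StartTime = $start }
        @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script';  Id = 8028, 8029; StartTime = $start }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            # Code Integrity events carry named <Data> elements; AppLocker events
            # carry a <UserData> subtree, so collect leaf values from both shapes.
            foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }
            foreach ($n in $xml.Event.UserData.ChildNodes) {
                foreach ($c in $n.ChildNodes) { $data[$c.LocalName] = $c.InnerText }
            }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Log     = $_.LogName
                Outcome = if ($_.Id -in 3076, 8028) { 'Audit' } else { 'Blocked' }
                File    = if ($data['File Name']) { $data['File Name'] } else { $data['FilePath'] }
                Process = $data['Process Name']
                Policy  = $data['PolicyName']
            }
        }
    }
}

# A file that appears as Blocked under one policy is the side-by-side case in
# the video: the enforced policy wins, so the audit policy never logs it.
Get-WdacEnforcementStatus
Get-WdacEvent -Hours 72 | Group-Object Policy, Outcome | Select-Object Count, Name | Sort-Object Name
```

Pair the output with `citool.exe --list-policies` (Windows 11 22H2 and later) to match the PolicyName column against the deployed policy IDs and versions shown on screen in the video.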
Info
Channel: HotCakeX
Views: 283
Keywords: WDAC, Application Control, Windows Defender, Windows, Security, Cyber Security, How To, WDACConfig, PowerShell, Microsoft
Id: JSwrfe9zYY4
Length: 14min 27sec (867 seconds)
Published: Tue Jun 04 2024