From 51c2a58c8461560a938dda3bd30a99c9b3e61f4f Mon Sep 17 00:00:00 2001 From: Violet Hansen Date: Tue, 26 Nov 2024 22:15:11 +0200 Subject: [PATCH] WDACConfig v0.5.0 (#417) Configured more functions to redirect them to AppControl Manager. --- WDACConfig/Utilities/Hashes.csv | 19 +- .../Core/Build-WDACCertificate.psm1 | 316 +----------------- .../Core/ConvertTo-WDACPolicy.psm1 | 19 -- .../Core/Deploy-SignedWDACConfig.psm1 | 2 +- .../Core/Edit-SignedWDACConfig.psm1 | 2 +- .../Core/Edit-WDACConfig.psm1 | 61 +--- .../Core/Get-CIPolicySetting.psm1 | 58 +--- .../Core/Get-CiFileHashes.psm1 | 32 +- .../Core/Get-CommonWDACConfig.psm1 | 11 +- .../Core/New-SupplementalWDACConfig.psm1 | 194 +---------- .../WDACConfig Module Files/WDACConfig.psd1 | 9 +- WDACConfig/version.txt | 2 +- 12 files changed, 28 insertions(+), 697 deletions(-) delete mode 100644 WDACConfig/WDACConfig Module Files/Core/ConvertTo-WDACPolicy.psm1 diff --git a/WDACConfig/Utilities/Hashes.csv b/WDACConfig/Utilities/Hashes.csv index 941022339..9749f43c2 100644 --- a/WDACConfig/Utilities/Hashes.csv +++ b/WDACConfig/Utilities/Hashes.csv 
@@ -1,21 +1,20 @@
 "RelativePath","FileName","FileHash"
 ".NETAssembliesToLoad.txt",".NETAssembliesToLoad.txt","E6C32EF634D7288434F693AA0D4DE78068524F28C755412D81FAC3973F96AC82C636569FFA999F75EC2109F20961DE6B9EDBDC5A0325519B7D907CE16DCF116B"
-"WDACConfig.psd1","WDACConfig.psd1","D64134CCADFAB949AFA69965A1E227D760A6A53BCD6E46D5E72500000E6767FDAA07EE8E67EFFA990371E664B3D95E0968C92657988254D8B51B86AA6E3D6575"
+"WDACConfig.psd1","WDACConfig.psd1","A3C1CC3B3C3B34686718F039346D920F4085B4014F08192F35A4B77AA6C080158FC8D59CE9A7170C054697ECDF67C3A7C5860C7CC209B2990B27985E76E2389F"
 "WDACConfig.psm1","WDACConfig.psm1","16B41F5A4D704593D1F834C27D21138B7AF20EE76DDA050BAD04266422CAD333B6584C558E4304A32C4EE08BB54B9B005BEA12900F471F5D8517EF10B1E2F517"
 "Core\Assert-WDACConfigIntegrity.psm1","Assert-WDACConfigIntegrity.psm1","02A11FE01CB4599FBD77A01589B7B716EA5C5301F6BEEB59ACB1CC3CF582876F75624CAF1CB8E979919E62D3C87612DDD2DE511C44EF6F37FCECA16BFE8705CC"
-"Core\Build-WDACCertificate.psm1","Build-WDACCertificate.psm1","8BBE806D2247D33957806DC1A36E0A5582733830A40929C308E5ADB8B739BF8E8AA94BDC451874ABF2A9CB657A58DBD48D6315C4B93CBDD15DE4B4884B082D73"
+"Core\Build-WDACCertificate.psm1","Build-WDACCertificate.psm1","E88E5DDCFD11353B15190AE4B810E5F3BF07BADA469E0E068661FEE260894641A5769CABFB25D10D7988682644F05702D17AC2D7F439D4C419099863C61335B8"
 "Core\Confirm-WDACConfig.psm1","Confirm-WDACConfig.psm1","5370AC726BA397E677996088640837FA3B334794B0AB37DFBF4F530E2CB568652EB0643B8E72A9D448020D87F4C9C886B9FB137C1CA5573C0C7AC90DFC8D84B9"
-"Core\ConvertTo-WDACPolicy.psm1","ConvertTo-WDACPolicy.psm1","C7F4674595201C07533D89D29476FA6FE898019046B18B33DA9987270F68DA44D54295D7F3064D6DD94D03838A71AC1AACF8C5F428AC81969D834F604BF0A497"
-"Core\Deploy-SignedWDACConfig.psm1","Deploy-SignedWDACConfig.psm1","1DB200D5A570C863307D23E3221EDB87D0AA443F3B6D36198BC51B5877BC204026641CD68C4AE820EB50117FD2E3CDB98A6E52A5AA822D0F1298AFB0C601EA78"
-"Core\Edit-SignedWDACConfig.psm1","Edit-SignedWDACConfig.psm1","A2C4033B43021A92EEE03508E8FD266C3C55BF5CA3945F8A777DE3971367551FA1DD8FA80961CA628FF57845214E0E5432962DF938F94D60E73FD80634496BB7"
-"Core\Edit-WDACConfig.psm1","Edit-WDACConfig.psm1","6AD71EE1D0B2A24C7A32033C2AA5C9B8E2881554A5DACCC01A249F14EA334F43CDE782BD2FC6EBE9464E73630BAFAC19839C0669C018F31D3AC86B854CA93242"
-"Core\Get-CiFileHashes.psm1","Get-CiFileHashes.psm1","9C3D2088BD21DDD210EEB0DB50FC6C293E5C17DD33AEEC85A32A396540267835D529EA836F450D2131D4C05025B685E7E63280C4E2BBD63555AEE0B7F06D4B23"
-"Core\Get-CIPolicySetting.psm1","Get-CIPolicySetting.psm1","04C20AA9D8992D075E0019F5878B60AFC9ED44DC64593A3F22FFAF82DA232FB03B2AE0C3CCBB02C245677C8D0679B575DA76274015EEBAADC3CF46956BE8002D"
-"Core\Get-CommonWDACConfig.psm1","Get-CommonWDACConfig.psm1","E2745FA18505D7F180D87A983339FF2EEBBE5D2F3546689BFA7EBEE2C97EAB2CFAB5921A24138F7BB5473FEC7C46115ECC316631C81A4DC06AC24348168E426F"
+"Core\Deploy-SignedWDACConfig.psm1","Deploy-SignedWDACConfig.psm1","4EB4515618031CE96AD01D401A1C2DB2DA793D12DF4E9AF353C74E8D0C6A2F52B2345B02E28C3909A1CB142474D2D34DA5D0764F465E7AEA5898FB4D0E43317E"
+"Core\Edit-SignedWDACConfig.psm1","Edit-SignedWDACConfig.psm1","D7259E2EAB39DA4E2CFA8626736B478E27444A84B414F89F4E042CB1432E801E78AE3AFF3B598FD7E4374B8A44349D5781120B5A62577ED36037A78523050CEE"
+"Core\Edit-WDACConfig.psm1","Edit-WDACConfig.psm1","272C430F3B41395CC2ED1F9F98AA2F42CB04F20A39439A38F48F68868A5F9AF2D7CCED20534444C405C5EF3DD0FE3801CF618E2E20842E4C49A562EC675D6F04"
+"Core\Get-CiFileHashes.psm1","Get-CiFileHashes.psm1","5EBEB6EC9CAD2DA2D06EF5BEE01B81A4F3A9210F134D23B93B7A561D04A5FC0910F18A637806C4B0ED3090B0B5310716B2E3A7DE797BD2CB6185E193132A735E"
+"Core\Get-CIPolicySetting.psm1","Get-CIPolicySetting.psm1","FC9E9C022513A348FE1F4304E754130A63AA8311DBA9A4575D4D383BC8A3646B8DF3C4F544ACFCFDE4DACB9DA9B69C96AF5E1F425CD3F020ED4A259F8636E3FC"
+"Core\Get-CommonWDACConfig.psm1","Get-CommonWDACConfig.psm1","04E1F447F1BA23DF70E218D16058FE93506925E95D12510EB8DA7EFC9B3F74997C76EB510766C9287996F085A5837F5FEACEB7D7C9013EAF46E0655057E8CBE6"
 "Core\Invoke-WDACSimulation.psm1","Invoke-WDACSimulation.psm1","5DBE7116CA923462D540006833377A80E548F85A72288CA16B88F4026BF2821EDFF5EA4C81055D43BA48153BD1197EFCE0E49923DC908B056CFD4A8045FF4049"
 "Core\New-DenyWDACConfig.psm1","New-DenyWDACConfig.psm1","6AB261EB5CBDCFE9F690F7F65C3D09D686042D145C6B351A4EF02D73A5588847C420B8B8AA5D67D109E3F4D1208E48FAB651EFB967D341F250EF3109021E81F9"
 "Core\New-KernelModeWDACConfig.psm1","New-KernelModeWDACConfig.psm1","61F200C217C66454CF0A261D75CCC56357F58C7D736A859F34D583CAE92D83866BA336602D56F164D86F7B6893A14E78F6F531A5E0B8BE4A59EC064AA4B0C4C0"
-"Core\New-SupplementalWDACConfig.psm1","New-SupplementalWDACConfig.psm1","13BE2AC721FB0823473602331BAB6DBBDE55FB801B44D0690C1D083859CB4020BB7146C9B746C7A8EAF0F20551DB7E20AE3D822EB0FDFC7D9AB123B45E497C29"
+"Core\New-SupplementalWDACConfig.psm1","New-SupplementalWDACConfig.psm1","4AE3A7DA015E8A4D41BC060A61B5729FE0A1A1EA5B7409ED0D127F83A4EBDAAA586EB15D4F9C843171966E1501C0FA288E3715A0959B0BEB0BB9E7FBD245A169"
 "Core\New-WDACConfig.psm1","New-WDACConfig.psm1","B2E00DC36B4E9ED156AB1790F77726939A1E7AB710FEFB8772F71927350B2BC7374D50B60F6AB180AC3AD1E74B0531FC76C39D747B3BE782A20705043BA0266D"
 "Core\Remove-CommonWDACConfig.psm1","Remove-CommonWDACConfig.psm1","56D0D122E1FD2D9EC8AFD4BF8ADF9D9FE6D88B482C452B1D44BBE14747BF2A0540A5E6E7D7F4595DD6F5876852A45B83DAC280F7A9847653E2C89F5891754333"
 "Core\Remove-WDACConfig.psm1","Remove-WDACConfig.psm1","E760A5345DD2C00CE5CF80D1C71FB9A8E54F4B057EC26B95F1372182848BCBB8A02F78BA34A6C57519235C88589DFBAF0E3DFB8713B55CDD5EC368F99A756F5B"
diff --git a/WDACConfig/WDACConfig Module Files/Core/Build-WDACCertificate.psm1 b/WDACConfig/WDACConfig Module Files/Core/Build-WDACCertificate.psm1
index 4620dd2b1..c30f53bbf 100644
--- a/WDACConfig/WDACConfig Module Files/Core/Build-WDACCertificate.psm1 +++ b/WDACConfig/WDACConfig Module Files/Core/Build-WDACCertificate.psm1 
@@ -1,317 +1,11 @@ Function Build-WDACCertificate { [CmdletBinding()] param ( - [ValidatePattern('^[a-zA-Z0-9 ]+$', ErrorMessage = 'Only use alphanumeric and space characters.')] - [Parameter(Mandatory = $false)] - [System.String]$CommonName = 'Code Signing Certificate', - - [ValidatePattern('^(?!.*[\\|/:*?"<>]).*$', ErrorMessage = 'A file name cannot contain any of the following characters \|/:*?"<>')] - [ValidateCount(1, 250)] - [Parameter(Mandatory = $false)] - [System.String]$FileName = 'Code Signing Certificate', - - [Parameter(Mandatory = $false)] - [ValidateSet('Method1', 'Method2')] - [System.String]$BuildingMethod = 'Method2', - - [Parameter(Mandatory = $false)] - [ValidateScript({ - ([System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($_))).Length -ge 5 - }, ErrorMessage = 'The password must be at least 5 characters long.')] - [System.Security.SecureString]$Password, - + [Parameter(Mandatory = $false)][System.String]$CommonName = 'Code Signing Certificate', + [Parameter(Mandatory = $false)][System.String]$FileName = 'Code Signing Certificate', + [Parameter(Mandatory = $false)][System.String]$BuildingMethod = 'Method2', + [Parameter(Mandatory = $false)][System.Security.SecureString]$Password, [Parameter(Mandatory = $false)][switch]$Force ) - Begin { - [WDACConfig.LoggerInitializer]::Initialize($VerbosePreference, $DebugPreference, $Host) - Update-WDACConfigPSModule -InvocationStatement $MyInvocation.Statement - - # Define a staging area for Build-WDACCertificate cmdlet - [System.IO.DirectoryInfo]$StagingArea = Join-Path -Path ([WDACConfig.GlobalVars]::UserConfigDir) -ChildPath 'StagingArea' -AdditionalChildPath 'Build-WDACCertificate' - - # Delete it if it exists already with possible content with previous runs - if ([System.IO.Directory]::Exists($StagingArea)) { - Remove-Item -LiteralPath $StagingArea -Recurse -Force - } - - # Create the staging area for the Build-WDACCertificate cmdlet - 
$null = New-Item -Path $StagingArea -ItemType Directory -Force - - # If user entered a common name that is not 'Code Signing Certificate' (which is the default value) - if ($CommonName -ne 'Code Signing Certificate') { - - # If user did not select a $FileName and it's set to the default value of 'Code Signing Certificate' - if ($FileName -eq 'Code Signing Certificate') { - - # Set the $FileName to the same value as the $CommonName that the user entered for better user experience - [System.String]$FileName = $CommonName - } - } - - if (!$Password) { - - [WDACConfig.Logger]::Write('Prompting the user to enter a password for the certificate because it was not passed as a parameter.') - - do { - [System.Security.SecureString]$Password1 = $(Write-ColorfulTextWDACConfig -Color Lavender -InputText 'Enter a password for the certificate (at least 5 characters)'; Read-Host -AsSecureString) - [System.Security.SecureString]$Password2 = $(Write-ColorfulTextWDACConfig -Color Lavender -InputText 'Confirm your password for the certificate'; Read-Host -AsSecureString) - - # Compare the Passwords and make sure they match - [System.Boolean]$TheyMatch = [WDACConfig.SecureStringComparer]::Compare($Password1, $Password2) - - # If the Passwords match and they are at least 5 characters long, assign the Password to the $Password variable - if ( $TheyMatch -and ($Password1.Length -ge 5) -and ($Password2.Length -ge 5) ) { - [System.Security.SecureString]$Password = $Password1 - } - else { - Write-Host -Object 'Please ensure that the Passwords you entered match, and that they are at least 5 characters long.' 
-ForegroundColor red - } - } - # Repeat this process until the entered Passwords match and they are at least 5 characters long - until ( $TheyMatch -and ($Password1.Length -ge 5) -and ($Password2.Length -ge 5) ) - } - - [WDACConfig.Logger]::Write('Checking if a certificate with the same common name already exists.') - [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$DuplicateCerts = foreach ($Item in (Get-ChildItem -Path 'Cert:\CurrentUser\My' -CodeSigningCert)) { - if ($Item.Subject -ieq "CN=$CommonName") { - $Item - } - } - - if ($DuplicateCerts.Count -gt 0 ) { - if ($Force -or $PSCmdlet.ShouldContinue('Remove all of them and continue with creating a new certificate?', "$($DuplicateCerts.Count) certificate(s) with the common name '$CommonName' already exist on the system.")) { - - foreach ($Cert in $DuplicateCerts) { - $Cert | Remove-Item -Force - } - - } - else { - Throw [System.Data.DuplicateNameException] 'A certificate with the same common name already exists on the system. Please remove it or choose another common name and try again.' 
- } - } - } - process { - - Try { - - if ($BuildingMethod -ieq 'Method1') { - - [WDACConfig.Logger]::Write('Building the certificate using Method1.') - - [System.String]$Inf = @" -[Version] -Signature="$Windows NT$" - -[NewRequest] -X500NameFlags = "CERT_NAME_STR_DISABLE_UTF8_DIR_STR_FLAG" -Subject = "CN=$CommonName" -KeyLength = 4096 -KeySpec = 2 -KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE" -MachineKeySet = False -ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0" -RequestType = Cert -SMIME = False -Exportable = True -ExportableEncrypted = True -KeyAlgorithm = RSA -FriendlyName = "$CommonName" -HashAlgorithm = sha512 -ValidityPeriodUnits = 100 -ValidityPeriod = Years - -[Extensions] -1.3.6.1.4.1.311.21.10 = "{text}oid=1.3.6.1.5.5.7.3.3" -2.5.29.37 = "{text}1.3.6.1.5.5.7.3.3" -2.5.29.19 = {text}ca=0pathlength=0 -"@ - - # Save the INF content to a random temporary file - $Inf | Out-File -FilePath (Join-Path -Path $StagingArea -ChildPath 'CertificateCreator.inf') -Force - - # Generate a certificate request using CertReq - [System.String[]]$CertReqOutput = certreq.exe -new (Join-Path -Path $StagingArea -ChildPath 'CertificateCreator.inf') (Join-Path -Path $StagingArea -ChildPath 'CertificateCreator.req') - - #Region parse-certificate-request-output - - # Split the output by newlines and trim the whitespace - [System.String[]]$Lines = foreach ($Line in $CertReqOutput -split "`n") { - $Line.Trim() - } - - # Create a hashtable to store the parsed properties - [System.Collections.Hashtable]$Properties = @{} - - # Loop through the lines and extract the key-value pairs - foreach ($Line in $Lines) { - # Skip the first line - if ($Line -ieq 'Installed Certificate:') { - continue - } - # Check if the line has a colon - if ($Line -match ':') { - # Split the line by colon with a limit of 2 and trim the whitespace - [System.String[]]$Parts = foreach ($Item in ($Line -split ':', 2)) { - $Item.Trim() - } - - # Assign the first part as the key and the second part as 
the value - [System.String]$Key = $Parts[0] - [System.String]$Value = $Parts[1] - # Add the key-value pair to the hashtable - $Properties[$Key] = $Value - } - } - #Endregion parse-certificate-request-output - - # Save the thumbprint of the certificate to a variable - [System.String]$NewCertificateThumbprint = $Properties['Thumbprint'] - } - - elseif ($BuildingMethod -eq 'Method2') { - - [WDACConfig.Logger]::Write('Building the certificate using Method2.') - - # Create a hashtable of parameter names and values - [System.Collections.Hashtable]$Params = @{ - Subject = "CN=$CommonName" - FriendlyName = $CommonName - CertStoreLocation = 'Cert:\CurrentUser\My' - KeyExportPolicy = 'ExportableEncrypted' - KeyLength = '4096' - KeyAlgorithm = 'RSA' - HashAlgorithm = 'sha512' - KeySpec = 'Signature' - KeyUsage = 'DigitalSignature' - KeyUsageProperty = 'Sign' - Type = 'CodeSigningCert' - NotAfter = [System.DateTime](Get-Date).AddYears(100) - TextExtension = @('2.5.29.19={text}CA:FALSE', '2.5.29.37={text}1.3.6.1.5.5.7.3.3', '1.3.6.1.4.1.311.21.10={text}oid=1.3.6.1.5.5.7.3.3') - } - - # Pass the splatting variable to the command - [System.Security.Cryptography.X509Certificates.X509Certificate2]$NewCertificate = New-SelfSignedCertificate @params - - # Save the thumbprint of the certificate to a variable - [System.String]$NewCertificateThumbprint = $NewCertificate.Thumbprint - } - - [WDACConfig.Logger]::Write('Finding the certificate that was just created by its thumbprint') - [System.Security.Cryptography.X509Certificates.X509Certificate2]$TheCert = foreach ($Cert in (Get-ChildItem -Path 'Cert:\CurrentUser\My' -CodeSigningCert)) { - if ($Cert.Thumbprint -eq $NewCertificateThumbprint) { - $Cert - } - } - - [System.IO.FileInfo]$CertificateOutputPath = Join-Path -Path ([WDACConfig.GlobalVars]::UserConfigDir) -ChildPath "$FileName.cer" - - [WDACConfig.Logger]::Write("Exporting the certificate (public key only) to $FileName.cer") - $null = Export-Certificate -Cert $TheCert -FilePath 
$CertificateOutputPath -Type 'CERT' -Force - - [WDACConfig.Logger]::Write("Exporting the certificate (public and private keys) to $FileName.pfx") - $null = Export-PfxCertificate -Cert $TheCert -CryptoAlgorithmOption 'AES256_SHA256' -Password $Password -ChainOption 'BuildChain' -FilePath (Join-Path -Path ([WDACConfig.GlobalVars]::UserConfigDir) -ChildPath "$FileName.pfx") -Force - - [WDACConfig.Logger]::Write('Removing the certificate from the certificate store') - $TheCert | Remove-Item -Force - - try { - [WDACConfig.Logger]::Write('Importing the certificate to the certificate store again, this time with the private key protected by VSM (Virtual Secure Mode - Virtualization Based Security)') - $null = Import-PfxCertificate -ProtectPrivateKey 'VSM' -FilePath (Join-Path -Path ([WDACConfig.GlobalVars]::UserConfigDir) -ChildPath "$FileName.pfx") -CertStoreLocation 'Cert:\CurrentUser\My' -Password $Password - } - catch { - [WDACConfig.Logger]::Write('Importing the certificate to the certificate store again (VSM could not be be used due to lack of hardware virtualization support)') - $null = Import-PfxCertificate -FilePath (Join-Path -Path ([WDACConfig.GlobalVars]::UserConfigDir) -ChildPath "$FileName.pfx") -CertStoreLocation 'Cert:\CurrentUser\My' -Password $Password - } - - [WDACConfig.Logger]::Write('Saving the common name of the certificate to the User configurations') - $null = [WDACConfig.UserConfiguration]::Set($null, $null, $null, $CommonName, $null, $null, $null, $null, $null, $null) - - [WDACConfig.Logger]::Write('Saving the path of the .cer file of the certificate to the User configurations') - $null = [WDACConfig.UserConfiguration]::Set($null, $null, $null, $null, $CertificateOutputPath, $null, $null, $null, $null, $null) - } - catch { - throw $_ - } - Finally { - Remove-Item -LiteralPath $StagingArea -Recurse -Force - } - } - end { - Write-ColorfulTextWDACConfig -Color MintGreen -InputText "The certificate with the common name '$CommonName' has been 
successfully created." - } - <# -.SYNOPSIS - Builds a self-signed certificate for use with WDAC. - - All of the outputs are saved in: C:\Program Files\WDACConfig -.LINK - https://github.com/HotCakeX/Harden-Windows-Security/wiki/Build-WDACCertificate -.PARAMETER CommonName - The common name of the certificate. Defaults to 'Code Signing Certificate'. - If a certificate with the same common name already exists on the system, the user will be asked whether to automatically remove all of them and continue with creating a new certificate. - This can be automated by passing the -Force switch. - - If you enter a CommonName but do not enter a FileName, the FileName will be set to the same value as the CommonName for better user experience. -.PARAMETER FileName - The name of the certificate file. Defaults to 'Code Signing Certificate'. - Selected name should not contain any of the following characters \|/:*?"<> -.PARAMETER BuildingMethod - The method used to build the certificate. - Method1 uses CertReq.exe to build the certificate. - Method2 uses New-SelfSignedCertificate to build the certificate. -.PARAMETER Password - The password to protect the private key of the certificate, at least 5 characters long. - If not passed as a parameter, the user will be prompted to enter a password. -.PARAMETER Force - Forces the removal of any existing certificates with the same common name from the system. -.DESCRIPTION - Builds a self-signed certificate for use with WDAC that meets all of the requirements for a WDAC policy signing certificate. - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/create-code-signing-cert-for-appcontrol -.NOTES - For Method1 INF creation notes: - - 2.5.29.19 = {text}ca=0pathlength=0 -> adds basic constraints to the certificate request. 
- X500NameFlags = "CERT_NAME_STR_DISABLE_UTF8_DIR_STR_FLAG" -> For setting the encoding to printable string and disabling UTF-8 encoding, required for WDAC policy signing certificate - > https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/create-code-signing-cert-for-appcontrol - - For Method2 New-SelfSignedCertificate notes: - - '2.5.29.19={text}CA:FALSE' -> adds basic constraints to the certificate request to make it a non-CA and end entity certificate. - '2.5.29.37={text}1.3.6.1.5.5.7.3.3' adds the extended key usage for code signing. - '1.3.6.1.4.1.311.21.10={text}oid=1.3.6.1.5.5.7.3.3' -> adds "[1]Application Certificate Policy:Policy Identifier=Code Signing" as the value for Application Policies extension. The certificate made in CA role in Windows Server (using Code Signing template) also adds this extension. - - Get the value of the Application Policies extension - ($NewCertificate.Extensions | Where-Object -FilterScript { $_.oid.FriendlyName -eq 'Application Policies' }).Format($false) - - Use certutil -dump -v '.\codesign.cer' to view the certificate properties, such as encoding of the certificate fields like the subject - - The reason for denying to create certificates with common names that already exist in the same store and location on the system is that SignTool.exe can't determine which certificate to use - when there are multiple certificates with the same common name in the same certificate store so it would either need to randomly choose the best one (using the /a option) or ask the user to provide the SHA1 hash of the certificate to use (using the /sha1 option), which is not secure at all. - It also can create confusion for users when they have multiple certificates with the same common name in the same certificate store. 
-.INPUTS - System.String - System.Security.SecureString - System.Management.Automation.SwitchParameter -.OUTPUTS - System.String -.EXAMPLE - $Password = ConvertTo-SecureString -String 'hotcakex' -AsPlainText - Build-WDACCertificate -Password $Password -Verbose -Force - - This example builds a self-signed certificate for use with WDAC with the common name 'Code Signing Certificate' and the password 'hotcakex' and files named 'Code Signing Certificate.cer' and 'Code Signing Certificate.pfx'. -.EXAMPLE - Build-WDACCertificate -Password (ConvertTo-SecureString -String 'hotcakes' -AsPlainText) - - This example builds a self-signed certificate by providing the password in a different way -.EXAMPLE - $Password = ConvertTo-SecureString -String 'hotcakex' -AsPlainText - Build-WDACCertificate -Password $Password -Verbose -Force -CommonName 'My WDAC Certificate' -FileName 'My Cert' - - This example builds a self-signed certificate for use with WDAC with the common name 'My WDAC Certificate' and the password 'hotcakex' and files named 'My Cert.cer' and 'My Cert.pfx'. -.EXAMPLE - Build-WDACCertificate - - This example builds a self-signed certificate for use with WDAC with the common name 'Code Signing Certificate' and files named 'Code Signing Certificate.cer' and 'Code Signing Certificate.pfx'. - You will be prompted to enter a password. -#> + Write-Host -ForegroundColor Green -Object "This function's job has been completely added to the new AppControl Manager app. It offers a complete graphical user interface (GUI) for easy usage. Please refer to this GitHub page to see how to install and use it:`nhttps://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager" } \ No newline at end of file diff --git a/WDACConfig/WDACConfig Module Files/Core/ConvertTo-WDACPolicy.psm1 b/WDACConfig/WDACConfig Module Files/Core/ConvertTo-WDACPolicy.psm1 deleted file mode 100644 index e39c03b87..000000000 
--- a/WDACConfig/WDACConfig Module Files/Core/ConvertTo-WDACPolicy.psm1 +++ /dev/null @@ -1,19 +0,0 @@ -Function ConvertTo-WDACPolicy { - [CmdletBinding( - DefaultParameterSetName = 'All' - )] - param( - [Parameter(Mandatory = $false, ParameterSetName = 'In-Place Upgrade')] - [System.IO.FileInfo]$PolicyToAddLogsTo, - [Parameter(Mandatory = $false, ParameterSetName = 'Base-Policy File Association')] - [System.IO.FileInfo]$BasePolicyFile, - [Parameter(Mandatory = $false)][System.String]$Level = 'Auto', - [Parameter(Mandatory = $false, ParameterSetName = 'Base-Policy GUID Association')] - [Alias('BaseGUID')][System.Guid]$BasePolicyGUID, - [Parameter(Mandatory = $false)][System.String]$SuppPolicyName, - [Parameter(Mandatory = $false)][System.String]$Source = 'LocalEventLogs', - [Parameter(Mandatory = $false)][System.String[]]$FilterByPolicyNames, - [Parameter(Mandatory = $false)][System.String]$TimeSpan - ) - Write-Host -ForegroundColor Green -Object "This function's job has been completely added to the new AppControl Manager app. It offers a complete graphical user interface (GUI) for easy usage. Please refer to this GitHub page to see how to install and use it:`nhttps://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager" -} \ No newline at end of file diff --git a/WDACConfig/WDACConfig Module Files/Core/Deploy-SignedWDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/Deploy-SignedWDACConfig.psm1 index 013219865..316da54ed 100644 --- a/WDACConfig/WDACConfig Module Files/Core/Deploy-SignedWDACConfig.psm1 +++ b/WDACConfig/WDACConfig Module Files/Core/Deploy-SignedWDACConfig.psm1 
@@ -57,7 +57,7 @@ Function Deploy-SignedWDACConfig { [System.IO.FileInfo]$CertPath = [WDACConfig.UserConfiguration]::Get().CertificatePath } else { - throw 'CertPath parameter cannot be empty and no valid user configuration was found for it. Use the Build-WDACCertificate cmdlet to create one.' + throw 'CertPath parameter cannot be empty and no valid user configuration was found for it.' } } diff --git a/WDACConfig/WDACConfig Module Files/Core/Edit-SignedWDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/Edit-SignedWDACConfig.psm1 index d18116d47..e0c9b5559 100644 --- a/WDACConfig/WDACConfig Module Files/Core/Edit-SignedWDACConfig.psm1 +++ b/WDACConfig/WDACConfig Module Files/Core/Edit-SignedWDACConfig.psm1 @@ -132,7 +132,7 @@ Function Edit-SignedWDACConfig { [System.IO.FileInfo]$CertPath = [WDACConfig.UserConfiguration]::Get().CertificatePath } else { - throw 'CertPath parameter cannot be empty and no valid user configuration was found for it. Use the Build-WDACCertificate cmdlet to create one.' + throw 'CertPath parameter cannot be empty and no valid user configuration was found for it.' } } diff --git a/WDACConfig/WDACConfig Module Files/Core/Edit-WDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/Edit-WDACConfig.psm1 index 0b4898f11..0ed80b9a8 100644 --- a/WDACConfig/WDACConfig Module Files/Core/Edit-WDACConfig.psm1 +++ b/WDACConfig/WDACConfig Module Files/Core/Edit-WDACConfig.psm1 @@ -1,11 +1,9 @@ Function Edit-WDACConfig { [CmdletBinding( - DefaultParameterSetName = 'AllowNewApps', + DefaultParameterSetName = 'MergeSupplementalPolicies', PositionalBinding = $false )] Param( - [Alias('A')] - [Parameter(Mandatory = $false, ParameterSetName = 'AllowNewApps')][switch]$AllowNewApps, [Alias('M')] [Parameter(Mandatory = $false, ParameterSetName = 'MergeSupplementalPolicies')][switch]$MergeSupplementalPolicies, [Alias('U')] 
@@ -13,7 +11,6 @@ Function Edit-WDACConfig { [ValidateCount(1, 232)] [ValidatePattern('^[a-zA-Z0-9 \-]+$', ErrorMessage = 'The policy name can only contain alphanumeric, space and dash (-) characters.')] - [Parameter(Mandatory = $true, ParameterSetName = 'AllowNewApps', ValueFromPipelineByPropertyName = $true)] [Parameter(Mandatory = $true, ParameterSetName = 'MergeSupplementalPolicies', ValueFromPipelineByPropertyName = $true)] [System.String]$SuppPolicyName, @@ -22,8 +19,6 @@ Function Edit-WDACConfig { [Parameter(Mandatory = $true, ParameterSetName = 'MergeSupplementalPolicies', ValueFromPipelineByPropertyName = $true)] [System.IO.FileInfo[]]$SuppPolicyPaths, - [Parameter(Mandatory = $false, ParameterSetName = 'AllowNewApps')][switch]$BoostedSecurity, - [ArgumentCompleter([WDACConfig.ArgCompleter.XmlFilePathsPicker])] [ValidateScript({ if ([WDACConfig.PolicyFileSigningStatusDetection]::Check($_) -eq [WDACConfig.PolicyFileSigningStatusDetection+SigningStatus]::Signed) { 
@@ -35,35 +30,12 @@ Function Edit-WDACConfig { # Send $true to set it as valid if no errors were thrown before $true })] - [Parameter(Mandatory = $false, ParameterSetName = 'AllowNewApps', ValueFromPipelineByPropertyName = $true)] [Parameter(Mandatory = $false, ParameterSetName = 'MergeSupplementalPolicies', ValueFromPipelineByPropertyName = $true)] [System.IO.FileInfo]$PolicyPath, [Parameter(Mandatory = $false, ParameterSetName = 'MergeSupplementalPolicies')] [switch]$KeepOldSupplementalPolicies, - [ArgumentCompleter({ [WDACConfig.ScanLevelz]::New().GetValidValues() })] - [parameter(Mandatory = $false, ParameterSetName = 'AllowNewApps')] - [System.String]$Level = 'WHQLFilePublisher', - - [ArgumentCompleter({ [WDACConfig.ScanLevelz]::New().GetValidValues() })] - [parameter(Mandatory = $false, ParameterSetName = 'AllowNewApps')] - [System.String[]]$Fallbacks = ('FilePublisher', 'Hash'), - - [parameter(Mandatory = $false, ParameterSetName = 'AllowNewApps')] - [switch]$NoScript, - - [parameter(Mandatory = $false, ParameterSetName = 'AllowNewApps')] - [switch]$NoUserPEs, - - [ValidateSet('OriginalFileName', 'InternalName', 'FileDescription', 'ProductName', 'PackageFamilyName', 'FilePath')] - [parameter(Mandatory = $false, ParameterSetName = 'AllowNewApps')] - [System.String]$SpecificFileNameLevel, - - [ValidateRange(1024KB, 18014398509481983KB)] - [parameter(Mandatory = $false, ParameterSetName = 'AllowNewApps')] - [System.UInt64]$LogSize, - [ArgumentCompleter({ foreach ($Item in [WDACConfig.BasePolicyNamez]::New().GetValidValues()) { if ($Item.Contains(' ')) { 
@@ -102,7 +74,7 @@ Function Edit-WDACConfig { #Region User-Configurations-Processing-Validation # make sure the ParameterSet being used has PolicyPath parameter - Then enforces "mandatory" attribute for the parameter - if ($PSCmdlet.ParameterSetName -in 'AllowNewApps', 'MergeSupplementalPolicies') { + if ($PSCmdlet.ParameterSetName -in 'MergeSupplementalPolicies') { # If PolicyPath was not provided by user, check if a valid value exists in user configs, if so, use it, otherwise throw an error if (!$PolicyPath) { if ([System.IO.File]::Exists(([WDACConfig.UserConfiguration]::Get().UnsignedPolicyPath))) { @@ -130,15 +102,8 @@ Function Edit-WDACConfig { } } } - process { - try { - - if ($AllowNewApps) { - Write-Host -ForegroundColor Green -Object "This parameter's job has been completely added to the new AppControl Manager app. It offers a complete graphical user interface (GUI) for easy usage. Please refer to this GitHub page to see how to install and use it:`nhttps://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager" - } - if ($MergeSupplementalPolicies) { # The total number of the main steps for the progress bar to render 
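Review bot: `if ($PSCmdlet.ParameterSetName -in 'MergeSupplementalPolicies')` now compares against a single string, so `-in` reads as a leftover from the old two-set list and relies on PowerShell coercing the right-hand side to a one-element array; `if ($PSCmdlet.ParameterSetName -eq 'MergeSupplementalPolicies') {` states the intent directly. The enclosing Begin block starts and ends outside this hunk.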
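Review bot: This hunk deletes the `process {` and `try {` openers, but no hunk in this file's diff removes the matching closing braces (or the `catch`/`finally` that presumably followed the `try`), and the per-file diffstat of 61 changed lines is fully accounted for by the hunks shown here, which suggests the module now has two unmatched `}` and will fail to parse on import. Please confirm the edited file still parses, for example with `[System.Management.Automation.Language.Parser]::ParseFile($Path, [ref]$null, [ref]$Errors)` and checking `$Errors.Count -eq 0`, and if the intent was to fold the body into a single Begin block, add the corresponding deletions for the closers. Because the Hashes.csv entry for this file was regenerated in the same commit, an unparsable module would pass the integrity check while still failing to load. The rest of the function body lies outside the visible hunks.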
@@ -379,24 +344,10 @@ Function Edit-WDACConfig { This cmdlet offers various options for managing the deployed Application Control (WDAC) policies. .LINK https://github.com/HotCakeX/Harden-Windows-Security/wiki/Edit-WDACConfig -.PARAMETER AllowNewApps - While an unsigned WDAC policy is already deployed on the system, rebootlessly turn on Audit mode in it, which will allow you to install a new app that was otherwise getting blocked. - This parameter also scans the Code Integrity and AppLocker logs during the audit mode phase to detect the audited files. - It has the ability to detect and create rules for kernel-protected files, such as the main executables of the Xbox games. .PARAMETER MergeSupplementalPolicies Merges multiple deployed supplemental policies into 1 single supplemental policy, removes the old ones, deploys the new one. .PARAMETER UpdateBasePolicy It can rebootlessly change the type of the deployed base policy. -.PARAMETER Level - The level that determines how the selected folder will be scanned. - The default value for it is WHQLFilePublisher. -.PARAMETER Fallbacks - The fallback level(s) that determine how the selected folder will be scanned. - The default value for it is (FilePublisher, Hash). -.PARAMETER LogSize - The log size to set for Code Integrity/Operational event logs - The accepted values are between 1024 KB and 18014398509481983 KB - The max range is the maximum allowed log size by Windows Event viewer .PARAMETER SuppPolicyName The name of the Supplemental policy that will be created .PARAMETER PolicyPath 
@@ -405,14 +356,6 @@ Function Edit-WDACConfig {
 The path(s) to the Supplemental policy XML file(s) that will be used in the merge operation.
 .PARAMETER KeepOldSupplementalPolicies
 Keep the old Supplemental policies that are going to be merged into a single policy
-.PARAMETER NoScript
- If specified, scripts will not be scanned
-.PARAMETER BoostedSecurity
- If specified, reinforced rules will be created that offer pseudo-sandbox capabilities
-.PARAMETER NoUserPEs
- If specified, user mode binaries will not be scanned
-.PARAMETER SpecificFileNameLevel
- The more specific level that determines how the selected file will be scanned.
 .PARAMETER CurrentBasePolicyName
 The name of the currently deployed base policy that will be used
 .PARAMETER NewBasePolicyType
diff --git a/WDACConfig/WDACConfig Module Files/Core/Get-CIPolicySetting.psm1 b/WDACConfig/WDACConfig Module Files/Core/Get-CIPolicySetting.psm1
index 04b7f3636..14d0bc3b1 100644
--- a/WDACConfig/WDACConfig Module Files/Core/Get-CIPolicySetting.psm1
+++ b/WDACConfig/WDACConfig Module Files/Core/Get-CIPolicySetting.psm1
@@ -5,61 +5,5 @@ Function Get-CIPolicySetting { [Parameter(Mandatory = $true)][System.String]$Key, [Parameter(Mandatory = $true)][System.String]$ValueName ) - [WDACConfig.LoggerInitializer]::Initialize($VerbosePreference, $DebugPreference, $Host) - Update-WDACConfigPSModule -InvocationStatement $MyInvocation.Statement - [WDACConfig.GetCIPolicySetting]::Invoke($Provider, $Key, $ValueName) - <# -.SYNOPSIS - Gets the secure settings value from the deployed CI policies. - If there is a policy with the same provider, key and value then it returns the following details: - - Value = The actual value of the string - ValueType = The type of setting: WldpString, WldpInteger or WldpBoolean - ValueSize = the size of the returned value - Status = True/False depending on whether the setting exists on the system or not - StatusCode = 0 if the value exists on the system, non-zero if it doesn't. -.DESCRIPTION - Please use the following resources for more information - https://learn.microsoft.com/en-us/powershell/module/configci/set-cipolicysetting - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/understanding-appcontrol-policy-settings -.LINK - https://github.com/HotCakeX/Harden-Windows-Security/wiki/Get-CIPolicySetting -.INPUTS - System.String -.OUTPUTS - WDACConfig.SecurePolicySetting -.PARAMETER Provider - The provider of the secure setting -.PARAMETER Key - The key of the secure setting -.PARAMETER ValueName - The name of the secure setting -.EXAMPLE - Creating the secure settings in a Code Integrity policy - Set-CIPolicySetting -FilePath 'Policy.xml' -Provider 'WDACConfig' -ValueType 'Boolean' -Value '1' -ValueName 'IsUserModePolicy' -Key '{4a981f19-1f7f-4167-b4a6-915765e34fd6}' -.EXAMPLE - Creating the secure settings in a Code Integrity policy - Set-CIPolicySetting -FilePath 'Policy.xml' -Provider 'SomeProvider' -ValueType 'String' -Value 'HotCakeX' -ValueName 'Author' -Key 
'{495e96a3-f6e0-4e7e-bf48-e8b6085b824a}' -.EXAMPLE - Creating the secure settings in a Code Integrity policy - Set-CIPolicySetting -FilePath 'Policy.xml' -Provider 'Provider2' -ValueType 'DWord' -Value '66' -ValueName 'Role' -Key '{741b1fcf-e1ce-49e4-a274-5c367b46b00c}' -.EXAMPLE - Using the Get-CIPolicySetting cmdlet to query the secure strings among the deployed policies on the system. - Get-CIPolicySetting -Provider 'WDACConfig' -Key '{4a981f19-1f7f-4167-b4a6-915765e34fd6}' -ValueName 'IsUserModePolicy' -.EXAMPLE - Using the Get-CIPolicySetting cmdlet to query the secure strings among the deployed policies on the system. - Get-CIPolicySetting -Provider 'SomeProvider' -ValueName 'Author' -Key '{495e96a3-f6e0-4e7e-bf48-e8b6085b824a}' -.EXAMPLE - Using the Get-CIPolicySetting cmdlet to query the secure strings among the deployed policies on the system. - Get-CIPolicySetting -Provider 'Provider2' -ValueName 'Role' -Key '{741b1fcf-e1ce-49e4-a274-5c367b46b00c}' -.NOTES - Note-1 - Since these settings are secured by Secure Boot, in order to successfully query these settings, you might need to restart once after deploying the CI Policy on the system. - - Note-2 - DWord value is the same as integer or WldpInteger - - Note-3 - In order to set a Boolean value using the Set-CIPolicySetting cmdlet, you need to use 1 for True or 0 for False, that will create a valid policy XML file that is compliant with the CI Policy Schema. - #> + Write-Host -ForegroundColor Green -Object "This function's job has been completely added to the new AppControl Manager app. It offers a complete graphical user interface (GUI) for easy usage. Please refer to this GitHub page to see how to install and use it:`nhttps://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager" } \ No newline at end of file diff --git a/WDACConfig/WDACConfig Module Files/Core/Get-CiFileHashes.psm1 b/WDACConfig/WDACConfig Module Files/Core/Get-CiFileHashes.psm1 index 1bb5a44dd..e3a500af0 100644 
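Review bot: The new body keeps `$Provider`, `$Key` and `$ValueName` as `Mandatory = $true`, so a user who runs `Get-CIPolicySetting` without arguments is prompted for three values only to receive the redirect message, whereas the Get-CiFileHashes hunk below relaxes its parameter to `Mandatory = $false`; `[Parameter(Mandatory = $false)][System.String]$Provider,` (and the same for the other two) would make the stubs behave alike. The bigger issue for anyone scripting around this module is that the function used to return a `WDACConfig.SecurePolicySetting` and now returns nothing, while the notice goes to the host via `Write-Host`, so a non-interactive script that checks a deployed CI policy setting gets `$null` and no indication that the check did not run; the same applies to the Get-CiFileHashes and Get-CommonWDACConfig hunks below. Emitting the notice with `Write-Warning` (or a terminating error) would surface the redirect on a stream that automation can see. The function remains exported by the manifest hunk further down.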
--- a/WDACConfig/WDACConfig Module Files/Core/Get-CiFileHashes.psm1
+++ b/WDACConfig/WDACConfig Module Files/Core/Get-CiFileHashes.psm1
@@ -1,34 +1,6 @@ Function Get-CiFileHashes { - [CmdletBinding()] param ( - [ArgumentCompleter([WDACConfig.ArgCompleter.AnyFilePathsPicker])] - [Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)] - [System.IO.FileInfo]$FilePath + [Parameter(Mandatory = $false)][System.IO.FileInfo]$FilePath ) - [WDACConfig.LoggerInitializer]::Initialize($VerbosePreference, $DebugPreference, $Host) - Update-WDACConfigPSModule -InvocationStatement $MyInvocation.Statement - return [WDACConfig.CiFileHash]::GetCiFileHashes($FilePath) - <# -.SYNOPSIS - Calculates the Authenticode hash and first page hash of the PEs with SHA1 and SHA256 algorithms. - The hashes are compliant with the App Control for Business policy. - For more information please visit: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/select-types-of-rules-to-create#more-information-about-hashes -.LINK - https://github.com/HotCakeX/Harden-Windows-Security/wiki/Get-CiFileHashes -.PARAMETER Path - The path to the file for which the hashes are to be calculated. -.INPUTS - System.IO.FileInfo -.OUTPUTS - [WDACConfig.CodeIntegrityHashes] - - The output has the following properties - - SHA1Page: The SHA1 hash of the first page of the PE file. - - SHA256Page: The SHA256 hash of the first page of the PE file. - - SHA1Authenticode: The SHA1 hash of the Authenticode signature of the PE file. - - SHA256Authenticode: The SHA256 hash of the Authenticode signature of the PE file. -.NOTES - If the is non-conformant, the function will calculate the flat hash of the file using the specified hash algorithm - And return them as the Authenticode hashes. This is compliant with how the WDAC engine in Windows works. -#> + Write-Host -ForegroundColor Green -Object "This function's job has been completely added to the new AppControl Manager app. It offers a complete graphical user interface (GUI) for easy usage. 
Please refer to this GitHub page to see how to install and use it:`nhttps://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager" } \ No newline at end of file diff --git a/WDACConfig/WDACConfig Module Files/Core/Get-CommonWDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/Get-CommonWDACConfig.psm1 index e02288c86..ea0e1b7b3 100644 --- a/WDACConfig/WDACConfig Module Files/Core/Get-CommonWDACConfig.psm1 +++ b/WDACConfig/WDACConfig Module Files/Core/Get-CommonWDACConfig.psm1 @@ -1,12 +1,3 @@ Function Get-CommonWDACConfig { - [WDACConfig.LoggerInitializer]::Initialize($VerbosePreference, $DebugPreference, $Host) - [WDACConfig.UserConfiguration]::Get() - <# -.SYNOPSIS - Query and Read common values for parameters used by WDACConfig module -.LINK - https://github.com/HotCakeX/Harden-Windows-Security/wiki/Get-CommonWDACConfig -.DESCRIPTION - Reads and gets the values from the User Config JSON file. -#> + Write-Host -ForegroundColor Green -Object "This function's job has been completely added to the new AppControl Manager app. It offers a complete graphical user interface (GUI) for easy usage. Please refer to this GitHub page to see how to install and use it:`nhttps://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager" } \ No newline at end of file diff --git a/WDACConfig/WDACConfig Module Files/Core/New-SupplementalWDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/Core/New-SupplementalWDACConfig.psm1 index 3fed59d7f..659d0ee4e 100644 --- a/WDACConfig/WDACConfig Module Files/Core/New-SupplementalWDACConfig.psm1 +++ b/WDACConfig/WDACConfig Module Files/Core/New-SupplementalWDACConfig.psm1 
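Review bot: Dropping `[CmdletBinding()]` while keeping a `[Parameter(...)]` attribute changes nothing at runtime (the parameter attribute already makes this an advanced function), so the removal is a style inconsistency with New-SupplementalWDACConfig below, which keeps `[CmdletBinding(...)]`; keeping it makes the advanced-function behaviour explicit. Because `ValueFromPipeline` was dropped from `$FilePath`, piping `Get-ChildItem` output into the function should now fail parameter binding before the redirect message is ever shown, which is a rougher experience than the stub intends. `$FilePath` is now accepted and ignored; a one-line comment such as `# Parameter kept for call compatibility; hashing moved to AppControl Manager` would tell the next reader this is deliberate.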
@@ -1,34 +1,19 @@ Function New-SupplementalWDACConfig { [CmdletBinding( - DefaultParameterSetName = 'Normal', + DefaultParameterSetName = 'Folder Path With WildCards', PositionalBinding = $false, SupportsShouldProcess = $true, ConfirmImpact = 'High' )] Param( - [Alias('N')][Parameter(Mandatory = $false, ParameterSetName = 'Normal')][switch]$Normal, [Alias('W')][Parameter(Mandatory = $false, ParameterSetName = 'Folder Path With WildCards')][switch]$PathWildCards, [Alias('P')][parameter(mandatory = $false, ParameterSetName = 'Installed AppXPackages')][switch]$InstalledAppXPackages, - [Alias('C')][Parameter(Mandatory = $false, ParameterSetName = 'Certificate')][switch]$Certificates, - - [parameter(Mandatory = $true, ParameterSetName = 'Installed AppXPackages', ValueFromPipelineByPropertyName = $true)] - [System.String]$PackageName, - - [ArgumentCompleter([WDACConfig.ArgCompleter.FolderPicker])] - [ValidateScript({ [System.IO.Directory]::Exists($_) }, ErrorMessage = 'The path you selected is not a folder path.')] - [parameter(Mandatory = $true, ParameterSetName = 'Normal', ValueFromPipelineByPropertyName = $true)] - [System.IO.DirectoryInfo]$ScanLocation, - + [parameter(Mandatory = $true, ParameterSetName = 'Installed AppXPackages')][System.String]$PackageName, [ArgumentCompleter([WDACConfig.ArgCompleter.FolderPickerWithWildcard])] [ValidatePattern('\*', ErrorMessage = 'You did not supply a path that contains wildcard character (*) .')] [parameter(Mandatory = $true, ParameterSetName = 'Folder Path With WildCards', ValueFromPipelineByPropertyName = $true)] [System.IO.DirectoryInfo]$FolderPath, - [ArgumentCompleter([WDACConfig.ArgCompleter.MultipleCerFilePicker])] - [ValidateScript({ [System.IO.File]::Exists($_) }, ErrorMessage = 'The path you selected is not a file path.')] - [parameter(Mandatory = $true, ParameterSetName = 'Certificate', ValueFromPipelineByPropertyName = $true)] - [System.IO.FileInfo[]]$CertificatePaths, - [ValidateCount(1, 232)] 
[ValidatePattern('^[a-zA-Z0-9 \-]+$', ErrorMessage = 'The policy name can only contain alphanumeric, space and dash (-) characters.')] [parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] @@ -40,29 +25,7 @@ Function New-SupplementalWDACConfig { [System.IO.FileInfo]$PolicyPath, [parameter(Mandatory = $false)][switch]$Deploy, - - [ValidateSet('OriginalFileName', 'InternalName', 'FileDescription', 'ProductName', 'PackageFamilyName', 'FilePath')] - [Parameter(Mandatory = $false, ParameterSetName = 'Normal')] - [System.String]$SpecificFileNameLevel, - - [Parameter(Mandatory = $false, ParameterSetName = 'Normal')][switch]$NoUserPEs, - - [Parameter(Mandatory = $false, ParameterSetName = 'Normal')][switch]$NoScript, - - [ArgumentCompleter({ [WDACConfig.ScanLevelz]::New().GetValidValues() })] - [parameter(Mandatory = $false, ParameterSetName = 'Normal')] - [System.String]$Level = 'WHQLFilePublisher', - - [ArgumentCompleter({ [WDACConfig.ScanLevelz]::New().GetValidValues() })] - [parameter(Mandatory = $false, ParameterSetName = 'Normal')] - [System.String[]]$Fallbacks = ('FilePublisher', 'Hash'), - - [Parameter(Mandatory = $false, ParameterSetName = 'Installed AppXPackages')] - [switch]$Force, - - [ValidateSet('UserMode', 'KernelMode')] - [parameter(Mandatory = $false, ParameterSetName = 'Certificate')] - [System.String]$SigningScenario = 'UserMode' + [Parameter(Mandatory = $false, ParameterSetName = 'Installed AppXPackages')][switch]$Force ) Begin { [WDACConfig.LoggerInitializer]::Initialize($VerbosePreference, $DebugPreference, $Host) 
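Review bot: `DefaultParameterSetName = 'Folder Path With WildCards'` lets a call with `-FolderPath`, `-SuppPolicyName` and `-PolicyPath` but without the `-PathWildCards` switch bind successfully, yet the process block still dispatches on `if ($PSBoundParameters['PathWildCards'])` (visible in a later hunk), so as far as the visible hunks show such a call passes validation and then takes no branch; `if ($PSCmdlet.ParameterSetName -eq 'Folder Path With WildCards') {` closes that gap. The same mismatch existed with the old 'Normal' default, so this is pre-existing, but the commit moves it to a different set. The rewritten `$PackageName` line also drops `ValueFromPipelineByPropertyName = $true` while `$FolderPath` and `$SuppPolicyName` keep it; if that is intentional a short comment would help, otherwise restore it. The Param block continues into the next hunk.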
@@ -112,62 +75,6 @@ Function New-SupplementalWDACConfig { process { try { - - if ($PSBoundParameters['Normal']) { - - # The total number of the main steps for the progress bar to render - $TotalSteps = $Deploy ? 3us : 2us - $CurrentStep = 0us - - $CurrentStep++ - Write-Progress -Id 19 -Activity 'Processing user selected folders' -Status "Step $CurrentStep/$TotalSteps" -PercentComplete ($CurrentStep / $TotalSteps * 100) - - [WDACConfig.Logger]::Write('Processing Program Folder From User input') - # Creating a hash table to dynamically add parameters based on user input and pass them to New-Cipolicy cmdlet - [System.Collections.Hashtable]$PolicyMakerHashTable = @{ - FilePath = $FinalSupplementalPath - ScanPath = $ScanLocation - Level = $Level - Fallback = $Fallbacks - MultiplePolicyFormat = $true - UserWriteablePaths = $true - AllowFileNameFallbacks = $true - } - # Assess user input parameters and add the required parameters to the hash table - if ($SpecificFileNameLevel) { $PolicyMakerHashTable['SpecificFileNameLevel'] = $SpecificFileNameLevel } - if ($NoScript) { $PolicyMakerHashTable['NoScript'] = $true } - if (!$NoUserPEs) { $PolicyMakerHashTable['UserPEs'] = $true } - - Write-ColorfulTextWDACConfig -Color HotPink -InputText 'Generating Supplemental policy with the following specifications:' - $PolicyMakerHashTable - Write-Host -Object '' - - # Create the supplemental policy via parameter splatting - New-CIPolicy @PolicyMakerHashTable - - $CurrentStep++ - Write-Progress -Id 19 -Activity 'Configuring the Supplemental policy' -Status "Step $CurrentStep/$TotalSteps" -PercentComplete ($CurrentStep / $TotalSteps * 100) - - [WDACConfig.Logger]::Write('Changing the policy type from base to Supplemental, assigning its name and resetting its policy ID') - $null = [WDACConfig.SetCiPolicyInfo]::Set($FinalSupplementalPath, $true, "$SuppPolicyName - $(Get-Date -Format 'MM-dd-yyyy')", $null, $PolicyPath) - - [WDACConfig.SetCiPolicyInfo]::Set($FinalSupplementalPath, 
([version]'1.0.0.0')) - - [WDACConfig.CiRuleOptions]::Set($FinalSupplementalPath, [WDACConfig.CiRuleOptions+PolicyTemplate]::Supplemental, $null, $null, $null, $null, $null, $null, $null, $null, $null) - - [WDACConfig.Logger]::Write('Converting the Supplemental policy XML file to a CIP file') - $null = ConvertFrom-CIPolicy -XmlFilePath $FinalSupplementalPath -BinaryFilePath $FinalSupplementalCIPPath - - if ($Deploy) { - $CurrentStep++ - Write-Progress -Id 19 -Activity 'Deploying the Supplemental policy' -Status "Step $CurrentStep/$TotalSteps" -PercentComplete ($CurrentStep / $TotalSteps * 100) - - [WDACConfig.CiToolHelper]::UpdatePolicy($FinalSupplementalCIPPath) - Write-ColorfulTextWDACConfig -Color Pink -InputText "A Supplemental policy with the name '$SuppPolicyName' has been deployed." - } - Write-Progress -Id 19 -Activity 'Complete.' -Completed - } - if ($PSBoundParameters['PathWildCards']) { # The total number of the main steps for the progress bar to render @@ -203,7 +110,6 @@ Function New-SupplementalWDACConfig { } Write-Progress -Id 20 -Activity 'Complete.' -Completed } - if ($PSBoundParameters['InstalledAppXPackages']) { try { # The total number of the main steps for the progress bar to render 
@@ -287,71 +193,6 @@ Function New-SupplementalWDACConfig { Write-Progress -Id 21 -Activity 'Complete.' -Completed } } - - if ($PSBoundParameters['Certificates']) { - - # The total number of the main steps for the progress bar to render - $TotalSteps = $Deploy ? 5us : 4us - $CurrentStep = 0us - - $CurrentStep++ - Write-Progress -Id 33 -Activity 'Preparing the policy template' -Status "Step $CurrentStep/$TotalSteps" -PercentComplete ($CurrentStep / $TotalSteps * 100) - - [WDACConfig.Logger]::Write('Copying the template policy to the staging area') - Copy-Item -LiteralPath 'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml' -Destination $FinalSupplementalPath -Force - - [WDACConfig.Logger]::Write('Emptying the policy file in preparation for the new data insertion') - [WDACConfig.ClearCiPolicySemantic]::Clear($FinalSupplementalPath) - - $CurrentStep++ - Write-Progress -Id 33 -Activity 'Extracting details from the selected certificate files' -Status "Step $CurrentStep/$TotalSteps" -PercentComplete ($CurrentStep / $TotalSteps * 100) - - # a variable to hold the output signer data - $OutputSignerData = New-Object -TypeName System.Collections.Generic.List[WDACConfig.CertificateSignerCreator] - - foreach ($CertPath in $CertificatePaths) { - - # Create a certificate object from the .cer file - [System.Security.Cryptography.X509Certificates.X509Certificate2]$SignedFileSigDetails = [System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromSignedFile($CertPath) - - # Create rule for the certificate based on the first element in its chain - $OutputSignerData.Add([WDACConfig.CertificateSignerCreator]::New( - [WDACConfig.CertificateHelper]::GetTBSCertificate($SignedFileSigDetails), - ([WDACConfig.CryptoAPI]::GetNameString($SignedFileSigDetails.Handle, [WDACConfig.CryptoAPI]::CERT_NAME_SIMPLE_DISPLAY_TYPE, $null, $false)), - ($SigningScenario -eq 'UserMode' ? 
'1' : '0') - )) - } - - $CurrentStep++ - Write-Progress -Id 33 -Activity 'Generating signer rules' -Status "Step $CurrentStep/$TotalSteps" -PercentComplete ($CurrentStep / $TotalSteps * 100) - - if ($null -ne $OutputSignerData -and $OutputSignerData.count -gt 0) { - [WDACConfig.NewCertificateSignerRules]::Create($FinalSupplementalPath, $OutputSignerData) - } - - $CurrentStep++ - Write-Progress -Id 33 -Activity 'Finalizing the Supplemental policy' -Status "Step $CurrentStep/$TotalSteps" -PercentComplete ($CurrentStep / $TotalSteps * 100) - - [WDACConfig.Logger]::Write('Converting the policy type from base to Supplemental, assigning its name and resetting its policy ID') - $null = [WDACConfig.SetCiPolicyInfo]::Set($FinalSupplementalPath, $true, "$SuppPolicyName - $(Get-Date -Format 'MM-dd-yyyy')", $null, $PolicyPath) - - [WDACConfig.SetCiPolicyInfo]::Set($FinalSupplementalPath, ([version]'1.0.0.0')) - - [WDACConfig.CiRuleOptions]::Set($FinalSupplementalPath, [WDACConfig.CiRuleOptions+PolicyTemplate]::Supplemental, $null, $null, $null, $null, $null, $null, $null, $null, $null) - - [WDACConfig.Logger]::Write('Converting the Supplemental policy XML file to a CIP file') - $null = ConvertFrom-CIPolicy -XmlFilePath $FinalSupplementalPath -BinaryFilePath $FinalSupplementalCIPPath - - if ($Deploy) { - $CurrentStep++ - Write-Progress -Id 33 -Activity 'Deploying the Supplemental policy' -Status "Step $CurrentStep/$TotalSteps" -PercentComplete ($CurrentStep / $TotalSteps * 100) - - [WDACConfig.CiToolHelper]::UpdatePolicy($FinalSupplementalCIPPath) - Write-ColorfulTextWDACConfig -Color Pink -InputText "A Supplemental policy with the name '$SuppPolicyName' has been deployed." - } - - Write-Progress -Id 33 -Activity 'Complete.' -Completed - } } Catch { $NoCopy = $true 
@@ -399,34 +240,13 @@ Function New-SupplementalWDACConfig { .PARAMETER SuppPolicyName Add a descriptive name for the Supplemental policy. Accepts only alphanumeric and space characters. It is used by the entire Cmdlet. -.PARAMETER Certificates - Make a Supplemental policy based on a certificate. - If you select a root CA certificate, it will generate Signer rules based on RootCertificate level which contains TBS Hash only. - If you select a non-root CA certificate such as Leaf Certificate or Intermediate certificate, it will generate Signer rules based on LeafCertificate level which contains TBS Hash as well as the subject name of the selected certificate. .PARAMETER PolicyPath Browse for the xml file of the Base policy this Supplemental policy is going to expand. Supports file picker GUI by showing only .xml files. Press tab to open the GUI. It is used by the entire Cmdlet. -.PARAMETER CertificatePaths - Browse for the certificate file(s) that you want to use to create the Supplemental policy. Supports file picker GUI by showing only .cer files. -.PARAMETER SigningScenario - You can choose one of the following options: "UserMode", "KernelMode" - It is available only when creating Supplemental policy based on certificates. .PARAMETER Deploy Indicates that the module will automatically deploy the Supplemental policy after creation. It is used by the entire Cmdlet. -.PARAMETER SpecificFileNameLevel - You can choose one of the following options: "OriginalFileName", "InternalName", "FileDescription", "ProductName", "PackageFamilyName", "FilePath" -.PARAMETER NoUserPEs - By default the module includes user PEs in the scan, but when you use this switch parameter, they won't be included. -.PARAMETER NoScript - Refer to this page for more info: https://learn.microsoft.com/en-us/powershell/module/configci/new-cipolicy#-noscript -.PARAMETER Level - The level that determines how the selected folder will be scanned. - The default value for it is FilePublisher. 
-.PARAMETER Fallbacks - The fallback level(s) that determine how the selected folder will be scanned. - The default value for it is Hash. .PARAMETER Force It's used by the entire Cmdlet. Indicates that the confirmation prompts will be bypassed. .INPUTS @@ -438,13 +258,5 @@ Function New-SupplementalWDACConfig { System.Management.Automation.SwitchParameter .OUTPUTS System.String -.EXAMPLE - New-SupplementalWDACConfig -Normal -SuppPolicyName 'MyPolicy' -PolicyPath 'C:\MyPolicy.xml' -ScanLocation 'C:\Program Files\MyApp' -Deploy - - This example will create a Supplemental policy named MyPolicy based on the Base policy located at C:\MyPolicy.xml and will scan the 'C:\Program Files\MyApp' folder for files that will be allowed to run by the Supplemental policy. -.EXAMPLE - New-SupplementalWDACConfig -Certificates -CertificatePaths "certificate 1 .cer", "certificate 2 .cer" -Verbose -SuppPolicyName 'certs' -PolicyPath "C:\Program Files\WDACConfig\DefaultWindowsPlusBlockRules.xml" - - This example will create a Supplemental policy named certs based on the certificates located at "certificate 1 .cer" and "certificate 2 .cer" and the Base policy located at "C:\Program Files\WDACConfig\DefaultWindowsPlusBlockRules.xml". #> } \ No newline at end of file diff --git a/WDACConfig/WDACConfig Module Files/WDACConfig.psd1 b/WDACConfig/WDACConfig Module Files/WDACConfig.psd1 index e40687c4d..579f6acd7 100644 --- a/WDACConfig/WDACConfig Module Files/WDACConfig.psd1 +++ b/WDACConfig/WDACConfig Module Files/WDACConfig.psd1 @@ -2,7 +2,7 @@ # https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_module_manifests RootModule = 'WDACConfig.psm1' - ModuleVersion = '0.4.9' + ModuleVersion = '0.5.0' CompatiblePSEditions = @('Core') GUID = '79920947-efb5-48c1-a567-5b02ebe74793' Author = 'HotCakeX' 
@@ -18,6 +18,7 @@ 🟢This module is being transitioned to AppControl Manager application which is a modern GUI-based MSIX-packaged open-source Windows application. Check it out here: https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager +🩷 AppControl Manager is very high performance and offers a lot of new features and improvements. Please see the GitHub page for Full details and everything about the module: https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDACConfig @@ -51,12 +52,8 @@ Please see the GitHub page for Full details and everything about the module: htt ✔️ Assert-WDACConfigIntegrity: https://github.com/HotCakeX/Harden-Windows-Security/wiki/Assert-WDACConfigIntegrity -✔️ Build-WDACCertificate: https://github.com/HotCakeX/Harden-Windows-Security/wiki/Build-WDACCertificate - ✔️ Test-CiPolicy: https://github.com/HotCakeX/Harden-Windows-Security/wiki/Test-CiPolicy -✔️ Get-CiFileHashes: https://github.com/HotCakeX/Harden-Windows-Security/wiki/Get-CiFileHashes - ✔️ Get-CIPolicySetting: https://github.com/HotCakeX/Harden-Windows-Security/wiki/Get-CIPolicySetting '@ @@ -77,7 +74,6 @@ Please see the GitHub page for Full details and everything about the module: htt 'Core\Assert-WDACConfigIntegrity.psm1', 'Core\Build-WDACCertificate.psm1', 'Core\Test-CiPolicy.psm1', - 'Core\ConvertTo-WDACPolicy.psm1', 'Core\Get-CiFileHashes.psm1', 'Core\Get-CIPolicySetting.psm1') @@ -97,7 +93,6 @@ Please see the GitHub page for Full details and everything about the module: htt 'Assert-WDACConfigIntegrity', 'Build-WDACCertificate', 'Test-CiPolicy', - 'ConvertTo-WDACPolicy', 'Get-CiFileHashes', 'Get-CIPolicySetting', 'Update-WDACConfigPSModule') diff --git a/WDACConfig/version.txt b/WDACConfig/version.txt index 5cd642877..79a2734bb 100644 --- a/WDACConfig/version.txt +++ b/WDACConfig/version.txt @@ -1 +1 @@ -0.4.9 \ No newline at end of file +0.5.0 \ No newline at end of file
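Review bot: The description hunk (`@@ -51,12 +52,8`) drops the Build-WDACCertificate and Get-CiFileHashes entries but keeps `✔️ Get-CIPolicySetting: …`, even though the Get-CIPolicySetting hunk above turns that function into the same redirect stub; either remove that entry too or mark all three as redirected so the manifest text matches what the exported functions do. `FunctionsToExport` and the nested-module list still export Build-WDACCertificate, Get-CiFileHashes and Get-CIPolicySetting, which keeps old calls from failing but means `Get-Command -Module WDACConfig` continues to advertise them as working commands; a comment next to those entries, e.g. `# Kept as redirect stubs to AppControl Manager since v0.5.0`, would document that.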