Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
Microsoft Defender for Endpoint - Advanced Hunting
You can now use the WDACConfig module to convert Microsoft Defender for Endpoint (MDE) Advanced Hunting query results directly into an Application Control (WDAC) policy in a matter of seconds, with high precision and performance.
Demo Video
The systematic approach to converting the query results to WDAC policy is as follows:
If a file is unsigned then a hash rule will be created for it.
If a file is signed then there are multiple possibilities:
If the file is signed and the MDE AH results contain the file's version as well as at least one of the following file attributes (Original Name, Internal Name, Description, Product Name), then a File Publisher rule will be created for it.
If the file is signed but those file attributes are not present in the results, a Publisher level rule will be created for it.
These levels are selected based on their security. You can read more about the security comparison of the levels in this article.
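The three cases above amount to a small decision procedure. The following PowerShell is an added illustration of that procedure, not code from the WDACConfig module; the column names it reads (IsSigned, FileVersion, OriginalFileName, InternalName, FileDescription, ProductName) are assumptions chosen for the example rather than the real Advanced Hunting schema, and the sample rows and hash values are constructed placeholders.

```powershell
# Added example (not WDACConfig's own code). Maps one MDE Advanced Hunting
# result row to the WDAC rule level described above:
#   unsigned                                  -> Hash
#   signed + version + >=1 file attribute     -> FilePublisher
#   signed, attributes missing                -> Publisher
# Column names below are assumptions for illustration only.
function Get-WdacRuleLevel {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [pscustomobject] $Row
    )

    # An unsigned file can only be identified by its hash.
    if (-not $Row.IsSigned) { return 'Hash' }

    # FilePublisher needs the file version plus at least one of the four
    # attributes: Original Name, Internal Name, Description, Product Name.
    $hasVersion = -not [string]::IsNullOrWhiteSpace($Row.FileVersion)
    $attributes = @($Row.OriginalFileName, $Row.InternalName, $Row.FileDescription, $Row.ProductName)
    $hasAttribute = [bool]($attributes | Where-Object { -not [string]::IsNullOrWhiteSpace($_) })

    if ($hasVersion -and $hasAttribute) { return 'FilePublisher' }

    # Signed, but no usable attributes: fall back to the Publisher level.
    return 'Publisher'
}

# Constructed sample rows standing in for Advanced Hunting output.
$sampleRows = @(
    [pscustomobject]@{ FileName = 'unsigned-tool.exe'; SHA256 = '<constructed-hash-1>'; IsSigned = $false
                       FileVersion = $null; OriginalFileName = $null; InternalName = $null
                       FileDescription = $null; ProductName = $null }
    [pscustomobject]@{ FileName = 'vendor-app.exe';    SHA256 = '<constructed-hash-2>'; IsSigned = $true
                       FileVersion = '1.2.3.4'; OriginalFileName = 'vendor-app.exe'; InternalName = $null
                       FileDescription = 'Vendor App'; ProductName = $null }
    [pscustomobject]@{ FileName = 'bare-signed.dll';   SHA256 = '<constructed-hash-3>'; IsSigned = $true
                       FileVersion = '2.0.0.0'; OriginalFileName = $null; InternalName = $null
                       FileDescription = $null; ProductName = $null }
)

# Expected: Hash, FilePublisher, Publisher (in that order).
$sampleRows | ForEach-Object {
    [pscustomobject]@{
        FileName  = $_.FileName
        RuleLevel = Get-WdacRuleLevel -Row $_
    }
} | Format-Table -AutoSize
```

The third row shows the fallback case: the file is signed and has a version, but none of the four attributes, so a FilePublisher rule cannot be formed and the procedure drops to the Publisher level rather than to a hash.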
Simple Yet Comprehensive
What WDACConfig requires for MDE Advanced Hunting
```kusto
DeviceEvents
| where ActionType startswith "AppControlCodeIntegrity"
    or ActionType startswith "AppControlCIScriptBlocked"
    or ActionType startswith "AppControlCIScriptAudited"
```
As you can see, the WDACConfig module contains all of the required logic itself, so it can apply the stronger rule levels, notably FilePublisher, to files. It uses all of the information available in the query results to build the most precise rule possible for each individual file.
Comparison
| Supported Features | WDACConfig | WDAC Wizard |
|---|---|---|
| Log types | Code Integrity + AppLocker | Code Integrity |
| Generated Rules | File Publisher, Publisher, Leaf Certificate, Hash | Publisher, Hash |
| Requires Custom CSV Formatting | No - Accepts RAW data | Yes |
| Required Query Size | Small | Large |
Other Changes
Significantly improved the performance when parsing the Code Integrity related event logs.
In addition to the Code Integrity logs, AppLocker logs are now also processed by the WDACConfig module. This allows it to capture and create rules for blocked/audited MSI files as well.
Bumped the required PowerShell version from 7.4.1 to 7.4.2 because it has WDAC-related improvements.