HotCakeX / Harden-Windows-Security

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
https://hotcakex.github.io
MIT License

[Bug]: Some events in AppLocker EXE & MSI (e.g. .tmp) not detected as part of -Source LocalEventLogs #394

Open zygmuntszpak opened 1 week ago

zygmuntszpak commented 1 week ago

Tools category

WDACConfig Module

Does Your System Meet The Requirements?

Is your Windows Installation Genuine?

Did You Read The Frequently Asked Questions?

Please Explain The Bug

I have created a DefaultWindowsAudit policy and deployed it via intune.

I'm trying to whitelist Adobe Standard PDF Reader by running the setup.exe as per the installation instructions.

Upon installing and launching the program, I attempt to create a whitelist using

ConvertTo-WDACPolicy -BasePolicyFile "C:\Program Files\WDACConfig\DefaultWindowsAudit.xml" -Source LocalEventLogs -SuppPolicyName "Adobe Reader" -Level FilePublisher

which detects and parses the following log events.

(Screenshot 2024-11-05 161227, image not included)

However, when parsing the log events with the App Control Wizard I noticed that other events were detected, associated with AppLocker MSI and Script Events, which were not detected by the ConvertTo-WDACPolicy cmdlet. For example, there are numerous .tmp files which are related to something called ADelRPC.dll

(Screenshot 2024-11-05 161930, image not included)

If I only select the events detected by ConvertTo-WDACPolicy then the whitelist appears to be incomplete. Specifically, after selecting all of these events, I uninstall Adobe, switch to enforcing DefaultWindows and attempt to install the Adobe Reader again, only to find that it fails. Some of the DLLs in the .tmp files are blocked during installation as part of AppLocker MSI and Script Events, and if I run ConvertTo-WDACPolicy with PolicyAddTo it still doesn't detect them.

I can confirm this DLL is not detected in the logs:

(Screenshot 2024-11-05 161915, image not included)

I presume this is a bug?

Many thanks for this excellent package.

Error Details

No response

HotCakeX commented 1 week ago

Hi, thanks for making such a detailed report. It seems like a bug, I will check what's happening and fix it.

I'm currently in the process of adding this feature, ConvertTo-WDACConfig, plus Edit-WDACConfig + Edit-SignedWDACConfig to the new AppControl Manager app. The features that will be added to the app will have different logic, which will fix this bug as well.

It's going to take approximately ~2 weeks, maybe less, before I can release a new version of the WDACConfig module and AppControl Manager.

HotCakeX commented 1 week ago

@zygmuntszpak

After having another look at the code, I think I found out why you couldn't see those logs. I think it's because those temp files are deleted after installation and are not included in the result. There is however an option you can try. First export the Code Integrity or AppLocker logs from Event Viewer to an .evtx file and then use this syntax:

ConvertTo-WDACPolicy -Source EVTXFiles -EVTXLogs "Path To .evtx files"

It should show you everything. Just a temporary workaround.
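The workaround above, as an added example that is not part of the WDACConfig project or HotCakeX's own instructions: export the three event channels the module reads (Code Integrity, AppLocker EXE and DLL, AppLocker MSI and Script) with wevtutil, list the .tmp paths in those events that no longer exist on disk (the installer temp files the comment above says get dropped), and then feed the .evtx files to ConvertTo-WDACPolicy. The output folder, the assumption that -EVTXLogs accepts an array of paths, the %OSDRIVE% normalisation and the .tmp regex are my assumptions; the -BasePolicyFile, -SuppPolicyName and -Level values are the ones from the original report. Run it from an elevated PowerShell, since the Code Integrity and AppLocker operational logs need administrator rights to read.

```powershell
# Added example, not WDACConfig project code. Assumed output folder for the exports.
$OutDir = Join-Path $env:USERPROFILE 'Desktop\CI-Logs'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Event channels that carry WDAC audit/block events and AppLocker events.
$Channels = @{
    'CodeIntegrity' = 'Microsoft-Windows-CodeIntegrity/Operational'
    'AppLockerEXE'  = 'Microsoft-Windows-AppLocker/EXE and DLL'
    'AppLockerMSI'  = 'Microsoft-Windows-AppLocker/MSI and Script'
}

# Export each channel to its own .evtx file (/ow:true overwrites an older export).
foreach ($Name in $Channels.Keys) {
    $Target = Join-Path $OutDir "$Name.evtx"
    wevtutil epl $Channels[$Name] $Target /ow:true
    if ($LASTEXITCODE -ne 0) { throw "wevtutil failed for $($Channels[$Name])" }
}

# Collect every .tmp path mentioned in the exported events. The regex and the
# %OSDRIVE% replacement are assumptions about how the paths appear in the message text;
# Code Integrity events may use \Device\HarddiskVolumeN\ paths, which Test-Path cannot
# resolve, so those are reported as-is rather than checked for existence.
$TmpPaths = foreach ($Name in $Channels.Keys) {
    Get-WinEvent -Path (Join-Path $OutDir "$Name.evtx") -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -and $_.Message -match '(?i)([^\s"]+\.tmp)') {
                $Matches[1] -replace '%OSDRIVE%', $env:SystemDrive
            }
        }
}

$Missing = $TmpPaths | Sort-Object -Unique | Where-Object {
    $_ -like '\Device\*' -or -not (Test-Path -LiteralPath $_)
}
Write-Host "Logged .tmp files that are no longer present on disk (or unresolvable):"
$Missing

# Build the supplemental policy from the exported files instead of the live logs,
# so the deleted temp files are still included. Array input to -EVTXLogs is assumed.
$EvtxFiles = (Get-ChildItem -Path $OutDir -Filter '*.evtx').FullName
ConvertTo-WDACPolicy -Source EVTXFiles -EVTXLogs $EvtxFiles `
    -BasePolicyFile 'C:\Program Files\WDACConfig\DefaultWindowsAudit.xml' `
    -SuppPolicyName 'Adobe Reader' -Level FilePublisher
```

If the listed .tmp paths are all gone, that confirms the explanation in the comment above: the live-log path of the cmdlet skips files it can no longer find on disk, while the exported .evtx files still carry the original publisher information the FilePublisher level needs.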

zygmuntszpak commented 6 days ago

Thank you very much. You are right, when I load the EVTXLogs explicitly it correctly detects the .tmp files. Regarding the new App Control Manager app, will it still support the creation of policies without automatic deployment? My use case is built around Intune and, from what I understood from reading a previous issue, it is best not to mix how policies are deployed but to consistently use Intune.

HotCakeX commented 3 days ago

@zygmuntszpak my pleasure!

Of course, it will definitely have deployment as an optional feature; using it for Intune or remote systems in general is one of the main focus points. After this new update is released, you can try it out and give me more feedback so I can improve it to meet your other needs.