Reputation: 11
Does anyone know of a way to create a Windows Defender Application Control (WDAC) rule without a reference file? We have a situation where remote users, on laptops, sometimes need to run executables that are blocked by WDAC. Once we review the executable, the next step is adding it to a WDAC policy; however, both the WDAC wizard and the PowerShell commands require a reference file for publisher and hash. We have the publisher and hash (SHA256) values from the event log but not the actual file.
We want to avoid WDAC rules based on filename, and the path rule only works for EXEs, not MSI, DLL, MSP, etc.
Thanks in advance
Upvotes: 1
Views: 1334
Reputation: 679
Yes, Event viewer logs contain everything you need to create a WDAC policy and then you can either merge it with your base policy or deploy it as a supplemental policy.
There are 4 types of hashes in each log entry in the Microsoft-Windows-CodeIntegrity/Operational event log category, ID = 3076.
They allow you to create WDAC rules and a policy for files that no longer exist.
But you need to be aware that the default log size is 1 MB and after that new logs will overwrite the old ones, so assuming they still exist or you increased the default log size, you can scan that remote machine's event logs or collect their logs, import them to a new clean VM and then make a WDAC policy based on them.
There are PowerShell cmdlets that can be used to do it, but I've created an app for automation:
You can use this feature of it to create a new supplemental policy by scanning audit event logs of that specific category.
You're right to avoid FilePath rules as they are not as secure as others such as Hash, SignedVersion, FilePublisher etc.
I also suggest taking a clean VM, preparing it for audit log collection, installing the executable that you want your remote users/employees to be allowed to install on it, running it and using it a bit so that all of its components get executed and event logs created for them, then uninstalling it. This way you create event log entries for every file in that program and your remote users can install/run/uninstall the program.
More Windows Defender Application Control (WDAC) resources on my GitHub:
https://github.com/HotCakeX/Harden-Windows-Security/wiki/Introduction
Upvotes: 1
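The PowerShell route the answer mentions, as an added example that is not code from the answer or from the linked project: it triages the CodeIntegrity events and then builds a supplemental policy from the log with the built-in ConfigCI cmdlets, so no copy of the binary is needed. Paths, the policy name and the event field names are assumptions; run the `New-CIPolicy` step on the machine that actually holds the events (the laptop, or the clean VM the exported log was imported into).

```powershell
# Added example. Event 3076 = audit-mode "would have been blocked",
# 3077 = enforced-mode block (both in the CodeIntegrity Operational log).
$log = 'Microsoft-Windows-CodeIntegrity/Operational'

# 1. Triage: list what WDAC reported, with the SHA256 the event carries.
#    Field names below are as they appear in the event XML (assumption:
#    check one event with (Get-WinEvent ...).ToXml() on your build).
#    For an exported log use: Get-WinEvent -Path .\CodeIntegrity.evtx
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 3076, 3077 } `
                       -ErrorAction SilentlyContinue
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        File    = $d['File Name']
        Process = $d['Process Name']
        SHA256  = $d['SHA256 Hash']
    }
}
$rows | Sort-Object Time | Format-Table -AutoSize

# 2. Build a supplemental policy straight from the audit events.
#    -Audit reads the CodeIntegrity log instead of scanning files on disk.
#    -Level FilePublisher prefers signer rules (no path or filename rules);
#    -Fallback Hash uses the hash recorded in the log for unsigned files.
$xml = 'C:\WDAC\Supplemental_Reviewed.xml'          # placeholder path
New-CIPolicy -FilePath $xml -Audit -Level FilePublisher -Fallback Hash `
             -UserPEs -MultiplePolicyFormat

# 3. Link it to the existing base policy (placeholder path) and compile
#    it to the binary format the client consumes.
Set-CIPolicyIdInfo -FilePath $xml -PolicyName 'Reviewed remote-user apps' `
                   -BasePolicyToSupplementPath 'C:\WDAC\BasePolicy.xml'
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath 'C:\WDAC\Supplemental_Reviewed.cip'
```

Review the triage table before step 2: `-Audit` turns every event in the log into an allow rule, so anything you did not intend to approve should be cleared from the log, or removed from the generated XML, before the policy is compiled.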