WDACConfig v0.3.9
What's New
TL;DR
This update mainly focuses on improving the speed of the operations while increasing the accuracy wherever possible.
- Almost all parts of the WDACConfig module are now faster and perform better.
- A new cmdlet has been added, offering more functionality.
- A GUI is offered in more places, especially when using the Edit-WDACConfig and Edit-SignedWDACConfig cmdlets.
Detailed Release Note
- Policy rule option modifications are now completely internalized and no longer use the built-in cmdlets. This change results in much faster policy creation.
- New cmdlet: Set-CiRuleOptions. Consider it an improved version of the built-in cmdlet Set-RuleOption. The new cmdlet offers more features and improvements, such as removing and adding rule options at the same time, in bulk.
- The Edit-WDACConfig and Edit-SignedWDACConfig cmdlets, when the -AllowNewAppsAuditEvents parameter is used, now offer a GUI (graphical user interface) that shows you the files detected outside of the directory paths you selected, allowing you to pick any of them to include in the final supplemental policy. This change boosts security by eliminating any chance of unwanted files being allowed in the supplemental policy, since you will know the precise details of each file and can make an informed decision about which ones to include.
  - The previous behavior would automatically detect any files run during audit mode that did not reside in the directory paths you selected and include them in the supplemental policy, which is less secure.
- The SnapBack mechanism is triggered sooner, restoring the base policy that is in audit mode back to enforced mode as soon as possible.
- When using the Edit-WDACConfig and Edit-SignedWDACConfig cmdlets with the -AllowNewAppsAuditEvents parameter, rules for files that no longer exist on disk are no longer created based on hash only. Now, if those files are signed, signature-based rules are created for them; if they are unsigned, hash rules are created.
  - With the updated workflow, specifying directory paths is no longer necessary. Instead, you can use the event logs to authorize any desired file or program. This is particularly useful when a file or program is blocked and you do not know its precise location or installation path: the parameter quickly identifies the blocked files, and through the displayed GUI you can select them and generate a supplemental policy for them.
- This update significantly reduces the dependency on the native ConfigCI module, a further step towards complete autonomy. The goal is to eventually reach total self-reliance in forthcoming updates.
- The ConvertTo-WDACPolicy cmdlet, when using local logs as the source, is now faster thanks to high-performance functions.
- Kernel-protected files are now detected faster, and rules for them are created in better ways.
- Sub-modules in each cmdlet now load faster.
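As an illustration of the internalized rule option handling and the bulk add/remove behavior described for Set-CiRuleOptions above, here is an added example (not the WDACConfig module's own code) that edits the <Rules> element of a WDAC policy XML directly in one pass; the function name, its parameters and the sample policy are constructed for this demo, and the usage at the end moves a policy from audit mode to enforced mode while requiring WHQL.

```powershell
# Added example, not WDACConfig's own code: apply a batch of rule option additions and
# removals to a WDAC policy XML by editing <Rules> directly instead of calling Set-RuleOption
# once per option. Function and parameter names are assumptions for this demo.
function Set-PolicyRuleOptions {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [string[]]$RulesToAdd = @(),
        [string[]]$RulesToRemove = @()
    )
    $SiNs = 'urn:schemas-microsoft-com:sipolicy'
    $FullPath = (Resolve-Path -LiteralPath $FilePath).ProviderPath
    $Policy = New-Object System.Xml.XmlDocument
    $Policy.Load($FullPath)
    $Ns = New-Object System.Xml.XmlNamespaceManager($Policy.NameTable)
    $Ns.AddNamespace('si', $SiNs)
    $Rules = $Policy.SelectSingleNode('/si:SiPolicy/si:Rules', $Ns)
    if (-not $Rules) {
        $Rules = $Policy.DocumentElement.AppendChild($Policy.CreateElement('Rules', $SiNs))
    }
    # Removals first, so an option listed in both lists ends up present afterwards.
    foreach ($Opt in $RulesToRemove) {
        foreach ($Node in @($Rules.SelectNodes("si:Rule[si:Option='$Opt']", $Ns))) {
            $null = $Rules.RemoveChild($Node)
        }
    }
    foreach ($Opt in $RulesToAdd) {
        if ($Rules.SelectSingleNode("si:Rule[si:Option='$Opt']", $Ns)) { continue }  # already set
        $Rule = $Policy.CreateElement('Rule', $SiNs)
        $Option = $Policy.CreateElement('Option', $SiNs)
        $Option.InnerText = $Opt
        $null = $Rule.AppendChild($Option)
        $null = $Rules.AppendChild($Rule)
    }
    $Policy.Save($FullPath)
    @($Rules.SelectNodes('si:Rule/si:Option', $Ns)).InnerText  # final option list for verification
}

# Constructed minimal base policy for the demo (audit mode on, no WHQL requirement)
$Sample = @'
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <Rules>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
  </Rules>
</SiPolicy>
'@
$Path = Join-Path ([IO.Path]::GetTempPath()) 'DemoPolicy.xml'
Set-Content -LiteralPath $Path -Value $Sample -Encoding utf8
# Switch from audit to enforced mode and require WHQL-signed drivers in a single call
Set-PolicyRuleOptions -FilePath $Path -RulesToRemove 'Enabled:Audit Mode' -RulesToAdd 'Required:WHQL','Enabled:Boot Audit On Failure'
```

The returned list should no longer contain 'Enabled:Audit Mode' and should contain the two added options; an option name containing a single quote would need escaping in the XPath, but no built-in WDAC option name does.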