Merge pull request #18 from jsuther1974/master

Initial WDAC integration (policy generation features only)
microsoft · Apr 22, 2020 · 753f9fb · 753f9fb
2 parents fd2d7b7 + e8c3319
commit 753f9fb
Show file tree

Hide file tree

Showing 9 changed files with 1,794 additions and 761 deletions.
diff --git a/AaronLocker/Create-Policies-AppLocker.ps1 b/AaronLocker/Create-Policies-AppLocker.ps1
diff --git a/AaronLocker/Create-Policies-WDAC.ps1 b/AaronLocker/Create-Policies-WDAC.ps1
diff --git a/AaronLocker/Create-Policies.ps1 b/AaronLocker/Create-Policies.ps1
diff --git a/AaronLocker/CustomizationInputs/UnsafePathsToBuildRulesFor.ps1 b/AaronLocker/CustomizationInputs/UnsafePathsToBuildRulesFor.ps1
@@ -19,12 +19,22 @@ Hashtable properties:
                          pubProdBinVer - highest granularity: Publisher rules specify publisher, product, binary name, and minimum version.
                        Microsoft-signed Windows and Visual Studio files are always handled at a minimum granularity of "pubProductBinary";
                        other Microsoft-signed files are handled at a minimum granularity of "pubProduct".
+                       ****NOTE**** 
+                            pubruleGranularity is handled very differently for WDAC policies. WDAC rules use the pubruleGranularity to determine the default -Level but then falls
+                            back to successively more restrictive options.The Granularity mappings are as follows:
+                            pubOnly --> -Level Publisher -Fallback FilePublisher,FileName,Hash
+                            pubProduct --> -Level FilePublisher -SpecificFileNameLevel ProductName -Fallback FilePublisher,FileName,Hash
+                            pubProductBinary --> NOT supported for WDAC rules. Reverts to pubProdBinVer.
+                            pubProdBinVer --> -Level FilePublisher -Fallback FileName,Hash (ProductName *not* included in generated rule)
 * JSHashRules        - OPTIONAL; if specified and set to $true, generates hash rules for unsigned .js files; otherwise, doesn't generate them.
+                       NOTE: JSHashRules is *ignored* for WDAC policy generation. Hash rules are always created for .js files discovered. 
 * noRecurse          - OPTIONAL; if specified and set to $true, rules are generated only for the files in the specified directory or directories.
                        Otherwise, rules are also generated for files in subdirectories of the specified directory or directories.
+                       NOTE: noRecurse is *ignored* for WDAC policy generation. Subdirectories are always scanned.
 * enforceMinVersion  - DEPRECATED and OPTIONAL. pubruleGranularity takes precedence if specified.
                          Otherwise, setting to $false equivalent to pubruleGranularity = pubProductBinary;
                          setting to $true equivalent to pubruleGranularity = pubProdBinVer.
+                       NOTE: enforceMinversion is always *ignored* for WDAC policy generation. MinVersion is always included in rules.
                       
 Examples of valid hash tables:
 

diff --git a/AaronLocker/CustomizationInputs/WDACTrustedSigners-MsvcMfc.ps1 b/AaronLocker/CustomizationInputs/WDACTrustedSigners-MsvcMfc.ps1
@@ -0,0 +1,309 @@
+<#
+.SYNOPSIS
+Script designed to be dot-sourced into TrustedSigners.ps1 that supports the creation of publisher rules for observed MSVC*.DLL and MFC*.DLL files.
+
+.DESCRIPTION
+There are already MSVC* and MFC* DLLs in Windows - this script also allows redistributable DLLs that often ship with other products and are installed into user-writable directories.
+This output allows any version of signed MSVC* or MFC* DLLs that shipped with a known version of Visual Studio.
+This is not the same as allowing anything signed by Microsoft or is part of Visual Studio - just the runtime library support DLLs.
+
+This file can be updated as additional MSVC* and MFC* DLLs appear in event logs when observed executing from user-writable directories.
+Add more files as they are identified.
+
+See TrustedSigners.ps1 for details about how this input is used.
+
+#>
+
+###########################################################################
+# Visual Studio 2008
+###########################################################################
+
+@{
+label = "MFC runtime DLL";
+IssuerName = "Microsoft Code Signing PCA";
+IssuerTBSHash = "7251ADC0F732CF409EE462E335BB99544F2DD40F";
+PublisherName = "Microsoft Corporation";
+ProductName = "Microsoft® Visual Studio® 2008";
+FileName = "MFC90U.DLL";
+}
+
+@{
+label = "MSVC runtime DLL";
+IssuerName = "Microsoft Code Signing PCA 2011";
+IssuerTBSHash = "F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E";
+PublisherName = "Microsoft Corporation";
+ProductName = "Microsoft® Visual Studio® 2008";
+FileName = "MSVCP90.DLL";
+}
+
+@{
+label = "MSVC runtime DLL";
+IssuerName = "Microsoft Code Signing PCA 2011";
+IssuerTBSHash = "F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E";
+PublisherName = "Microsoft Corporation";
+ProductName = "Microsoft® Visual Studio® 2008";
+FileName = "MSVCR90.DLL";
+}
+
+###########################################################################
+# Visual Studio 2010
+###########################################################################
+
+@{
+label = "MSVC runtime DLL";
+IssuerName = "Microsoft Code Signing PCA";
+IssuerTBSHash = "7251ADC0F732CF409EE462E335BB99544F2DD40F";
+PublisherName = "Microsoft Corporation";
+ProductName = "Microsoft® Visual Studio® 2010";
+FileName = "msvcp100.dll";
+}
+
+@{
+label = "MSVC runtime DLL";
+IssuerName = "Microsoft Code Signing PCA 2011";
+IssuerTBSHash = "F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E";
+PublisherName = "Microsoft Corporation";
+ProductName   = "Microsoft® .NET Framework";
+FileName = "MSVCR100_CLR0400.DLL";
+}
+
+###########################################################################
+# Visual Studio 2012
+###########################################################################
+
+@{
+label = "MFC runtime DLL";
+IssuerName = "Microsoft Code Signing PCA";
+IssuerTBSHash = "27543A3F7612DE2261C7228321722402F63A07DE";
+PublisherName = "Microsoft Corporation";
+ProductName   = "Microsoft® Visual Studio® 2012";
+FileName = "MFC110.DLL";
+}
+
+@{
+label = "MFC runtime DLL";
+IssuerName = "Microsoft Code Signing PCA 2011";
+IssuerTBSHash = "F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E";
+PublisherName = "Microsoft Corporation";
+ProductName   = "Microsoft® Visual Studio® 2012";
+FileName = "MFC110.DLL";
+}
+
+@{
+label = "MSVC runtime DLL";
+IssuerName = "Microsoft Code Signing PCA";
+IssuerTBSHash = "27543A3F7612DE2261C7228321722402F63A07DE";
+PublisherName = "Microsoft Corporation";
+ProductName   = "Microsoft® Visual Studio® 2012";
+FileName = "MSVCP110.DLL";
+}
+
+@{
+label = "MSVC runtime DLL";
+IssuerName = "Microsoft Code Signing PCA 2011";
+IssuerTBSHash = "F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E";
+PublisherName = "Microsoft Corporation";
+ProductName   = "Microsoft® Visual Studio® 2012";
+FileName = "MSVCP110.DLL";
+}
+
+@{
+label = "MSVC runtime DLL";
+IssuerName = "Microsoft Code Signing PCA";
+IssuerTBSHash = "27543A3F7612DE2261C7228321722402F63A07DE";
+PublisherName = "Microsoft Corporation";
+ProductName   = "Microsoft® Visual Studio® 2012";
+FileName = "MSVCR110.DLL";
+}
+
+@{
+label = "MSVC runtime DLL";
+IssuerName = "Microsoft Code Signing PCA 2011";
+IssuerTBSHash = "F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E";
+PublisherName = "Microsoft Corporation";
+ProductName   = "Microsoft® Visual Studio® 2012";
+FileName = "MSVCR110.DLL";
+}
+
+###########################################################################
+# Visual Studio 2013
+###########################################################################
+
+@{
+label = "MFC runtime DLL";
+IssuerName = "Microsoft Code Signing PCA";
+IssuerTBSHash = "27543A3F7612DE2261C7228321722402F63A07DE";
+PublisherName = "Microsoft Corporation";
+ProductName   = "MICROSOFT® VISUAL STUDIO® 2013";
+FileName = "MFC120.DLL";
+}
+
+@{
+label = "MFC runtime DLL";
+IssuerName = "Microsoft Code Signing PCA 2011";
+IssuerTBSHash = "F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E";
+PublisherName = "Microsoft Corporation";
+ProductName   = "MICROSOFT® VISUAL STUDIO® 2013";
+FileName = "MFC120.DLL";
+}
+
+@{
+label = "MFC runtime DLL";
+IssuerName = "Microsoft Code Signing PCA";
+IssuerTBSHash = "27543A3F7612DE2261C7228321722402F63A07DE";
+PublisherName = "Microsoft Corporation";
+ProductName   = "MICROSOFT® VISUAL STUDIO® 2013";
+FileName = "MFC120U.DLL";
+}
+
+@{
+label = "MFC runtime DLL";
+IssuerName = "Microsoft Code Signing PCA 2011";
+IssuerTBSHash = "F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E";
+PublisherName = "Microsoft Corporation";
+ProductName   = "MICROSOFT® VISUAL STUDIO® 2013";
+FileName = "MFC120U.DLL";
+}
+
+@{
+label = "MSVC runtime DLL";
+IssuerName = "Microsoft Code Signing PCA";
+IssuerTBSHash = "27543A3F7612DE2261C7228321722402F63A07DE";
+PublisherName = "Microsoft Corporation";
+ProductName   = "MICROSOFT® VISUAL STUDIO® 2013";
+FileName = "MSVCP120.DLL";
+}
+
+@{
+label = "MSVC runtime DLL";
+IssuerName = "Microsoft Code Signing PCA 2011";
+IssuerTBSHash = "F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E";
+PublisherName = "Microsoft Corporation";
+ProductName   = "MICROSOFT® VISUAL STUDIO® 2013";
+FileName = "MSVCP120.DLL";
+}
+
+@{
+label = "MSVC runtime DLL";
+IssuerName = "Microsoft Code Signing PCA";
+IssuerTBSHash = "27543A3F7612DE2261C7228321722402F63A07DE";
+PublisherName = "Microsoft Corporation";
+ProductName   = "MICROSOFT® VISUAL STUDIO® 2013";
+FileName = "MSVCR120.DLL";
+}
+
+@{
+label = "MSVC runtime DLL";
+IssuerName = "Microsoft Code Signing PCA 2011";
+IssuerTBSHash = "F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E";
+PublisherName = "Microsoft Corporation";
+ProductName   = "MICROSOFT® VISUAL STUDIO® 2013";
+FileName = "MSVCR120.DLL";
+}
+
+###########################################################################
+# Visual Studio 2015
+###########################################################################
+
+@{
+label = "MSVC runtime DLL";
+IssuerName = "Microsoft Code Signing PCA 2011";
+IssuerTBSHash = "F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E";
+PublisherName = "Microsoft Corporation";
+ProductName   = "MICROSOFT® VISUAL STUDIO® 2015";
+FileName = "MSVCP140.DLL";
+}
+
+@{
+label = "MSVC runtime DLL";
+IssuerName = "Microsoft Code Signing PCA 2011";
+IssuerTBSHash = "F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E";
+PublisherName = "Microsoft Corporation";
+ProductName   = "MICROSOFT® VISUAL STUDIO® 2015";
+FileName = "VCRUNTIME140.DLL";
+}
+
+@{
+label = "MFC runtime DLL";
+IssuerName = "Microsoft Code Signing PCA 2011";
+IssuerTBSHash = "F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E";
+PublisherName = "Microsoft Corporation";
+ProductName   = "MICROSOFT® VISUAL STUDIO® 2015";
+FileName = "MFC140U.DLL";
+}
+
+###########################################################################
+# Visual Studio 2017
+###########################################################################
+
+@{
+label = "MSVC runtime DLL";
+IssuerName = "Microsoft Code Signing PCA 2011";
+IssuerTBSHash = "F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E";
+PublisherName = "Microsoft Corporation";
+ProductName   = "MICROSOFT® VISUAL STUDIO® 2017";
+FileName = "MSVCP140.DLL";
+}
+
+@{
+label = "MSVC runtime DLL";
+IssuerName = "Microsoft Code Signing PCA 2011";
+IssuerTBSHash = "F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E";
+PublisherName = "Microsoft Corporation";
+ProductName   = "MICROSOFT® VISUAL STUDIO® 2017";
+FileName = "VCRUNTIME140.DLL";
+}
+
+@{
+label = "MFC runtime DLL";
+IssuerName = "Microsoft Code Signing PCA 2011";
+IssuerTBSHash = "F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E";
+PublisherName = "Microsoft Corporation";
+ProductName = "MICROSOFT® VISUAL STUDIO® 2017";
+FileName = "MFC140.DLL";
+}
+
+###########################################################################
+# Visual Studio 10
+###########################################################################
+
+@{
+label = "MFC runtime DLL";
+IssuerName = "Microsoft Code Signing PCA 2011";
+IssuerTBSHash = "F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E";
+PublisherName = "Microsoft Corporation";
+ProductName   = "MICROSOFT® VISUAL STUDIO® 10";
+FileName = "MFC100U.DLL";
+}
+
+###########################################################################
+# Visual Studio 2015, 2017, 2019
+###########################################################################
+
+@{
+label = "MSVC runtime DLL";
+IssuerName = "Microsoft Code Signing PCA 2011";
+IssuerTBSHash = "F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E";
+PublisherName = "Microsoft Corporation";
+ProductName   = "Microsoft® Visual Studio®";
+FileName = "MSVCP140.DLL";
+}
+
+@{
+label = "MSVC runtime DLL";
+IssuerName = "Microsoft Code Signing PCA 2011";
+IssuerTBSHash = "F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E";
+PublisherName = "Microsoft Corporation";
+ProductName   = "Microsoft® Visual Studio®";
+FileName = "VCRUNTIME140.DLL";
+}
+
+@{
+label = "MFC runtime DLL";
+IssuerName = "Microsoft Code Signing PCA 2011";
+IssuerTBSHash = "F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E";
+PublisherName = "Microsoft Corporation";
+ProductName   = "Microsoft® Visual Studio®";
+FileName = "MFC140U.DLL";
+}
+