ConvertTo-WDACPolicy cmdlet Publisher type instead of Hashes

[a-shina]

Hello,

First off, I would like to say thank you for creating the WDACConfig module, it is super helpful and easy to use!

Unfortunately, I am experiencing this issue where the supplemental policy created through MDE Advanced Hunting is using only hashes for allow rules instead of Publisher type even though the files are signed.

I have also watched your YouTube video on how to use WDACConfig module with Microsoft Defender for Endpoint (MDE) Advanced Hunting results to create Application Control policies and followed the steps as applicable.

Is there any configuration I need to adjust or additional steps I should take to ensure all publisher fields are included when parsing from MDE Advanced Hunting events?

Thank you for your support!

[HotCakeX]

Hi,
my pleasure, glad you find it useful,
Can you share some parts of the CSV file with me so i can investigate further? You can send through email or on Teams: spynetgirl@outlook.com

The module first tries to create FilePublisher, if necessary details aren't available then attempts to create Publisher and lastly tries Hash level rules. If the CSV contains file's signatures (Publisher Name, Publisher TBS Hash, Issuer Name, Issuer TBS Hash) then Publisher level should be used.

[a-shina]

I will definitely give that a shot -- thank you very much!

[HotCakeX]

No problem, yw! :)

[a-shina]

Hi again @HotCakeX, hope all is well!

I was wondering if there is a way using the ConvertTo-WDACPolicy cmdlet when creating an allow rule to only have it create based on Issuer & Publisher and omit File Attribute? This option is available using the WDAC Wizard and it would be so helpful to have it on your WDACConfig module as well.

Example from the Wizard:

Shown above, when creating an allow rule for DellPair.exe - I am able to create it based on Issuer & Publisher only.

Examples of xml generated from:

1. WDAC Wizard:
   

2. WDACConfig:
   
   

The reason I prefer this option is that any other file or executable under DigiCert EV Code Signing CA (SHA2) and IndiLogic LLC would be allowed using only one allow rule.

Thanks,
Adrian

[HotCakeX]

Hi, when i designed that function, i made it to use the most secure levels as much as possible. So it first tries to use FilePublisher level, if the logs can't satisfy the requirements for it, then it falls back to Publisher level, if that can't be satisfied it tries to use LeafCertificate, and finally it will create Hash rules.

I'm beginning to realize people (including you) want to use Publisher level primarily, especially in enterprise environments, so i will offer level selection in the command. The logics are already there, just need to take care of some minor technicalities to make it happen. Next version of the WDACConfig module will most likely offer it.

[a-shina]

Awesome! Thank you for considering this enhancement. Having this level of granularity will be super nice. Do you have an estimated release date for the next update? I'm looking forward to it!

[HotCakeX]

@a-shina Just released the update
https://github.com/HotCakeX/Harden-Windows-Security/releases/tag/WDACConfigv0.4.3

sorry couldn't give an estimation

[a-shina]

@HotCakeX, thank you so much for the swift release! I’m excited to start using the new features. Much appreciated :)

[HotCakeX]

You're welcome ^^