WDACConfig module - WDAC Policy Deployment Simulation

SpyNetGirl
Jan 30, 2023



This feature allows you to simulate a WDAC (App Control for Business) policy deployment. Select a folder and a policy XML file, and it will show you whether the files in that folder would be allowed or blocked by your WDAC policy if it were actually deployed on a system and those files were run.

Upon completion of the simulation, you will get a CSV file in the current working directory containing the output of the simulation, with exhaustive details on each file that would be blocked or allowed by the selected policy. It is very useful, especially if the scanned folder contained thousands of files.

Currently, this cmdlet is only suitable for XML policy files generated with Level: FilePublisher and Fallback: Hash, which are actually the safest and best options and are also the defaults used by the WDACConfig module. If the policy was generated with other levels or fallbacks, such as FilePath, the output of this cmdlet will not be accurate.

The feature is out of the beta phase and is fully functional after a big update I pushed today. I'm very happy with it because, after testing more than 100k unique files with it, it has always been successful.

Some Use Cases

  • Have a WDAC policy and want to test whether all of the files of a program will be allowed by it without running the program first? Use this WDAC simulation to find out.
  • Use this simulation to discover files that are not explicitly listed in the WDAC policy but are still authorized to run by it. When you scan a folder to create a supplemental policy for the files inside it, some files need not be mentioned in the policy XML because they are already covered, through their certificate details, by rules created for other files, so you cannot tell whether they are allowed merely by examining the XML file. The simulation confirms whether or not the policy permits them, using robust automated verification.
  • Identify files that have a hash mismatch (their content no longer matches the embedded signature) and so will not be permitted by the WDAC engine based on their signature. These files are typically found in questionable software because they have been tampered with. They still get incorporated into the WDAC policy based on their certificate signature, but when you execute them you receive a block message. Use this simulation feature to detect them without running them first.
  • And more.
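As an added worked example (not code from the WDACConfig module or this post), the following Python models the per-file decision the simulation has to make for the cases listed above: it parses the hash rules, signers, FileAttrib entries and signing-scenario references out of a policy XML in the shape a Level: FilePublisher, Fallback: Hash scan produces, then checks each file against them and prints the CSV. The policy, its hash/TBS values and every per-file fact (Authenticode hash, whether the signature still verifies, leaf subject, chain TBS hashes, OriginalFileName, version) are constructed placeholders; on a real system those facts must be read from the binaries with Windows signature tooling, which is the part this model leaves out.

```python
"""Per-file decision logic of a WDAC deployment simulation (added example, not WDACConfig code).
All file facts below are constructed; a real run has to read each binary's Authenticode hash,
signature validity, leaf subject, chain TBS hashes, OriginalFileName and version with Windows tooling."""
import csv
import sys
import xml.etree.ElementTree as ET

NS = {"si": "urn:schemas-microsoft-com:sipolicy"}

# Constructed policy in the shape a FilePublisher/Hash scan emits; hash and TBS values are placeholders.
POLICY_XML = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Supplemental Policy">
  <FileRules>
    <Allow ID="ID_ALLOW_A_1" FriendlyName="unsigned.exe Hash Sha256" Hash="AAAA0001"/>
    <FileAttrib ID="ID_FILEATTRIB_F_1" FileName="tool.exe" MinimumFileVersion="2.1.0.0"/>
  </FileRules>
  <Signers>
    <Signer ID="ID_SIGNER_S_1" Name="Example Code Signing CA">
      <CertRoot Type="TBS" Value="CAFE0001"/>
      <CertPublisher Value="Example Software Inc."/>
      <FileAttribRef RuleID="ID_FILEATTRIB_F_1"/>
    </Signer>
  </Signers>
  <SigningScenarios>
    <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="User mode">
      <ProductSigners>
        <AllowedSigners><AllowedSigner SignerId="ID_SIGNER_S_1"/></AllowedSigners>
        <FileRulesRef><FileRuleRef RuleID="ID_ALLOW_A_1"/></FileRulesRef>
      </ProductSigners>
    </SigningScenario>
  </SigningScenarios>
</SiPolicy>"""

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def load_policy(xml_text):
    """Keep only the hash rules and signers that a signing scenario actually references."""
    root = ET.fromstring(xml_text)
    rule_ids, signer_ids = set(), set()
    for ps in root.findall("si:SigningScenarios/si:SigningScenario/si:ProductSigners", NS):
        rule_ids |= {r.get("RuleID") for r in ps.findall("si:FileRulesRef/si:FileRuleRef", NS)}
        signer_ids |= {s.get("SignerId") for s in ps.findall("si:AllowedSigners/si:AllowedSigner", NS)}
    hashes = {a.get("Hash").upper() for a in root.findall("si:FileRules/si:Allow", NS)
              if a.get("Hash") and a.get("ID") in rule_ids}
    attribs = {f.get("ID"): f for f in root.findall("si:FileRules/si:FileAttrib", NS)}
    signers = []
    for s in root.findall("si:Signers/si:Signer", NS):
        if s.get("ID") not in signer_ids:
            continue
        pub = s.find("si:CertPublisher", NS)
        refs = [attribs[r.get("RuleID")] for r in s.findall("si:FileAttribRef", NS)]
        signers.append({"tbs": s.find("si:CertRoot", NS).get("Value").upper(),
                        "publisher": pub.get("Value") if pub is not None else None,
                        "files": [(f.get("FileName"), parse_version(f.get("MinimumFileVersion", "0.0.0.0")))
                                  for f in refs]})  # (OriginalFileName, MinimumFileVersion) per FilePublisher rule
    return {"hashes": hashes, "signers": signers}

def evaluate(f, policy):
    """Signer rules apply only to a signature that still verifies; a file modified after signing
    (hash mismatch) can be allowed only by a hash rule. Returns (verdict, reason)."""
    sig = f["signature"]
    if sig is not None and sig["valid"]:
        chain = {t.upper() for t in sig["chain_tbs"]}
        for s in policy["signers"]:
            if s["tbs"] not in chain or (s["publisher"] and s["publisher"] != sig["leaf_cn"]):
                continue
            if not s["files"]:
                return "Allowed", "publisher rule"
            for name, min_ver in s["files"]:
                if name.lower() == sig["original_name"].lower() and parse_version(sig["version"]) >= min_ver:
                    return "Allowed", f"FilePublisher rule for {name} >= {'.'.join(map(str, min_ver))}"
    if f["hash"].upper() in policy["hashes"]:
        return "Allowed", "hash rule"
    if sig is not None and not sig["valid"]:
        return "Blocked", "hash mismatch: signature no longer verifies and no hash rule"
    return "Blocked", "no matching rule"

def simulate(files, policy):
    return {f["path"]: evaluate(f, policy) for f in files}

# Constructed per-file facts standing in for what signature tooling would report.
SIGNED = {"valid": True, "leaf_cn": "Example Software Inc.", "chain_tbs": ["CAFE0001", "ROOT0000"]}
FILES = [
    {"path": r"C:\App\unsigned.exe", "hash": "aaaa0001", "signature": None},
    {"path": r"C:\App\tool.exe", "hash": "BBBB0002",
     "signature": dict(SIGNED, original_name="tool.exe", version="2.1.0.0")},
    {"path": r"C:\App\update\tool.exe", "hash": "BBBB0003",  # newer build, no hash rule of its own
     "signature": dict(SIGNED, original_name="tool.exe", version="2.5.0.0")},
    {"path": r"C:\App\tool_patched.exe", "hash": "BBBB0005",  # modified after signing
     "signature": dict(SIGNED, original_name="tool.exe", version="2.1.0.0", valid=False)},
    {"path": r"C:\App\helper.dll", "hash": "CCCC0006",  # same signer, but no FileAttrib for it
     "signature": dict(SIGNED, original_name="helper.dll", version="2.1.0.0")},
]

if __name__ == "__main__":
    w = csv.writer(sys.stdout)
    w.writerow(["FilePath", "Verdict", "Reason"])
    w.writerows([p, v, r] for p, (v, r) in simulate(FILES, load_policy(POLICY_XML)).items())
```

The ordering in evaluate is the point: the newer tool.exe build is allowed although no rule names its hash, the patched copy carries the same certificate but is blocked because its signature no longer verifies, and helper.dll is blocked even though it is signed by an allowed signer, because FilePublisher rules are tied to a specific OriginalFileName and minimum version.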
