Microsoft.Workflow.Compiler.exe Part 2 WDAC Policy

Device Guard is like AppLocker but with more features: it can block DLLs and drivers, and it includes virtualization-based security. Microsoft has since split it into what are effectively two products. Windows Defender Application Control (WDAC) is the application control half, i.e. whitelisting and blacklisting of code. The virtualization-based security half, which protects against kernel rootkits through hypervisor-protected code integrity (HVCI) and which also underpins running Edge in an isolated container (Application Guard), is documented separately. The documentation is decent, but more can be expected; since this is still a fresh rebranding with changes being added, I expect more information to appear in the near future.

Today I will walk through an example policy creation and add an extra rule that blocks the workflow compiler. WDAC policies can be created on any client edition of Windows 10 build 1903 or later, or on Windows Server 2016 and above; Microsoft dropped the Enterprise edition requirement, which together with the hardware requirements for virtualization-based protection was one of the main reasons organizations did not use Device Guard before. Now far more people have a robust application whitelisting feature available. All you really need is Windows 10 1903 or later and a base install. More information is available on Microsoft's documentation site. The requirements for the lab are below.

  • A base Windows 10 install, version 1903 or later
  • .NET Framework 4.x installed (usually present by default; check for the folder C:\Windows\Microsoft.NET\Framework64\v4.0.30319)
  • Make sure the file C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe exists

First step: copy the policy below and save it as blockmwfc.xml in an empty folder. I took it from Microsoft's recommended block rules list and trimmed it so that it only blocks the workflow compiler: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules The Deny rule keys on the binary's file name (taken from its version resource, so renaming the file on disk does not help) and uses MinimumFileVersion 65535.65535.65535.65535, which is how the block rules list denies every version of a file. Both this policy and the default Windows example policy start in audit mode, which is the <Option>Enabled:Audit Mode</Option> rule; the <Option>Enabled:Unsigned System Integrity Policy</Option> rule simply allows the policy to be deployed without being signed.

<?xml version="1.0" encoding="utf-8" ?> 
  <SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx> 
  <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID> 
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> 
  <Rules>
  <Rule>
  <Option>Enabled:Unsigned System Integrity Policy</Option> 
  </Rule>
  <Rule>
  <Option>Enabled:Audit Mode</Option> 
  </Rule>
  <Rule>
  <Option>Enabled:Advanced Boot Options Menu</Option> 
  </Rule>
  <Rule>
  <Option>Enabled:UMCI</Option> 
  </Rule>
  </Rules>
  <!-- EKUS
  --> 
  <EKUs /> 
  <!-- File Rules
  --> 
  <FileRules>
  <Deny ID="ID_DENY_MWFC" FriendlyName="Microsoft.Workflow.Compiler.exe" FileName="Microsoft.Workflow.Compiler.exe" MinimumFileVersion="65535.65535.65535.65535" /> 

  </FileRules>
  <!-- Signers
  --> 
  <Signers /> 
  <!-- Driver Signing Scenarios
  --> 
  <SigningScenarios>
  <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="User Mode Signing Scenarios">
  <ProductSigners>
  <FileRulesRef>
  <FileRuleRef RuleID="ID_DENY_MWFC" />  
  </FileRulesRef>
  </ProductSigners>
  </SigningScenario>
  </SigningScenarios>
  <UpdatePolicySigners /> 
  <CiSigners /> 
  <HvciOptions>0</HvciOptions> 
  </SiPolicy>

Second step: merge this policy with the example policy DefaultWindows_Audit.xml located at %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies (more information on that policy is at https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies). Copy it into the folder that holds your blockmwfc.xml, then run the first command below from PowerShell to merge both policies; the second command compiles the merged XML into the binary policy file.

Merge-CIPolicy -PolicyPaths DefaultWindows_Audit.xml,blockmwfc.xml -OutputFilePath MergedPolicy.xml
ConvertFrom-CIPolicy -XmlFilePath MergedPolicy.xml -BinaryFilePath SiPolicy.p7b

Third step: copy the created binary to C:\Windows\System32\CodeIntegrity\SiPolicy.p7b, replacing any SiPolicy.p7b already there, and reboot the computer. Afterwards try running Microsoft.Workflow.Compiler.exe, either by itself or using the technique from Part 1 to run C# code through it.
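The three steps above as one PowerShell script, added here as an example and not part of the original post. It assumes blockmwfc.xml is saved in a folder named C:\WDAC (a name chosen for this example), that the box uses the single-policy format the post relies on (one SiPolicy.p7b under System32\CodeIntegrity), and it adds a check that the merge kept both the deny rule and the audit-mode option before anything is deployed:

```powershell
# Added example, not from the original post: steps 1 to 3 as one script.
# Assumes blockmwfc.xml from the post is saved in $Work (a folder name chosen
# here) and that the machine uses the single-policy format, as the post does,
# so the compiled binary goes to System32\CodeIntegrity\SiPolicy.p7b.
$Work          = 'C:\WDAC'
$ExamplePolicy = "$env:SystemRoot\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml"
$Deployed      = "$env:SystemRoot\System32\CodeIntegrity\SiPolicy.p7b"

Copy-Item -Path $ExamplePolicy -Destination $Work

# Step 2: merge the base audit policy with the deny rule, then compile it.
Merge-CIPolicy -PolicyPaths "$Work\DefaultWindows_Audit.xml", "$Work\blockmwfc.xml" `
               -OutputFilePath "$Work\MergedPolicy.xml"

# Check before deploying: the deny rule and the Audit Mode option must have
# survived the merge, otherwise the reboot could enforce something unintended.
[xml]$merged = Get-Content -Path "$Work\MergedPolicy.xml" -Raw
$ns    = @{ si = 'urn:schemas-microsoft-com:sipolicy' }
$deny  = Select-Xml -Xml $merged -Namespace $ns -XPath "//si:Deny[@FileName='Microsoft.Workflow.Compiler.exe']"
$audit = Select-Xml -Xml $merged -Namespace $ns -XPath "//si:Option[text()='Enabled:Audit Mode']"
if (-not $deny)  { throw 'Merged policy lost the Microsoft.Workflow.Compiler.exe deny rule' }
if (-not $audit) { throw 'Merged policy is not in audit mode; refusing to deploy' }

ConvertFrom-CIPolicy -XmlFilePath "$Work\MergedPolicy.xml" -BinaryFilePath "$Work\SiPolicy.p7b"

# Step 3: keep a copy of whatever is deployed now, install the new binary, reboot.
if (Test-Path -Path $Deployed) { Copy-Item -Path $Deployed -Destination "$Work\SiPolicy.p7b.bak" }
Copy-Item -Path "$Work\SiPolicy.p7b" -Destination $Deployed
Restart-Computer -Confirm

# Once the audit events look right, remove option 3 (Enabled:Audit Mode) from
# the XML to enforce, then recompile and redeploy exactly as above:
#   Set-RuleOption -FilePath "$Work\MergedPolicy.xml" -Option 3 -Delete
```

Keeping the previous SiPolicy.p7b is worth the extra line: a policy that unexpectedly enforces on reboot is far easier to back out from the recovery environment when the old binary is sitting next to it.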

Since we are in audit mode you should see event 3089, whose details include the hash of the workflow compiler binary. That event carries a correlation ID, which is what links it to the matching 3076 event for the same file load; you can also simply compare the hash it reports against the other events. Event 3076 then records that the workflow compiler was run and would have been blocked had the policy been enforced.
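Pulling those events out of the log instead of clicking through Event Viewer, as an added example that is not from the original post. It reads the Code Integrity operational log, keeps the 3076/3077 events that mention the workflow compiler, and prints the 3089 signature events that share each one's activity ID. Field names such as "File Name" and "SHA256" are matched loosely because they are only used to choose what to print; the script does not depend on any particular field name:

```powershell
# Added example, not from the original post: list the WDAC audit trail for
# Microsoft.Workflow.Compiler.exe and pair each 3076/3077 event with the 3089
# signature events that share its ActivityId. Assumes the post's merged audit
# policy is deployed and the binary has been run at least once since the reboot.
$Log    = 'Microsoft-Windows-CodeIntegrity/Operational'
$Target = 'Microsoft.Workflow.Compiler.exe'

# Flatten an event's <EventData><Data Name="..."> fields into a hashtable so the
# rest of the script does not rely on any one field's display name.
function ConvertTo-CiEventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[[string]$d.Name] = [string]$d.'#text' }
    [pscustomobject]@{
        Id         = $Event.Id
        Time       = $Event.TimeCreated
        ActivityId = $Event.ActivityId   # a 3089 shares this with its 3076/3077
        Fields     = $fields
    }
}

# 3076 = audited (would have been blocked), 3077 = enforced block, 3089 = signature info
$all = Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = 3076, 3077, 3089 } -ErrorAction SilentlyContinue |
       ForEach-Object { ConvertTo-CiEventData $_ }

# A block/audit event concerns the target if any of its data fields names the file
$hits = $all | Where-Object { ($_.Id -in 3076, 3077) -and (($_.Fields.Values -join ' ') -like "*$Target*") }

foreach ($h in $hits) {
    $mode = if ($h.Id -eq 3076) { 'AUDIT' } else { 'BLOCK' }
    "{0}  {1}  event {2}" -f $h.Time, $mode, $h.Id
    # Field names assumed from the Event Viewer details view; only affects what is printed
    $h.Fields.GetEnumerator() |
        Where-Object { $_.Key -match 'File Name|Process Name|SHA256' } |
        ForEach-Object { "    {0}: {1}" -f $_.Key, $_.Value }

    # Signature events for the same file load carry the same ActivityId
    $sigs = $all | Where-Object { $_.Id -eq 3089 -and $h.ActivityId -and $_.ActivityId -eq $h.ActivityId }
    foreach ($s in $sigs) {
        $summary = $s.Fields.GetEnumerator() |
            Where-Object { $_.Key -match 'Hash|Publisher|Signature|VerificationError' } |
            ForEach-Object { "$($_.Key)=$($_.Value)" }
        "    3089: " + ($summary -join '; ')
    }
}
```

Run it from an elevated PowerShell session, since the Code Integrity operational log is not readable by standard users on a default install. The same script works unchanged once the policy is switched to enforcement; the only difference is that the hits come back as 3077 instead of 3076.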

We can also try appending some junk to a copy of the workflow compiler binary. That changes the file hash and also breaks its Authenticode signature, so the copy should still be blocked: it is no longer a Windows-signed binary that the base policy allows, and its hash no longer matches anything either.

echo "a" > test.txt
copy /b C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe+test.txt workflow.exe
