Recovered Microsoft Defender for Endpoint WDAC policy that is dropped to %windir%\System32\CodeIntegrity\ATPSiPolicy.p7b when "Restrict App Execution" is enabled for a device.
<?xml version="1.0"?> | |
<!-- Recovered Microsoft Defender for Endpoint (MDE) "Restrict App Execution" WDAC policy. Per the gist text, the PolicyTypeID GUID below is the policy that MDE drops as %windir%\System32\CodeIntegrity\ATPSiPolicy.p7b and that CiTool.exe reports in its policy listing. -->
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy"> | |
<VersionEx>10.0.0.0</VersionEx> | |
<PolicyTypeID>{4E61C68C-97F6-430B-9CD7-9B1004706770}</PolicyTypeID> | |
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
<!-- Policy options. There is no Audit Mode option, so this policy is enforcing (the gist comments show "Is Currently Enforced" = true on a device where it is deployed). Enabled:UMCI (user-mode code integrity) extends enforcement from drivers to user-mode code; the other three option names are reproduced as written. -->
<Rules> | |
<Rule> | |
<Option>Enabled:UMCI</Option> | |
</Rule> | |
<Rule> | |
<Option>Enabled:Inherit Default Policy</Option> | |
</Rule> | |
<Rule> | |
<Option>Enabled:Advanced Boot Options Menu</Option> | |
</Rule> | |
<Rule> | |
<Option>Enabled:Update Policy No Reboot</Option> | |
</Rule> | |
</Rules> | |
<!-- Single EKU definition, referenced by ID_SIGNER_STORE below via CertEKU. Value is the hex-encoded Windows Store EKU OID (per FriendlyName). -->
<EKUs> | |
<EKU ID="ID_EKU_STORE" Value="010A2B0601040182374C0301" FriendlyName="Windows Store" /> | |
</EKUs> | |
<!-- Signer definitions. Type="Wellknown" entries identify Microsoft root certificates by a well-known index rather than a hash. Each root is defined twice: once for the driver scenario and once (the _USER suffix) for the user-mode scenario. Note that the Microsoft Test Root 2010 (ID_SIGNER_TEST_ROOT / ID_SIGNER_TEST_ROOT_USER) is among the allowed signers in both scenarios. -->
<Signers> | |
<Signer ID="ID_SIGNER_PRODUCT_ROOT_MD5" Name="Microsoft Product Root 1997"> | |
<CertRoot Type="Wellknown" Value="04" /> | |
</Signer> | |
<Signer ID="ID_SIGNER_PRODUCT_ROOT_SHA1" Name="Microsoft Product Root 2001"> | |
<CertRoot Type="Wellknown" Value="05" /> | |
</Signer> | |
<Signer ID="ID_SIGNER_PRODUCT_ROOT" Name="Microsoft Product Root 2010"> | |
<CertRoot Type="Wellknown" Value="06" /> | |
</Signer> | |
<Signer ID="ID_SIGNER_STANDARD_ROOT" Name="Microsoft Standard Root 2001"> | |
<CertRoot Type="Wellknown" Value="07" /> | |
</Signer> | |
<Signer ID="ID_SIGNER_CODEVERIFICATION_ROOT" Name="Microsoft Code Verification Root 2006"> | |
<CertRoot Type="Wellknown" Value="08" /> | |
</Signer> | |
<Signer ID="ID_SIGNER_DMD_ROOT" Name="Microsoft DMDRoot 2005"> | |
<CertRoot Type="Wellknown" Value="0C" /> | |
</Signer> | |
<Signer ID="ID_SIGNER_FLIGHT_ROOT" Name="Microsoft Flight Root 2014"> | |
<CertRoot Type="Wellknown" Value="0E" /> | |
</Signer> | |
<Signer ID="ID_SIGNER_TEST_ROOT" Name="Microsoft Test Root 2010"> | |
<CertRoot Type="Wellknown" Value="0A" /> | |
</Signer> | |
<!-- User-mode copies of the same roots (same Wellknown values as above). -->
<Signer ID="ID_SIGNER_PRODUCT_ROOT_MD5_USER" Name="Microsoft Product Root 1997"> | |
<CertRoot Type="Wellknown" Value="04" /> | |
</Signer> | |
<Signer ID="ID_SIGNER_PRODUCT_ROOT_SHA1_USER" Name="Microsoft Product Root 2001"> | |
<CertRoot Type="Wellknown" Value="05" /> | |
</Signer> | |
<Signer ID="ID_SIGNER_PRODUCT_ROOT_USER" Name="Microsoft Product Root 2010"> | |
<CertRoot Type="Wellknown" Value="06" /> | |
</Signer> | |
<Signer ID="ID_SIGNER_STANDARD_ROOT_USER" Name="Microsoft Standard Root 2001"> | |
<CertRoot Type="Wellknown" Value="07" /> | |
</Signer> | |
<Signer ID="ID_SIGNER_CODEVERIFICATION_ROOT_USER" Name="Microsoft Code Verification Root 2006"> | |
<CertRoot Type="Wellknown" Value="08" /> | |
</Signer> | |
<Signer ID="ID_SIGNER_DMD_ROOT_USER" Name="Microsoft DMDRoot 2005"> | |
<CertRoot Type="Wellknown" Value="0C" /> | |
</Signer> | |
<Signer ID="ID_SIGNER_FLIGHT_ROOT_USER" Name="Microsoft Flight Root 2014"> | |
<CertRoot Type="Wellknown" Value="0E" /> | |
</Signer> | |
<!-- Store signer: pinned by the TBS hash of the issuing CA (Type="TBS") and additionally constrained to the Windows Store EKU defined above. User-mode only; it is not referenced by the driver scenario. -->
<Signer ID="ID_SIGNER_STORE" Name="Microsoft MarketPlace PCA 2011"> | |
<CertRoot Type="TBS" Value="FC9EDE3DCCA09186B2D3BF9B738A2050CB1A554DA2DCADB55F3F72EE17721378" /> | |
<CertEKU ID="ID_EKU_STORE" /> | |
</Signer> | |
<Signer ID="ID_SIGNER_TEST_ROOT_USER" Name="Microsoft Test Root 2010"> | |
<CertRoot Type="Wellknown" Value="0A" /> | |
</Signer> | |
<!-- Policy-update signer. This signer is not an allowed code signer in either scenario; it is referenced only from UpdatePolicySigners, so it is the certificate trusted to sign replacements for this policy (WDAC semantics; confirm against Microsoft docs). -->
<Signer ID="ID_SIGNER_WDATPRESTRICTEXECUTION" Name="WdAtpRestrictExecution - Microsoft Defender for Endpoint Update Signer" > | |
<CertRoot Type="TBS" Value="75EF3425733343967441E38BB096AE47B59BD39068218EEB5A6769F5FA54D091" /> | |
</Signer> | |
</Signers> | |
<SigningScenarios> | |
<!-- Driver (kernel-mode) scenario, per the ID and the conventional meaning of Value 131: the eight Microsoft roots above, including the test root. TestSigners / TestSigningSigners are intentionally empty. -->
<SigningScenario ID="ID_SIGNINGSCENARIO_DRIVERS_1" Value="131"> | |
<ProductSigners> | |
<AllowedSigners> | |
<AllowedSigner SignerId="ID_SIGNER_PRODUCT_ROOT_MD5" /> | |
<AllowedSigner SignerId="ID_SIGNER_PRODUCT_ROOT_SHA1" /> | |
<AllowedSigner SignerId="ID_SIGNER_PRODUCT_ROOT" /> | |
<AllowedSigner SignerId="ID_SIGNER_STANDARD_ROOT" /> | |
<AllowedSigner SignerId="ID_SIGNER_CODEVERIFICATION_ROOT" /> | |
<AllowedSigner SignerId="ID_SIGNER_DMD_ROOT" /> | |
<AllowedSigner SignerId="ID_SIGNER_FLIGHT_ROOT" /> | |
<AllowedSigner SignerId="ID_SIGNER_TEST_ROOT" /> | |
</AllowedSigners> | |
</ProductSigners> | |
<TestSigners /> | |
<TestSigningSigners /> | |
</SigningScenario> | |
<!-- User-mode scenario (Value 12, enforced because Enabled:UMCI is set): the same roots plus the Store signer. There are no file, hash or path rules and no deny rules, so the net effect is as the gist comment states: anything Microsoft-signed or Store-signed may execute, which means Microsoft-signed LOLBins are not blocked by this policy alone. -->
<SigningScenario ID="ID_SIGNINGSCENARIO_WINDOWS" Value="12"> | |
<ProductSigners> | |
<AllowedSigners> | |
<AllowedSigner SignerId="ID_SIGNER_PRODUCT_ROOT_MD5_USER" /> | |
<AllowedSigner SignerId="ID_SIGNER_PRODUCT_ROOT_SHA1_USER" /> | |
<AllowedSigner SignerId="ID_SIGNER_PRODUCT_ROOT_USER" /> | |
<AllowedSigner SignerId="ID_SIGNER_STANDARD_ROOT_USER" /> | |
<AllowedSigner SignerId="ID_SIGNER_CODEVERIFICATION_ROOT_USER" /> | |
<AllowedSigner SignerId="ID_SIGNER_DMD_ROOT_USER" /> | |
<AllowedSigner SignerId="ID_SIGNER_FLIGHT_ROOT_USER" /> | |
<AllowedSigner SignerId="ID_SIGNER_STORE" /> | |
<AllowedSigner SignerId="ID_SIGNER_TEST_ROOT_USER" /> | |
</AllowedSigners> | |
</ProductSigners> | |
<TestSigners /> | |
<TestSigningSigners /> | |
</SigningScenario> | |
</SigningScenarios> | |
<!-- Only the MDE update signer may sign a new version of this policy. -->
<UpdatePolicySigners> | |
<UpdatePolicySigner SignerId="ID_SIGNER_WDATPRESTRICTEXECUTION" /> | |
</UpdatePolicySigners> | |
<!-- CiSigners: the Store signer is listed here as well; this section is in addition to its AllowedSigner entry in the user-mode scenario (exact CiSigners semantics are not shown on this page; check WDAC policy docs). -->
<CiSigners> | |
<CiSigner SignerId="ID_SIGNER_STORE" /> | |
</CiSigners> | |
</SiPolicy> |
This policy allows all Microsoft-signed and Microsoft Store-signed code to execute. This will not prevent Microsoft-signed LOLBins from executing. This policy is designed to "stop the bleeding" when a device is suspected to be compromised. To deploy this policy, enable "Restrict App Execution" from the MDE portal.
Policy GUID
{4E61C68C-97F6-430B-9CD7-9B1004706770}
corresponds to the binary policy that MDE drops to %windir%\System32\CodeIntegrity\ATPSiPolicy.p7b
. You can confirm that the MDE policy is deployed on the endpoint with the following command: `CiTool.exe --list-policies`
When the policy is deployed, you should see a similar entry in the output:
The MDE policy,
4e61c68c-97f6-430b-9cd7-9b1004706770
is enabled based on "Is Currently Enforced" showing "true". Thanks to @jsecurity101 for geeking out with me about this!