HotCakeX · HotCakeX · Nov 28, 2024 · Nov 28, 2024 · Nov 28, 2024
@@ -80,7 +80,7 @@
     <AssemblyName>AppControlManager</AssemblyName>
     <PublishAot>False</PublishAot>
     <ErrorReport>send</ErrorReport>
-    <FileVersion>1.5.0.0</FileVersion>
+    <FileVersion>1.5.1.0</FileVersion>
     <AssemblyVersion>$(FileVersion)</AssemblyVersion>
     <NeutralLanguage>en-US</NeutralLanguage>
     <PackageLicenseFile>LICENSE</PackageLicenseFile>

@@ -10,7 +10,7 @@ public static class CertificateGenerator
     {
 
         /// <summary>
-        /// Build a self-signed on-device certificate for the purpose of AppControl policy signing
+        /// Build a self-signed on-device certificate for the purpose of App Control policy signing
         /// Use certutil -dump -v '.\codesign.cer' to view the certificate properties, such as encoding of the certificate fields like the subject
         /// </summary>
         /// <param name="CommonName"></param>

@@ -75,7 +75,7 @@ public static HashSet<FileIdentity> Scan(List<FileInfo> files)
                 if (fileIsSigned)
                 {
 
-                    // The EKU OIDs of the primary signer of the file, just like the output of the Get-AuthenticodeSignature cmdlet, the ones that AppControl policy uses for EKU-based authorization
+                    // The EKU OIDs of the primary signer of the file, just like the output of the Get-AuthenticodeSignature cmdlet, the ones that App Control policy uses for EKU-based authorization
                     // Only the leaf certificate of the primary signer has EKUs, others such as root or intermediate have KUs only.
                     ekuOIDs = FileSignatureResults
                        .Where(p => p.Signer?.SignerInfos is not null)

@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
+using System.Linq;
 using System.Text;
 using System.Text.Json;
 using System.Text.Json.Serialization;
@@ -51,14 +52,24 @@ private static List<MDEAdvancedHuntingData> ReadCsv(string filePath)
             // Read the CSV file line by line
             using StreamReader reader = new(filePath);
 
-            // Read the header line
+            // Read the header line which is the first line
             string? header = reader.ReadLine() ?? throw new InvalidDataException("CSV file is empty or header is missing.");
 
+            // Parse the header line
+            string[] headers = ParseCsvLine(header);
+
+            // Map header names to their indices so columns can be located precisely regardless of their positions in the CSV file
+            Dictionary<string, int> headerMap = headers
+                .Select((name, index) => new { name, index })
+                .ToDictionary(x => x.name, x => x.index);
+
             // Read the remaining lines of the CSV file until the end of the stream is reached (EOF)
             while (!reader.EndOfStream)
             {
                 // Read the next line
                 string? line = reader.ReadLine();
+
+                // Skip empty lines
                 if (line is null) continue;
 
                 // Split the line by commas
@@ -68,44 +79,47 @@ private static List<MDEAdvancedHuntingData> ReadCsv(string filePath)
                 // P.S not all rows have the same properties
                 MDEAdvancedHuntingData record = new()
                 {
-                    Timestamp = values.Length > 0 ? values[0] : null,
-                    DeviceId = values.Length > 1 ? values[1] : null,
-                    DeviceName = values.Length > 2 ? values[2] : null,
-                    ActionType = values.Length > 3 ? values[3] : null,
-                    FileName = values.Length > 4 ? values[4] : null,
-                    FolderPath = values.Length > 5 ? values[5] : null,
-                    SHA1 = values.Length > 6 ? values[6] : null,
-                    SHA256 = values.Length > 7 ? values[7] : null,
-                    InitiatingProcessSHA1 = values.Length > 8 ? values[8] : null,
-                    InitiatingProcessSHA256 = values.Length > 9 ? values[9] : null,
-                    InitiatingProcessMD5 = values.Length > 10 ? values[10] : null,
-                    InitiatingProcessFileName = values.Length > 11 ? values[11] : null,
-                    InitiatingProcessFileSize = values.Length > 12 ? values[12] : null,
-                    InitiatingProcessFolderPath = values.Length > 13 ? values[13] : null,
-                    InitiatingProcessId = values.Length > 14 ? values[14] : null,
-                    InitiatingProcessCommandLine = values.Length > 15 ? values[15] : null,
-                    InitiatingProcessCreationTime = values.Length > 16 ? values[16] : null,
-                    InitiatingProcessAccountDomain = values.Length > 17 ? values[17] : null,
-                    InitiatingProcessAccountName = values.Length > 18 ? values[18] : null,
-                    InitiatingProcessAccountSid = values.Length > 19 ? values[19] : null,
-                    InitiatingProcessVersionInfoCompanyName = values.Length > 20 ? values[20] : null,
-                    InitiatingProcessVersionInfoProductName = values.Length > 21 ? values[21] : null,
-                    InitiatingProcessVersionInfoProductVersion = values.Length > 22 ? values[22] : null,
-                    InitiatingProcessVersionInfoInternalFileName = values.Length > 23 ? values[23] : null,
-                    InitiatingProcessVersionInfoOriginalFileName = values.Length > 24 ? values[24] : null,
-                    InitiatingProcessVersionInfoFileDescription = values.Length > 25 ? values[25] : null,
-                    InitiatingProcessParentId = values.Length > 26 ? values[26] : null,
-                    InitiatingProcessParentFileName = values.Length > 27 ? values[27] : null,
-                    InitiatingProcessParentCreationTime = values.Length > 28 ? values[28] : null,
-                    InitiatingProcessLogonId = values.Length > 29 ? values[29] : null,
-                    ReportId = values.Length > 30 ? values[30] : null
+                    Timestamp = GetValue(values, headerMap, "Timestamp"),
+                    DeviceId = GetValue(values, headerMap, "DeviceId"),
+                    DeviceName = GetValue(values, headerMap, "DeviceName"),
+                    ActionType = GetValue(values, headerMap, "ActionType"),
+                    FileName = GetValue(values, headerMap, "FileName"),
+                    FolderPath = GetValue(values, headerMap, "FolderPath"),
+                    SHA1 = GetValue(values, headerMap, "SHA1"),
+                    SHA256 = GetValue(values, headerMap, "SHA256"),
+                    InitiatingProcessSHA1 = GetValue(values, headerMap, "InitiatingProcessSHA1"),
+                    InitiatingProcessSHA256 = GetValue(values, headerMap, "InitiatingProcessSHA256"),
+                    InitiatingProcessMD5 = GetValue(values, headerMap, "InitiatingProcessMD5"),
+                    InitiatingProcessFileName = GetValue(values, headerMap, "InitiatingProcessFileName"),
+                    InitiatingProcessFileSize = GetValue(values, headerMap, "InitiatingProcessFileSize"),
+                    InitiatingProcessFolderPath = GetValue(values, headerMap, "InitiatingProcessFolderPath"),
+                    InitiatingProcessId = GetValue(values, headerMap, "InitiatingProcessId"),
+                    InitiatingProcessCommandLine = GetValue(values, headerMap, "InitiatingProcessCommandLine"),
+                    InitiatingProcessCreationTime = GetValue(values, headerMap, "InitiatingProcessCreationTime"),
+                    InitiatingProcessAccountDomain = GetValue(values, headerMap, "InitiatingProcessAccountDomain"),
+                    InitiatingProcessAccountName = GetValue(values, headerMap, "InitiatingProcessAccountName"),
+                    InitiatingProcessAccountSid = GetValue(values, headerMap, "InitiatingProcessAccountSid"),
+                    InitiatingProcessVersionInfoCompanyName = GetValue(values, headerMap, "InitiatingProcessVersionInfoCompanyName"),
+                    InitiatingProcessVersionInfoProductName = GetValue(values, headerMap, "InitiatingProcessVersionInfoProductName"),
+                    InitiatingProcessVersionInfoProductVersion = GetValue(values, headerMap, "InitiatingProcessVersionInfoProductVersion"),
+                    InitiatingProcessVersionInfoInternalFileName = GetValue(values, headerMap, "InitiatingProcessVersionInfoInternalFileName"),
+                    InitiatingProcessVersionInfoOriginalFileName = GetValue(values, headerMap, "InitiatingProcessVersionInfoOriginalFileName"),
+                    InitiatingProcessVersionInfoFileDescription = GetValue(values, headerMap, "InitiatingProcessVersionInfoFileDescription"),
+                    InitiatingProcessParentId = GetValue(values, headerMap, "InitiatingProcessParentId"),
+                    InitiatingProcessParentFileName = GetValue(values, headerMap, "InitiatingProcessParentFileName"),
+                    InitiatingProcessParentCreationTime = GetValue(values, headerMap, "InitiatingProcessParentCreationTime"),
+                    InitiatingProcessLogonId = GetValue(values, headerMap, "InitiatingProcessLogonId"),
+                    ReportId = GetValue(values, headerMap, "ReportId")
                 };
 
+
+                // Get the JSON string from the CSV which is in the AdditionalFields property
+                string? additionalFieldsString = GetValue(values, headerMap, "AdditionalFields");
+
+
                 // Parse the AdditionalFields JSON if it exists
-                if (values.Length > 31 && !string.IsNullOrWhiteSpace(values[31]))
+                if (additionalFieldsString is not null && !string.IsNullOrWhiteSpace(additionalFieldsString))
                 {
-                    // Get the JSON string from the CSV which is in the AdditionalFields property
-                    string additionalFieldsString = values[31];
 
                     // Format the JSON string so the next method won't throw error
                     string FormattedJSONString = EnsureAllValuesAreQuoted(additionalFieldsString);
@@ -248,6 +262,22 @@ private static string[] ParseCsvLine(string line)
         }
 
 
+        /// <summary>
+        /// Gets the value of a column from the CSV row and returns it
+        /// Returns null if the column does not exist or the value is empty
+        /// </summary>
+        /// <param name="values"></param>
+        /// <param name="headerMap"></param>
+        /// <param name="columnName"></param>
+        /// <returns></returns>
+        private static string? GetValue(string[] values, Dictionary<string, int> headerMap, string columnName)
+        {
+            if (headerMap.TryGetValue(columnName, out int index) && index < values.Length)
+            {
+                return values[index];
+            }
+            return null;
+        }
 
 
         // 1. (?<=:)

@@ -458,6 +458,84 @@ public static void BuildAllowMSFT(string StagingArea, bool IsAudit, ulong? LogSi
 
 
 
+        /// <summary>
+        /// Creates a base policy based on the DefaultWindows template
+        /// </summary>
+        /// <param name="StagingArea"></param>
+        /// <param name="IsAudit"></param>
+        /// <param name="LogSize"></param>
+        /// <param name="deploy"></param>
+        /// <param name="RequireEVSigners"></param>
+        /// <param name="EnableScriptEnforcement"></param>
+        /// <param name="TestMode"></param>
+        public static void BuildDefaultWindows(string StagingArea, bool IsAudit, ulong? LogSize, bool deploy, bool RequireEVSigners, bool EnableScriptEnforcement, bool TestMode, bool? deployAppControlSupplementalPolicy)
+        {
+
+            string policyName;
+
+            if (IsAudit)
+            {
+                EventLogUtility.SetLogSize(LogSize ?? 0);
+
+                policyName = "DefaultWindowsAudit";
+            }
+            else
+            {
+                policyName = "DefaultWindows";
+            }
+
+            // Paths only used during staging area processing
+            string tempPolicyPath = Path.Combine(StagingArea, $"{policyName}.xml");
+            string tempPolicyCIPPath = Path.Combine(StagingArea, $"{policyName}.cip");
+
+            // Final Policy Path
+            string finalPolicyPath = Path.Combine(GlobalVars.UserConfigDir, $"{policyName}.xml");
+
+            // Get/Deploy the block rules
+            GetBlockRules(StagingArea, deploy);
+
+            Logger.Write("Copying the DefaultWindows.xml from Windows directory to the Staging Area");
+
+            File.Copy(@"C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml", tempPolicyPath, true);
+
+            Logger.Write("Resetting the policy ID and assigning policy name");
+
+            // Get the policy ID of the policy being created
+            string policyID = SetCiPolicyInfo.Set(tempPolicyPath, true, $"{policyName} - {DateTime.Now.ToString("MM-dd-yyyy", CultureInfo.InvariantCulture)}", null, null);
+
+            if (deployAppControlSupplementalPolicy == true)
+            {
+                // Supply the policy ID of the policy being deployed to this method
+                SupplementalForSelf.Deploy(StagingArea, policyID);
+            }
+
+            SetCiPolicyInfo.Set(tempPolicyPath, new Version("1.0.0.0"));
+
+            CiRuleOptions.Set(
+                tempPolicyPath,
+                template: CiRuleOptions.PolicyTemplate.Base,
+                EnableAuditMode: IsAudit,
+                RequireEVSigners: RequireEVSigners,
+                ScriptEnforcement: EnableScriptEnforcement,
+                TestMode: TestMode);
+
+
+            if (deploy)
+            {
+                Logger.Write("Converting the policy file to .CIP binary");
+
+                PolicyToCIPConverter.Convert(tempPolicyPath, tempPolicyCIPPath);
+
+                CiToolHelper.UpdatePolicy(tempPolicyCIPPath);
+            }
+
+            File.Copy(tempPolicyPath, finalPolicyPath, true);
+
+        }
+
+
+
+
         /// <summary>
         /// Gets the latest Microsoft Recommended block rules for User Mode files, removes the audit mode policy rule option and sets HVCI to strict
         /// It generates a XML file compliant with CI Policies Schema.

@@ -8,7 +8,7 @@ public static class MoveUserModeToKernelMode
         /// <summary>
         /// Moves all User mode AllowedSigners in the User mode signing scenario to the Kernel mode signing scenario and then
         /// deletes the entire User mode signing scenario block
-        /// This is used during the creation of Strict Kernel-mode AppControl policy for complete BYOVD protection scenario.
+        /// This is used during the creation of Strict Kernel-mode App Control policy for complete BYOVD protection scenario.
         /// It doesn't consider <FileRulesRef> node in the SigningScenario 12 when deleting it because for kernel-mode policy everything is signed and we don't deal with unsigned files.
         /// </summary>
         /// <param name="filePath">The path to the XML file</param>

@@ -4,7 +4,7 @@ namespace WDACConfig
     public static class XMLOps
     {
         /// <summary>
-        /// Uses the scan data to generate an AppControl policy and makes sure the data are unique
+        /// Uses the scan data to generate an App Control policy and makes sure the data are unique
         /// </summary>
         /// <param name="incomingData"></param>
         /// <param name="xmlFilePath"></param>

@@ -97,17 +97,17 @@
                 <NavigationViewItem x:Name="BuildNewCertificateNavItem" Content="Build New Certificate" ToolTipService.ToolTip="Generate Certificates that are suitable for signing App Control Policies" Tag="BuildNewCertificate"/>
 
                 <!-- Make it expanded by default to show the import feature to the user at first sight -->
-                <NavigationViewItem x:Name="CreatePolicyFromEventLogsNavItem" IsExpanded="True" Content="Create policy from Event Logs" ToolTipService.ToolTip="Create AppControl policy either from the local event logs or EVTX files" Tag="EventLogsPolicyCreation">
+                <NavigationViewItem x:Name="CreatePolicyFromEventLogsNavItem" IsExpanded="True" Content="Create policy from Event Logs" ToolTipService.ToolTip="Create App Control policy either from the local event logs or EVTX files" Tag="EventLogsPolicyCreation">
 
                     <NavigationViewItem.MenuItems>
-                        <NavigationViewItem x:Name="CreatePolicyFromMDEAHNavItem" Content="Create policy from MDE Advanced Hunting" ToolTipService.ToolTip="Create AppControl policy from Microsoft Defender for Endpoint (MDE) Advanced Hunting Logs" Tag="MDEAHPolicyCreation"/>
+                        <NavigationViewItem x:Name="CreatePolicyFromMDEAHNavItem" Content="MDE Advanced Hunting" ToolTipService.ToolTip="Create App Control policy from Microsoft Defender for Endpoint (MDE) Advanced Hunting Logs" Tag="MDEAHPolicyCreation" />
                     </NavigationViewItem.MenuItems>
 
                 </NavigationViewItem>
 
                 <NavigationViewItemSeparator/>
 
-                <NavigationViewItem x:Name="DeploymentNavItem" Content="Deploy AppControl Policy" ToolTipService.ToolTip="Deploy signed or unsigned AppControl policies on the system" Tag="Deployment"/>
+                <NavigationViewItem x:Name="DeploymentNavItem" Content="Deploy App Control Policy" ToolTipService.ToolTip="Deploy signed or unsigned AppControl policies on the system" Tag="Deployment"/>
 
                 <NavigationViewItem x:Name="GetCodeIntegrityHashesNavItem" Content="Get Code Integrity Hashes" ToolTipService.ToolTip="Get Code Integrity Hashes of files" Tag="GetCIHashes"/>
 

@@ -39,9 +39,9 @@ public sealed partial class MainWindow : Window
             { typeof(Pages.Logs), "Logs" },
             { typeof(Pages.Simulation), "Simulation" },
             { typeof(Pages.Update), "Update" },
-            { typeof(Pages.Deployment), "Deploy AppControl Policy" },
+            { typeof(Pages.Deployment), "Deploy App Control Policy" },
             { typeof(Pages.EventLogsPolicyCreation), "Create policy from Event Logs" },
-            { typeof(Pages.MDEAHPolicyCreation), "Create policy from MDE Advanced Hunting" },
+            { typeof(Pages.MDEAHPolicyCreation), "MDE Advanced Hunting" },
             { typeof(Pages.AllowNewApps), "Allow New Apps" },
             { typeof(Pages.BuildNewCertificate), "Build New Certificate" },
             { typeof(Pages.UpdatePageCustomMSIXPath), "Custom MSIX Path" }, // sub-page
@@ -304,7 +304,7 @@ private void OnIconsStylesChanged(string? newIconsStyle)
                             Source = new Scan()
                         };
 
-                        // Create Policy from MDE Advanced Hunting
+                        // MDE Advanced Hunting
                         CreatePolicyFromMDEAHNavItem.Icon = new AnimatedIcon
                         {
                             Margin = new Thickness(0, -8, -8, -8),
@@ -434,7 +434,7 @@ private void OnIconsStylesChanged(string? newIconsStyle)
                             Foreground = accentBrush
                         };
 
-                        // Create Policy from MDE Advanced Hunting
+                        // MDE Advanced Hunting
                         CreatePolicyFromMDEAHNavItem.Icon = new FontIcon
                         {
                             Glyph = "\uEB44",
@@ -548,7 +548,7 @@ private void OnIconsStylesChanged(string? newIconsStyle)
                             Glyph = "\uEA18"
                         };
 
-                        // Create Policy from MDE Advanced Hunting
+                        // MDE Advanced Hunting
                         CreatePolicyFromMDEAHNavItem.Icon = new FontIcon
                         {
                             Glyph = "\uEB44"

@@ -11,7 +11,7 @@
   <Identity
     Name="AppControlManager"
     Publisher="CN=SelfSignedCertForAppControlManager"
-    Version="1.5.0.0" />
+    Version="1.5.1.0" />
 
   <mp:PhoneIdentity PhoneProductId="199a23ec-7cb6-4ab5-ab50-8baca348bc79" PhonePublisherId="00000000-0000-0000-0000-000000000000"/>