Update How to Use Microsoft Defender for Endpoint Advanced Hunting With WDAC App Control.md
HotCakeX committed Aug 15, 2024
1 parent f4883af commit 854ebb9
Showing 1 changed file with 6 additions and 6 deletions.
Expand Up @@ -22,15 +22,15 @@ You can create Audit mode policies using the WDACConfig module based on differen
For instance, the following command will create an Audit mode policy that once deployed on an endpoint, starts generating Audit logs for any file that runs but is not part of the Windows by default.

```powershell
New-WDACConfig -PrepDefaultWindowsAudit
New-WDACConfig -PolicyType DefaultWindows -Audit
```

<br>

Another option would be the following command, which will create an Audit mode policy that once deployed, starts generating Audit logs for any file that runs but is not signed by Microsoft certificates.

```powershell
New-WDACConfig -PrepMSFTOnlyAudit
New-WDACConfig -PolicyType AllowMicrosoft -Audit
```

<br>
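Review bot: the unchanged context line introducing the first command still reads "not part of the Windows by default", which is ungrammatical; since this hunk already touches the block, change it to "not part of Windows by default". With the move to the shared `-PolicyType` parameter, the two commands now differ only in the policy type value, so it would help to state in one sentence that the `-Audit` switch is what makes the resulting policy Audit mode, so readers see the Enforced variants later on the page (`New-WDACConfig -PolicyType AllowMicrosoft` / `New-WDACConfig -PolicyType DefaultWindows`) as the same command minus that switch.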
Expand Down Expand Up @@ -129,16 +129,16 @@ The following video demonstrates the process of collecting the data from MDE Adv

After generating the Supplemental policies based off of the MDE Advanced Hunting data, you need to remove the Audit mode policies you deployed to your endpoints initially and replace them with Enforced mode policies.

#### [Generate Allow Microsoft Base Policy (Enforced Mode)](https://github.com/HotCakeX/Harden-Windows-Security/wiki/New-WDACConfig#new-wdacconfig--makeallowmsftwithblockrules)
#### [Generate Allow Microsoft Base Policy (Enforced Mode)](https://github.com/HotCakeX/Harden-Windows-Security/wiki/New-WDACConfig#new-wdacconfig--policytype)

```powershell
New-WDACConfig -MakeAllowMSFTWithBlockRules
New-WDACConfig -PolicyType AllowMicrosoft
```

#### [Generate Default Windows Base Policy (Enforced Mode)](https://github.com/HotCakeX/Harden-Windows-Security/wiki/New-WDACConfig#new-wdacconfig--makedefaultwindowswithblockrules)
#### [Generate Default Windows Base Policy (Enforced Mode)](https://github.com/HotCakeX/Harden-Windows-Security/wiki/New-WDACConfig#new-wdacconfig--policytype)

```powershell
New-WDACConfig -MakeDefaultWindowsWithBlockRules
New-WDACConfig -PolicyType DefaultWindows
```

<br>
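Review bot: the removed parameter names `-MakeAllowMSFTWithBlockRules` and `-MakeDefaultWindowsWithBlockRules` told the reader that the enforced base policy ships with the block rules; the replacements `-PolicyType AllowMicrosoft` and `-PolicyType DefaultWindows` and the unchanged headings "Generate Allow Microsoft Base Policy (Enforced Mode)" / "Generate Default Windows Base Policy (Enforced Mode)" no longer say so. If the `-PolicyType` form still merges the recommended block rules, say so in the heading or in a sentence under each block; if it does not, the procedure is missing a step and the text should add it. Also, both headings now link to the same `#new-wdacconfig--policytype` anchor, which is fine for a shared parameter but means the two links no longer distinguish the policy types; one link above both blocks would be cleaner than two identical ones.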
