

Merge pull request #6 from microsoft/master
Synced from main
jsuther1974 authored Jun 30, 2020
2 parents 12655dc + 9760cac commit 2dbb572
Showing 9 changed files with 32 additions and 32 deletions.
28 changes: 14 additions & 14 deletions AaronLocker/Create-Policies-AppLocker.ps1
Expand Up @@ -126,14 +126,14 @@ if ($Rescan)
}

####################################################################################################
# Build AppLocker pub rule data for Exe files to blacklist if needed
# Build AppLocker pub rule data for Exe files to DenyList if needed
####################################################################################################
if ( $Rescan -or !(Test-Path($ExeBlacklistData) ) )
if ( $Rescan -or !(Test-Path($ExeDenyListData) ) )
{
# Create a hash collection for publisher information. Key on publisher name, product name, and binary name.
# Add to collection if equivalent is not already in the collection.
$pubCollection = @{}
$exeFilesToBlacklist | foreach {
$exeFilesToDenyList | foreach {
$pub = (Get-AppLockerFileInformation "$_").Publisher
if ($null -ne $pub)
{
Expand All @@ -142,14 +142,14 @@ if ( $Rescan -or !(Test-Path($ExeBlacklistData) ) )
}
else
{
Write-Warning "UNABLE TO BUILD BLACKLIST RULE FOR $_"
Write-Warning "UNABLE TO BUILD DENYLIST RULE FOR $_"
}
}

$pubCollection.Values |
Select-Object PublisherName, ProductName, BinaryName |
ConvertTo-Csv -NoTypeInformation |
Out-File $ExeBlacklistData -Encoding unicode
Out-File $ExeDenyListData -Encoding unicode
}

####################################################################################################
Expand All @@ -166,10 +166,10 @@ if ( ! ( (Test-Path($windirTxt)) -and (Test-Path($PfTxt)) -and (Test-Path($Pf86T
return
}

if ( ! (Test-Path($ExeBlacklistData)) )
if ( ! (Test-Path($ExeDenyListData)) )
{
$errMsg = "The following file is missing:`n" +
"`t" + $ExeBlacklistData +"`n"
"`t" + $ExeDenyListData +"`n"
Write-Error $errMsg
return
}
Expand Down Expand Up @@ -243,16 +243,16 @@ $Wr_raw_PF | foreach {
$xDocument = [xml](Get-Content $defRulesXml)

####################################################################################################
# Incorporate data for EXE files to blacklist under Windir
# Incorporate data for EXE files to DenyList under Windir
####################################################################################################

# Incorporate the EXE blacklist into the document where the one PLACEHOLDER_WINDIR_EXEBLACKLIST
# Incorporate the EXE DenyList into the document where the one PLACEHOLDER_WINDIR_EXEDENYLIST
# placeholder is.
$xPlaceholder = $xDocument.SelectNodes("//PLACEHOLDER_WINDIR_EXEBLACKLIST")[0]
$xPlaceholder = $xDocument.SelectNodes("//PLACEHOLDER_WINDIR_EXEDENYLIST")[0]
$xExcepts = $xPlaceholder.ParentNode

$csvExeBlacklistData = (Get-Content $ExeBlacklistData | ConvertFrom-Csv)
$csvExeBlacklistData | foreach {
$csvExeDenyListData = (Get-Content $ExeDenyListData | ConvertFrom-Csv)
$csvExeDenyListData | foreach {
# Create a FilePublisherCondition element with the publisher attributes
$elem = $xDocument.CreateElement("FilePublisherCondition")
$elem.SetAttribute("PublisherName", $_.PublisherName)
Expand All @@ -270,7 +270,7 @@ $csvExeBlacklistData | foreach {
# Remove the placeholder element
$xExcepts.RemoveChild($xPlaceholder) | Out-Null

Write-Host "Processing additional safe paths to whitelist..." -ForegroundColor Cyan
Write-Host "Processing additional safe paths to AllowList..." -ForegroundColor Cyan
# Incorporate authorized safe paths into the document
# Add "allow" for Everyone for Exe, Dll, and Script rules
$xRuleCollections = $xDocument.SelectNodes("//RuleCollection[@Type='Exe' or @Type='Script' or @Type='Dll']")
Expand Down Expand Up @@ -475,7 +475,7 @@ $signersToBuildRulesFor | foreach {

if ($publisher.ToLower().Contains("microsoft") -and $product.Length -eq 0 -and ($ruleCollection.Length -eq 0 -or $ruleCollection -eq "Exe"))
{
Write-Warning -Message ("Warning: Trusting all Microsoft-signed files is an overly-broad whitelisting strategy")
Write-Warning -Message ("Warning: Trusting all Microsoft-signed files is an overly-broad AllowListing strategy")
}

if ($ruleCollection)
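Review bot: `$xPlaceholder = $xDocument.SelectNodes("//PLACEHOLDER_WINDIR_EXEDENYLIST")[0]` is still dereferenced on the next line without a null check, and this commit ties the placeholder name to the version of DefaultRulesWithPlaceholders.xml, which is changed here only as a binary file. A policy built against an older or locally edited template that still carries PLACEHOLDER_WINDIR_EXEBLACKLIST would get `$null` here and, depending on strict mode, either fail later on `$xExcepts` or yield a rule set that lacks the deny-list exceptions for the bypass binaries the scan collected. A guard right after the lookup, `if ($null -eq $xPlaceholder) { Write-Error "PLACEHOLDER_WINDIR_EXEDENYLIST not found in $defRulesXml"; return }`, makes a template mismatch fail loudly instead of producing a more permissive policy than intended. The loop over `$csvExeDenyListData` and the surrounding top-level script continue outside the hunk.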
4 changes: 2 additions & 2 deletions AaronLocker/Create-Policies-WDAC.ps1
Expand Up @@ -376,15 +376,15 @@ Merge-CIPolicy -OutputFilePath $WDACAllowRulesXMLFile -PolicyPaths $WDACAllowRul


###################################################################################################
# Create block policy from Exe files to blacklist if needed. Merge the deny rules with the allow all example policy.
# Create block policy from Exe files to DenyList if needed. Merge the deny rules with the allow all example policy.
####################################################################################################
if ( $Rescan -or !(Test-Path($WDACBlockPolicyXMLFile) ) )
{
Write-Host "Processing EXE files to block..." -ForegroundColor Cyan
# Create a hash collection for publisher information. Key on publisher name, product name, and binary name.
# Add to collection if equivalent is not already in the collection.
$WDACExeFilesToBlock = @()
$WDACExeFilesToBlock += $exeFilesToBlackList
$WDACExeFilesToBlock += $exeFilesToDenyList
$WDACBlockRules = & New-CIPolicyRule -DriverFilePath $WDACExeFilesToBlock -Level FilePublisher -Fallback FileName, Hash, FilePath -Deny
New-CIPolicy -Rules $WDACBlockRules -FilePath $WDACBlockPolicyXMLFile -UserPEs -MultiplePolicyFormat
}
10 changes: 5 additions & 5 deletions AaronLocker/Create-Policies.ps1
Expand Up @@ -50,7 +50,7 @@ Sysinternals AccessChk is available here:
or run .\Support\DownloadAccesschk.ps1, which downloads AccessChk.exe to the main AaronLocker directory.
.PARAMETER Rescan
If this switch is set, this script scans the Windows and ProgramFiles directories for user-writable subdirectories, and captures data about EXE files to blacklist.
If this switch is set, this script scans the Windows and ProgramFiles directories for user-writable subdirectories, and captures data about EXE files to DenyList.
If the results from a previous scan are found in the expected location and this switch is not specified, the script does not perform those scans. If those results are not found, the script performs the scan even if this switch is not set.
It is STRONGLY recommended that the scanning be performed with administrative rights.
Expand Down Expand Up @@ -218,11 +218,11 @@ if (($Rescan) -and ($AppLockerOrWDAC -eq "WDAC") -and !($ProcessWDACLikeAppLocke
# Process common custom inputs once before calling AppLocker- and WDAC-specific scripts
####################################################################################################
# Get Block List -- WDAC could potentially use recommended blocks policy instead? If so, move this back to AppLocker-specific script
if ( $Rescan -or ( ($AppLockerOrWDAC -in "Both","AppLocker") -and !(Test-Path($ExeBlacklistData) ) ) -or ( ($AppLockerOrWDAC -in "Both","WDAC") ) )
if ( $Rescan -or ( ($AppLockerOrWDAC -in "Both","AppLocker") -and !(Test-Path($ExeDenyListData) ) ) -or ( ($AppLockerOrWDAC -in "Both","WDAC") ) )
{
Write-Host "Get EXE files to blacklist for later processing..." -ForegroundColor Cyan
# Get the EXE files to blacklist from the script that produces that list.
$exeFilesToBlacklist = (& $ps1_GetExeFilesToBlacklist)
Write-Host "Get EXE files to DenyList for later processing..." -ForegroundColor Cyan
# Get the EXE files to DenyList from the script that produces that list.
$exeFilesToDenyList = (& $ps1_GetExeFilesToDenyList)
}

# Get additional authorized safe paths from the script that produces that list
Expand Up @@ -3,7 +3,7 @@
Script used by Create-Policies.ps1 to identify EXE files that should be disallowed by AppLocker for non-admin use. Can be edited if necessary.
.DESCRIPTION
This script outputs a list of file paths under %windir% that need to be specifically disallowed by whitelisting rules.
This script outputs a list of file paths under %windir% that need to be specifically disallowed by AllowListing rules.
The list of files is consumed by Create-Policies.ps1, which builds the necessary AppLocker rules to block them.
You can edit this file as needed for your environment, although it is recommended that none of the programs
identified in this script be removed.
Expand All @@ -15,19 +15,19 @@ http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-dow
#>

# --------------------------------------------------------------------------------
# Files used to bypass whitelisting:
# Files used to bypass AllowListing:

# Find the multiple instances of .NET executables that have been identified as whitelist bypasses.
# Find the multiple instances of .NET executables that have been identified as AllowList bypasses.
# Create-Policies.ps1 will remove redundant information.
$dotnetProgramsToBlacklist =
$dotnetProgramsToDenyList =
"InstallUtil.exe",
"IEExec.exe",
"RegAsm.exe",
"RegSvcs.exe",
"MSBuild.exe",
"Microsoft.Workflow.Compiler.exe"

$dotnetProgramsToBlacklist | ForEach-Object {
$dotnetProgramsToDenyList | ForEach-Object {
Get-ChildItem -Path $env:windir\Microsoft.NET -Recurse -Include $_ | ForEach-Object { $_.FullName }
}

6 changes: 3 additions & 3 deletions AaronLocker/Get-AppLockerEvents.ps1
Expand Up @@ -18,7 +18,7 @@ The -FromDateTime and -ToDateTime options enable you to limit events to time ran
Data from each event is turned into a line of tab-delimited CSV. Lines are sorted before being output.
Random-named temporary files created by PowerShell to test whitelisting policy are filtered out by default.
Random-named temporary files created by PowerShell to test AllowListing policy are filtered out by default.
Use the -ComputerName parameter to name a remote computer from which to retrieve live-log events (default logs or event collectors).
Use the -WarningOnly, -ErrorOnly, -AllowedOnly, or -AllEvents switches to retrieve events other than errors and warnings.
Expand Down Expand Up @@ -104,7 +104,7 @@ Can be used with -FromDateTime to specify a date/time range. Date/time specified
If specified, does not report modern-app AutoNGEN files that are unsigned and in the user's profile.
.PARAMETER NoPSFilter
If specified, does not try to filter out random-named PowerShell scripts used to determine whether whitelisting is in effect.
If specified, does not try to filter out random-named PowerShell scripts used to determine whether AllowListing is in effect.
.PARAMETER NoFilteredMachines
By default, this script outputs a single artificial "empty" event line for every machine for which all observed events were filtered out.
Expand Down Expand Up @@ -388,7 +388,7 @@ Write-Verbose "XPath filter = $filter"
# Match AutoNGEN native image file path
$AutoNGENPattern = "^(%OSDRIVE%|C:)\\Users\\[^\\]*\\AppData\\Local\\Packages\\.*\\NATIVEIMAGES\\.*\.NI\.(EXE|DLL)$"

# PowerShell script-policy-test file - PS creates files in user temp directory and tests against whitelisting policy to determine whether to run in ConstrainedLanguage mode.
# PowerShell script-policy-test file - PS creates files in user temp directory and tests against AllowListing policy to determine whether to run in ConstrainedLanguage mode.
# Filter out those test files by default.
# Current implementation: match partial path of file in temp directory with form "XXXXXXXX.XXX.PS*" or "__PSScriptPolicyTest_XXXXXXXX.XXX.PS*"
$PsPolicyTestPattern = "\\APPDATA\\LOCAL\\TEMP\\(__PSScriptPolicyTest_)?[A-Z0-9]{8}\.[A-Z0-9]{3}\.PS"
6 changes: 3 additions & 3 deletions AaronLocker/Support/Config.ps1
Expand Up @@ -28,7 +28,7 @@ $scanResultsDir = [System.IO.Path]::Combine($rootDir, "ScanResults")
####### INPUTS

# Script inputs
$ps1_GetExeFilesToBlacklist = [System.IO.Path]::Combine($customizationInputsDir, "GetExeFilesToBlacklist.ps1")
$ps1_GetExeFilesToDenyList = [System.IO.Path]::Combine($customizationInputsDir, "GetExeFilesToDenyList.ps1")
$ps1_GetSafePathsToAllow = [System.IO.Path]::Combine($customizationInputsDir, "GetSafePathsToAllow.ps1")
$ps1_UnsafePathsToBuildRulesFor = [System.IO.Path]::Combine($customizationInputsDir, "UnsafePathsToBuildRulesFor.ps1")
$fname_TrustedSigners = "TrustedSigners.ps1"
Expand All @@ -42,8 +42,8 @@ $ps1_CreatePoliciesWDAC = [System.IO.Path]::Combine($rootDir, "Create-Po
# File prefixes for AppLocker and WDAC
$rulesFileBase = "AppLockerRules-"
$WDACrulesFileBase = "WDACRules-"
# Path to results from scanning files listed in GetExeFilesToBlacklist
$ExeBlacklistData = [System.IO.Path]::Combine($scanResultsDir, "ExeBlacklistData.txt")
# Path to results from scanning files listed in GetExeFilesToDenyList
$ExeDenyListData = [System.IO.Path]::Combine($scanResultsDir, "ExeDenyListData.txt")
# Paths to "full" results of all user-writable directories under Windir and the ProgramFiles directories.
# Written to when Rescan enabled; used to create the next set of files
$windirFullXml = [System.IO.Path]::Combine($scanResultsDir, "Writable_Full_windir.xml")
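Review bot: `$ExeDenyListData` now resolves to ExeDenyListData.txt under the scan-results directory, so an ExeBlacklistData.txt left by an earlier scan is no longer read, and the Create-Policies.ps1 hunk in this commit shows the next run without -Rescan will then repeat the user-writable-directory scan, which the updated parameter help says should be performed with administrative rights. That is easy to miss when upgrading in place. A comment above the assignment, `# Renamed from ExeBlacklistData.txt; earlier results are not migrated and a fresh scan is triggered`, would make the behaviour change visible; whether the old file should be migrated or removed is not decided by this commit.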
Binary file modified AaronLocker/Support/DefaultRulesWithPlaceholders.xml
Binary file not shown.
Binary file modified Documentation/AaronLocker.docx
Binary file not shown.
Binary file modified Documentation/Known Issues.docx
Binary file not shown.

