AppControl Manager v1.8.8.0 (#580)
The AppControl Manager now seamlessly integrates Microsoft Defender for Endpoint Advanced Hunting, allowing you to perform queries directly within the app. You can retrieve and analyze hunting results with advanced filtering and sorting options. From there, you can effortlessly create App Control policies and deploy them via Intune—all without ever leaving the app.

Technical details: the implemented code is fully compatible with ahead-of-time compilation (Native AOT), resulting in high-performance, source-generated code. So whether you are using CSV files from your local system or retrieving the results from the cloud, they are processed very quickly.

AppControl Manager employs MediumIL (Medium Integrity Level) when running as an Administrator, ensuring that non-elevated processes cannot access its memory or attach debuggers. Given that the app handles sensitive information—such as Microsoft 365 authentication tokens stored in private variables—this design decision safeguards these tokens from unauthorized, unelevated access or tampering.

AppControl Manager leverages MSAL from Microsoft to manage Microsoft 365 authentications. This industry-standard library adheres to best practices for secure authentication token management.

Following the Least Privilege Access, the only required permission is ThreatHunting.Read.All

Bumped version to 1.8.8.0

Improved the toolbar menus in Event logs page and MDE Advanced Hunting page.

Adjusted the margin of the titles in the pages to reduce the empty spaces.

Updated image links in the documents.

Removed the "WDACConfig" folder from the repository.

Updated the documents to cover the new changes and features introduced in this version.

Improved the About section in the settings page. The links are now dynamically relocated based on the app window's width.
HotCakeX authored Feb 3, 2025
1 parent 48a3332 commit 5124358
Showing 43 changed files with 1,692 additions and 569 deletions.
2 changes: 1 addition & 1 deletion AppControl Manager/AppControl Manager.csproj
Expand Up @@ -91,7 +91,7 @@
<AssemblyName>AppControlManager</AssemblyName>
<PublishAot>False</PublishAot>
<ErrorReport>send</ErrorReport>
<FileVersion>1.8.7.0</FileVersion>
<FileVersion>1.8.8.0</FileVersion>
<AssemblyVersion>$(FileVersion)</AssemblyVersion>
<NeutralLanguage>en-US</NeutralLanguage>
<PackageLicenseFile>LICENSE</PackageLicenseFile>
66 changes: 26 additions & 40 deletions AppControl Manager/IntelGathering/GetMDEAdvancedHuntingLogsData.cs
Expand Up @@ -18,7 +18,6 @@ internal static class GetMDEAdvancedHuntingLogsData
internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data)
{


// HashSet to store the output, ensures the data are unique and signed data are prioritized over unsigned data
FileIdentitySignatureBasedHashSet fileIdentities = new();

Expand Down Expand Up @@ -89,8 +88,8 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
SHA256Hash = possibleCodeIntegrityAuditEvent.SHA256,
SHA1FlatHash = possibleCodeIntegrityAuditEvent.Sha1FlatHash,
SHA256FlatHash = possibleCodeIntegrityAuditEvent.Sha256FlatHash,
USN = GetLongValue(possibleCodeIntegrityAuditEvent.USN),
SISigningScenario = GetIntValue(possibleCodeIntegrityAuditEvent.SiSigningScenario) ?? 1,
USN = possibleCodeIntegrityAuditEvent.USN,
SISigningScenario = possibleCodeIntegrityAuditEvent.SiSigningScenario ?? 1,
PolicyName = possibleCodeIntegrityAuditEvent.PolicyName,
PolicyID = possibleCodeIntegrityAuditEvent.PolicyID,
PolicyHash = possibleCodeIntegrityAuditEvent.PolicyHash,
Expand Down Expand Up @@ -130,13 +129,13 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
FileSignerInfo signerInfo = new()
{

TotalSignatureCount = GetIntValue(correlatedEvent.TotalSignatureCount),
Signature = GetIntValue(correlatedEvent.Signature),
TotalSignatureCount = correlatedEvent.TotalSignatureCount,
Signature = correlatedEvent.Signature,
Hash = correlatedEvent.Hash,
SignatureType = GetSignatureType(GetIntValue(correlatedEvent.SignatureType)),
ValidatedSigningLevel = GetValidatedRequestedSigningLevel(GetIntValue(correlatedEvent.ValidatedSigningLevel)),
VerificationError = GetVerificationError(GetIntValue(correlatedEvent.VerificationError)),
Flags = GetIntValue(correlatedEvent.Flags),
Flags = correlatedEvent.Flags,
NotValidBefore = GetEventDataDateTimeValue(correlatedEvent.NotValidBefore),
NotValidAfter = GetEventDataDateTimeValue(correlatedEvent.NotValidAfter),
PublisherName = PublisherName,
Expand Down Expand Up @@ -196,8 +195,8 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
SHA256Hash = possibleCodeIntegrityBlockEvent.SHA256,
SHA1FlatHash = possibleCodeIntegrityBlockEvent.Sha1FlatHash,
SHA256FlatHash = possibleCodeIntegrityBlockEvent.Sha256FlatHash,
USN = GetLongValue(possibleCodeIntegrityBlockEvent.USN),
SISigningScenario = GetIntValue(possibleCodeIntegrityBlockEvent.SiSigningScenario) ?? 1,
USN = possibleCodeIntegrityBlockEvent.USN,
SISigningScenario = possibleCodeIntegrityBlockEvent.SiSigningScenario ?? 1,
PolicyName = possibleCodeIntegrityBlockEvent.PolicyName,
PolicyID = possibleCodeIntegrityBlockEvent.PolicyID,
PolicyHash = possibleCodeIntegrityBlockEvent.PolicyHash,
Expand Down Expand Up @@ -237,13 +236,13 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
FileSignerInfo signerInfo = new()
{

TotalSignatureCount = GetIntValue(correlatedEvent.TotalSignatureCount),
Signature = GetIntValue(correlatedEvent.Signature),
TotalSignatureCount = correlatedEvent.TotalSignatureCount,
Signature = correlatedEvent.Signature,
Hash = correlatedEvent.Hash,
SignatureType = GetSignatureType(GetIntValue(correlatedEvent.SignatureType)),
ValidatedSigningLevel = GetValidatedRequestedSigningLevel(GetIntValue(correlatedEvent.ValidatedSigningLevel)),
VerificationError = GetVerificationError(GetIntValue(correlatedEvent.VerificationError)),
Flags = GetIntValue(correlatedEvent.Flags),
Flags = correlatedEvent.Flags,
NotValidBefore = GetEventDataDateTimeValue(correlatedEvent.NotValidBefore),
NotValidAfter = GetEventDataDateTimeValue(correlatedEvent.NotValidAfter),
PublisherName = PublisherName,
Expand Down Expand Up @@ -303,8 +302,8 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
SHA256Hash = possibleAppLockerAuditEvent.SHA256,
SHA1FlatHash = possibleAppLockerAuditEvent.Sha1FlatHash,
SHA256FlatHash = possibleAppLockerAuditEvent.Sha256FlatHash,
USN = GetLongValue(possibleAppLockerAuditEvent.USN),
SISigningScenario = GetIntValue(possibleAppLockerAuditEvent.SiSigningScenario) ?? 1,
USN = possibleAppLockerAuditEvent.USN,
SISigningScenario = possibleAppLockerAuditEvent.SiSigningScenario ?? 1,
PolicyName = possibleAppLockerAuditEvent.PolicyName,
PolicyID = possibleAppLockerAuditEvent.PolicyID,
PolicyHash = possibleAppLockerAuditEvent.PolicyHash,
Expand Down Expand Up @@ -344,13 +343,13 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
FileSignerInfo signerInfo = new()
{

TotalSignatureCount = GetIntValue(correlatedEvent.TotalSignatureCount),
Signature = GetIntValue(correlatedEvent.Signature),
TotalSignatureCount = correlatedEvent.TotalSignatureCount,
Signature = correlatedEvent.Signature,
Hash = correlatedEvent.Hash,
SignatureType = GetSignatureType(GetIntValue(correlatedEvent.SignatureType)),
ValidatedSigningLevel = GetValidatedRequestedSigningLevel(GetIntValue(correlatedEvent.ValidatedSigningLevel)),
VerificationError = GetVerificationError(GetIntValue(correlatedEvent.VerificationError)),
Flags = GetIntValue(correlatedEvent.Flags),
Flags = correlatedEvent.Flags,
NotValidBefore = GetEventDataDateTimeValue(correlatedEvent.NotValidBefore),
NotValidAfter = GetEventDataDateTimeValue(correlatedEvent.NotValidAfter),
PublisherName = PublisherName,
Expand Down Expand Up @@ -408,8 +407,8 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
SHA256Hash = possibleAppLockerBlockEvent.SHA256,
SHA1FlatHash = possibleAppLockerBlockEvent.Sha1FlatHash,
SHA256FlatHash = possibleAppLockerBlockEvent.Sha256FlatHash,
USN = GetLongValue(possibleAppLockerBlockEvent.USN),
SISigningScenario = GetIntValue(possibleAppLockerBlockEvent.SiSigningScenario) ?? 1,
USN = possibleAppLockerBlockEvent.USN,
SISigningScenario = possibleAppLockerBlockEvent.SiSigningScenario ?? 1,
PolicyName = possibleAppLockerBlockEvent.PolicyName,
PolicyID = possibleAppLockerBlockEvent.PolicyID,
PolicyHash = possibleAppLockerBlockEvent.PolicyHash,
Expand Down Expand Up @@ -449,13 +448,13 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
FileSignerInfo signerInfo = new()
{

TotalSignatureCount = GetIntValue(correlatedEvent.TotalSignatureCount),
Signature = GetIntValue(correlatedEvent.Signature),
TotalSignatureCount = correlatedEvent.TotalSignatureCount,
Signature = correlatedEvent.Signature,
Hash = correlatedEvent.Hash,
SignatureType = GetSignatureType(GetIntValue(correlatedEvent.SignatureType)),
ValidatedSigningLevel = GetValidatedRequestedSigningLevel(GetIntValue(correlatedEvent.ValidatedSigningLevel)),
VerificationError = GetVerificationError(GetIntValue(correlatedEvent.VerificationError)),
Flags = GetIntValue(correlatedEvent.Flags),
Flags = correlatedEvent.Flags,
NotValidBefore = GetEventDataDateTimeValue(correlatedEvent.NotValidBefore),
NotValidAfter = GetEventDataDateTimeValue(correlatedEvent.NotValidAfter),
PublisherName = PublisherName,
Expand All @@ -480,9 +479,7 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
// Add the entire event package to the output list
_ = fileIdentities.Add(eventData);


}

}


Expand All @@ -508,7 +505,6 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
return null;
}


/// <summary>
/// Method to safely get an integer value from string
/// </summary>
Expand All @@ -519,30 +515,24 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
return data is not null && int.TryParse(data, NumberStyles.Integer, CultureInfo.InvariantCulture, out int result) ? result : null;
}



/// <summary>
/// Converts string to DateTime
/// Safely converts string to DateTime
/// </summary>
private static DateTime? GetEventDataDateTimeValue(string? data)
{
return data is not null && DateTime.TryParse(data, CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind, out DateTime result) ? result : null;
}



private static long? GetLongValue(string? data)
{
return data is not null && long.TryParse(data, NumberStyles.Integer, CultureInfo.InvariantCulture, out long result) ? result : null;
}

/// <summary>
/// Safely converts string to GUID
/// </summary>
/// <param name="data"></param>
/// <returns></returns>
private static Guid? GetGuidValue(string? data)
{
return data is not null && Guid.TryParse(data, out Guid guid) ? guid : null;
}



/// <summary>
/// Resolves the Validated/Requested Signing Level int to friendly string
/// </summary>
Expand All @@ -562,7 +552,6 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
}
}


/// <summary>
/// Resolves the VerificationError int to a friendly string
/// </summary>
Expand All @@ -581,7 +570,6 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
}
}


/// <summary>
/// Resolves the SignatureType int to a friendly string
/// </summary>
Expand All @@ -600,8 +588,6 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
}
}


#endregion


}
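Review bot: The `?? 1` fallback on `SISigningScenario` in the four FileIdentity initializers (e.g. `SISigningScenario = possibleCodeIntegrityAuditEvent.SiSigningScenario ?? 1,`) now collapses two different conditions, because the culture-invariant string-parsing wrapper was dropped in favour of reading the property directly: a hunting row with no scenario value and, depending on how MDEAdvancedHuntingData is deserialized (not visible in this diff), a value that could not be converted both silently become scenario 1, which I read as the user-mode Code Integrity scenario — please confirm. Since these FileIdentity records feed policy generation, a short comment stating why that default is the safe one would help the next reader, e.g. `// A missing SI Signing Scenario is treated as user mode (1); kernel mode (0) is never assumed.` Separately, `SignatureType`, `ValidatedSigningLevel` and `VerificationError` still go through `GetIntValue` in the same initializer while `TotalSignatureCount`, `Signature` and `Flags` are now consumed directly, so the model is half typed; giving those three typed properties as well would retire `GetIntValue` the same way the USN change orphaned `GetLongValue`. `Retrieve` begins before the first hunk and every hunk cuts through its body.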