Cyber security

WDAC Rule Levels Comparison And Guide – Understanding File Attribute-Based Security Measures

We delve into the hierarchy of WDAC rule levels, ranging from the most secure to the least secure, providing insight into their significance and implications for system security.

Understanding these levels is crucial for effectively implementing file attribute-based security measures in your Windows environment.

This document lists all of the levels of WDAC rules. From Top to bottom, from the most secure to the least secure, the levels are:

0. Hash

  • File’s SHA2-256 Authenticode hash
  • File’s SHA2-256 Page hash

1. WHQLFilePublisher

  • One of the Intermediate certificates of the file
  • Leaf certificate of the file
  • File’s version
  • Another attribute of the file (FileDescription, InternalName, OriginalFileName, PackageFamilyName, ProductName, Filepath)
  • File’s WHQL EKU OID

2. FilePublisher

  • One of the Intermediate certificates of the file
  • Leaf certificate of the file
  • File’s version
  • Another attribute of the file (FileDescription, InternalName, OriginalFileName, PackageFamilyName, ProductName, Filepath)

3. WHQLPublisher

  • One of the Intermediate certificates of the file
  • Leaf certificate of the file
  • File’s WHQL EKU OID

4. SignedVersion

  • One of the Intermediate certificates of the file
  • Leaf certificate of the file
  • File’s version

5. Publisher

  • One of the Intermediate certificates of the file
  • Leaf certificate of the file

6. WHQL

  • Intermediate certificate of the file that belongs to Microsoft as part of the WHQL program
  • File’s WHQL EKU OID

7. LeafCertificate

  • Leaf certificate of the file

8. PcaCertificate

  • One of the Intermediate certificates of the file

9. RootCertificate

  • One of the Intermediate certificates of the file

10. FileName

  • One of the attributes of the file (FileDescription, InternalName, OriginalFileName, PackageFamilyName, ProductName, Filepath)

Important

These properties are mutable.

11. FilePath

  • Path of the file on disk

About SpecificFileNameLevel Options

WDAC creates file rules based on file attributes when you scan a folder using a level such as FilePublisher. Each file rule has a MinimumVersion and only one of the six SpecificFileNameLevels.

For instance, suppose a folder has 10 signed files with identical signatures and product names (or File Descriptions etc.).

In that case, WDAC creates a single file rule with the product name (or File Description etc.) and the lowest version of the 10 files. This file rule is sufficient to allow all 10 files.

The MinimumVersion is the smallest version among the files with the same signature and SpecificFileNameLevel in the folder.

Find more information in Microsoft Learn

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Playwright-MCP : A Powerful Tool For Browser Automation

Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…

20 minutes ago

JBDev : A Tool For Jailbreak And TrollStore Development

JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…

21 hours ago

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications Using LLMs

The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…

23 hours ago

Nuclei-Templates-Labs : A Hands-On Security Testing Playground

Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…

1 day ago

SSH-Stealer : The Stealthy Threat Of Advanced Credential Theft

SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…

1 day ago

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…

1 day ago