From c19a697db542edd72138a1d8962715636198dd99 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Thu, 5 Aug 2021 14:42:03 -0700 Subject: [PATCH 1/6] Added cscript and wscript to the Microsoft recommended blocklist --- .../microsoft-recommended-block-rules.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 620cfbcd0b..663757d649 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -147,6 +147,7 @@ Pick the correct version of each .dll for the Windows release you plan to suppor + @@ -176,6 +177,7 @@ Pick the correct version of each .dll for the Windows release you plan to suppor + @@ -887,6 +889,7 @@ Pick the correct version of each .dll for the Windows release you plan to suppor + @@ -915,6 +918,7 @@ Pick the correct version of each .dll for the Windows release you plan to suppor + From 721dacf61282f609e33e65a5786f3233b27a4338 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Thu, 19 Aug 2021 12:49:28 -0700 Subject: [PATCH 2/6] Added latest security researcher to recommended block rules and sorted them. --- .../microsoft-recommended-block-rules.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 663757d649..64ac22bc1a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -78,17 +78,18 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you |Name|Twitter| |---|---| +|Alex Ionescu | @aionescu| +|Brock Mammen| | |Casey Smith |@subTee| +|Jimmy Bayne | @bohops | +|Lasse Trolle Borup | Langkjaer Cyber Defence | +|Lee Christensen|@tifkin_| |Matt Graeber | @mattifestation| |Matt Nelson | @enigma0x3| |Oddvar Moe |@Oddvarmoe| -|Alex Ionescu | @aionescu| -|Lee Christensen|@tifkin_| -|Vladas Bulavas | Kaspersky Lab | -|Lasse Trolle Borup | Langkjaer Cyber Defence | -|Jimmy Bayne | @bohops | |Philip Tsukerman | @PhilipTsukerman | -|Brock Mammen| | +|Vladas Bulavas | Kaspersky Lab | +|William Easton | @Strawgate |
From ca964f9f6b753c3b075f9500dcaad4cf349b6a70 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 23 Aug 2021 10:08:27 -0700 Subject: [PATCH 3/6] Update microsoft-recommended-block-rules.md --- .../microsoft-recommended-block-rules.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 64ac22bc1a..655bd9a6df 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 04/09/2019 +ms.date: 08/23/2021 --- # Microsoft recommended block rules @@ -22,7 +22,7 @@ ms.date: 04/09/2019 **Applies to:** - Windows 10 -- Windows Server 2016 and above +- Windows Server 2016 or later Members of the security community* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control. From b7413430cf4da5f59416ef907e948c7669d01d2a Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Mon, 23 Aug 2021 10:17:02 -0700 Subject: [PATCH 4/6] Update microsoft-recommended-block-rules.md --- .../microsoft-recommended-block-rules.md | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 5a7f65e931..b3fcbfaf59 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -71,9 +71,9 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you 1 A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here [BGInfo 4.22](/sysinternals/downloads/bginfo). Note that BGInfo versions earlier than 4.22 are still vulnerable and should be blocked. -2 If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. However, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe. +2 If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. However, if your reference system is an end-user device that is not being used in a development context, we recommend that you block msbuild.exe. -* Microsoft recognizes the efforts of those in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people: +* Microsoft recognizes the efforts of people in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people:
@@ -97,13 +97,9 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you > [!Note] > This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. -Certain software applications may allow additional code to run by design. -These types of applications should be blocked by your Windows Defender Application Control policy. -In addition, when an application version is upgraded to fix a security vulnerability or potential Windows Defender Application Control bypass, you should add deny rules to your WDAC policies for that application’s previous, less secure versions. +Certain software applications may allow other code to run by design. Such applications should be blocked by your Windows Defender Application Control policy. In addition, when an application version is upgraded to fix a security vulnerability or potential Windows Defender Application Control bypass, you should add *deny* rules to your application control policies for that application’s previous, less secure versions. -Microsoft recommends that you install the latest security updates. -The June 2017 Windows updates resolve several issues in PowerShell modules that allowed an attacker to bypass Windows Defender Application Control. -These modules cannot be blocked by name or version, and therefore must be blocked by their corresponding hashes. +Microsoft recommends that you install the latest security updates. The June 2017 Windows updates resolve several issues in PowerShell modules that allowed an attacker to bypass Windows Defender Application Control. These modules cannot be blocked by name or version, and therefore must be blocked by their corresponding hashes. For October 2017, we are announcing an update to system.management.automation.dll in which we are revoking older versions by hash values, instead of version rules. 
@@ -113,7 +109,7 @@ Microsoft recommends that you block the following Microsoft-signed applications - msxml6.dll - jscript9.dll -Pick the correct version of each .dll for the Windows release you plan to support, and remove the other versions. Ensure that you also uncomment them in the signing scenarios section. +Select the correct version of each .dll for the Windows release you plan to support, and remove the other versions. Ensure that you also uncomment them in the signing scenarios section. ```xml From 1cde0e2127c921e6b1aad9929f352c31f801b9e9 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Mon, 23 Aug 2021 10:18:11 -0700 Subject: [PATCH 5/6] Update microsoft-recommended-block-rules.md --- .../microsoft-recommended-block-rules.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index b3fcbfaf59..d223615212 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md 
@@ -79,18 +79,18 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you |Name|Twitter| |---|---| -|Alex Ionescu | @aionescu| -|Brock Mammen| | -|Casey Smith |@subTee| -|Jimmy Bayne | @bohops | -|Lasse Trolle Borup | Langkjaer Cyber Defence | -|Lee Christensen|@tifkin_| -|Matt Graeber | @mattifestation| -|Matt Nelson | @enigma0x3| -|Oddvar Moe |@Oddvarmoe| -|Philip Tsukerman | @PhilipTsukerman | -|Vladas Bulavas | Kaspersky Lab | -|William Easton | @Strawgate | +| Alex Ionescu | @aionescu| +| Brock Mammen| | +| Casey Smith | @subTee| +| Jimmy Bayne | @bohops | +| Lasse Trolle Borup | Langkjaer Cyber Defence | +| Lee Christensen| @tifkin_| +| Matt Graeber | @mattifestation| +| Matt Nelson | @enigma0x3| +| Oddvar Moe | @Oddvarmoe| +| Philip Tsukerman | @PhilipTsukerman | +| Vladas Bulavas | Kaspersky Lab | +| William Easton | @Strawgate |
From 3bd09d2ae2088f0587efa6c0eb5b7ff35d636d91 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Mon, 23 Aug 2021 10:21:15 -0700 Subject: [PATCH 6/6] Update microsoft-recommended-block-rules.md --- .../microsoft-recommended-block-rules.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index d223615212..1bea88acc3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -79,18 +79,18 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you |Name|Twitter| |---|---| -| Alex Ionescu | @aionescu| -| Brock Mammen| | -| Casey Smith | @subTee| -| Jimmy Bayne | @bohops | -| Lasse Trolle Borup | Langkjaer Cyber Defence | -| Lee Christensen| @tifkin_| -| Matt Graeber | @mattifestation| -| Matt Nelson | @enigma0x3| -| Oddvar Moe | @Oddvarmoe| -| Philip Tsukerman | @PhilipTsukerman | -| Vladas Bulavas | Kaspersky Lab | -| William Easton | @Strawgate | +| `Alex Ionescu` | `@aionescu`| +| `Brock Mammen`| | +| `Casey Smith` | `@subTee` | +| `Jimmy Bayne` | `@bohops` | +| `Lasse Trolle Borup` | `Langkjaer Cyber Defence` | +| `Lee Christensen` | `@tifkin_` | +| `Matt Graeber` | `@mattifestation` | +| `Matt Nelson` | `@enigma0x3` | +| `Oddvar Moe` | `@Oddvarmoe` | +| `Philip Tsukerman` | `@PhilipTsukerman` | +| `Vladas Bulavas` | `Kaspersky Lab` | +| `William Easton` | `@Strawgate` |
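Review bot: patch 1 changes only the policy XML (four `+` lines at 147, 176, 887 and 915, whose bodies are blank in this rendering and so cannot be checked here) and leaves the prose list that precedes the XML ("Microsoft recommends that you block the following Microsoft-signed applications", visible as context in patch 4's third hunk) untouched; add cscript.exe and wscript.exe to that list so the bullets and the policy do not diverge. Because blocking the Windows Script Host also breaks logon and management scripts that are still common in enterprises, give the pair a numbered footnote with allow/block guidance, as the page already does for msbuild.exe in footnote 2.

Review bot: in patch 2's hunk the re-sort is alphabetical by first name, which is fine, but the second column is headed "Twitter" while two rows carry an employer (`Langkjaer Cyber Defence`, `Kaspersky Lab`) and Brock Mammen's cell is empty; rename the header (for example "Twitter / affiliation") or split the column so it matches the content. The cell spacing is also mixed (`|Casey Smith |@subTee|` next to `|Jimmy Bayne | @bohops |`), which patch 5 later spends a whole commit normalizing; do that here while the rows are being rewritten.

Review bot: in patch 4's second hunk the paragraph is merged onto one line, which is fine for this markdown, but the sentence "For October 2017, we are announcing an update to system.management.automation.dll in which we are revoking older versions by hash values, instead of version rules" now sits under an `ms.date` of 08/23/2021 and still reads as a present-tense announcement; reword it to the past tense (for example "In October 2017, system.management.automation.dll was updated and its older versions are revoked by hash rather than by version rule") so the page does not look stale.

Review bot: patch 5's hunk is whitespace-only (a leading space added inside every cell of the same twelve rows patch 2 just rewrote); squash it into patch 2 rather than carrying a separate commit that changes no rendered output.

Review bot: patch 6 wraps every name and handle in backticks, which renders people's names as code and is the only place on the page where prose is styled that way; if the aim is to keep `@subTee` and friends from being treated as mentions or autolinks, escape the `@` or link each handle to the profile instead, and leave the names in plain text. Since patches 5 and 6 are consecutive formatting passes over the same table, squash them as well.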