# Gunnar Haslinger, 05.05.2018
# Michael B. Heltne, 09.13.2024
# Windows Defender Exploit-Guard Attack-Surface-Reduction Configuration
# Doc Description of Rules:
# https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference
# https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard
# Doc HowTo enable: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
# Doc Exclusions: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction
# Modes: 0 = Disabled, 1 = Enabled, 2 = AuditMode, 6 = Warn
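# Changing Defender preferences needs an elevated session; refuse up front
# rather than failing half-way through the Add-MpPreference loop.
#Requires -RunAsAdministrator

# Mode names keyed by the numeric action value Defender reports in
# AttackSurfaceReductionRules_Actions (see the "Modes" note above).
# A hashtable rather than an array: Warn is 6, so the old four-element array
# made $ASRMode[6] - and therefore any rule in Warn mode - come back as $null.
$ASRMode = @{ 0 = "Disabled"; 1 = "Enabled"; 2 = "AuditMode"; 6 = "Warn" }

# The new configuration to set. Mode is the numeric value from the table above
# and is rewritten to its name (what Add-MpPreference expects) further down.
$ASRconfig = @(
    [PSCustomObject] @{ GUID = "56a863a9-875e-4185-98a7-b882c64b5ce5"
        Description = "Block abuse of exploited vulnerable signed drivers"
        Mode = 1 }
    [PSCustomObject] @{ GUID = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c"
        Description = "Block Adobe Reader from creating child processes"
        Mode = 1 }
    [PSCustomObject] @{ GUID = "D4F940AB-401B-4EFC-AADC-AD5F3C50688A"
        Description = "Block all Office applications from creating child processes"
        Mode = 1 }
    [PSCustomObject] @{ GUID = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2"
        Description = "Block credential stealing from the Windows local security authority subsystem (lsass.exe)"
        Mode = 1 }
    [PSCustomObject] @{ GUID = "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550"
        Description = "Block executable content from email client and webmail"
        Mode = 1 }
    # This GUID previously carried a leading space, which broke both the
    # state lookup below and the value handed to Add-MpPreference.
    [PSCustomObject] @{ GUID = "5beb7efe-fd9a-4556-801d-275e5ffc04cc"
        Description = "Block execution of potentially obfuscated scripts"
        Mode = 1 }
    [PSCustomObject] @{ GUID = "d3e037e1-3eb8-44c8-a917-57927947596d"
        Description = "Block JavaScript or VBScript from launching downloaded executable content"
        Mode = 1 }
    [PSCustomObject] @{ GUID = "3b576869-a4ec-4529-8536-b80a7769e899"
        Description = "Block Office applications from creating executable content"
        Mode = 1 }
    [PSCustomObject] @{ GUID = "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84"
        Description = "Block Office applications from injecting code into other processes"
        Mode = 1 }
    [PSCustomObject] @{ GUID = "26190899-1602-49e8-8b27-eb1d0a1ce869"
        Description = "Block Office communication application from creating child processes"
        Mode = 1 }
    [PSCustomObject] @{ GUID = "e6db77e5-3df2-4cf1-b95a-636979351e5b"
        Description = "Block persistence through WMI event subscription"
        Mode = 1 }
    [PSCustomObject] @{ GUID = "d1e49aac-8f56-4280-b9ba-993a6d77406c"
        Description = "Block process creations originating from PSExec and WMI commands"
        Mode = 1 }
    [PSCustomObject] @{ GUID = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4"
        Description = "Block untrusted and unsigned processes that run from USB"
        Mode = 1 }
    [PSCustomObject] @{ GUID = "c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb"
        Description = "[PREVIEW] Block use of copied or impersonated system tools"
        Mode = 1 }
    [PSCustomObject] @{ GUID = "a8f5898e-1dc8-49a9-9878-85004b8a61e6"
        Description = "Block Webshell creation for Servers"
        Mode = 1 }
    [PSCustomObject] @{ GUID = "92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B"
        Description = "Block Win32 API calls from Office macro"
        Mode = 1 }
    # Not applied yet - needs testing first. "You must enable cloud-delivered
    # protection to use this rule."
    # [PSCustomObject] @{ GUID = "01443614-cd74-433a-b99e-2ecdc07bfc25"
    #     Description = "Block executable files from running unless they meet a prevalence, age, or trusted list criteria"
    #     Mode = 0 }
    # Note: You must enable cloud-delivered protection to use this rule.
    # [PSCustomObject] @{ GUID = "c1db55ab-c21a-4637-bb3f-a12568109d35"
    #     Description = "Use advanced protection against ransomware"
    #     Mode = 0 }
)

# Validate the table before anything reaches Defender: a malformed GUID would
# otherwise be passed through untouched, and a mode value missing from $ASRMode
# would silently turn into $null.
foreach ($rule in $ASRconfig) {
    $rule.GUID = $rule.GUID.Trim()
    $null = [guid]$rule.GUID    # throws a clear error on anything that is not a GUID
    if (-not $ASRMode.ContainsKey([int]$rule.Mode)) {
        throw "ASR rule $($rule.GUID): unknown mode value $($rule.Mode)"
    }
    $rule.Mode = $ASRMode[[int]$rule.Mode]
}

Write-Host "Checking current System Configuration for configured Attack surface reduction rules (and comparing to new desired Mode):"
$myConfig = Get-MpPreference

# Wrap in @() so a single configured rule is still indexable as an array, but
# keep genuinely empty arrays when nothing is configured yet (@($null) would
# contain one element and produce a bogus row).
$currentIds     = @()
$currentActions = @()
if ($null -ne $myConfig.AttackSurfaceReductionRules_Ids) {
    $currentIds     = @($myConfig.AttackSurfaceReductionRules_Ids)
    $currentActions = @($myConfig.AttackSurfaceReductionRules_Actions)
}

$ASRstate = New-Object System.Collections.ArrayList
for ($i = 0; $i -lt $currentIds.Count; $i++) {
    $id = $currentIds[$i]
    # -eq instead of -like: literal comparison, no wildcard semantics, still case-insensitive.
    $desired = $ASRconfig | Where-Object { $_.GUID -eq $id }
    # Cast to [int] so the lookup hits the integer keys of the hashtable
    # regardless of the numeric type Get-MpPreference returns.
    $action = [int]$currentActions[$i]
    $currentMode = if ($ASRMode.ContainsKey($action)) { $ASRMode[$action] } else { "Unknown($action)" }
    $null = $ASRstate.Add([PSCustomObject] @{
        GUID        = $id
        Description = $desired.Description
        CurrentMode = $currentMode
        DesiredMode = $desired.Mode
    })
}
# Desired rules the system has not configured yet have no row above; list them
# as well so the table shows every rule the apply step below will touch.
foreach ($rule in $ASRconfig) {
    if ($currentIds -notcontains $rule.GUID) {
        $null = $ASRstate.Add([PSCustomObject] @{
            GUID        = $rule.GUID
            Description = $rule.Description
            CurrentMode = "(not configured)"
            DesiredMode = $rule.Mode
        })
    }
}
$ASRstate | Format-Table

Write-Host "Enabling Windows Defender Exploit Guard Attack surface reduction rules"
$ASRconfig | Format-Table
# Add-MpPreference updates the action of a rule ID that is already configured,
# so this is safe to re-run.
foreach ($rule in $ASRconfig) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.GUID -AttackSurfaceReductionRules_Actions $rule.Mode
}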