DefenderASR.psm1
|
#region Attack surface reduction rules $script:rules = New-Object System.Collections.Specialized.OrderedDictionary [PSCustomObject]@{ ID = 0; Name = "Block executable content from email client and webmail"; GUID = "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550".ToLower(); IsExclusionSupported = $true } | ForEach-Object { $rules.Add($_.GUID, $_) } [PSCustomObject]@{ ID = 1; Name = "Block all Office applications from creating child processes"; GUID = "D4F940AB-401B-4EFC-AADC-AD5F3C50688A".ToLower(); IsExclusionSupported = $true } | ForEach-Object { $rules.Add($_.GUID, $_) } [PSCustomObject]@{ ID = 2; Name = "Block Office applications from creating executable content"; GUID = "3B576869-A4EC-4529-8536-B80A7769E899".ToLower(); IsExclusionSupported = $true } | ForEach-Object { $rules.Add($_.GUID, $_) } [PSCustomObject]@{ ID = 3; Name = "Block Office applications from injecting code into other processes"; GUID = "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84".ToLower(); IsExclusionSupported = $true } | ForEach-Object { $rules.Add($_.GUID, $_) } [PSCustomObject]@{ ID = 4; Name = "Block JavaScript or VBScript from launching downloaded executable content"; GUID = "D3E037E1-3EB8-44C8-A917-57927947596D".ToLower(); IsExclusionSupported = $false } | ForEach-Object { $rules.Add($_.GUID, $_) } [PSCustomObject]@{ ID = 5; Name = "Block execution of potentially obfuscated scripts"; GUID = "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC".ToLower(); IsExclusionSupported = $true } | ForEach-Object { $rules.Add($_.GUID, $_) } [PSCustomObject]@{ ID = 6; Name = "Block Win32 API calls from Office macro"; GUID = "92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B".ToLower(); IsExclusionSupported = $true } | ForEach-Object { $rules.Add($_.GUID, $_) } [PSCustomObject]@{ ID = 7; Name = "Block executable files from running unless they meet a prevalence, age, or trusted list criterion"; GUID = "01443614-cd74-433a-b99e-2ecdc07bfc25".ToLower(); IsExclusionSupported = $true } | ForEach-Object { $rules.Add($_.GUID, $_) } [PSCustomObject]@{ ID = 8; Name = "Use advanced protection against ransomware"; GUID = "c1db55ab-c21a-4637-bb3f-a12568109d35".ToLower(); IsExclusionSupported = $true } | ForEach-Object { $rules.Add($_.GUID, $_) } [PSCustomObject]@{ ID = 9; Name = "Block credential stealing from the Windows local security authority subsystem (lsass.exe)"; GUID = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2".ToLower(); IsExclusionSupported = $true } | ForEach-Object { $rules.Add($_.GUID, $_) } [PSCustomObject]@{ ID = 10; Name = "Block process creations originating from PSExec and WMI commands"; GUID = "d1e49aac-8f56-4280-b9ba-993a6d77406c".ToLower(); IsExclusionSupported = $false } | ForEach-Object { $rules.Add($_.GUID, $_) } [PSCustomObject]@{ ID = 11; Name = "Block untrusted and unsigned processes that run from USB"; GUID = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4".ToLower(); IsExclusionSupported = $true } | ForEach-Object { $rules.Add($_.GUID, $_) } [PSCustomObject]@{ ID = 12; Name = "Block Office communication application from creating child processes"; GUID = "26190899-1602-49e8-8b27-eb1d0a1ce869".ToLower(); IsExclusionSupported = $true } | ForEach-Object { $rules.Add($_.GUID, $_) } [PSCustomObject]@{ ID = 13; Name = "Block Adobe Reader from creating child processes"; GUID = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c".ToLower(); IsExclusionSupported = $true } | ForEach-Object { $rules.Add($_.GUID, $_) } [PSCustomObject]@{ ID = 14; Name = "Block persistence through WMI event subscription"; GUID = "e6db77e5-3df2-4cf1-b95a-636979351e5b".ToLower(); IsExclusionSupported = $false } | ForEach-Object { $rules.Add($_.GUID, $_) } #endregion Attack surface reduction rules #region ASR States $script:states = New-Object System.Collections.Specialized.OrderedDictionary $states.Add("0",[PSCustomObject]@{"Id" = 0; "Name" = "Disable"}) $states.Add("1",[PSCustomObject]@{"Id" = 1; "Name" = "Block"}) $states.Add("2",[PSCustomObject]@{"Id" = 2; "Name" = "Audit"}) #endregion ASR States $scriptPath = [System.IO.Path]::GetDirectoryName($myInvocation.MyCommand.Definition) . "$scriptPath\Lib\function-Get-DefenderAsrRule.ps1" . "$scriptPath\Lib\function-Show-DefenderAsrRule.ps1" . "$scriptPath\Lib\function-Backup-DefenderAsrSetting.ps1" # Export-ModuleMember -Alias "List-DefenderAsrRules" |