Public/Get-MpASREventLogs.ps1

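Function Get-MpASREventLogs {
    <#
    .SYNOPSIS
        Gets Attack Surface Reduction (ASR) and Controlled Folder Access (CFA) event logs.
    .DESCRIPTION
        Retrieves ASR and CFA events (event IDs 1120-1129) from the
        'Microsoft-Windows-Windows Defender/Operational' log, including both audit and
        block events, and maps the ASR rule GUID found in each event message to its
        human-readable rule name.

        Each returned object carries:
          TimeCreated - when the event was logged.
          ActionType  - 'ASR Block', 'ASR Audit', 'CFA Block', 'CFA Audit', or 'Unknown'
                        for other IDs in the 112x range.
          RuleName    - the mapped rule name, 'Unknown' when the GUID is not in the
                        built-in table, or '' when the message carries no rule GUID
                        (CFA events do not reference an ASR rule).
          RuleId      - the raw rule GUID as found in the message ('' when absent), so
                        events from rules newer than the built-in table can still be
                        triaged.
          Message     - the original event message.
    .EXAMPLE
        Get-MpASREventLogs
    .EXAMPLE
        Get-MpASREventLogs | Where-Object ActionType -eq 'ASR Block' | Group-Object RuleName
    .OUTPUTS
        System.Object[]
    .NOTES
        Reading the Defender Operational log normally requires local administrator
        rights. On failure a non-terminating error is written and $null is returned.
    #>

    [CmdletBinding()]
    param()

    try {
        # Built-in ASR rule table keyed by rule GUID. PowerShell hashtable literals
        # compare string keys case-insensitively, so the casing used in the event
        # message does not matter. This table must be extended when Microsoft ships
        # new rules; until then such rules surface as RuleName 'Unknown' with RuleId set.
        $asr_rules = @{
            '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
            '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
            'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
            '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)'
            'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
            '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion'
            '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
            'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
            '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
            '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
            '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication application from creating child processes'
            'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
            'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
            'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
            '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
            'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
        }

        # Matches the "ID: <guid>" line of an ASR event message. Anchoring on the GUID
        # shape (8-4-4-4-12 hex) avoids capturing trailing text or a carriage return,
        # which the previous greedy '(.+)' capture could pick up.
        $guid_pattern = 'ID:\s*([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})'

        # Retrieve events 1120-1129 and classify each by its ID. Other IDs in the
        # range are kept but labelled 'Unknown' so nothing from the log is silently lost.
        $asr = Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' -ErrorAction Stop |
            Where-Object { $_.Id -like '112?' } |
            Select-Object TimeCreated,
                @{
                    Name       = 'ActionType'
                    Expression = {
                        switch ($_.Id) {
                            1121    { 'ASR Block' }
                            1122    { 'ASR Audit' }
                            1123    { 'CFA Block' }
                            1127    { 'CFA Block' }
                            1124    { 'CFA Audit' }
                            1128    { 'CFA Audit' }
                            default { 'Unknown' }
                        }
                    }
                },
                @{ Name = 'RuleName'; Expression = { '' } },
                @{ Name = 'RuleId';   Expression = { '' } },
                Message

        # Resolve the rule GUID in each message to a name. Events without an "ID:"
        # line (e.g. CFA events) keep RuleName and RuleId as ''.
        foreach ($asr_detect in $asr) {
            if ($asr_detect.Message -match $guid_pattern) {
                $asr_guid = $Matches[1]
                $asr_detect.RuleId = $asr_guid
                $rule_name = $asr_rules[$asr_guid]
                if ($null -ne $rule_name) {
                    $asr_detect.RuleName = $rule_name
                } else {
                    $asr_detect.RuleName = 'Unknown'
                }
            }
        }

        return $asr
    }
    catch {
        Write-Error "An error occurred while retrieving ASR event logs: $_"
        return $null
    }
}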