Created
December 28, 2022 12:13
-
-
Save mgeeky/e75c4a033cf9f4fb8cf6a12211c4f8da to your computer and use it in GitHub Desktop.
A little script that configures all Microsoft Defender Attack Surface Reduction (ASR) rules at once to a specific state. Example: PS> .\Configure-ASR.ps1 -State Enabled
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Requires -RunAsAdministrator | |
| <# | |
| .SYNOPSIS | |
| Script used to manage state of Microsoft Defender's Attack Surface Redution rules. | |
| Configures all ASR rules into mode defined in -State parameter. | |
| .PARAMETER State | |
| Tells how to configure all ASR rules available. Valid options: | |
| - Disable (Disable the ASR rule) | |
| - Block (Enable the ASR rule) | |
| - Audit (Evaluate how the ASR rule would impact your organization if enabled) | |
| - Warn (Enable the ASR rule but allow the end-user to bypass the block) | |
| .EXAMPLE | |
| Enable all rules: | |
| PS> .\Configure-ASR.ps1 -State Enabled | |
| #> | |
| [CmdletBinding()] | |
| Param( | |
| [Parameter(Mandatory)] | |
| [ValidateSet("Audit","Enabled","Disabled","Warn")] | |
| $State | |
| ) | |
| $State0 = $State | |
| if ($State0 -eq "Audit") { | |
| $State0 = "AuditMode" | |
| } | |
| # | |
| # Rules reference: | |
| # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#asr-rule-to-guid-matrix | |
| # | |
| Add-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions $State0 | |
| Add-MpPreference -AttackSurfaceReductionRules_Ids 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -AttackSurfaceReductionRules_Actions $State0 | |
| Add-MpPreference -AttackSurfaceReductionRules_Ids d4f940ab-401b-4efc-aadc-ad5f3c50688a -AttackSurfaceReductionRules_Actions $State0 | |
| Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions $State0 | |
| Add-MpPreference -AttackSurfaceReductionRules_Ids be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 -AttackSurfaceReductionRules_Actions $State0 | |
| Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-cd74-433a-b99e-2ecdc07bfc25 -AttackSurfaceReductionRules_Actions $State0 | |
| Add-MpPreference -AttackSurfaceReductionRules_Ids 5beb7efe-fd9a-4556-801d-275e5ffc04cc -AttackSurfaceReductionRules_Actions $State0 | |
| Add-MpPreference -AttackSurfaceReductionRules_Ids d3e037e1-3eb8-44c8-a917-57927947596d -AttackSurfaceReductionRules_Actions $State0 | |
| Add-MpPreference -AttackSurfaceReductionRules_Ids 3b576869-a4ec-4529-8536-b80a7769e899 -AttackSurfaceReductionRules_Actions $State0 | |
| Add-MpPreference -AttackSurfaceReductionRules_Ids 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 -AttackSurfaceReductionRules_Actions $State0 | |
| Add-MpPreference -AttackSurfaceReductionRules_Ids 26190899-1602-49e8-8b27-eb1d0a1ce869 -AttackSurfaceReductionRules_Actions $State0 | |
| Add-MpPreference -AttackSurfaceReductionRules_Ids e6db77e5-3df2-4cf1-b95a-636979351e5b -AttackSurfaceReductionRules_Actions $State0 | |
| Add-MpPreference -AttackSurfaceReductionRules_Ids d1e49aac-8f56-4280-b9ba-993a6d77406c -AttackSurfaceReductionRules_Actions $State0 | |
| Add-MpPreference -AttackSurfaceReductionRules_Ids b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -AttackSurfaceReductionRules_Actions $State0 | |
| Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions $State0 | |
| Add-MpPreference -AttackSurfaceReductionRules_Ids c1db55ab-c21a-4637-bb3f-a12568109d35 -AttackSurfaceReductionRules_Actions $State0 | |
| Write-Host "[+] ASR rules set to $State" -ForegroundColor Green |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment