Enable-ExploitGuard-AttackSurfaceReduction.ps1

# Gunnar Haslinger, 05.05.2018
# Windows Defender Exploit-Guard Attack-Surface-Reduction Configuration

# Doc Description of Rules: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard
# Doc HowTo enable: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
# Doc Exclusions: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction


# Modes: 0 = Disabled, 1 = Enabled, 2 = AuditMode
$ASRMode = @("Disabled", "Enabled", "AuditMode"); 

# The new configuration to set
$ASRconfig = @(
    [PSCustomObject] @{ GUID = "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550";
                        Description = "Block executable content from email client and webmail";
                        Mode = 1; }

    [PSCustomObject] @{ GUID = "D4F940AB-401B-4EFC-AADC-AD5F3C50688A";
                        Description = "Block Office applications from creating child processes";
                        Mode = 1; }

    [PSCustomObject] @{ GUID = "3B576869-A4EC-4529-8536-B80A7769E899";
                        Description = "Block Office applications from creating executable content";
                        Mode = 1; }
	
    [PSCustomObject] @{ GUID = "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84";
                        Description = "Block Office applications from injecting code into other processes";
                        Mode = 1; }
	
    [PSCustomObject] @{ GUID = "D3E037E1-3EB8-44C8-A917-57927947596D";
                        Description = "Block JavaScript or VBScript from launching downloaded executable content";
                        Mode = 1; }
	
    [PSCustomObject] @{ GUID = "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC";
                        Description = "Block execution of potentially obfuscated scripts";
                        Mode = 1; }

    [PSCustomObject] @{ GUID = "92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B";
                        Description = "Block Win32 API calls from Office macro";
                        Mode = 1; }
	
    [PSCustomObject] @{ GUID = "01443614-cd74-433a-b99e-2ecdc07bfc25";
                        Description = "Block executable files from running unless they meet a prevalence, age, or trusted list criteria";
                        Mode = 0; }
	
    [PSCustomObject] @{ GUID = "c1db55ab-c21a-4637-bb3f-a12568109d35";
                        Description = "Use advanced protection against ransomware";
                        Mode = 0; }

    [PSCustomObject] @{ GUID = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2";
                        Description = "Block credential stealing from the Windows local security authority subsystem (lsass.exe)";
                        Mode = 0; }	
	
    [PSCustomObject] @{ GUID = "d1e49aac-8f56-4280-b9ba-993a6d77406c";
                        Description = "Block process creations originating from PSExec and WMI commands";
                        Mode = 2; }	

    [PSCustomObject] @{ GUID = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4";
                        Description = "Block untrusted and unsigned processes that run from USB";
                        Mode = 2; }	
)
	
$ASRconfig | foreach { $_.Mode = $ASRMode[$_.Mode] }


Write-Host "Checking current System Configuration for configured Attack surface reduction rules (and comparing to new desired Mode):"
$ASRstate = new-object system.collections.arraylist
$myConfig = Get-MpPreference; 
for ($i=0; $i -lt $myConfig.AttackSurfaceReductionRules_Ids.count; $i++) {
    $new = $ASRstate.Add([PSCustomObject] @{ 
                            GUID = $myConfig.AttackSurfaceReductionRules_Ids[$i]; 
                            Description = ($ASRconfig | Where {$_.GUID -like $myConfig.AttackSurfaceReductionRules_Ids[$i]}).Description; 
                            CurrentMode = $ASRMode[$myConfig.AttackSurfaceReductionRules_Actions[$i]]; 
                            DesiredMode = ($ASRconfig | Where {$_.GUID -like $myConfig.AttackSurfaceReductionRules_Ids[$i]}).Mode; })
}
$ASRstate | Format-Table

Write-Host "Enabling Windows Defender Exploit Guard Attack surface reduction rules"
$ASRConfig | Format-Table

$ASRconfig | foreach { Add-MpPreference -AttackSurfaceReductionRules_Ids $_.GUID -AttackSurfaceReductionRules_Actions $_.Mode }