Dnes bych se rád podělil o malý kousek PowerShellu, který pomůže zabezpečit všechny uživatele MS Defenderu. Pro jeho pohodlné nastavení je potřeba Intune; je to možné také pomocí GPO nebo Local Policy, ale problém je v tom, že jednotlivá ASR pravidla se bez Intune nastavují pomocí GUID hodnot, které se musí do politiky vložit z dokumentace.
Níže přikládám jedno z možných řešení, ke kterému mě inspiroval Mgr. Michael Grafnetter MVP, MCT, MCITP svou přednáškou Brána Firewall na DC; můj kód se ani zdaleka neblíží Michaelovým kvalitám, ale i tak může být přínosný. Parametr -Doporuceno aktivuje ta nastavení, která jsou podle mě vhodná pro jednotlivce, malý podnik, školu nebo středně velký podnik.
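#Requires -RunAsAdministrator
<#
.SYNOPSIS
    Enables, audits or resets Microsoft Defender Attack Surface Reduction (ASR)
    rules on the local machine through Add-MpPreference, without Intune.

.DESCRIPTION
    Every switch maps to one documented ASR rule GUID (see the $rules table).
    -Doporuceno enables the author's recommended set: every rule in the table
    except -BlockRebootInSafeMode. -ResetDeault sets every rule in the table
    back to NotConfigured; when it is combined with enable switches in the same
    call, the reset is applied first so the explicit switches win.
    -AuditMode applies the selected rules with the AuditMode action instead of
    Enabled, so their impact can be reviewed in the Defender operational event
    log before the rules are enforced.

.PARAMETER BlockObfuscate
    Kept for backward compatibility. It applies the same rule as
    -BlockExploitedDriveres (vulnerable signed drivers), which is the GUID this
    switch has always set. For obfuscated scripts use -BlockObfuscatedScripts.

.PARAMETER Doporuceno
    Enable the recommended rule set.

.PARAMETER ResetDeault
    Set every rule handled by this script to NotConfigured.

.PARAMETER AuditMode
    Apply the selected rules in audit mode (log only) instead of block mode.

.NOTES
    Add-MpPreference changes the Defender preference store and needs an
    elevated session. The GUIDs are Microsoft's published ASR rule ids; the
    LSASS rule id had a stray leading character in an earlier revision of this
    script and is corrected here.
#>
[CmdletBinding()]
param(
    [switch]$BlockObfuscate,
    [switch]$BlockChiledProcessAdobePDF,
    [switch]$BlockChiledProcessOffice,
    [switch]$BlockExportLSASS,
    [switch]$BlockExecutableFromEmail,
    [switch]$BlockUntrustedExecutable,
    [switch]$BlockObfuscatedScripts,
    [switch]$BlockExecutableFomOffice,
    [switch]$BlockWMIpersitenc,
    [switch]$BlockCreaProcessWMIandPSexec,
    [switch]$BlockUntrustedExecutebleFromUSB,
    [switch]$BlockWebShell,
    [switch]$TurnOnAdvancedRansomwareProtection,
    [switch]$BlockExploitedDriveres,
    [switch]$BlockJSorVBSFromDownloaded,
    [switch]$BlockWMIObfuscateEvent,
    [switch]$BlockRebootInSafeMode,
    [switch]$BlockInpersonatedSystemTools,
    [switch]$BlockCallWin32FromMacros,
    [Switch]$Doporuceno,
    [switch]$ResetDeault,
    [switch]$AuditMode
)

# One row per ASR rule this script knows about.
#   Id   - documented rule GUID
#   On   - true when any switch tied to that rule was given; several switches
#          intentionally share a rule (the original script enabled the same
#          GUID from more than one place), so each GUID now lives in one row
#   Rec  - part of the -Doporuceno set
#   Name - Microsoft's rule name, used only for -Verbose output
$rules = @(
    @{ Id = '56a863a9-875e-4185-98a7-b882c64b5ce5'; On = ($BlockExploitedDriveres -or $BlockObfuscate); Rec = $true
       Name = 'Block abuse of exploited vulnerable signed drivers' }
    @{ Id = '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c'; On = $BlockChiledProcessAdobePDF; Rec = $true
       Name = 'Block Adobe Reader from creating child processes' }
    @{ Id = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'; On = $BlockChiledProcessOffice; Rec = $true
       Name = 'Block all Office applications from creating child processes' }
    # Was 'd9e6c4e1f-...' (nine hex characters in the first group, not a valid
    # GUID, so Add-MpPreference rejected it); the documented id has no leading 'd'.
    @{ Id = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'; On = $BlockExportLSASS; Rec = $true
       Name = 'Block credential stealing from LSASS' }
    @{ Id = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'; On = $BlockExecutableFromEmail; Rec = $true
       Name = 'Block executable content from email client and webmail' }
    @{ Id = '01443614-cd74-433a-b99e-2ecdc07bfc25'; On = $BlockUntrustedExecutable; Rec = $true
       Name = 'Block executable files unless they meet a prevalence, age, or trusted list criterion' }
    @{ Id = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'; On = $BlockObfuscatedScripts; Rec = $true
       Name = 'Block execution of potentially obfuscated scripts' }
    @{ Id = 'd3e037e1-3eb8-44c8-a917-57927947596d'; On = $BlockJSorVBSFromDownloaded; Rec = $true
       Name = 'Block JavaScript or VBScript from launching downloaded executable content' }
    @{ Id = '3b576869-a4ec-4529-8536-b80a7769e899'; On = $BlockExecutableFomOffice; Rec = $true
       Name = 'Block Office applications from creating executable content' }
    @{ Id = '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'; On = $BlockExecutableFomOffice; Rec = $true
       Name = 'Block Office applications from injecting code into other processes' }
    @{ Id = '26190899-1602-49e8-8b27-eb1d0a1ce869'; On = $BlockChiledProcessOffice; Rec = $true
       Name = 'Block Office communication application from creating child processes' }
    @{ Id = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'; On = ($BlockWMIpersitenc -or $BlockWMIObfuscateEvent); Rec = $true
       Name = 'Block persistence through WMI event subscription' }
    # NOTE(review): Microsoft documents this rule as incompatible with client
    # management through Configuration Manager (it relies on WMI) - confirm
    # before enabling it on a ConfigMgr-managed estate.
    @{ Id = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'; On = $BlockCreaProcessWMIandPSexec; Rec = $true
       Name = 'Block process creations originating from PSExec and WMI commands' }
    @{ Id = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'; On = $BlockUntrustedExecutebleFromUSB; Rec = $true
       Name = 'Block untrusted and unsigned processes that run from USB' }
    @{ Id = 'a8f5898e-1dc8-49a9-9878-85004b8a61e6'; On = $BlockWebShell; Rec = $true
       Name = 'Block Webshell creation for Servers' }
    @{ Id = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'; On = ($BlockCallWin32FromMacros -or $BlockExecutableFomOffice); Rec = $true
       Name = 'Block Win32 API calls from Office macros' }
    @{ Id = 'c1db55ab-c21a-4637-bb3f-a12568109d35'; On = $TurnOnAdvancedRansomwareProtection; Rec = $true
       Name = 'Use advanced protection against ransomware' }
    # Deliberately outside the recommended set, as in the original script:
    # it blocks an administrator's own Safe Mode reboot as well.
    @{ Id = '33ddedf1-c6e0-47cb-833e-de6133960387'; On = $BlockRebootInSafeMode; Rec = $false
       Name = 'Block rebooting machine in Safe Mode' }
    @{ Id = 'c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb'; On = $BlockInpersonatedSystemTools; Rec = $true
       Name = 'Block use of copied or impersonated system tools' }
)

# AuditMode logs what the rule would have blocked without blocking it.
$action = if ($AuditMode) { 'AuditMode' } else { 'Enabled' }

if ($ResetDeault) {
    # Reset runs before any enable so "-ResetDeault -Doporuceno" ends with the
    # recommended set enabled instead of depending on source order.
    foreach ($rule in $rules) {
        Write-Verbose "Resetting '$($rule.Name)' ($($rule.Id)) to NotConfigured"
        Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Id -AttackSurfaceReductionRules_Actions NotConfigured
    }
}

foreach ($rule in $rules) {
    if ($rule.On -or ($Doporuceno -and $rule.Rec)) {
        Write-Verbose "Setting '$($rule.Name)' ($($rule.Id)) to $action"
        Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Id -AttackSurfaceReductionRules_Actions $action
    }
}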