Last active: February 22, 2025 21:50
```powershell
# This gist will set ALL (except block rebooting in safe mode) the attack surface reduction (ASR) rules as per https://learn.microsoft.com/en-us/defender-endpoint/enable-attack-surface-reduction
Set-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,d4f940ab-401b-4efc-aadc-ad5f3c50688a,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,01443614-cd74-433a-b99e-2ecdc07bfc25,5beb7efe-fd9a-4556-801d-275e5ffc04cc,d3e037e1-3eb8-44c8-a917-57927947596d,3b576869-a4ec-4529-8536-b80a7769e899,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,26190899-1602-49e8-8b27-eb1d0a1ce869,e6db77e5-3df2-4cf1-b95a-636979351e5b,d1e49aac-8f56-4280-b9ba-993a6d77406c,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb,a8f5898e-1dc8-49a9-9878-85004b8a61e6,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,c1db55ab-c21a-4637-bb3f-a12568109d35,33ddedf1-c6e0-47cb-833e-de6133960387 -AttackSurfaceReductionRules_Actions Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Disabled
# 1803 new rules:
#Set-MpPreference -AttackSurfaceReductionRules_Ids 01443614-cd74-433a-b99e-2ecdc07bfc25,c1db55ab-c21a-4637-bb3f-a12568109d35,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,d1e49aac-8f56-4280-b9ba-993a6d77406c,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -AttackSurfaceReductionRules_Actions Enabled,Enabled,Enabled,Enabled,Enabled
# Anti-PUA rule:
Set-MpPreference -PUAProtection Enabled
# See https://learn.microsoft.com/en-us/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus
```
As per: https://twitter.com/jepayneMSFT/status/991462793323790336?s=20 these are not actually active in 1803.
Win10 1803 (April 2018) has five new ASR rules:
Block executable files from running unless they meet a prevalence, age, or trusted list criteria
Use advanced protection against ransomware
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Block process creations originating from PSExec and WMI commands
Block untrusted and unsigned processes that run from USB
There are also anti-PUA rules, which don't seem to be set by default? Added this.
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus
To disable, change Enabled to Disabled. (AttackSurfaceReductionRules_Actions is in the same order as AttackSurfaceReductionRules_Ids.)
BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 is the rule most likely to be problematic; it blocks executable content from email clients and webmail.
See https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
(This probably needs to be run as administrator)