mirror of
https://github.com/NexusOne23/noid-privacy.git
synced 2026-02-07 12:11:53 +01:00
v2.2.0 - Complete Security Hardening Framework (632 Settings)
This commit is contained in:
NexusOne23
commit
ba364813ed
195 changed files with 43788 additions and 0 deletions
131
Modules/ASR/Private/Set-ASRViaPowerShell.ps1
Normal file
131
Modules/ASR/Private/Set-ASRViaPowerShell.ps1
Normal file
|
|
@ -0,0 +1,131 @@
|
|||
<#
|
||||
.SYNOPSIS
|
||||
Apply ASR rules using Set-MpPreference (PowerShell)
|
||||
|
||||
.DESCRIPTION
|
||||
Uses Microsoft's recommended PowerShell cmdlet to apply ASR rules
|
||||
Cleaner and more validated than direct registry manipulation
|
||||
|
||||
.PARAMETER Rules
|
||||
Array of rule objects to apply
|
||||
|
||||
.PARAMETER DryRun
|
||||
Preview changes without applying
|
||||
|
||||
.OUTPUTS
|
||||
PSCustomObject with applied count and errors
|
||||
#>
|
||||
|
||||
function Set-ASRViaPowerShell {
|
||||
[CmdletBinding()]
|
||||
param(
|
||||
[Parameter(Mandatory = $true)]
|
||||
[Array]$Rules,
|
||||
|
||||
[Parameter(Mandatory = $false)]
|
||||
[switch]$DryRun
|
||||
)
|
||||
|
||||
$result = [PSCustomObject]@{
|
||||
Applied = 0
|
||||
Errors = @()
|
||||
Warnings = @()
|
||||
}
|
||||
|
||||
try {
|
||||
# Build arrays for Set-MpPreference
|
||||
$ruleIds = @()
|
||||
$ruleActions = @()
|
||||
|
||||
foreach ($rule in $Rules) {
|
||||
$ruleIds += $rule.GUID
|
||||
$ruleActions += $rule.Action
|
||||
}
|
||||
|
||||
if ($DryRun) {
|
||||
Write-Log -Level INFO -Message "[DRYRUN] Would apply $($ruleIds.Count) ASR rules via Set-MpPreference" -Module "ASR"
|
||||
$result.Applied = $ruleIds.Count
|
||||
return $result
|
||||
}
|
||||
|
||||
Write-Log -Level INFO -Message "Applying $($ruleIds.Count) ASR rules via Set-MpPreference..." -Module "ASR"
|
||||
|
||||
# Apply all rules at once
|
||||
Set-MpPreference -AttackSurfaceReductionRules_Ids $ruleIds `
|
||||
-AttackSurfaceReductionRules_Actions $ruleActions `
|
||||
-ErrorAction Stop | Out-Null
|
||||
|
||||
$result.Applied = $ruleIds.Count
|
||||
|
||||
# WORKAROUND: GPO Registry has higher priority than Set-MpPreference
|
||||
# We must set BOTH Set-MpPreference AND GPO Registry to ensure the rule is actually applied
|
||||
# This applies to user-configurable rules (PSExec/WMI and Prevalence)
|
||||
$asrRegistryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
|
||||
|
||||
# User-configurable rules that need GPO Registry sync
|
||||
$userConfigurableRules = @(
|
||||
"d1e49aac-8f56-4280-b9ba-993a6d77406c", # PSExec/WMI (Management Tools)
|
||||
"01443614-cd74-433a-b99e-2ecdc07bfc25" # Prevalence (New/Unknown Software)
|
||||
)
|
||||
|
||||
foreach ($rule in $Rules) {
|
||||
# For user-configurable rules: Always sync to GPO Registry (Block OR Audit)
|
||||
if ($userConfigurableRules -contains $rule.GUID) {
|
||||
try {
|
||||
$currentValue = Get-ItemProperty -Path $asrRegistryPath -Name $rule.GUID -ErrorAction SilentlyContinue
|
||||
$needsUpdate = $false
|
||||
|
||||
if ($currentValue) {
|
||||
# Registry exists - check if value differs
|
||||
if ([int]$currentValue.($rule.GUID) -ne $rule.Action) {
|
||||
$needsUpdate = $true
|
||||
}
|
||||
} else {
|
||||
# Registry doesn't exist - need to create it
|
||||
$needsUpdate = $true
|
||||
}
|
||||
|
||||
if ($needsUpdate) {
|
||||
# Ensure path exists
|
||||
if (-not (Test-Path $asrRegistryPath)) {
|
||||
New-Item -Path $asrRegistryPath -Force | Out-Null
|
||||
}
|
||||
|
||||
# Set the registry value (using string type like Security Baseline does)
|
||||
Set-ItemProperty -Path $asrRegistryPath -Name $rule.GUID -Value $rule.Action.ToString() -Type String -Force -ErrorAction Stop | Out-Null
|
||||
|
||||
$modeName = switch ($rule.Action) { 1 { "Block" } 2 { "Audit" } default { "Unknown" } }
|
||||
Write-Log -Level INFO -Message "Synced $($rule.Name) to GPO Registry: $modeName mode" -Module "ASR"
|
||||
}
|
||||
}
|
||||
catch {
|
||||
$result.Warnings += "Could not sync rule $($rule.Name) to GPO registry: $($_.Exception.Message)"
|
||||
Write-Log -Level WARNING -Message "Could not sync $($rule.Name) to GPO registry: $($_.Exception.Message)" -Module "ASR"
|
||||
}
|
||||
}
|
||||
# For non-configurable rules: Only override if user wants Block and Baseline had Audit
|
||||
elseif ($rule.Action -eq 1 -and $rule.BaselineStatus -eq "Audit") {
|
||||
try {
|
||||
$currentValue = Get-ItemProperty -Path $asrRegistryPath -Name $rule.GUID -ErrorAction SilentlyContinue
|
||||
|
||||
if ($currentValue -and [int]$currentValue.($rule.GUID) -ne 1) {
|
||||
Set-ItemProperty -Path $asrRegistryPath -Name $rule.GUID -Value "1" -Type String -Force -ErrorAction Stop | Out-Null
|
||||
Write-Log -Level INFO -Message "Force-applied $($rule.Name) to Block mode via registry (was Audit from Baseline)" -Module "ASR"
|
||||
}
|
||||
}
|
||||
catch {
|
||||
$result.Warnings += "Could not force-apply rule $($rule.Name) via registry: $($_.Exception.Message)"
|
||||
Write-Log -Level WARNING -Message "Could not force-apply $($rule.Name) via registry: $($_.Exception.Message)" -Module "ASR"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Write-Log -Level INFO -Message "Successfully applied $($ruleIds.Count) ASR rules" -Module "ASR"
|
||||
}
|
||||
catch {
|
||||
$result.Errors += "Failed to apply ASR rules: $($_.Exception.Message)"
|
||||
Write-Log -Level ERROR -Message "Set-MpPreference failed: $($_.Exception.Message)" -Module "ASR"
|
||||
}
|
||||
|
||||
return $result
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue