PrimusASR is a helper script that i created in order to find ASR exclusions as low privilege user on a Windows endpoint.

Primusinterp/PrimusASR


PrimusASR

PrimusASR is a helper script that I created in order to find ASR exclusions as a low-privilege user on a Windows endpoint. It parses the Windows Defender event log for Event ID 5007 and extracts the ASR rules and their configuration state, along with any discovered exclusions. This gives an easy way of bypassing ASR rules such as 01443614-cd74-433a-b99e-2ecdc07bfc25 - Block executable files from running unless they meet a prevalence, age, or trusted list criteria. For further details about this method and other methods of bypassing this ASR rule, please check out my blog post here.

Usage

.\PrimusASR.ps1

Output

The output is a table of the ASR rules and their configuration state along with any identified Windows Defender or ASR exclusions.
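The following is an added audit example, not the PrimusASR script itself, showing how the Event ID 5007 parsing described above can be reproduced to review the ASR rule states and exclusions a non-admin user can learn from the log (which is also why 5007 events are worth forwarding to a SIEM and alerting on exclusion changes). It assumes the usual 5007 message layout ("Old value: <path> = <hex>" / "New value: <path> = <hex>"), the Defender registry paths matched below, and the ASR state mapping 0x0/0x1/0x2/0x6 = Disabled/Block/Audit/Warn; check all three against a real 5007 event on your build.

```powershell
# Added audit example (not PrimusASR's code). Assumed: 5007 message layout,
# registry path names and ASR state values as described in the lead-in.
$AsrStates = @{ '0x0' = 'Disabled'; '0x1' = 'Block'; '0x2' = 'Audit'; '0x6' = 'Warn' }

function Get-DefenderConfigFromEvents {
    param([int]$MaxEvents = 5000)
    # Event 5007 = "configuration has changed"; the Operational log is readable without admin rights.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $rules = @{}; $excl = @{}
    # Get-WinEvent yields newest first; replay oldest -> newest so the last change wins.
    foreach ($e in ($events | Sort-Object TimeCreated)) {
        $msg = $e.Message
        if ($msg -match 'New value:\s*(?<path>[^\r\n]+?)\s*=\s*(?<val>0x[0-9A-Fa-f]+)') {
            $path = $Matches['path']; $val = $Matches['val']; $added = $true
        } elseif ($msg -match 'Old value:\s*(?<path>[^\r\n]+?)\s*=\s*0x[0-9A-Fa-f]+\s*New value:\s*$') {
            $path = $Matches['path']; $val = $null; $added = $false   # value was deleted
        } else { continue }
        switch -Regex ($path) {
            '\\ASR\\Rules\\(?<guid>[0-9a-fA-F-]{36})$' {
                $state = if ($AsrStates.ContainsKey($val)) { $AsrStates[$val] } else { $val }
                $rules[$Matches['guid']] = if ($added) { $state } else { 'Removed' }
            }
            '\\ASR\\ASROnlyExclusions\\(?<item>.+)$' {
                $excl['ASR exclusion: ' + $Matches['item']] = $added
            }
            '\\Windows Defender\\Exclusions\\(?<kind>Paths|Processes|Extensions)\\(?<item>.+)$' {
                $excl["Defender $($Matches['kind']) exclusion: " + $Matches['item']] = $added
            }
        }
    }
    # Emit one row per rule and one per exclusion that is still present (added and not later removed).
    $out = @(foreach ($g in $rules.Keys) {
        [pscustomobject]@{ Type = 'ASR rule'; Item = $g; State = $rules[$g] }
    })
    $out += @(foreach ($k in ($excl.Keys | Where-Object { $excl[$_] })) {
        [pscustomobject]@{ Type = 'Exclusion'; Item = $k; State = 'Present' }
    })
    return $out
}

Get-DefenderConfigFromEvents | Format-Table -AutoSize
```

Older events roll off the log, so an exclusion added before the oldest surviving 5007 entry will not appear; compare against Get-MpPreference from an elevated session when doing a full audit.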


Disclaimer

This tool is designed for legitimate security testing and research purposes only. Users are responsible for ensuring compliance with applicable laws and regulations. The authors are not responsible for any misuse of this software.
