Add check for listing ASR rules (issue #57)

itm4n · Jun 10, 2024 · f106e7b · f106e7b
1 parent 5ca9749
commit f106e7b
Show file tree

Hide file tree

Showing 6 changed files with 182 additions and 48 deletions.
diff --git a/PrivescCheck.ps1 b/PrivescCheck.ps1
diff --git a/info/CHANGELOG.md b/info/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog
 
+## 2024-06-10
+
+### Added
+
+- List Windows Defender Exploit Guard ASR rules
+
 ## 2024-06-02
 
 ### Removed

diff --git a/release/PrivescCheck.ps1 b/release/PrivescCheck.ps1
diff --git a/src/check/Hardening.ps1 b/src/check/Hardening.ps1
@@ -957,4 +957,37 @@ function Invoke-PowerShellExecutionPolicyCheck {
     end {
         $Result
     }
+}
+
+function Invoke-AttackSurfaceReductionRuleCheck {
+    <#
+    .SYNOPSIS
+    Get information about configured Windows Defender Exploit Guard Attack Surface Reduction (ASR) rules.
+
+    Author: @itm4n
+    License: BSD 3-Clause
+
+    .DESCRIPTION
+    This cmdlet returns a list of enabled ASR rules.
+
+    .EXAMPLE
+    PS C:\> Invoke-AttackSurfaceReductionRuleCheck
+
+    Rule        : Block Office applications from creating executable content
+    Id          : 3b576869-a4ec-4529-8536-b80a7769e899
+    State       : 2
+    Description : Audit
+
+    Rule        : Block Win32 API calls from Office macros
+    Id          : 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b
+    State       : 1
+    Description : Block
+    #>
+
+    [CmdletBinding()]
+    param ()
+
+    process {
+        Get-AttackSurfaceReductionRule | Where-Object { ($null -ne $_.State) -and ($_.State -ne 0) }
+    }
 }
diff --git a/src/check/Main.ps1 b/src/check/Main.ps1
@@ -93,6 +93,7 @@ function Invoke-PrivescCheck {
 "HARDEN_UAC",                     "Invoke-UacCheck",                            "TA0008 - Lateral Movement",     "UAC settings",                        "Low",      "List",   "Audit",        "True",       "False", "Check whether User Access Control (UAC) is enabled and whether it filters the access token of local administrator accounts when they authenticate remotely."
 "HARDEN_LSA_PROTECTION",          "Invoke-LsaProtectionCheck",                  "TA0006 - Credential Access",    "LSA Protection",                      "Low",      "List",   "Base",         "True",       "False", "Check whether LSA protection is enabled. Note that when LSA protection is enabled, 'lsass.exe' runs as a Protected Process Light (PPL) and thus can only be accessed by other protected processes with an equivalent or higher protection level."
 "HARDEN_CREDENTIAL_GUARD",        "Invoke-CredentialGuardCheck",                "TA0006 - Credential Access",    "Credential Guard",                    "Low",      "List",   "Base",         "True",       "False", "Check whether Credential Guard is supported and enabled. Note that when Credential Guard is enabled, credentials are stored in an isolated process ('LsaIso.exe') that cannot be accessed, even if the kernel is compromised."
+"HARDEN_ASR_RULES",               "Invoke-AttackSurfaceReductionRuleCheck",     "TA0005 - Defense Evasion",      "Attack Surface Reduction rules",      "None",     "List",   "Extended",     "True",       "False", "Get information about configured Windows Defender Exploit Guard Attack Surface Reduction (ASR) rules."
 "HARDEN_BIOS_MODE",               "Invoke-BiosModeCheck",                       "TA0003 - Persistence",          "UEFI & Secure Boot",                  "Low",      "Table",  "Extended",     "True",       "False", "Check whether UEFI and Secure Boot are supported and enabled. Note that Secure Boot requires UEFI."
 "HARDEN_LAPS",                    "Invoke-LapsCheck",                           "TA0008 - Lateral Movement",     "LAPS",                                "Medium",   "List",   "Base",         "True",       "False", "Check whether LAPS is configured and enabled. Note that this applies to domain-joined machines only."
 "HARDEN_PS_TRANSCRIPT",           "Invoke-PowershellTranscriptionCheck",        "TA0005 - Defense Evasion",      "PowerShell transcription",            "None",     "List",   "Extended",     "True",       "False", "Check whether PowerShell Transcription is configured and enabled."

diff --git a/src/helper/HardeningHelpers.ps1 b/src/helper/HardeningHelpers.ps1
@@ -697,4 +697,98 @@ function Get-EnforcedPowerShellExecutionPolicy {
             break
         }
     }
+}
+
+function Get-AttackSurfaceReductionRule {
+    <#
+    .SYNOPSIS
+    Helper - Get the ASR rules and their values
+
+    Author: @itm4n
+    License: BSD 3-Clause
+
+    .DESCRIPTION
+    This cmdlet returns a list of all existing ASR rules, along with their values in the registry. If a rule is not defined, the 'Data' value is null.
+
+    .EXAMPLE
+    PS C:\> Get-AttackSurfaceReductionRule
+
+    Rule        : Block executable files from running unless they meet a prevalence, age, or trusted list criterion
+    Id          : 01443614-cd74-433a-b99e-2ecdc07bfc25
+    State       :
+    Description : Not configured (disabled)
+
+    Rule        : Block Office applications from creating executable content
+    Id          : 3b576869-a4ec-4529-8536-b80a7769e899
+    State       : 2
+    Description : Audit
+
+    Rule        : Block Webshell creation for Servers
+    Id          : a8f5898e-1dc8-49a9-9878-85004b8a61e6
+    State       :
+    Description : Not configured (disabled)
+
+    .NOTES
+    Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction > Configure Attack Surface Reduction rules
+
+    .LINK
+    https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference
+    #>
+
+    [CmdletBinding()]
+    param ()
+
+    begin {
+        $RuleIds = @{
+            [Guid] "56a863a9-875e-4185-98a7-b882c64b5ce5" = "Block abuse of exploited vulnerable signed drivers"
+            [Guid] "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" = "Block Adobe Reader from creating child processes"
+            [Guid] "d4f940ab-401b-4efc-aadc-ad5f3c50688a" = "Block all Office applications from creating child processes"
+            [Guid] "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" = "Block credential stealing from the Windows local security authority subsystem (lsass.exe)"
+            [Guid] "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" = "Block executable content from email client and webmail"
+            [Guid] "01443614-cd74-433a-b99e-2ecdc07bfc25" = "Block executable files from running unless they meet a prevalence, age, or trusted list criterion"
+            [Guid] "5beb7efe-fd9a-4556-801d-275e5ffc04cc" = "Block execution of potentially obfuscated scripts"
+            [Guid] "d3e037e1-3eb8-44c8-a917-57927947596d" = "Block JavaScript or VBScript from launching downloaded executable content"
+            [Guid] "3b576869-a4ec-4529-8536-b80a7769e899" = "Block Office applications from creating executable content"
+            [Guid] "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" = "Block Office applications from injecting code into other processes"
+            [Guid] "26190899-1602-49e8-8b27-eb1d0a1ce869" = "Block Office communication application from creating child processes"
+            [Guid] "e6db77e5-3df2-4cf1-b95a-636979351e5b" = "Block persistence through WMI event subscription"
+            [Guid] "d1e49aac-8f56-4280-b9ba-993a6d77406c" = "Block process creations originating from PSExec and WMI commands"
+            [Guid] "33ddedf1-c6e0-47cb-833e-de6133960387" = "Block rebooting machine in Safe Mode (preview)"
+            [Guid] "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" = "Block untrusted and unsigned processes that run from USB"
+            [Guid] "c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb" = "Block use of copied or impersonated system tools (preview)"
+            [Guid] "a8f5898e-1dc8-49a9-9878-85004b8a61e6" = "Block Webshell creation for Servers"
+            [Guid] "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" = "Block Win32 API calls from Office macros"
+            [Guid] "c1db55ab-c21a-4637-bb3f-a12568109d35" = "Use advanced protection against ransomware"
+        }
+
+        $RegKey = "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
+    }
+
+    process {
+
+        foreach ($RuleId in $RuleIds.GetEnumerator()) {
+
+            $RegValue = $RuleId.Name.ToString()
+            $RegData = (Get-ItemProperty -Path "Registry::$($RegKey)" -Name $RegValue -ErrorAction SilentlyContinue).$RegValue
+
+            switch ($RegData) {
+                $null { $Description = "Not configured (disabled)" }
+                0 { $Description = "Disabled" }
+                1 { $Description = "Block" }
+                2 { $Description = "Audit" }
+                6 { $Description = "Warn" }
+                Default {
+                    $Description = $null
+                    Write-Warning "Unexpected value for ASR rule '$($RegValue)': $($RegData)"
+                }
+            }
+
+            $Rule = New-Object -TypeName PSObject
+            $Rule | Add-Member -MemberType "NoteProperty" -Name "Rule" -Value $RuleId.Value
+            $Rule | Add-Member -MemberType "NoteProperty" -Name "Id" -Value $RuleId.Name
+            $Rule | Add-Member -MemberType "NoteProperty" -Name "State" -Value $RegData
+            $Rule | Add-Member -MemberType "NoteProperty" -Name "Description" -Value $Description
+            $Rule
+        }
+    }
 }