Windows-Defender-Exploit-Guard-Configuration

Windows Defender Exploit-Guard Configuration

This Script provides:

Configure Windows Defender Exploit-Guard by using PowerShell
Reset all ProcessMitigations to get a clean (unconfigured) state
Import clean Default-Configuration shipped with the OS
Import clean recommended Baseline Configuration
Configure Attack Surface Reduction and check actual Configuration of ASR

What’s the Problem?

Windows 10 v1709 (RS3) includes Windows Defender ExploitGuard (Windows Defender EG), the successor of EMET. There are two powershell commandlets Get-ProcessMitigation and Set-ProcessMitigation for Configuring the Exploit-Guard Configuration by using scripts, but currently in Windows 10 v1709 (RS3) there are following bugs and a lack of functionality:

Get-ProcessMitigation commandlet does not list these executables configured by full-path, only lists those which are defined by plain executable-names without path
Set-ProcessMitigation commandlet has no functionality to delete a configured process-mitigation or to delete all configured per-process-mitigations like the EMET-Commandline-Tool EMET_Conf --delete <path to executable> or EMET_Conf --delete_apps or EMET_Conf --delete_all provided
Additionaly in the current (tested 26.01.2018) InsiderBuild of Win10 RS4 (v1803) there is a default process-mitigation for CameraBarcodeScannerPreview.exe with Registry-Permissions only for TrustedInstaller (SYSTEM or Administrator have no rights to modify these, this leads to Exceptions / Errors)

The Solution:

PowerShell-Script Remove-all-ProcessMitigations.ps1

Removes all currently configured ProcessMitigations
Can handle such ProcessMitigations that are configured by plain Executable-Names like notepad.exe as well as full-path Configurations like C:\Windows\system32\notepad.exe
Can handle Configurations which are unmodifyable by Administrators because ACLs are set to TrustedInstaller by Taking Ownership and resetting the ACLs to defaults (Inherited ACLs)

Demonstration of the Output:

PS C:\Temp> .\Remove-all-ProcessMitigations.ps1

Removing MitigationOptions for:       AcroRd32.exe
Removing MitigationAuditOptions for:  AcroRd32.exe
Removing MitigationOptions for:       AcroRd32Info.exe
Removing MitigationAuditOptions for:  AcroRd32Info.exe
Removing MitigationOptions for:       iexplore.exe
Removing MitigationAuditOptions for:  iexplore.exe
Removing FullPathEntry:               notepad.exe - C:\Windows\SysWOW64\notepad.exe
Removing FullPathEntry:               notepad.exe - C:\Windows\notepad.exe
Removing FullPathEntry:               notepad.exe - C:\Windows\System32\notepad.exe
Removing empty Entry:                 notepad.exe
Removing MitigationOptions for:       PresentationHost.exe
Removing MitigationAuditOptions for:  PresentationHost.exe
Removing empty Entry:                 PresentationHost.exe
...

PowerShell-Script Windows10_ExploitGuard-Config.ps1

uses Remove-all-ProcessMitigations.ps1 to remove the Configuration
Sets the System-Configuration of Exploit-Guard to default
Imports the Exploit-Guard Default-Settings of Windows 10 v1703 which are provided by Windows10-v1709_ExploitGuard-DefaultSettings.xml
Imports the recommended Baseline-Settings for Windows 10 v1703 which are provided by Windows10-v1709_ExploitGuard-Security-Baseline.xml

Source of the XML-Files

Windows10-v1709_ExploitGuard-DefaultSettings.xml is taken from a fresh Windows 10 v1709 Machine
Windows10-v1803_ExploitGuard-DefaultSettings.xml is taken from a fresh Windows 10 v1803 Machine
Windows10-v1809_ExploitGuard-DefaultSettings.xml is taken from a fresh Windows 10 v1809 Machine
Windows10-v1903_ExploitGuard-DefaultSettings.xml is taken from a fresh Windows 10 v1903 Machine
Windows10-v1909_ExploitGuard-DefaultSettings.xml is taken from a fresh Windows 10 v1909 Machine (but no Changes to v1903)
Windows10-v1709_ExploitGuard-Security-Baseline.xml is taken from the official Microsoft v1709 Baseline
Windows10-v1803_ExploitGuard-Security-Baseline.xml is taken from the official Microsoft v1803 Baseline
Windows10-v1809_ExploitGuard-Security-Baseline.xml is taken from the official Microsoft v1809 Baseline
Windows10-v1903_ExploitGuard-Security-Baseline.xml is taken from the official Microsoft v1903 Baseline
Windows10-v1909_ExploitGuard-Security-Baseline.xml is taken from the official Microsoft v1909 Baseline
Windows10-v2004_ExploitGuard-Security-Baseline.xml is taken from the official Microsoft v2004 Baseline
Windows10-v2009_ExploitGuard-Security-Baseline.xml is taken from the official Microsoft v20H2 Baseline
Windows10-v2104_ExploitGuard-Security-Baseline.xml is taken from the official Microsoft v21H1 Baseline
Security Baselines and Exploit-Guard Default-Settings of Windows 10 v1909, v2004, v20H2 seem to be identically (no difference)

Further Information

See my Blog-Post (in German Language)

WD - Exploit Guard - Attack Surface Reduction Rules

Enable-ExploitGuard-AttackSurfaceReduction.ps1 - Script for Configuring ASR
Further Information on this See my Blog-Post (in German Language)
Demo-Output: ``` Checking current System Configuration for configured Attack surface reduction rules (and comparing to new desired Mode):

GUID Description CurrentMode DesiredMode —- ———– ———– ———– 01443614-cd74-433a-b99e-2ecdc07bfc25 Block executable files from running unless they meet a prevalence, age, or trusted list criteria Disabled Disabled 3B576869-A4EC-4529-8536-B80A7769E899 Block Office applications from creating executable content Enabled Enabled 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block execution of potentially obfuscated scripts Enabled Enabled 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 Block Office applications from injecting code into other processes Enabled Enabled 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B Block Win32 API calls from Office macro Enabled Enabled 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block credential stealing from the Windows local security authority subsystem (lsass.exe) Disabled Disabled b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 Block untrusted and unsigned processes that run from USB AuditMode AuditMode BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Block executable content from email client and webmail Enabled Enabled c1db55ab-c21a-4637-bb3f-a12568109d35 Use advanced protection against ransomware Disabled Disabled d1e49aac-8f56-4280-b9ba-993a6d77406c Block process creations originating from PSExec and WMI commands AuditMode AuditMode D3E037E1-3EB8-44C8-A917-57927947596D Block JavaScript or VBScript from launching downloaded executable content Enabled Enabled D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block Office applications from creating child processes Enabled Enabled

Enabling Windows Defender Exploit Guard Attack surface reduction rules

GUID Description Mode —- ———– —- BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Block executable content from email client and webmail Enabled D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block Office applications from creating child processes Enabled 3B576869-A4EC-4529-8536-B80A7769E899 Block Office applications from creating executable content Enabled 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 Block Office applications from injecting code into other processes Enabled D3E037E1-3EB8-44C8-A917-57927947596D Block JavaScript or VBScript from launching downloaded executable content Enabled 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block execution of potentially obfuscated scripts Enabled 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B Block Win32 API calls from Office macro Enabled 01443614-cd74-433a-b99e-2ecdc07bfc25 Block executable files from running unless they meet a prevalence, age, or trusted list criteria Disabled c1db55ab-c21a-4637-bb3f-a12568109d35 Use advanced protection against ransomware Disabled 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block credential stealing from the Windows local security authority subsystem (lsass.exe) Disabled d1e49aac-8f56-4280-b9ba-993a6d77406c Block process creations originating from PSExec and WMI commands AuditMode b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 Block untrusted and unsigned processes that run from USB AuditMode ```