chore: add asr scripts

2025-10-24 12:43:38 +10:00
parent adda1933ba
commit 35591f3e32
2 changed files with 51 additions and 0 deletions
--- a/Disable-ASR.ps1
+++ b/Disable-ASR.ps1
@@ -0,0 +1,25 @@
+# List of all known ASR rule GUIDs
+$ASRRuleIDs = @(
+    "D4F940AB-401B-4EFC-AADC-AD5F3C50688A", # Block executable content from email and webmail
+    "3B576869-A4EC-4529-8536-B80A7769E899", # Use advanced protection against ransomware
+    "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84", # Block credential stealing from LSASS
+    "D3E037E1-3EB8-44C8-A917-57927947596D", # Block Office apps from creating child processes
+    "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84", # Block credential stealing from LSASS
+    "DCB9C6F7-4C50-4E1E-9480-1E76C6E3C5D8", # Block persistence through WMI event subscription
+    "E6DB77E5-3DF2-4CF1-B95A-636979351EDE", # Block process creations originating from PSExec and WMI commands
+    "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC", # Block untrusted and unsigned processes that run from USB
+    "B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4", # Block Office communication application from creating child processes
+    "C1DB55AB-C21A-4637-BB3F-A12568109D35", # Use advanced protection against ransomware
+    "9E6B8E18-3B75-4B1E-AC17-4A72AFAE74B3", # Block credential stealing from LSASS
+    "3B576869-A4EC-4529-8536-B80A7769E899", # Block Office apps from injecting code into other processes
+    "26190899-1602-49e8-8b27-eb1d0a1ce869", # Block JavaScript or VBScript from launching downloaded executable content
+    "D1E49AAC-8F56-4280-B9BA-993A6D77406C", # Block executable files from running unless they meet a prevalence, age, or trusted list criteria
+    "01443614-cd74-433a-b99e-2eccc34a4d34", # Use advanced protection against ransomware
+    "6C6E6E8F-2E3E-4F3C-ABF9-1B0A9A3F0A3C"  # Block credential stealing from LSASS
+)
+foreach ($id in $ASRRuleIDs) {
+    Write-Host "Disabling ASR Rule: $id"
+    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Disabled
+}
+
+Write-Host "❌ All ASR rules have been disabled."
--- a/Enable-ASR.ps1
+++ b/Enable-ASR.ps1
@@ -0,0 +1,26 @@
+# List of all known ASR rule GUIDs
+$ASRRuleIDs = @(
+    "D4F940AB-401B-4EFC-AADC-AD5F3C50688A", # Block executable content from email and webmail
+    "3B576869-A4EC-4529-8536-B80A7769E899", # Use advanced protection against ransomware
+    "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84", # Block credential stealing from LSASS
+    "D3E037E1-3EB8-44C8-A917-57927947596D", # Block Office apps from creating child processes
+    "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84", # Block credential stealing from LSASS
+    "DCB9C6F7-4C50-4E1E-9480-1E76C6E3C5D8", # Block persistence through WMI event subscription
+    "E6DB77E5-3DF2-4CF1-B95A-636979351EDE", # Block process creations originating from PSExec and WMI commands
+    "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC", # Block untrusted and unsigned processes that run from USB
+    "B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4", # Block Office communication application from creating child processes
+    "C1DB55AB-C21A-4637-BB3F-A12568109D35", # Use advanced protection against ransomware
+    "9E6B8E18-3B75-4B1E-AC17-4A72AFAE74B3", # Block credential stealing from LSASS
+    "3B576869-A4EC-4529-8536-B80A7769E899", # Block Office apps from injecting code into other processes
+    "26190899-1602-49e8-8b27-eb1d0a1ce869", # Block JavaScript or VBScript from launching downloaded executable content
+    "D1E49AAC-8F56-4280-B9BA-993A6D77406C", # Block executable files from running unless they meet a prevalence, age, or trusted list criteria
+    "01443614-cd74-433a-b99e-2eccc34a4d34", # Use advanced protection against ransomware
+    "6C6E6E8F-2E3E-4F3C-ABF9-1B0A9A3F0A3C"  # Block credential stealing from LSASS
+)
+
+foreach ($id in $ASRRuleIDs) {
+    Write-Host "Enabling ASR Rule: $id"
+    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
+}
+
+Write-Host "✅ All ASR rules have been enabled."