mmckinnon/LAB
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: update guid for asr rules

Browse Source
This commit is contained in:
Matthew McKinnon
2025-10-24 19:56:43 +10:00
parent 35591f3e32
commit 6d55a3f05d
2 changed files with 28 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
Disable-ASR.ps1
View File

@@ -1,21 +1,24 @@
# List of all known ASR rule GUIDs
$ASRRuleIDs = @(
"56a863a9-875e-4185-98a7-b882c64b5ce5", # Block abuse of exploited vulnerable signed drivers
"7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c", # Block Adobe Reader from creating child processes
"D4F940AB-401B-4EFC-AADC-AD5F3C50688A", # Block executable content from email and webmail
"9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2", # Block credential stealing from LSASS
"be9ba2d9-53ea-4cdc-84e5-9b1eeee46550", # Block executable content from email client and webmail
"01443614-cd74-433a-b99e-2eccc34a4d34", # Use advanced protection against ransomware
"5BEB7EFE-FD9A-4556-801D-275E5FFC04CC", # Block untrusted and unsigned processes that run from USB
"D3E037E1-3EB8-44C8-A917-57927947596D", # Block Office apps from creating child processes
"3B576869-A4EC-4529-8536-B80A7769E899", # Use advanced protection against ransomware
"75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84", # Block credential stealing from LSASS
"D3E037E1-3EB8-44C8-A917-57927947596D", # Block Office apps from creating child processes
"75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84", # Block credential stealing from LSASS
"DCB9C6F7-4C50-4E1E-9480-1E76C6E3C5D8", # Block persistence through WMI event subscription
"E6DB77E5-3DF2-4CF1-B95A-636979351EDE", # Block process creations originating from PSExec and WMI commands
"5BEB7EFE-FD9A-4556-801D-275E5FFC04CC", # Block untrusted and unsigned processes that run from USB
"B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4", # Block Office communication application from creating child processes
"C1DB55AB-C21A-4637-BB3F-A12568109D35", # Use advanced protection against ransomware
"9E6B8E18-3B75-4B1E-AC17-4A72AFAE74B3", # Block credential stealing from LSASS
"3B576869-A4EC-4529-8536-B80A7769E899", # Block Office apps from injecting code into other processes
"26190899-1602-49e8-8b27-eb1d0a1ce869", # Block JavaScript or VBScript from launching downloaded executable content
"E6DB77E5-3DF2-4CF1-B95A-636979351EDE", # Block process creations originating from PSExec and WMI commands
"D1E49AAC-8F56-4280-B9BA-993A6D77406C", # Block executable files from running unless they meet a prevalence, age, or trusted list criteria
"01443614-cd74-433a-b99e-2eccc34a4d34", # Use advanced protection against ransomware
"6C6E6E8F-2E3E-4F3C-ABF9-1B0A9A3F0A3C" # Block credential stealing from LSASS
"33ddedf1-c6e0-47cb-833e-de6133960387", # Block rebooting machine in Safe Mode
"B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4", # Block Office communication application from creating child processes
"c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb", # Block use of copied or impersonated system tools
"a8f5898e-1dc8-49a9-9878-85004b8a61e6", # Block Webshell creation for Servers
"92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b", # Block Win32 API calls from Office macros
"C1DB55AB-C21A-4637-BB3F-A12568109D35" # Use advanced protection against ransomware
)
foreach ($id in $ASRRuleIDs) {
Write-Host "Disabling ASR Rule: $id"

25
Enable-ASR.ps1
View File

@@ -1,21 +1,24 @@
# List of all known ASR rule GUIDs
$ASRRuleIDs = @(
"56a863a9-875e-4185-98a7-b882c64b5ce5", # Block abuse of exploited vulnerable signed drivers
"7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c", # Block Adobe Reader from creating child processes
"D4F940AB-401B-4EFC-AADC-AD5F3C50688A", # Block executable content from email and webmail
"9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2", # Block credential stealing from LSASS
"be9ba2d9-53ea-4cdc-84e5-9b1eeee46550", # Block executable content from email client and webmail
"01443614-cd74-433a-b99e-2eccc34a4d34", # Use advanced protection against ransomware
"5BEB7EFE-FD9A-4556-801D-275E5FFC04CC", # Block untrusted and unsigned processes that run from USB
"D3E037E1-3EB8-44C8-A917-57927947596D", # Block Office apps from creating child processes
"3B576869-A4EC-4529-8536-B80A7769E899", # Use advanced protection against ransomware
"75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84", # Block credential stealing from LSASS
"D3E037E1-3EB8-44C8-A917-57927947596D", # Block Office apps from creating child processes
"75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84", # Block credential stealing from LSASS
"DCB9C6F7-4C50-4E1E-9480-1E76C6E3C5D8", # Block persistence through WMI event subscription
"E6DB77E5-3DF2-4CF1-B95A-636979351EDE", # Block process creations originating from PSExec and WMI commands
"5BEB7EFE-FD9A-4556-801D-275E5FFC04CC", # Block untrusted and unsigned processes that run from USB
"B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4", # Block Office communication application from creating child processes
"C1DB55AB-C21A-4637-BB3F-A12568109D35", # Use advanced protection against ransomware
"9E6B8E18-3B75-4B1E-AC17-4A72AFAE74B3", # Block credential stealing from LSASS
"3B576869-A4EC-4529-8536-B80A7769E899", # Block Office apps from injecting code into other processes
"26190899-1602-49e8-8b27-eb1d0a1ce869", # Block JavaScript or VBScript from launching downloaded executable content
"E6DB77E5-3DF2-4CF1-B95A-636979351EDE", # Block process creations originating from PSExec and WMI commands
"D1E49AAC-8F56-4280-B9BA-993A6D77406C", # Block executable files from running unless they meet a prevalence, age, or trusted list criteria
"01443614-cd74-433a-b99e-2eccc34a4d34", # Use advanced protection against ransomware
"6C6E6E8F-2E3E-4F3C-ABF9-1B0A9A3F0A3C" # Block credential stealing from LSASS
"33ddedf1-c6e0-47cb-833e-de6133960387", # Block rebooting machine in Safe Mode
"B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4", # Block Office communication application from creating child processes
"c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb", # Block use of copied or impersonated system tools
"a8f5898e-1dc8-49a9-9878-85004b8a61e6", # Block Webshell creation for Servers
"92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b", # Block Win32 API calls from Office macros
"C1DB55AB-C21A-4637-BB3F-A12568109D35" # Use advanced protection against ransomware
)
foreach ($id in $ASRRuleIDs) {