npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
When to Use
Use this skill when:
- Configuring Microsoft Defender for Endpoint (MDE) beyond default settings for enhanced protection
- Implementing Attack Surface Reduction (ASR) rules to block common attack techniques
- Enabling controlled folder access for ransomware protection
- Configuring network protection and exploit protection features
- Deploying Defender settings via Intune, SCCM, or Group Policy at enterprise scale
Do not use this skill for third-party EDR deployment (CrowdStrike, SentinelOne) or for Microsoft Defender for Cloud (Azure workload protection).
Prerequisites
- Windows 10/11 Enterprise with Microsoft Defender Antivirus enabled
- Microsoft 365 E5 or Microsoft Defender for Endpoint Plan 2 license (for full MDE features)
- Microsoft Intune or SCCM for enterprise policy deployment
- Microsoft 365 Defender portal access (security.microsoft.com)
- Endpoints not running third-party AV in active mode (Defender enters passive mode)
Workflow
Step 1: Configure Attack Surface Reduction (ASR) Rules
ASR rules block specific behaviors commonly used by malware and attackers:
# Enable ASR rules via PowerShell (or deploy via Intune/GPO)
# Mode: 0=Disabled, 1=Block, 2=Audit, 6=Warn
# Block executable content from email client and webmail
Set-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 `
-AttackSurfaceReductionRules_Actions 1
# Block all Office applications from creating child processes
Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A `
-AttackSurfaceReductionRules_Actions 1
# Block Office applications from creating executable content
Set-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 `
-AttackSurfaceReductionRules_Actions 1
# Block Office applications from injecting code into other processes
Set-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 `
-AttackSurfaceReductionRules_Actions 1
# Block JavaScript or VBScript from launching downloaded executable content
Set-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D `
-AttackSurfaceReductionRules_Actions 1
# Block execution of potentially obfuscated scripts
Set-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC `
-AttackSurfaceReductionRules_Actions 1
# Block Win32 API calls from Office macros
Set-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B `
-AttackSurfaceReductionRules_Actions 1
# Block credential stealing from Windows LSASS
Set-MpPreference -AttackSurfaceReductionRules_Ids 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 `
-AttackSurfaceReductionRules_Actions 1
# Block process creations from PSExec and WMI commands
Set-MpPreference -AttackSurfaceReductionRules_Ids D1E49AAC-8F56-4280-B9BA-993A6D77406C `
-AttackSurfaceReductionRules_Actions 1
# Block untrusted and unsigned processes from USB
Set-MpPreference -AttackSurfaceReductionRules_Ids B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 `
-AttackSurfaceReductionRules_Actions 1
# Block persistence through WMI event subscription
Set-MpPreference -AttackSurfaceReductionRules_Ids E6DB77E5-3DF2-4CF1-B95A-636979351E5B `
-AttackSurfaceReductionRules_Actions 1
# Block abuse of exploited vulnerable signed drivers
Set-MpPreference -AttackSurfaceReductionRules_Ids 56A863A9-875E-4185-98A7-B882C64B5CE5 `
-AttackSurfaceReductionRules_Actions 1Step 2: Configure Controlled Folder Access (Ransomware Protection)
# Enable Controlled Folder Access
Set-MpPreference -EnableControlledFolderAccess Enabled
# Default protected folders: Documents, Pictures, Videos, Music, Desktop, Favorites
# Add custom protected folders
Add-MpPreference -ControlledFolderAccessProtectedFolders "C:\CriticalData"
Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\SharedDrives"
# Allow specific applications to access protected folders
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\CustomApp\app.exe"
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\Backup\backup.exe"
# Set to Audit mode first to identify legitimate applications that need access
Set-MpPreference -EnableControlledFolderAccess AuditMode
# Event ID 1124 in Microsoft-Windows-Windows Defender/Operational logStep 3: Configure Network Protection
# Enable Network Protection (blocks connections to malicious domains/IPs)
Set-MpPreference -EnableNetworkProtection Enabled
# Network Protection leverages Microsoft SmartScreen intelligence
# Blocks: phishing sites, exploit hosting domains, C2 domains, malware download URLs
# Set to Audit mode first:
Set-MpPreference -EnableNetworkProtection AuditMode
# Event Log: Microsoft-Windows-Windows Defender/Operational, Event ID 1125
# Configure Web Content Filtering (requires MDE P2 license)
# Managed via Microsoft 365 Defender portal:
# Settings → Endpoints → Web content filtering → Add policy
# Categories to block: Malware, Phishing, Adult content, High bandwidthStep 4: Configure Exploit Protection
# Export current exploit protection settings
Get-ProcessMitigation -RegistryConfigFilePath "C:\Defender\current_mitigations.xml"
# Configure system-level mitigations
Set-ProcessMitigation -System -Enable DEP, SEHOP, ForceRelocateImages, BottomUp
# Configure per-application mitigations
# Example: Harden Microsoft Office against exploitation
Set-ProcessMitigation -Name "WINWORD.EXE" `
-Enable DEP, SEHOP, ForceRelocateImages, CFG, StrictHandle
Set-ProcessMitigation -Name "EXCEL.EXE" `
-Enable DEP, SEHOP, ForceRelocateImages, CFG, StrictHandle
Set-ProcessMitigation -Name "POWERPNT.EXE" `
-Enable DEP, SEHOP, ForceRelocateImages, CFG, StrictHandle
# Import exploit protection configuration from XML template
Set-ProcessMitigation -PolicyFilePath "C:\Defender\exploit_protection_template.xml"Step 5: Configure Cloud-Delivered Protection
# Enable cloud-delivered protection (real-time threat intelligence)
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples
# Enable Block at First Sight (BAFS)
# Requires: Cloud protection enabled + sample submission enabled
Set-MpPreference -DisableBlockAtFirstSeen $false
# Set cloud block timeout to maximum (60 seconds)
Set-MpPreference -CloudBlockLevel High
Set-MpPreference -CloudExtendedTimeout 50
# Enable potentially unwanted application (PUA) protection
Set-MpPreference -PUAProtection EnabledStep 6: Configure Scan and Update Settings
# Configure real-time protection
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -DisableBehaviorMonitoring $false
Set-MpPreference -DisableIOAVProtection $false
Set-MpPreference -DisableScriptScanning $false
# Configure scheduled scan
Set-MpPreference -ScanScheduleQuickScanTime 12:00:00
Set-MpPreference -ScanParameters QuickScan
Set-MpPreference -ScanScheduleDay 0 # Every day
Set-MpPreference -RemediationScheduleDay 0
# Configure signature updates
Set-MpPreference -SignatureUpdateInterval 1 # Check every hour
Set-MpPreference -SignatureFallbackOrder "MicrosoftUpdateServer|MMPC"
# Enable tamper protection (prevents unauthorized changes to Defender settings)
# Managed via Microsoft 365 Defender portal:
# Settings → Endpoints → Advanced features → Tamper Protection: OnStep 7: Deploy via Intune (Enterprise)
Intune Deployment Path:
1. Endpoint Security → Attack Surface Reduction → Create Profile
- Platform: Windows 10 and later
- Profile: Attack surface reduction rules
- Configure each ASR rule to Block or Audit
2. Endpoint Security → Antivirus → Create Profile
- Microsoft Defender Antivirus
- Configure: Cloud protection, PUA, real-time protection
3. Endpoint Security → Antivirus → Create Profile
- Microsoft Defender Antivirus Exclusions
- Add path/process/extension exclusions for LOB apps
4. Devices → Configuration profiles → Create profile
- Endpoint protection → Microsoft Defender Exploit Guard
- Configure: Controlled Folder Access, Network ProtectionStep 8: Monitor in Microsoft 365 Defender Portal
Dashboard monitoring:
1. security.microsoft.com → Reports → Endpoints
- Device health: Protection status across fleet
- ASR rule detections: Which rules are triggering
- Vulnerable devices: Missing security updates
2. Threat analytics:
- Active threat campaigns and Defender coverage
- Recommended security actions
3. Advanced hunting (KQL):
DeviceEvents
| where ActionType startswith "Asr"
| summarize Count=count() by ActionType, FileName
| sort by Count desc
DeviceEvents
| where ActionType == "ControlledFolderAccessViolationBlocked"
| project Timestamp, DeviceName, FileName, FolderPathKey Concepts
| Term | Definition |
|---|---|
| ASR Rules | Attack Surface Reduction rules that block specific high-risk behaviors at the endpoint level |
| Controlled Folder Access | Ransomware protection feature that prevents unauthorized applications from modifying files in protected folders |
| Network Protection | Blocks outbound connections to low-reputation or known-malicious domains using SmartScreen intelligence |
| Exploit Protection | System and per-application memory mitigations (DEP, ASLR, CFG) to prevent exploitation |
| BAFS (Block at First Sight) | Cloud-based zero-day protection that holds suspicious files for cloud analysis before allowing execution |
| Tamper Protection | Prevents unauthorized changes to Defender security settings, even by local administrators |
Tools & Systems
- Microsoft 365 Defender Portal: security.microsoft.com for centralized management and reporting
- Microsoft Intune: Cloud-based endpoint management for Defender policy deployment
- PowerShell (Set-MpPreference): Local configuration of Defender settings
- WDAC (Windows Defender Application Control): Complementary application control technology
- Microsoft Defender for Endpoint API: REST API for automation and custom integrations
Common Pitfalls
- Enabling all ASR rules in Block mode immediately: Some ASR rules cause false positives with legitimate software (Office macros, admin scripts). Always deploy in Audit mode first and monitor for 2-4 weeks.
- Not configuring Controlled Folder Access exclusions: Backup software, database applications, and development tools may be blocked from writing to protected folders. Add exclusions proactively.
- Ignoring tamper protection: Without tamper protection, malware or insiders can disable Defender via PowerShell or registry edits. Enable tamper protection through the M365 Defender portal.
- Running Defender alongside third-party AV: Defender enters passive mode when third-party AV is present. Ensure you are using the intended AV solution and configure Defender appropriately (EDR-only mode if keeping third-party AV).
- Forgetting cloud connectivity requirements: Cloud-delivered protection and BAFS require endpoints to reach Microsoft cloud services. Verify proxy/firewall rules allow Defender cloud traffic.
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 3
api-reference.md1.3 KB
Windows Defender Advanced Settings — API Reference
PowerShell Cmdlets
| Cmdlet | Description |
|---|---|
Get-MpComputerStatus |
Defender service status, signature version |
Get-MpPreference |
All Defender configuration preferences |
Set-MpPreference |
Modify Defender settings |
Get-MpThreatDetection |
Recent threat detections |
Add-MpPreference -AttackSurfaceReductionRules_Ids |
Enable ASR rules |
Critical ASR Rule GUIDs
| GUID | Rule |
|---|---|
be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 |
Block executable from email |
d4f940ab-401b-4efc-aadc-ad5f3c50688a |
Block Office child processes |
3b576869-a4ec-4529-8536-b80a7769e899 |
Block Office executable creation |
5beb7efe-fd9a-4556-801d-275e5ffc04cc |
Block obfuscated scripts |
56a863a9-875e-4185-98a7-b882c64b5ce5 |
Block exploited signed drivers |
ASR Rule Actions
| Value | Action |
|---|---|
| 0 | Disabled |
| 1 | Block |
| 2 | Audit |
| 6 | Warn |
External References
standards.md3.2 KB
Standards & References - Configuring Windows Defender Advanced Settings
Primary Standards
Microsoft Defender for Endpoint Documentation
- Publisher: Microsoft
- URL: https://learn.microsoft.com/en-us/defender-endpoint/
- Scope: Complete reference for MDE deployment, configuration, and management
- Key sections: ASR rules, exploit protection, network protection, controlled folder access
MITRE ATT&CK Mapping for ASR Rules
- Relevance: Each ASR rule maps to specific ATT&CK techniques it mitigates
- Key mappings:
- Block Office child processes → T1566.001 (Spearphishing Attachment)
- Block credential stealing from LSASS → T1003.001 (OS Credential Dumping: LSASS)
- Block PSExec/WMI → T1047 (WMI), T1570 (Lateral Tool Transfer)
- Block WMI persistence → T1546.003 (WMI Event Subscription)
CIS Microsoft Windows 11 Benchmark - Section 18.10
- Publisher: CIS
- Relevance: CIS benchmark sections covering Windows Defender configuration settings
Compliance Mappings
| Framework | Requirement | MDE Coverage |
|---|---|---|
| PCI DSS 4.0 | 5.2 - Anti-malware mechanisms | Defender AV + ASR rules + cloud protection |
| PCI DSS 4.0 | 5.3.1 - Anti-malware kept current | Automatic signature and engine updates |
| NIST 800-53 | SI-3 Malicious Code Protection | Defender real-time protection + BAFS |
| NIST 800-53 | SI-4 System Monitoring | MDE telemetry + advanced hunting |
| HIPAA | 164.308(a)(5)(ii)(B) - Malware protection | Defender AV + ransomware protection |
| ISO 27001 | A.12.2.1 - Controls against malware | Full MDE stack |
| ACSC E8 | Configure Microsoft Office macro settings | ASR rules for Office macro blocking |
ASR Rule Reference
| GUID | Rule Name | Recommended Mode |
|---|---|---|
| BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Block executable content from email | Block |
| D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Block Office child processes | Block |
| 3B576869-A4EC-4529-8536-B80A7769E899 | Block Office from creating executables | Block |
| 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Block Office from injecting into processes | Block |
| D3E037E1-3EB8-44C8-A917-57927947596D | Block JS/VBS launching executables | Block |
| 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Block obfuscated scripts | Audit first |
| 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Block Win32 API calls from macros | Block |
| 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 | Block credential stealing from LSASS | Block |
| D1E49AAC-8F56-4280-B9BA-993A6D77406C | Block PSExec/WMI process creation | Audit first |
| B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 | Block untrusted USB processes | Block |
| E6DB77E5-3DF2-4CF1-B95A-636979351E5B | Block WMI event subscription persistence | Block |
| 56A863A9-875E-4185-98A7-B882C64B5CE5 | Block vulnerable signed drivers | Block |
Supporting References
- ASR Rules Reference: https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference
- Controlled Folder Access: https://learn.microsoft.com/en-us/defender-endpoint/controlled-folders
- Network Protection: https://learn.microsoft.com/en-us/defender-endpoint/network-protection
- Exploit Protection: https://learn.microsoft.com/en-us/defender-endpoint/exploit-protection
workflows.md3.0 KB
Workflows - Configuring Windows Defender Advanced Settings
Workflow 1: ASR Rule Deployment
[Identify ASR rules to deploy]
│
▼
[Deploy all rules in Audit mode via Intune/GPO]
│
▼
[Monitor ASR audit events for 2-4 weeks]
│
├── Review events in M365 Defender portal
├── Identify false positives per rule
│
▼
[Create exclusions for legitimate applications]
│
▼
[Switch low-risk rules to Block mode]
│ (Office rules, email content, USB)
│
▼
[Monitor for 1 week]
│
├── No issues ──► [Switch remaining rules to Block mode]
│
└── Issues found ──► [Add exclusions, maintain Audit mode for affected rules]
│
▼
[Re-evaluate after 2 weeks]Workflow 2: Controlled Folder Access Deployment
[Enable Controlled Folder Access in Audit mode]
│
▼
[Monitor Event ID 1124 for blocked write attempts]
│
▼
[Categorize blocked applications]
│
├── Legitimate business app ──► [Add to allowed applications list]
│
├── Backup/sync software ──► [Add to allowed applications list]
│
└── Unknown/suspicious ──► [Investigate, potentially malicious]
│
▼
[Switch to Enabled (Block) mode]
│
▼
[Add custom protected folders beyond defaults]
│
▼
[Ongoing monitoring via M365 Defender dashboard]Workflow 3: Defender Configuration Audit
[Quarterly Defender Configuration Review]
│
▼
[Export current Defender settings from all endpoints]
│
├── PowerShell: Get-MpPreference | Export-Clixml
├── Intune: Endpoint security reports
│
▼
[Compare against security baseline]
│
├── All settings match baseline ──► [Document compliance, next review]
│
└── Drift detected ──► [Investigate cause]
│
├── Unauthorized change ──► [Security incident, restore settings]
│
└── Authorized exception ──► [Document, update baseline]Workflow 4: False Positive Handling
[User reports blocked application]
│
▼
[Identify which Defender feature blocked it]
│
├── ASR rule ──► [Check ASR event log for specific rule GUID]
│ │
│ ▼
│ [Create ASR exclusion for file/folder/process]
│
├── Controlled Folder ──► [Add application to allowed list]
│
├── Network Protection ──► [Review URL/domain, submit false positive to Microsoft]
│
└── Real-time AV ──► [Submit file for analysis, create AV exclusion if clean]
│
▼
[Deploy exclusion via Intune/GPO]
│
▼
[Verify application works, document exclusion]Scripts 2
agent.py5.0 KB
#!/usr/bin/env python3
"""Windows Defender advanced configuration audit agent."""
import json
import argparse
import subprocess
from datetime import datetime
def get_defender_status():
"""Get Windows Defender status via PowerShell."""
cmd = ["powershell", "-Command", "Get-MpComputerStatus | ConvertTo-Json"]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
return json.loads(result.stdout) if result.stdout.strip() else {"error": "No output"}
except (FileNotFoundError, json.JSONDecodeError, subprocess.TimeoutExpired) as e:
return {"error": str(e)}
def get_defender_preferences():
"""Get Windows Defender preference settings."""
cmd = ["powershell", "-Command", "Get-MpPreference | ConvertTo-Json"]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
return json.loads(result.stdout) if result.stdout.strip() else {"error": "No output"}
except (FileNotFoundError, json.JSONDecodeError, subprocess.TimeoutExpired) as e:
return {"error": str(e)}
def audit_asr_rules():
"""Audit Attack Surface Reduction rules configuration."""
cmd = ["powershell", "-Command",
"Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids | ConvertTo-Json"]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
rule_ids = json.loads(result.stdout) if result.stdout.strip() else []
except (FileNotFoundError, json.JSONDecodeError):
rule_ids = []
critical_asr_rules = {
"be9ba2d9-53ea-4cdc-84e5-9b1eeee46550": "Block executable content from email and webmail",
"d4f940ab-401b-4efc-aadc-ad5f3c50688a": "Block all Office applications from creating child processes",
"3b576869-a4ec-4529-8536-b80a7769e899": "Block Office applications from creating executable content",
"75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84": "Block Office applications from injecting code",
"d3e037e1-3eb8-44c8-a917-57927947596d": "Block JavaScript or VBScript from launching downloaded content",
"5beb7efe-fd9a-4556-801d-275e5ffc04cc": "Block execution of potentially obfuscated scripts",
"92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b": "Block Win32 API calls from Office macros",
"56a863a9-875e-4185-98a7-b882c64b5ce5": "Block abuse of exploited vulnerable signed drivers",
}
configured = set(rule_ids) if isinstance(rule_ids, list) else set()
missing = []
for rule_id, desc in critical_asr_rules.items():
if rule_id not in configured:
missing.append({"rule_id": rule_id, "description": desc, "severity": "HIGH"})
return {"configured_count": len(configured), "missing_critical": missing}
def check_tamper_protection():
"""Check tamper protection status."""
cmd = ["powershell", "-Command",
"(Get-MpComputerStatus).IsTamperProtected"]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=15)
enabled = "true" in result.stdout.strip().lower()
return {"tamper_protection": enabled,
"severity": "CRITICAL" if not enabled else "INFO"}
except (FileNotFoundError, subprocess.TimeoutExpired):
return {"error": "Cannot check tamper protection"}
def run_audit():
"""Execute Windows Defender audit."""
print(f"\n{'='*60}")
print(f" WINDOWS DEFENDER ADVANCED SETTINGS AUDIT")
print(f" Generated: {datetime.utcnow().isoformat()} UTC")
print(f"{'='*60}\n")
status = get_defender_status()
print(f"--- DEFENDER STATUS ---")
if "error" not in status:
print(f" Real-time protection: {status.get('RealTimeProtectionEnabled', 'N/A')}")
print(f" Behavior monitoring: {status.get('BehaviorMonitorEnabled', 'N/A')}")
print(f" Cloud protection: {status.get('OnAccessProtectionEnabled', 'N/A')}")
print(f" Signature version: {status.get('AntivirusSignatureVersion', 'N/A')}")
asr = audit_asr_rules()
print(f"\n--- ASR RULES ---")
print(f" Configured: {asr['configured_count']}")
print(f" Missing critical: {len(asr['missing_critical'])}")
for rule in asr["missing_critical"][:5]:
print(f" [{rule['severity']}] {rule['description']}")
tamper = check_tamper_protection()
print(f"\n--- TAMPER PROTECTION ---")
print(f" Enabled: {tamper.get('tamper_protection', 'N/A')}")
return {"status": status, "asr": asr, "tamper": tamper}
def main():
parser = argparse.ArgumentParser(description="Windows Defender Audit Agent")
parser.add_argument("--audit", action="store_true", help="Run full audit")
parser.add_argument("--output", help="Save report to JSON file")
args = parser.parse_args()
if args.audit:
report = run_audit()
if args.output:
with open(args.output, "w") as f:
json.dump(report, f, indent=2, default=str)
print(f"\n[+] Report saved to {args.output}")
else:
parser.print_help()
if __name__ == "__main__":
main()
process.py9.3 KB
#!/usr/bin/env python3
"""
Windows Defender Configuration Auditor
Collects and audits Microsoft Defender for Endpoint settings across endpoints,
identifies configuration gaps, and generates compliance reports.
"""
import json
import subprocess
import sys
import os
from datetime import datetime
RECOMMENDED_SETTINGS = {
"RealTimeProtectionEnabled": True,
"BehaviorMonitoringEnabled": True,
"IoavProtectionEnabled": True,
"AntispywareEnabled": True,
"AntivirusEnabled": True,
"MAPSReporting": 2, # Advanced
"SubmitSamplesConsent": 3, # SendAllSamples
"PUAProtection": 1, # Enabled
"DisableBlockAtFirstSeen": False,
"CloudBlockLevel": 2, # High
"CloudExtendedTimeout": 50,
"EnableNetworkProtection": 1, # Enabled
"EnableControlledFolderAccess": 1, # Enabled
"SignatureUpdateInterval": 1, # Hourly
}
RECOMMENDED_ASR_RULES = {
"BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550": {"name": "Block executable content from email", "mode": 1},
"D4F940AB-401B-4EFC-AADC-AD5F3C50688A": {"name": "Block Office child processes", "mode": 1},
"3B576869-A4EC-4529-8536-B80A7769E899": {"name": "Block Office executable creation", "mode": 1},
"75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84": {"name": "Block Office code injection", "mode": 1},
"D3E037E1-3EB8-44C8-A917-57927947596D": {"name": "Block JS/VBS launching executables", "mode": 1},
"5BEB7EFE-FD9A-4556-801D-275E5FFC04CC": {"name": "Block obfuscated scripts", "mode": 1},
"92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B": {"name": "Block Win32 API from macros", "mode": 1},
"9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2": {"name": "Block LSASS credential stealing", "mode": 1},
"D1E49AAC-8F56-4280-B9BA-993A6D77406C": {"name": "Block PSExec/WMI processes", "mode": 1},
"B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4": {"name": "Block untrusted USB processes", "mode": 1},
"E6DB77E5-3DF2-4CF1-B95A-636979351E5B": {"name": "Block WMI persistence", "mode": 1},
"56A863A9-875E-4185-98A7-B882C64B5CE5": {"name": "Block vulnerable signed drivers", "mode": 1},
}
def collect_defender_settings() -> dict:
"""Collect current Defender settings via PowerShell."""
ps_cmd = """
$prefs = Get-MpPreference
$status = Get-MpComputerStatus
$result = @{
Preferences = @{
RealTimeProtectionEnabled = $prefs.DisableRealtimeMonitoring -eq $false
BehaviorMonitoringEnabled = $prefs.DisableBehaviorMonitoring -eq $false
IoavProtectionEnabled = $prefs.DisableIOAVProtection -eq $false
AntispywareEnabled = $status.AntispywareEnabled
AntivirusEnabled = $status.AntivirusEnabled
MAPSReporting = $prefs.MAPSReporting
SubmitSamplesConsent = $prefs.SubmitSamplesConsent
PUAProtection = $prefs.PUAProtection
DisableBlockAtFirstSeen = $prefs.DisableBlockAtFirstSeen
CloudBlockLevel = $prefs.CloudBlockLevel
CloudExtendedTimeout = $prefs.CloudExtendedTimeout
EnableNetworkProtection = $prefs.EnableNetworkProtection
EnableControlledFolderAccess = $prefs.EnableControlledFolderAccess
SignatureUpdateInterval = $prefs.SignatureUpdateInterval
}
ASRRules = @{}
Status = @{
AMEngineVersion = $status.AMEngineVersion
AMProductVersion = $status.AMProductVersion
AntispywareSignatureVersion = $status.AntispywareSignatureVersion
AntivirusSignatureVersion = $status.AntivirusSignatureVersion
AntivirusSignatureLastUpdated = $status.AntivirusSignatureLastUpdated.ToString('o')
FullScanEndTime = if($status.FullScanEndTime) { $status.FullScanEndTime.ToString('o') } else { 'Never' }
QuickScanEndTime = if($status.QuickScanEndTime) { $status.QuickScanEndTime.ToString('o') } else { 'Never' }
RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
TamperProtectionSource = $status.IsTamperProtected
}
}
$ids = $prefs.AttackSurfaceReductionRules_Ids
$actions = $prefs.AttackSurfaceReductionRules_Actions
if ($ids -and $actions) {
for ($i=0; $i -lt $ids.Count; $i++) {
$result.ASRRules[$ids[$i].ToString().ToUpper()] = $actions[$i]
}
}
$result | ConvertTo-Json -Depth 3
"""
try:
result = subprocess.run(
["powershell", "-NoProfile", "-Command", ps_cmd],
capture_output=True, text=True, timeout=30,
)
if result.returncode == 0 and result.stdout.strip():
return json.loads(result.stdout)
else:
return {"error": result.stderr or "Failed to collect Defender settings"}
except FileNotFoundError:
return {"error": "PowerShell not available (requires Windows)"}
except subprocess.TimeoutExpired:
return {"error": "PowerShell command timed out"}
except json.JSONDecodeError as e:
return {"error": f"Failed to parse PowerShell output: {e}"}
def audit_settings(settings: dict) -> dict:
"""Audit collected settings against recommended baseline."""
findings = {
"compliant": [],
"non_compliant": [],
"asr_rules": {
"enabled_block": [],
"enabled_audit": [],
"disabled": [],
"missing": [],
},
"score": 0.0,
}
prefs = settings.get("Preferences", {})
total_checks = 0
passed_checks = 0
for setting, expected in RECOMMENDED_SETTINGS.items():
total_checks += 1
actual = prefs.get(setting)
if actual == expected:
passed_checks += 1
findings["compliant"].append({
"setting": setting,
"expected": expected,
"actual": actual,
})
else:
findings["non_compliant"].append({
"setting": setting,
"expected": expected,
"actual": actual,
"severity": "high" if setting in (
"RealTimeProtectionEnabled", "AntivirusEnabled",
"EnableNetworkProtection", "MAPSReporting",
) else "medium",
})
asr_rules = settings.get("ASRRules", {})
for rule_guid, rule_info in RECOMMENDED_ASR_RULES.items():
total_checks += 1
mode = asr_rules.get(rule_guid)
if mode == 1:
passed_checks += 1
findings["asr_rules"]["enabled_block"].append({
"guid": rule_guid, "name": rule_info["name"],
})
elif mode == 2:
findings["asr_rules"]["enabled_audit"].append({
"guid": rule_guid, "name": rule_info["name"],
})
elif mode == 0:
findings["asr_rules"]["disabled"].append({
"guid": rule_guid, "name": rule_info["name"],
})
else:
findings["asr_rules"]["missing"].append({
"guid": rule_guid, "name": rule_info["name"],
})
if total_checks > 0:
findings["score"] = round((passed_checks / total_checks) * 100, 2)
return findings
def generate_report(settings: dict, findings: dict, output_path: str) -> None:
"""Generate configuration audit report."""
report = {
"report_generated": datetime.utcnow().isoformat() + "Z",
"defender_status": settings.get("Status", {}),
"compliance_score": findings["score"],
"total_compliant": len(findings["compliant"]),
"total_non_compliant": len(findings["non_compliant"]),
"asr_summary": {
"block_mode": len(findings["asr_rules"]["enabled_block"]),
"audit_mode": len(findings["asr_rules"]["enabled_audit"]),
"disabled": len(findings["asr_rules"]["disabled"]),
"not_configured": len(findings["asr_rules"]["missing"]),
},
"non_compliant_settings": findings["non_compliant"],
"asr_details": findings["asr_rules"],
}
with open(output_path, "w", encoding="utf-8") as f:
json.dump(report, f, indent=2)
if __name__ == "__main__":
output_dir = sys.argv[1] if len(sys.argv) > 1 else "."
print("Collecting Microsoft Defender settings...")
settings = collect_defender_settings()
if "error" in settings:
print(f"Error: {settings['error']}")
print("This tool requires Windows with Microsoft Defender for Endpoint.")
sys.exit(1)
print("Auditing against recommended baseline...")
findings = audit_settings(settings)
report_path = os.path.join(output_dir, "defender_audit_report.json")
generate_report(settings, findings, report_path)
print(f"Audit report: {report_path}")
print(f"\n--- Defender Configuration Audit ---")
print(f"Compliance Score: {findings['score']}%")
print(f"Compliant settings: {len(findings['compliant'])}")
print(f"Non-compliant: {len(findings['non_compliant'])}")
print(f"\nASR Rules:")
print(f" Block mode: {len(findings['asr_rules']['enabled_block'])}")
print(f" Audit mode: {len(findings['asr_rules']['enabled_audit'])}")
print(f" Disabled: {len(findings['asr_rules']['disabled'])}")
print(f" Not configured: {len(findings['asr_rules']['missing'])}")
if findings["non_compliant"]:
print(f"\nNon-compliant settings requiring remediation:")
for item in findings["non_compliant"]:
print(f" [{item['severity'].upper()}] {item['setting']}: expected={item['expected']}, actual={item['actual']}")