endpoint security

Configuring Windows Defender Advanced Settings

Configures Microsoft Defender for Endpoint (MDE) advanced protection settings including attack surface reduction rules, controlled folder access, network protection, and exploit protection. Use when hardening Windows endpoints beyond default Defender settings, deploying enterprise-grade endpoint protection, or meeting compliance requirements for advanced malware defense. Activates for requests involving Windows Defender configuration, ASR rules, MDE tuning, or Microsoft endpoint security.

asrendpointexploit-protectionmdemicrosoft-defenderwindows-security
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

Use this skill when:

  • Configuring Microsoft Defender for Endpoint (MDE) beyond default settings for enhanced protection
  • Implementing Attack Surface Reduction (ASR) rules to block common attack techniques
  • Enabling controlled folder access for ransomware protection
  • Configuring network protection and exploit protection features
  • Deploying Defender settings via Intune, SCCM, or Group Policy at enterprise scale

Do not use this skill for third-party EDR deployment (CrowdStrike, SentinelOne) or for Microsoft Defender for Cloud (Azure workload protection).

Prerequisites

  • Windows 10/11 Enterprise with Microsoft Defender Antivirus enabled
  • Microsoft 365 E5 or Microsoft Defender for Endpoint Plan 2 license (for full MDE features)
  • Microsoft Intune or SCCM for enterprise policy deployment
  • Microsoft 365 Defender portal access (security.microsoft.com)
  • Endpoints not running third-party AV in active mode (Defender enters passive mode)

Workflow

Step 1: Configure Attack Surface Reduction (ASR) Rules

ASR rules block specific behaviors commonly used by malware and attackers:

# Enable ASR rules via PowerShell (or deploy via Intune/GPO)
# Mode: 0=Disabled, 1=Block, 2=Audit, 6=Warn
 
# Block executable content from email client and webmail
Set-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 `
  -AttackSurfaceReductionRules_Actions 1
 
# Block all Office applications from creating child processes
Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A `
  -AttackSurfaceReductionRules_Actions 1
 
# Block Office applications from creating executable content
Set-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 `
  -AttackSurfaceReductionRules_Actions 1
 
# Block Office applications from injecting code into other processes
Set-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 `
  -AttackSurfaceReductionRules_Actions 1
 
# Block JavaScript or VBScript from launching downloaded executable content
Set-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D `
  -AttackSurfaceReductionRules_Actions 1
 
# Block execution of potentially obfuscated scripts
Set-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC `
  -AttackSurfaceReductionRules_Actions 1
 
# Block Win32 API calls from Office macros
Set-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B `
  -AttackSurfaceReductionRules_Actions 1
 
# Block credential stealing from Windows LSASS
Set-MpPreference -AttackSurfaceReductionRules_Ids 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 `
  -AttackSurfaceReductionRules_Actions 1
 
# Block process creations from PSExec and WMI commands
Set-MpPreference -AttackSurfaceReductionRules_Ids D1E49AAC-8F56-4280-B9BA-993A6D77406C `
  -AttackSurfaceReductionRules_Actions 1
 
# Block untrusted and unsigned processes from USB
Set-MpPreference -AttackSurfaceReductionRules_Ids B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 `
  -AttackSurfaceReductionRules_Actions 1
 
# Block persistence through WMI event subscription
Set-MpPreference -AttackSurfaceReductionRules_Ids E6DB77E5-3DF2-4CF1-B95A-636979351E5B `
  -AttackSurfaceReductionRules_Actions 1
 
# Block abuse of exploited vulnerable signed drivers
Set-MpPreference -AttackSurfaceReductionRules_Ids 56A863A9-875E-4185-98A7-B882C64B5CE5 `
  -AttackSurfaceReductionRules_Actions 1

Step 2: Configure Controlled Folder Access (Ransomware Protection)

# Enable Controlled Folder Access
Set-MpPreference -EnableControlledFolderAccess Enabled
 
# Default protected folders: Documents, Pictures, Videos, Music, Desktop, Favorites
# Add custom protected folders
Add-MpPreference -ControlledFolderAccessProtectedFolders "C:\CriticalData"
Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\SharedDrives"
 
# Allow specific applications to access protected folders
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\CustomApp\app.exe"
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\Backup\backup.exe"
 
# Set to Audit mode first to identify legitimate applications that need access
Set-MpPreference -EnableControlledFolderAccess AuditMode
# Event ID 1124 in Microsoft-Windows-Windows Defender/Operational log

Step 3: Configure Network Protection

# Enable Network Protection (blocks connections to malicious domains/IPs)
Set-MpPreference -EnableNetworkProtection Enabled
 
# Network Protection leverages Microsoft SmartScreen intelligence
# Blocks: phishing sites, exploit hosting domains, C2 domains, malware download URLs
 
# Set to Audit mode first:
Set-MpPreference -EnableNetworkProtection AuditMode
# Event Log: Microsoft-Windows-Windows Defender/Operational, Event ID 1125
 
# Configure Web Content Filtering (requires MDE P2 license)
# Managed via Microsoft 365 Defender portal:
# Settings → Endpoints → Web content filtering → Add policy
# Categories to block: Malware, Phishing, Adult content, High bandwidth

Step 4: Configure Exploit Protection

# Export current exploit protection settings
Get-ProcessMitigation -RegistryConfigFilePath "C:\Defender\current_mitigations.xml"
 
# Configure system-level mitigations
Set-ProcessMitigation -System -Enable DEP, SEHOP, ForceRelocateImages, BottomUp
 
# Configure per-application mitigations
# Example: Harden Microsoft Office against exploitation
Set-ProcessMitigation -Name "WINWORD.EXE" `
  -Enable DEP, SEHOP, ForceRelocateImages, CFG, StrictHandle
 
Set-ProcessMitigation -Name "EXCEL.EXE" `
  -Enable DEP, SEHOP, ForceRelocateImages, CFG, StrictHandle
 
Set-ProcessMitigation -Name "POWERPNT.EXE" `
  -Enable DEP, SEHOP, ForceRelocateImages, CFG, StrictHandle
 
# Import exploit protection configuration from XML template
Set-ProcessMitigation -PolicyFilePath "C:\Defender\exploit_protection_template.xml"

Step 5: Configure Cloud-Delivered Protection

# Enable cloud-delivered protection (real-time threat intelligence)
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples
 
# Enable Block at First Sight (BAFS)
# Requires: Cloud protection enabled + sample submission enabled
Set-MpPreference -DisableBlockAtFirstSeen $false
 
# Set cloud block timeout to maximum (60 seconds)
Set-MpPreference -CloudBlockLevel High
Set-MpPreference -CloudExtendedTimeout 50
 
# Enable potentially unwanted application (PUA) protection
Set-MpPreference -PUAProtection Enabled

Step 6: Configure Scan and Update Settings

# Configure real-time protection
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -DisableBehaviorMonitoring $false
Set-MpPreference -DisableIOAVProtection $false
Set-MpPreference -DisableScriptScanning $false
 
# Configure scheduled scan
Set-MpPreference -ScanScheduleQuickScanTime 12:00:00
Set-MpPreference -ScanParameters QuickScan
Set-MpPreference -ScanScheduleDay 0  # Every day
Set-MpPreference -RemediationScheduleDay 0
 
# Configure signature updates
Set-MpPreference -SignatureUpdateInterval 1  # Check every hour
Set-MpPreference -SignatureFallbackOrder "MicrosoftUpdateServer|MMPC"
 
# Enable tamper protection (prevents unauthorized changes to Defender settings)
# Managed via Microsoft 365 Defender portal:
# Settings → Endpoints → Advanced features → Tamper Protection: On

Step 7: Deploy via Intune (Enterprise)

Intune Deployment Path:
1. Endpoint Security → Attack Surface Reduction → Create Profile
   - Platform: Windows 10 and later
   - Profile: Attack surface reduction rules
   - Configure each ASR rule to Block or Audit
 
2. Endpoint Security → Antivirus → Create Profile
   - Microsoft Defender Antivirus
   - Configure: Cloud protection, PUA, real-time protection
 
3. Endpoint Security → Antivirus → Create Profile
   - Microsoft Defender Antivirus Exclusions
   - Add path/process/extension exclusions for LOB apps
 
4. Devices → Configuration profiles → Create profile
   - Endpoint protection → Microsoft Defender Exploit Guard
   - Configure: Controlled Folder Access, Network Protection

Step 8: Monitor in Microsoft 365 Defender Portal

Dashboard monitoring:
1. security.microsoft.com → Reports → Endpoints
   - Device health: Protection status across fleet
   - ASR rule detections: Which rules are triggering
   - Vulnerable devices: Missing security updates
 
2. Threat analytics:
   - Active threat campaigns and Defender coverage
   - Recommended security actions
 
3. Advanced hunting (KQL):
   DeviceEvents
   | where ActionType startswith "Asr"
   | summarize Count=count() by ActionType, FileName
   | sort by Count desc
 
   DeviceEvents
   | where ActionType == "ControlledFolderAccessViolationBlocked"
   | project Timestamp, DeviceName, FileName, FolderPath

Key Concepts

Term Definition
ASR Rules Attack Surface Reduction rules that block specific high-risk behaviors at the endpoint level
Controlled Folder Access Ransomware protection feature that prevents unauthorized applications from modifying files in protected folders
Network Protection Blocks outbound connections to low-reputation or known-malicious domains using SmartScreen intelligence
Exploit Protection System and per-application memory mitigations (DEP, ASLR, CFG) to prevent exploitation
BAFS (Block at First Sight) Cloud-based zero-day protection that holds suspicious files for cloud analysis before allowing execution
Tamper Protection Prevents unauthorized changes to Defender security settings, even by local administrators

Tools & Systems

  • Microsoft 365 Defender Portal: security.microsoft.com for centralized management and reporting
  • Microsoft Intune: Cloud-based endpoint management for Defender policy deployment
  • PowerShell (Set-MpPreference): Local configuration of Defender settings
  • WDAC (Windows Defender Application Control): Complementary application control technology
  • Microsoft Defender for Endpoint API: REST API for automation and custom integrations

Common Pitfalls

  • Enabling all ASR rules in Block mode immediately: Some ASR rules cause false positives with legitimate software (Office macros, admin scripts). Always deploy in Audit mode first and monitor for 2-4 weeks.
  • Not configuring Controlled Folder Access exclusions: Backup software, database applications, and development tools may be blocked from writing to protected folders. Add exclusions proactively.
  • Ignoring tamper protection: Without tamper protection, malware or insiders can disable Defender via PowerShell or registry edits. Enable tamper protection through the M365 Defender portal.
  • Running Defender alongside third-party AV: Defender enters passive mode when third-party AV is present. Ensure you are using the intended AV solution and configure Defender appropriately (EDR-only mode if keeping third-party AV).
  • Forgetting cloud connectivity requirements: Cloud-delivered protection and BAFS require endpoints to reach Microsoft cloud services. Verify proxy/firewall rules allow Defender cloud traffic.
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 3

api-reference.md1.3 KB

Windows Defender Advanced Settings — API Reference

PowerShell Cmdlets

Cmdlet Description
Get-MpComputerStatus Defender service status, signature version
Get-MpPreference All Defender configuration preferences
Set-MpPreference Modify Defender settings
Get-MpThreatDetection Recent threat detections
Add-MpPreference -AttackSurfaceReductionRules_Ids Enable ASR rules

Critical ASR Rule GUIDs

GUID Rule
be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 Block executable from email
d4f940ab-401b-4efc-aadc-ad5f3c50688a Block Office child processes
3b576869-a4ec-4529-8536-b80a7769e899 Block Office executable creation
5beb7efe-fd9a-4556-801d-275e5ffc04cc Block obfuscated scripts
56a863a9-875e-4185-98a7-b882c64b5ce5 Block exploited signed drivers

ASR Rule Actions

Value Action
0 Disabled
1 Block
2 Audit
6 Warn

External References

standards.md3.2 KB

Standards & References - Configuring Windows Defender Advanced Settings

Primary Standards

Microsoft Defender for Endpoint Documentation

MITRE ATT&CK Mapping for ASR Rules

  • Relevance: Each ASR rule maps to specific ATT&CK techniques it mitigates
  • Key mappings:
    • Block Office child processes → T1566.001 (Spearphishing Attachment)
    • Block credential stealing from LSASS → T1003.001 (OS Credential Dumping: LSASS)
    • Block PSExec/WMI → T1047 (WMI), T1570 (Lateral Tool Transfer)
    • Block WMI persistence → T1546.003 (WMI Event Subscription)

CIS Microsoft Windows 11 Benchmark - Section 18.10

  • Publisher: CIS
  • Relevance: CIS benchmark sections covering Windows Defender configuration settings

Compliance Mappings

Framework Requirement MDE Coverage
PCI DSS 4.0 5.2 - Anti-malware mechanisms Defender AV + ASR rules + cloud protection
PCI DSS 4.0 5.3.1 - Anti-malware kept current Automatic signature and engine updates
NIST 800-53 SI-3 Malicious Code Protection Defender real-time protection + BAFS
NIST 800-53 SI-4 System Monitoring MDE telemetry + advanced hunting
HIPAA 164.308(a)(5)(ii)(B) - Malware protection Defender AV + ransomware protection
ISO 27001 A.12.2.1 - Controls against malware Full MDE stack
ACSC E8 Configure Microsoft Office macro settings ASR rules for Office macro blocking

ASR Rule Reference

GUID Rule Name Recommended Mode
BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Block executable content from email Block
D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block Office child processes Block
3B576869-A4EC-4529-8536-B80A7769E899 Block Office from creating executables Block
75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 Block Office from injecting into processes Block
D3E037E1-3EB8-44C8-A917-57927947596D Block JS/VBS launching executables Block
5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block obfuscated scripts Audit first
92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B Block Win32 API calls from macros Block
9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 Block credential stealing from LSASS Block
D1E49AAC-8F56-4280-B9BA-993A6D77406C Block PSExec/WMI process creation Audit first
B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 Block untrusted USB processes Block
E6DB77E5-3DF2-4CF1-B95A-636979351E5B Block WMI event subscription persistence Block
56A863A9-875E-4185-98A7-B882C64B5CE5 Block vulnerable signed drivers Block

Supporting References

workflows.md3.0 KB

Workflows - Configuring Windows Defender Advanced Settings

Workflow 1: ASR Rule Deployment

[Identify ASR rules to deploy]


[Deploy all rules in Audit mode via Intune/GPO]


[Monitor ASR audit events for 2-4 weeks]

    ├── Review events in M365 Defender portal
    ├── Identify false positives per rule


[Create exclusions for legitimate applications]


[Switch low-risk rules to Block mode]
    │  (Office rules, email content, USB)


[Monitor for 1 week]

    ├── No issues ──► [Switch remaining rules to Block mode]

    └── Issues found ──► [Add exclusions, maintain Audit mode for affected rules]


                         [Re-evaluate after 2 weeks]

Workflow 2: Controlled Folder Access Deployment

[Enable Controlled Folder Access in Audit mode]


[Monitor Event ID 1124 for blocked write attempts]


[Categorize blocked applications]

    ├── Legitimate business app ──► [Add to allowed applications list]

    ├── Backup/sync software ──► [Add to allowed applications list]

    └── Unknown/suspicious ──► [Investigate, potentially malicious]


[Switch to Enabled (Block) mode]


[Add custom protected folders beyond defaults]


[Ongoing monitoring via M365 Defender dashboard]

Workflow 3: Defender Configuration Audit

[Quarterly Defender Configuration Review]


[Export current Defender settings from all endpoints]

    ├── PowerShell: Get-MpPreference | Export-Clixml
    ├── Intune: Endpoint security reports


[Compare against security baseline]

    ├── All settings match baseline ──► [Document compliance, next review]

    └── Drift detected ──► [Investigate cause]

                                ├── Unauthorized change ──► [Security incident, restore settings]

                                └── Authorized exception ──► [Document, update baseline]

Workflow 4: False Positive Handling

[User reports blocked application]


[Identify which Defender feature blocked it]

    ├── ASR rule ──► [Check ASR event log for specific rule GUID]
    │                     │
    │                     ▼
    │                [Create ASR exclusion for file/folder/process]

    ├── Controlled Folder ──► [Add application to allowed list]

    ├── Network Protection ──► [Review URL/domain, submit false positive to Microsoft]

    └── Real-time AV ──► [Submit file for analysis, create AV exclusion if clean]


[Deploy exclusion via Intune/GPO]


[Verify application works, document exclusion]

Scripts 2

agent.py5.0 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Windows Defender advanced configuration audit agent."""

import json
import argparse
import subprocess
from datetime import datetime


def get_defender_status():
    """Get Windows Defender status via PowerShell."""
    cmd = ["powershell", "-Command", "Get-MpComputerStatus | ConvertTo-Json"]
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
        return json.loads(result.stdout) if result.stdout.strip() else {"error": "No output"}
    except (FileNotFoundError, json.JSONDecodeError, subprocess.TimeoutExpired) as e:
        return {"error": str(e)}


def get_defender_preferences():
    """Get Windows Defender preference settings."""
    cmd = ["powershell", "-Command", "Get-MpPreference | ConvertTo-Json"]
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
        return json.loads(result.stdout) if result.stdout.strip() else {"error": "No output"}
    except (FileNotFoundError, json.JSONDecodeError, subprocess.TimeoutExpired) as e:
        return {"error": str(e)}


def audit_asr_rules():
    """Audit Attack Surface Reduction rules configuration."""
    cmd = ["powershell", "-Command",
           "Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids | ConvertTo-Json"]
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
        rule_ids = json.loads(result.stdout) if result.stdout.strip() else []
    except (FileNotFoundError, json.JSONDecodeError):
        rule_ids = []
    critical_asr_rules = {
        "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550": "Block executable content from email and webmail",
        "d4f940ab-401b-4efc-aadc-ad5f3c50688a": "Block all Office applications from creating child processes",
        "3b576869-a4ec-4529-8536-b80a7769e899": "Block Office applications from creating executable content",
        "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84": "Block Office applications from injecting code",
        "d3e037e1-3eb8-44c8-a917-57927947596d": "Block JavaScript or VBScript from launching downloaded content",
        "5beb7efe-fd9a-4556-801d-275e5ffc04cc": "Block execution of potentially obfuscated scripts",
        "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b": "Block Win32 API calls from Office macros",
        "56a863a9-875e-4185-98a7-b882c64b5ce5": "Block abuse of exploited vulnerable signed drivers",
    }
    configured = set(rule_ids) if isinstance(rule_ids, list) else set()
    missing = []
    for rule_id, desc in critical_asr_rules.items():
        if rule_id not in configured:
            missing.append({"rule_id": rule_id, "description": desc, "severity": "HIGH"})
    return {"configured_count": len(configured), "missing_critical": missing}


def check_tamper_protection():
    """Check tamper protection status."""
    cmd = ["powershell", "-Command",
           "(Get-MpComputerStatus).IsTamperProtected"]
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=15)
        enabled = "true" in result.stdout.strip().lower()
        return {"tamper_protection": enabled,
                "severity": "CRITICAL" if not enabled else "INFO"}
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return {"error": "Cannot check tamper protection"}


def run_audit():
    """Execute Windows Defender audit."""
    print(f"\n{'='*60}")
    print(f"  WINDOWS DEFENDER ADVANCED SETTINGS AUDIT")
    print(f"  Generated: {datetime.utcnow().isoformat()} UTC")
    print(f"{'='*60}\n")

    status = get_defender_status()
    print(f"--- DEFENDER STATUS ---")
    if "error" not in status:
        print(f"  Real-time protection: {status.get('RealTimeProtectionEnabled', 'N/A')}")
        print(f"  Behavior monitoring: {status.get('BehaviorMonitorEnabled', 'N/A')}")
        print(f"  Cloud protection: {status.get('OnAccessProtectionEnabled', 'N/A')}")
        print(f"  Signature version: {status.get('AntivirusSignatureVersion', 'N/A')}")

    asr = audit_asr_rules()
    print(f"\n--- ASR RULES ---")
    print(f"  Configured: {asr['configured_count']}")
    print(f"  Missing critical: {len(asr['missing_critical'])}")
    for rule in asr["missing_critical"][:5]:
        print(f"    [{rule['severity']}] {rule['description']}")

    tamper = check_tamper_protection()
    print(f"\n--- TAMPER PROTECTION ---")
    print(f"  Enabled: {tamper.get('tamper_protection', 'N/A')}")

    return {"status": status, "asr": asr, "tamper": tamper}


def main():
    parser = argparse.ArgumentParser(description="Windows Defender Audit Agent")
    parser.add_argument("--audit", action="store_true", help="Run full audit")
    parser.add_argument("--output", help="Save report to JSON file")
    args = parser.parse_args()

    if args.audit:
        report = run_audit()
        if args.output:
            with open(args.output, "w") as f:
                json.dump(report, f, indent=2, default=str)
            print(f"\n[+] Report saved to {args.output}")
    else:
        parser.print_help()


if __name__ == "__main__":
    main()
process.py9.3 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
Windows Defender Configuration Auditor

Collects and audits Microsoft Defender for Endpoint settings across endpoints,
identifies configuration gaps, and generates compliance reports.
"""

import json
import subprocess
import sys
import os
from datetime import datetime


RECOMMENDED_SETTINGS = {
    "RealTimeProtectionEnabled": True,
    "BehaviorMonitoringEnabled": True,
    "IoavProtectionEnabled": True,
    "AntispywareEnabled": True,
    "AntivirusEnabled": True,
    "MAPSReporting": 2,  # Advanced
    "SubmitSamplesConsent": 3,  # SendAllSamples
    "PUAProtection": 1,  # Enabled
    "DisableBlockAtFirstSeen": False,
    "CloudBlockLevel": 2,  # High
    "CloudExtendedTimeout": 50,
    "EnableNetworkProtection": 1,  # Enabled
    "EnableControlledFolderAccess": 1,  # Enabled
    "SignatureUpdateInterval": 1,  # Hourly
}

RECOMMENDED_ASR_RULES = {
    "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550": {"name": "Block executable content from email", "mode": 1},
    "D4F940AB-401B-4EFC-AADC-AD5F3C50688A": {"name": "Block Office child processes", "mode": 1},
    "3B576869-A4EC-4529-8536-B80A7769E899": {"name": "Block Office executable creation", "mode": 1},
    "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84": {"name": "Block Office code injection", "mode": 1},
    "D3E037E1-3EB8-44C8-A917-57927947596D": {"name": "Block JS/VBS launching executables", "mode": 1},
    "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC": {"name": "Block obfuscated scripts", "mode": 1},
    "92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B": {"name": "Block Win32 API from macros", "mode": 1},
    "9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2": {"name": "Block LSASS credential stealing", "mode": 1},
    "D1E49AAC-8F56-4280-B9BA-993A6D77406C": {"name": "Block PSExec/WMI processes", "mode": 1},
    "B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4": {"name": "Block untrusted USB processes", "mode": 1},
    "E6DB77E5-3DF2-4CF1-B95A-636979351E5B": {"name": "Block WMI persistence", "mode": 1},
    "56A863A9-875E-4185-98A7-B882C64B5CE5": {"name": "Block vulnerable signed drivers", "mode": 1},
}


def collect_defender_settings() -> dict:
    """Collect current Defender settings via PowerShell."""
    ps_cmd = """
    $prefs = Get-MpPreference
    $status = Get-MpComputerStatus
    $result = @{
        Preferences = @{
            RealTimeProtectionEnabled = $prefs.DisableRealtimeMonitoring -eq $false
            BehaviorMonitoringEnabled = $prefs.DisableBehaviorMonitoring -eq $false
            IoavProtectionEnabled = $prefs.DisableIOAVProtection -eq $false
            AntispywareEnabled = $status.AntispywareEnabled
            AntivirusEnabled = $status.AntivirusEnabled
            MAPSReporting = $prefs.MAPSReporting
            SubmitSamplesConsent = $prefs.SubmitSamplesConsent
            PUAProtection = $prefs.PUAProtection
            DisableBlockAtFirstSeen = $prefs.DisableBlockAtFirstSeen
            CloudBlockLevel = $prefs.CloudBlockLevel
            CloudExtendedTimeout = $prefs.CloudExtendedTimeout
            EnableNetworkProtection = $prefs.EnableNetworkProtection
            EnableControlledFolderAccess = $prefs.EnableControlledFolderAccess
            SignatureUpdateInterval = $prefs.SignatureUpdateInterval
        }
        ASRRules = @{}
        Status = @{
            AMEngineVersion = $status.AMEngineVersion
            AMProductVersion = $status.AMProductVersion
            AntispywareSignatureVersion = $status.AntispywareSignatureVersion
            AntivirusSignatureVersion = $status.AntivirusSignatureVersion
            AntivirusSignatureLastUpdated = $status.AntivirusSignatureLastUpdated.ToString('o')
            FullScanEndTime = if($status.FullScanEndTime) { $status.FullScanEndTime.ToString('o') } else { 'Never' }
            QuickScanEndTime = if($status.QuickScanEndTime) { $status.QuickScanEndTime.ToString('o') } else { 'Never' }
            RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
            TamperProtectionSource = $status.IsTamperProtected
        }
    }
    $ids = $prefs.AttackSurfaceReductionRules_Ids
    $actions = $prefs.AttackSurfaceReductionRules_Actions
    if ($ids -and $actions) {
        for ($i=0; $i -lt $ids.Count; $i++) {
            $result.ASRRules[$ids[$i].ToString().ToUpper()] = $actions[$i]
        }
    }
    $result | ConvertTo-Json -Depth 3
    """

    try:
        result = subprocess.run(
            ["powershell", "-NoProfile", "-Command", ps_cmd],
            capture_output=True, text=True, timeout=30,
        )
        if result.returncode == 0 and result.stdout.strip():
            return json.loads(result.stdout)
        else:
            return {"error": result.stderr or "Failed to collect Defender settings"}
    except FileNotFoundError:
        return {"error": "PowerShell not available (requires Windows)"}
    except subprocess.TimeoutExpired:
        return {"error": "PowerShell command timed out"}
    except json.JSONDecodeError as e:
        return {"error": f"Failed to parse PowerShell output: {e}"}


def audit_settings(settings: dict) -> dict:
    """Audit collected settings against recommended baseline."""
    findings = {
        "compliant": [],
        "non_compliant": [],
        "asr_rules": {
            "enabled_block": [],
            "enabled_audit": [],
            "disabled": [],
            "missing": [],
        },
        "score": 0.0,
    }

    prefs = settings.get("Preferences", {})
    total_checks = 0
    passed_checks = 0

    for setting, expected in RECOMMENDED_SETTINGS.items():
        total_checks += 1
        actual = prefs.get(setting)

        if actual == expected:
            passed_checks += 1
            findings["compliant"].append({
                "setting": setting,
                "expected": expected,
                "actual": actual,
            })
        else:
            findings["non_compliant"].append({
                "setting": setting,
                "expected": expected,
                "actual": actual,
                "severity": "high" if setting in (
                    "RealTimeProtectionEnabled", "AntivirusEnabled",
                    "EnableNetworkProtection", "MAPSReporting",
                ) else "medium",
            })

    asr_rules = settings.get("ASRRules", {})
    for rule_guid, rule_info in RECOMMENDED_ASR_RULES.items():
        total_checks += 1
        mode = asr_rules.get(rule_guid)

        if mode == 1:
            passed_checks += 1
            findings["asr_rules"]["enabled_block"].append({
                "guid": rule_guid, "name": rule_info["name"],
            })
        elif mode == 2:
            findings["asr_rules"]["enabled_audit"].append({
                "guid": rule_guid, "name": rule_info["name"],
            })
        elif mode == 0:
            findings["asr_rules"]["disabled"].append({
                "guid": rule_guid, "name": rule_info["name"],
            })
        else:
            findings["asr_rules"]["missing"].append({
                "guid": rule_guid, "name": rule_info["name"],
            })

    if total_checks > 0:
        findings["score"] = round((passed_checks / total_checks) * 100, 2)

    return findings


def generate_report(settings: dict, findings: dict, output_path: str) -> None:
    """Generate configuration audit report."""
    report = {
        "report_generated": datetime.utcnow().isoformat() + "Z",
        "defender_status": settings.get("Status", {}),
        "compliance_score": findings["score"],
        "total_compliant": len(findings["compliant"]),
        "total_non_compliant": len(findings["non_compliant"]),
        "asr_summary": {
            "block_mode": len(findings["asr_rules"]["enabled_block"]),
            "audit_mode": len(findings["asr_rules"]["enabled_audit"]),
            "disabled": len(findings["asr_rules"]["disabled"]),
            "not_configured": len(findings["asr_rules"]["missing"]),
        },
        "non_compliant_settings": findings["non_compliant"],
        "asr_details": findings["asr_rules"],
    }

    with open(output_path, "w", encoding="utf-8") as f:
        json.dump(report, f, indent=2)


if __name__ == "__main__":
    output_dir = sys.argv[1] if len(sys.argv) > 1 else "."

    print("Collecting Microsoft Defender settings...")
    settings = collect_defender_settings()

    if "error" in settings:
        print(f"Error: {settings['error']}")
        print("This tool requires Windows with Microsoft Defender for Endpoint.")
        sys.exit(1)

    print("Auditing against recommended baseline...")
    findings = audit_settings(settings)

    report_path = os.path.join(output_dir, "defender_audit_report.json")
    generate_report(settings, findings, report_path)
    print(f"Audit report: {report_path}")

    print(f"\n--- Defender Configuration Audit ---")
    print(f"Compliance Score: {findings['score']}%")
    print(f"Compliant settings: {len(findings['compliant'])}")
    print(f"Non-compliant: {len(findings['non_compliant'])}")
    print(f"\nASR Rules:")
    print(f"  Block mode: {len(findings['asr_rules']['enabled_block'])}")
    print(f"  Audit mode: {len(findings['asr_rules']['enabled_audit'])}")
    print(f"  Disabled: {len(findings['asr_rules']['disabled'])}")
    print(f"  Not configured: {len(findings['asr_rules']['missing'])}")

    if findings["non_compliant"]:
        print(f"\nNon-compliant settings requiring remediation:")
        for item in findings["non_compliant"]:
            print(f"  [{item['severity'].upper()}] {item['setting']}: expected={item['expected']}, actual={item['actual']}")

Assets 1

template.mdtext/markdown · 2.6 KB
Keep exploring