gunnarhaslinger/Windows-Defender-Exploit-Guard-Configuration

Configure Windows Defender ExploitGuard, Reset all ProcessMitigation, Import clean recommended Baseline Configuration

Windows Defender Exploit-Guard Configuration

This script provides:

  • Configure Windows Defender Exploit-Guard by using PowerShell
  • Reset all ProcessMitigations to get a clean (unconfigured) state
  • Import the clean Default-Configuration shipped with the OS
  • Import the clean recommended Baseline Configuration
  • Configure Attack Surface Reduction (ASR) and check the current ASR Configuration

What's the Problem?

Windows 10 v1709 (RS3) includes Windows Defender ExploitGuard (Windows Defender EG), the successor of EMET. There are two PowerShell cmdlets, Get-ProcessMitigation and Set-ProcessMitigation, for configuring Exploit-Guard from scripts, but currently in Windows 10 v1709 (RS3) they have the following bugs and missing functionality:

  • The Get-ProcessMitigation cmdlet does not list executables configured by full path; it only lists those defined by a plain executable name without a path
  • The Set-ProcessMitigation cmdlet has no functionality to delete a single configured process-mitigation or to delete all configured per-process-mitigations, as the EMET command-line tool provided with EMET_Conf --delete <path to executable>, EMET_Conf --delete_apps or EMET_Conf --delete_all
  • Additionally, in the current (tested 26.01.2018) Insider build of Win10 RS4 (v1803) there is a default process-mitigation for CameraBarcodeScannerPreview.exe whose registry permissions grant access only to TrustedInstaller (SYSTEM and Administrators have no rights to modify it, which leads to exceptions / errors)

The Solution:

PowerShell-Script Remove-all-ProcessMitigations.ps1

  • Removes all currently configured ProcessMitigations
  • Can handle ProcessMitigations configured by plain executable name, such as notepad.exe, as well as full-path configurations, such as C:\Windows\system32\notepad.exe
  • Can handle configurations that Administrators cannot modify because their ACLs are set to TrustedInstaller only, by taking ownership and resetting the ACLs to the defaults (inherited ACLs)
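The following is an added example, not the repository's Remove-all-ProcessMitigations.ps1, showing how the three bullets above can be implemented: walk Image File Execution Options (IFEO), delete the per-process mitigation values and the full-path subkeys, and, for an entry whose ACL only lets TrustedInstaller write, take ownership and reset the ACL to the inherited defaults. It assumes the registry layout described in the comments (MitigationOptions / MitigationAuditOptions values under IFEO\<exe>, full-path entries as subkeys with a FilterFullPath value); the TokenPriv class and the Grant-AdminOwnership / Remove-AllProcessMitigations functions are names chosen here.

```powershell
#Requires -RunAsAdministrator
# Added example (not the repository's script). Assumption about the layout: IFEO\<exe> holds the values
# MitigationOptions and MitigationAuditOptions; a full-path configuration is a subkey of IFEO\<exe>
# carrying a FilterFullPath value (this matches the demo output of the repository's script).
$IfeoPath = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Administrators hold SeTakeOwnershipPrivilege, but it is disabled by default, and WRITE_OWNER on a
# TrustedInstaller-owned key is only granted while it is enabled, so enable it via AdjustTokenPrivileges.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenPriv {
    [StructLayout(LayoutKind.Sequential, Pack = 4)]   // TOKEN_PRIVILEGES with one LUID_AND_ATTRIBUTES
    struct TokenPrivileges { public int Count; public long Luid; public int Attributes; }
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string system, string name, out long luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TokenPrivileges newState,
                                             int bufferLength, IntPtr previousState, IntPtr returnLength);
    public static bool Enable(string privilege) {
        IntPtr token;   // TOKEN_ADJUST_PRIVILEGES (0x20) | TOKEN_QUERY (0x08)
        if (!OpenProcessToken(System.Diagnostics.Process.GetCurrentProcess().Handle, 0x28, out token)) return false;
        var tp = new TokenPrivileges { Count = 1, Attributes = 2 };   // SE_PRIVILEGE_ENABLED
        if (!LookupPrivilegeValue(null, privilege, out tp.Luid)) return false;
        // AdjustTokenPrivileges returns true even when the privilege is not held (ERROR_NOT_ALL_ASSIGNED)
        return AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)
               && Marshal.GetLastWin32Error() == 0;
    }
}
'@

function Grant-AdminOwnership {
    param([string]$SubKey)
    $admins = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
    # Step 1: open with WRITE_OWNER only; a fresh RegistrySecurity persists nothing but the owner section.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    $sec = New-Object System.Security.AccessControl.RegistrySecurity
    $sec.SetOwner($admins)
    $key.SetAccessControl($sec)
    $key.Close()
    # Step 2: the owner implicitly holds WRITE_DAC; drop the explicit ACEs and re-enable inheritance so the
    # key ends up with the same inherited ACL as every other IFEO entry.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]'ChangePermissions, ReadPermissions')
    $sec = $key.GetAccessControl()
    foreach ($rule in $sec.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        [void]$sec.RemoveAccessRule($rule)
    }
    $sec.SetAccessRuleProtection($false, $false)
    $key.SetAccessControl($sec)
    $key.Close()
}

function Remove-AllProcessMitigations {
    if (-not [TokenPriv]::Enable('SeTakeOwnershipPrivilege')) { throw 'Could not enable SeTakeOwnershipPrivilege' }
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($IfeoPath, $true)
    foreach ($exe in $root.GetSubKeyNames()) {
        try { $entry = $root.OpenSubKey($exe, $true) }
        catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
            "Taking ownership of protected entry:  {0}" -f $exe
            Grant-AdminOwnership -SubKey "$IfeoPath\$exe"
            $entry = $root.OpenSubKey($exe, $true)
        }
        foreach ($value in 'MitigationOptions', 'MitigationAuditOptions') {
            if ($entry.GetValueNames() -contains $value) {
                "Removing {0} for: {1}" -f $value, $exe
                $entry.DeleteValue($value)
            }
        }
        foreach ($sub in $entry.GetSubKeyNames()) {
            $subKey = $entry.OpenSubKey($sub)
            $fullPath = $subKey.GetValue('FilterFullPath')
            $subKey.Close()
            if ($fullPath) {
                "Removing FullPathEntry: {0} - {1}" -f $exe, $fullPath
                $entry.DeleteSubKeyTree($sub)
            }
        }
        # Delete the IFEO key itself only when nothing else (for example a Debugger value) lives there.
        $isEmpty = ($entry.ValueCount -eq 0 -and $entry.SubKeyCount -eq 0)
        $entry.Close()
        if ($isEmpty) {
            "Removing empty Entry: {0}" -f $exe
            $root.DeleteSubKey($exe)
        }
    }
    $root.Close()
}

Remove-AllProcessMitigations
```

The two-step ACL reset matters: the first SetAccessControl call only needs WRITE_OWNER (which the enabled privilege grants), and once Administrators own the key the second call gets WRITE_DAC for free, so no ACE granting Administrators access has to be written by hand. The empty-key check keeps IFEO entries that exist for other reasons (such as a Debugger value) in place.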

Demonstration of the Output:

PS C:\Temp> .\Remove-all-ProcessMitigations.ps1
Removing MitigationOptions for:       AcroRd32.exe
Removing MitigationAuditOptions for:  AcroRd32.exe
Removing MitigationOptions for:       AcroRd32Info.exe
Removing MitigationAuditOptions for:  AcroRd32Info.exe
Removing MitigationOptions for:       iexplore.exe
Removing MitigationAuditOptions for:  iexplore.exe
Removing FullPathEntry:               notepad.exe - C:\Windows\SysWOW64\notepad.exe
Removing FullPathEntry:               notepad.exe - C:\Windows\notepad.exe
Removing FullPathEntry:               notepad.exe - C:\Windows\System32\notepad.exe
Removing empty Entry:                 notepad.exe
Removing MitigationOptions for:       PresentationHost.exe
Removing MitigationAuditOptions for:  PresentationHost.exe
Removing empty Entry:                 PresentationHost.exe
...

PowerShell-Script Windows10_ExploitGuard-Config.ps1

  • Uses Remove-all-ProcessMitigations.ps1 to remove the existing Configuration
  • Sets the System-Configuration of Exploit-Guard to default
  • Imports the Exploit-Guard Default-Settings of Windows 10 v1703, which are provided by Windows10-v1709_ExploitGuard-DefaultSettings.xml
  • Imports the recommended Baseline-Settings for Windows 10 v1703, which are provided by Windows10-v1709_ExploitGuard-Security-Baseline.xml
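As an added example (not the repository's Windows10_ExploitGuard-Config.ps1), the reset-and-import step followed by a registry check that the imported per-process entries really landed. The check reads the registry rather than Get-ProcessMitigation because, as noted above, that cmdlet does not list full-path entries. Assumptions: the XML is laid out as <MitigationPolicy><AppConfig Executable="..."> with a plain name or a full path; applied settings appear as a MitigationOptions value under IFEO\<exe>, and full-path entries as a subkey with a matching FilterFullPath value; Set-ProcessMitigation -System -Reset restores the OS defaults; the default file name is the one from this repository.

```powershell
#Requires -RunAsAdministrator
# Added example (not the repository's script); see the assumptions in the lead-in above.
param([string]$PolicyFile = '.\Windows10-v1709_ExploitGuard-Security-Baseline.xml')

$Ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Import-ExploitGuardPolicy {
    param([string]$Path)
    Set-ProcessMitigation -System -Reset          # assumption: returns system-wide settings to OS defaults
    Set-ProcessMitigation -PolicyFilePath $Path   # imports system and per-process settings from the XML
}

function Test-ExploitGuardPolicy {
    param([string]$Path)
    [xml]$policy = Get-Content -LiteralPath $Path
    foreach ($app in @($policy.MitigationPolicy.AppConfig)) {
        $exe = $app.Executable
        $keyPath = Join-Path $Ifeo (Split-Path -Leaf $exe)
        if ($exe -match '[\\/]') {
            # full-path configuration: any subkey whose FilterFullPath equals the configured path
            $applied = [bool](Get-ChildItem -LiteralPath $keyPath -ErrorAction SilentlyContinue |
                Where-Object { (Get-ItemProperty -LiteralPath $_.PSPath).FilterFullPath -eq $exe })
        } else {
            # plain executable name: the MitigationOptions value must exist directly under IFEO\<exe>
            $props = Get-ItemProperty -LiteralPath $keyPath -Name MitigationOptions -ErrorAction SilentlyContinue
            $applied = $null -ne $props
        }
        [pscustomobject]@{ Executable = $exe; Applied = $applied }
    }
}

Import-ExploitGuardPolicy -Path $PolicyFile
$result = Test-ExploitGuardPolicy -Path $PolicyFile
$result | Format-Table -AutoSize
$missing = @($result | Where-Object { -not $_.Applied })
if ($missing.Count -gt 0) { Write-Warning ("{0} AppConfig entries were not applied" -f $missing.Count) }
```

Running the check right after the import gives a deterministic pass/fail per executable, which is more useful for a baseline rollout than reading the cmdlet output by eye.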

Source of the XML-Files

  • Windows10-v1709_ExploitGuard-DefaultSettings.xml is taken from a fresh Windows 10 v1709 Machine
  • Windows10-v1803_ExploitGuard-DefaultSettings.xml is taken from a fresh Windows 10 v1803 Machine
  • Windows10-v1809_ExploitGuard-DefaultSettings.xml is taken from a fresh Windows 10 v1809 Machine
  • Windows10-v1903_ExploitGuard-DefaultSettings.xml is taken from a fresh Windows 10 v1903 Machine
  • Windows10-v1909_ExploitGuard-DefaultSettings.xml is taken from a fresh Windows 10 v1909 Machine (but no Changes to v1903)
  • Windows10-v1709_ExploitGuard-Security-Baseline.xml is taken from the official Microsoft v1709 Baseline
  • Windows10-v1803_ExploitGuard-Security-Baseline.xml is taken from the official Microsoft v1803 Baseline
  • Windows10-v1809_ExploitGuard-Security-Baseline.xml is taken from the official Microsoft v1809 Baseline
  • Windows10-v1903_ExploitGuard-Security-Baseline.xml is taken from the official Microsoft v1903 Baseline
  • Windows10-v1909_ExploitGuard-Security-Baseline.xml is taken from the official Microsoft v1909 Baseline
  • Windows10-v2004_ExploitGuard-Security-Baseline.xml is taken from the official Microsoft v2004 Baseline
  • Windows10-v2009_ExploitGuard-Security-Baseline.xml is taken from the official Microsoft v20H2 Baseline
  • Windows10-v2104_ExploitGuard-Security-Baseline.xml is taken from the official Microsoft v21H1 Baseline
  • The Security Baselines and Exploit-Guard Default-Settings of Windows 10 v1909, v2004 and v20H2 seem to be identical (no difference)

Further Information

Links

WD - Exploit Guard - Attack Surface Reduction Rules

Checking the current system configuration for configured Attack Surface Reduction rules (and comparing it to the new desired mode):

GUID                                 Description                                                                                      CurrentMode DesiredMode
----                                 -----------                                                                                      ----------- -----------
01443614-cd74-433a-b99e-2ecdc07bfc25 Block executable files from running unless they meet a prevalence, age, or trusted list criteria Disabled    Disabled
3B576869-A4EC-4529-8536-B80A7769E899 Block Office applications from creating executable content                                       Enabled     Enabled
5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block execution of potentially obfuscated scripts                                                Enabled     Enabled
75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 Block Office applications from injecting code into other processes                               Enabled     Enabled
92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B Block Win32 API calls from Office macro                                                          Enabled     Enabled
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block credential stealing from the Windows local security authority subsystem (lsass.exe)        Disabled    Disabled
b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 Block untrusted and unsigned processes that run from USB                                         AuditMode   AuditMode
BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Block executable content from email client and webmail                                           Enabled     Enabled
c1db55ab-c21a-4637-bb3f-a12568109d35 Use advanced protection against ransomware                                                       Disabled    Disabled
d1e49aac-8f56-4280-b9ba-993a6d77406c Block process creations originating from PSExec and WMI commands                                 AuditMode   AuditMode
D3E037E1-3EB8-44C8-A917-57927947596D Block JavaScript or VBScript from launching downloaded executable content                        Enabled     Enabled
D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block Office applications from creating child processes                                          Enabled     Enabled


Enabling Windows Defender Exploit Guard Attack surface reduction rules

GUID                                 Description                                                                                      Mode
----                                 -----------                                                                                      ----
BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Block executable content from email client and webmail                                           Enabled
D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block Office applications from creating child processes                                          Enabled
3B576869-A4EC-4529-8536-B80A7769E899 Block Office applications from creating executable content                                       Enabled
75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 Block Office applications from injecting code into other processes                               Enabled
D3E037E1-3EB8-44C8-A917-57927947596D Block JavaScript or VBScript from launching downloaded executable content                        Enabled
5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block execution of potentially obfuscated scripts                                                Enabled
92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B Block Win32 API calls from Office macro                                                          Enabled
01443614-cd74-433a-b99e-2ecdc07bfc25 Block executable files from running unless they meet a prevalence, age, or trusted list criteria Disabled
c1db55ab-c21a-4637-bb3f-a12568109d35 Use advanced protection against ransomware                                                       Disabled
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block credential stealing from the Windows local security authority subsystem (lsass.exe)        Disabled
d1e49aac-8f56-4280-b9ba-993a6d77406c Block process creations originating from PSExec and WMI commands                                 AuditMode
b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 Block untrusted and unsigned processes that run from USB                                         AuditMode
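The comparison and enforcement shown in the two tables above, written as an added example (not the repository's script) with Get-MpPreference and Add-MpPreference. The rule GUIDs and descriptions are the twelve from the tables; the desired modes are the DesiredMode column above and are an illustrative choice, not a recommendation of this page. Function names and the $DesiredRules structure are assumptions made here.

```powershell
#Requires -RunAsAdministrator
# Added example (not the repository's script): diff configured ASR rules against a desired set and
# apply only the differences.

# Action codes reported by Get-MpPreference in AttackSurfaceReductionRules_Actions
$ModeName = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }

$DesiredRules = @(
    @{ Guid = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'; Mode = 'Enabled';   Description = 'Block executable content from email client and webmail' }
    @{ Guid = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'; Mode = 'Enabled';   Description = 'Block Office applications from creating child processes' }
    @{ Guid = '3B576869-A4EC-4529-8536-B80A7769E899'; Mode = 'Enabled';   Description = 'Block Office applications from creating executable content' }
    @{ Guid = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'; Mode = 'Enabled';   Description = 'Block Office applications from injecting code into other processes' }
    @{ Guid = 'D3E037E1-3EB8-44C8-A917-57927947596D'; Mode = 'Enabled';   Description = 'Block JavaScript or VBScript from launching downloaded executable content' }
    @{ Guid = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'; Mode = 'Enabled';   Description = 'Block execution of potentially obfuscated scripts' }
    @{ Guid = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'; Mode = 'Enabled';   Description = 'Block Win32 API calls from Office macro' }
    @{ Guid = '01443614-cd74-433a-b99e-2ecdc07bfc25'; Mode = 'Disabled';  Description = 'Block executable files from running unless they meet a prevalence, age, or trusted list criteria' }
    @{ Guid = 'c1db55ab-c21a-4637-bb3f-a12568109d35'; Mode = 'Disabled';  Description = 'Use advanced protection against ransomware' }
    @{ Guid = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'; Mode = 'Disabled';  Description = 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)' }
    @{ Guid = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'; Mode = 'AuditMode'; Description = 'Block process creations originating from PSExec and WMI commands' }
    @{ Guid = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'; Mode = 'AuditMode'; Description = 'Block untrusted and unsigned processes that run from USB' }
)

function Get-AsrRuleState {
    # Returns a hashtable GUID (upper-case) -> mode name for every rule Defender currently has configured
    $pref = Get-MpPreference
    $state = @{}
    if ($null -ne $pref.AttackSurfaceReductionRules_Ids) {
        $ids = @($pref.AttackSurfaceReductionRules_Ids)
        $actions = @($pref.AttackSurfaceReductionRules_Actions)   # positional: n-th action belongs to n-th ID
        for ($i = 0; $i -lt $ids.Count; $i++) {
            $code = [int]$actions[$i]
            $state[$ids[$i].ToUpperInvariant()] = if ($ModeName.ContainsKey($code)) { $ModeName[$code] } else { "Unknown($code)" }
        }
    }
    return $state
}

function Compare-AsrRules {
    param([hashtable]$Current, [array]$Desired)
    foreach ($rule in $Desired) {
        $id = $rule.Guid.ToUpperInvariant()
        $currentMode = if ($Current.ContainsKey($id)) { $Current[$id] } else { 'Disabled' }   # unset rule is not enforced
        [pscustomobject]@{ GUID = $rule.Guid; Description = $rule.Description; CurrentMode = $currentMode; DesiredMode = $rule.Mode }
    }
}

function Set-AsrRules {
    param([array]$Diff)
    $changes = @($Diff | Where-Object { $_.CurrentMode -ne $_.DesiredMode })
    if ($changes.Count -eq 0) { 'All ASR rules are already in the desired mode'; return }
    # Add-MpPreference updates rules that already exist, so only the changed ones are passed
    Add-MpPreference -AttackSurfaceReductionRules_Ids @($changes.GUID) `
                     -AttackSurfaceReductionRules_Actions @($changes.DesiredMode)
    $changes | Format-Table GUID, Description, DesiredMode -AutoSize
}

$diff = Compare-AsrRules -Current (Get-AsrRuleState) -Desired $DesiredRules
$diff | Format-Table GUID, Description, CurrentMode, DesiredMode -AutoSize
Set-AsrRules -Diff $diff
```

Because Add-MpPreference takes parallel ID and action arrays, building both from the same filtered list keeps them aligned; passing every rule each run would also work but hides which rules actually changed.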
