A complete working kit for those who defend the perimeter: validated XML templates, PowerShell scripts with error handling, KQL queries for Sentinel, and real-world attack-blocking scenarios. Everything needed to roll out enterprise protection without unnecessary noise. 🎯
📌 Platform: Windows 11 24H2 | Defender Platform 4.18.26040.7+ | Sentinel/Intune
⚠️ Audit mode is mandatory before Block mode. The scripts require SYSTEM or a local administrator with SeSecurityPrivilege.
🏗️ Architecture and how it works
┌──────────────────────────────────────────────────────────────┐
│ Attack vector                → ASR/AppLocker block            │
├──────────────────────────────────────────────────────────────┤
│ 🔒 Macros from Office        → Block Office macros            │
│ ⚡ PowerShell from WScript    → Block script execution         │
│ 🔑 LSASS dump                → Block credential stealing      │
│ 🔁 Safe Mode reboot          → Block Safe Mode (2026)         │
│ 📋 Copied Sysinternals tools → Block impersonation            │
└──────────────────────────────────────────────────────────────┘
Key components:
- ASR engine: real-time behavioural analysis, integrated with Defender Antivirus
- AppLocker: application launch control based on path, hash or certificate
- Event channel: Microsoft-Windows-Windows Defender/Operational (event IDs 1121 = blocked, 1122 = audited)
- Management: locally (PowerShell/registry), via GPO, via Intune (OMA-URI)
⚠️ Critical limitations (2026):
The rule Block credential stealing from LSASS does not support Warn mode: only Audit → Block
The rule Block executable files... requires Cloud-delivered protection to be enabled
AppLocker and Constrained Language Mode can conflict on Win11 24H2: test on the pilot group first
The rule Block rebooting machine in Safe Mode does not block manual entry through the Windows Recovery Environment
📁 Custom AppLocker XML rules (production-ready)
🔹 Base template with exceptions for legitimate processes
<?xml version="1.0" encoding="utf-8"?>
<AppLockerPolicy Version="1">
  <!-- Rule Ids must be GUIDs (the AppLocker schema rejects free-form strings); the Ids below are
       placeholder GUIDs generated for this template, replace them with your own.
       Path rules accept only the AppLocker variables %WINDIR%, %SYSTEM32%, %OSDRIVE%, %PROGRAMFILES%,
       %REMOVABLE% and %HOT% (not %USERPROFILE%, %TEMP% or %LocalAppData%), so user-profile locations
       are written as %OSDRIVE%\Users\*\... -->
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <!-- ✅ Allow Microsoft-signed binaries (covers the Windows and Program Files system binaries).
         Once a collection contains any rule AppLocker denies everything not explicitly allowed,
         so unsigned third-party software under Program Files needs its own publisher or path rule. -->
    <FilePublisherRule Id="a1f3b6c2-4d5e-4f70-8a91-b2c3d4e5f601" Name="Allow Microsoft Signed Binaries"
        Description="Trusted Microsoft publishers" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
            ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <!-- ✅ Allow the built-in Win11 24H2 applications -->
    <FilePathRule Id="b2e4c7d3-5e6f-4081-9ba2-c3d4e5f60712" Name="Allow Win11 24H2 Built-in Apps"
        Description="Prevent false positives on Notepad, Terminal, Teams" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\WindowsApps\Microsoft.WindowsNotepad_*" />
        <FilePathCondition Path="%PROGRAMFILES%\WindowsApps\Microsoft.WindowsTerminal_*" />
        <FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\Microsoft\Teams\*" />
        <FilePathCondition Path="%PROGRAMFILES%\dotnet\*" />
      </Conditions>
    </FilePathRule>
    <!-- ❌ Deny execution from user-writable folders. Deny rules win over Allow rules, so this also
         stops Microsoft-signed tools copied into Downloads or Temp. -->
    <FilePathRule Id="c3f5d8e4-6f70-4192-8cb3-d4e5f6071823" Name="Block Execution from User Folders"
        Description="Prevent malware execution from profile/temp" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\Users\*\Downloads\*" />
        <FilePathCondition Path="%OSDRIVE%\Users\*\Desktop\*" />
        <FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\Temp\*" />
        <FilePathCondition Path="%OSDRIVE%\Users\Public\*" />
      </Conditions>
      <Exceptions>
        <!-- This exception folder is user-writable; prefer a publisher or hash rule for approved installers. -->
        <FilePathCondition Path="%OSDRIVE%\Users\*\Downloads\CompanyApprovedInstallers\*" />
      </Exceptions>
    </FilePathRule>
  </RuleCollection>
  <!-- 🔹 DLL rules (optional); kept in AuditOnly because DLL enforcement is noisy and costly -->
  <RuleCollection Type="Dll" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="d4a6e9f5-7081-42a3-9dc4-e5f607182934" Name="Allow Microsoft DLLs"
        Description="Trusted Microsoft DLLs" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
            ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
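Before the template above is merged into a live policy it is worth dry-running it against known-good and known-bad paths. The script below is an added example, not part of the kit, and uses the real Test-AppLockerPolicy cmdlet; the policy file location, the expectation list and the stub-file trick are assumptions chosen for illustration.

```powershell
# Added example: evaluate an AppLocker policy XML offline with Test-AppLockerPolicy and compare
# the decisions with what the template is meant to do, before Set-AppLockerPolicy touches the host.
param(
    [string]$PolicyPath = "C:\Policies\AppLocker_Baseline.xml"   # assumed location of the XML above
)

# Constructed expectations: paths that must stay allowed and paths that must be denied.
$Expectations = @(
    @{ Path = "$env:windir\System32\notepad.exe";                            Expect = 'Allowed' },
    @{ Path = "$env:windir\System32\WindowsPowerShell\v1.0\powershell.exe"; Expect = 'Allowed' },
    @{ Path = "$env:USERPROFILE\Downloads\installer.exe";                    Expect = 'Denied'  },
    @{ Path = "$env:TEMP\dropper.exe";                                       Expect = 'Denied'  },
    @{ Path = "$env:SystemDrive\Users\Public\tool.exe";                      Expect = 'Denied'  }
)

function Test-PolicyExpectations {
    param([string]$Xml, [object[]]$Cases, [string]$User = 'Everyone')
    foreach ($case in $Cases) {
        $created = $false
        # Test-AppLockerPolicy reads the file to evaluate hash/publisher conditions, so an empty
        # stub file stands in for paths that should not exist on the admin workstation.
        if (-not (Test-Path -LiteralPath $case.Path)) {
            New-Item -ItemType File -Path $case.Path -Force | Out-Null
            $created = $true
        }
        try {
            $decision = [string](Test-AppLockerPolicy -XmlPolicy $Xml -Path $case.Path -User $User).PolicyDecision
        } finally {
            if ($created) { Remove-Item -LiteralPath $case.Path -Force }
        }
        # DeniedByDefault counts as a deny: AppLocker denies anything no Allow rule covers
        $actual = switch -Wildcard ($decision) {
            'Denied*'  { 'Denied' }
            'Allowed*' { 'Allowed' }
            default    { $decision }
        }
        [PSCustomObject]@{
            Path     = $case.Path
            Expected = $case.Expect
            Actual   = $actual
            Pass     = ($actual -eq $case.Expect)
        }
    }
}

$report = @(Test-PolicyExpectations -Xml $PolicyPath -Cases $Expectations)
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass }) {
    Write-Error "Policy does not meet expectations; do not deploy."
    exit 1
}
Write-Host "All $($report.Count) expectations met." -ForegroundColor Green
```

Run it on the admin workstation with the policy file as the only argument; a non-zero exit code is the signal for a pipeline to stop before the deployment script runs.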
🔹 Deployment with validation and logging
<#
.SYNOPSIS
    Deploy an AppLocker policy with validation, backup and automatic rollback.
.NOTES
    Requires SYSTEM or a local administrator with SeSecurityPrivilege.
    Set-AppLockerPolicy -XmlPolicy expects the path of the XML file, not its contents.
#>
param(
    [Parameter(Mandatory=$true)][string]$PolicyPath,
    [Parameter(Mandatory=$false)][string]$LogPath = "C:\Logs\AppLocker_Deploy.log",
    [Parameter(Mandatory=$false)][switch]$WhatIf
)
function Write-Log {
    param([string]$Message, [string]$Level = "INFO")
    $Timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    $Entry = "[$Timestamp] [$Level] $Message"
    # the log directory may not exist on a fresh host
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    Add-Content -Path $LogPath -Value $Entry -Force
    if ($Level -eq "ERROR") { Write-Error $Message } else { Write-Host $Entry }
}
$CurrentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $CurrentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Log "Требуется запуск от имени администратора или SYSTEM" "ERROR"
    exit 1
}
if (-not (Test-Path $PolicyPath)) {
    Write-Log "Policy file not found: $PolicyPath" "ERROR"
    exit 1
}
$BackupPath = $null
try {
    # parse the XML first: a malformed file fails here, before anything on the host is changed
    [xml]$XmlDoc = Get-Content $PolicyPath -Raw -ErrorAction Stop
    if ($XmlDoc.DocumentElement.Name -ne 'AppLockerPolicy') {
        throw "Root element is '$($XmlDoc.DocumentElement.Name)', expected 'AppLockerPolicy'"
    }
    $Collections = @($XmlDoc.AppLockerPolicy.RuleCollection)
    $RuleCount = ($Collections | ForEach-Object { @($_.ChildNodes | Where-Object NodeType -eq 'Element').Count } | Measure-Object -Sum).Sum
    Write-Log "Policy parsed: $RuleCount rule(s) in $($Collections.Count) collection(s)" "INFO"
    if ($WhatIf) {
        Write-Log "[WHATIF] Policy validation passed. No changes applied." "INFO"
        exit 0
    }
    # snapshot the local policy (the one Set-AppLockerPolicy modifies) before merging
    $BackupPath = "C:\Backups\AppLocker_$(Get-Date -Format 'yyyyMMdd_HHmmss').xml"
    New-Item -ItemType Directory -Path (Split-Path $BackupPath) -Force | Out-Null
    Export-AppLockerPolicy -Local -Xml | Out-File $BackupPath -Encoding UTF8
    Write-Log "Backup created: $BackupPath" "INFO"
    Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge -ErrorAction Stop
    Write-Log "Policy deployed successfully from: $PolicyPath" "INFO"
    gpupdate /force /target:computer | Out-Null
} catch {
    Write-Log "Deployment failed: $($_.Exception.Message)" "ERROR"
    if ($BackupPath -and (Test-Path $BackupPath)) {
        # restore the snapshot as a whole (no -Merge) so that partially merged rules are dropped
        Set-AppLockerPolicy -XmlPolicy $BackupPath -ErrorAction SilentlyContinue
        Write-Log "Auto-rollback completed from: $BackupPath" "WARN"
    }
    exit 1
}
🎯 ASR rules: full list with rollout priorities
High priority
- 🔒 Block Office apps from creating executable content | GUID: 3b576869-a4ec-4529-8536-b80a7769e899 | Mode: Block | Standard, low noise
- ⚡ Block execution of potentially obfuscated scripts | GUID: 5beb7efe-fd9a-4556-801d-275e5ffc04cc | Mode: Block | Standard
- 🌐 Block JavaScript or VBScript from launching downloaded executable content | GUID: d3e037e1-3eb8-44c8-a917-57927947596d | Mode: Block | Standard
Medium priority
- 📦 Block executable files from running unless they meet prevalence, age, or trusted list criterion | GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25 | Mode: Audit → Block | ⚠️ Requires Cloud-delivered protection
- 🔧 Block process creations originating from PSExec and WMI commands | GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c | Mode: Audit → Block | Test for 7 days
- 📋 Block use of copied or impersonated system tools (2026) | GUID: c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb | Mode: Block | ⚠️ Does not support Warn
Low priority
- 🔁 Block rebooting machine in Safe Mode (2026) | GUID: 33ddedf1-c6e0-47cb-833e-de6133960387 | Mode: Block | ⚠️ Does not block manual entry through WinRE
⚠️ Special case
- 🔑 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Mode: Block | ⚠️ Does not support Warn; high audit noise
💡 Important: rules marked "Does not support Warn" cannot be trialled in warning mode; the only path is Audit → Block.
⚙️ PowerShell scripts: collection, analysis, rollback
🔹 Collecting ASR events (1121/1122) with filtering and export
<#
.SYNOPSIS
    Collect and export ASR events (1121 = blocked, 1122 = audited) for SIEM integration.
.NOTES
    Requires SYSTEM or a local administrator with SeSecurityPrivilege.
    Output: JSON matching the DefenderASR_CL schema used by the Sentinel queries below.
    EventData fields are read by Name (ID, User, Path, Process Name), not by position:
    the order and number of Data elements differ between Defender platform versions.
#>
param(
    [int]$HoursBack = 24,
    [string]$OutputPath = "C:\Logs\ASR_Export_$(Get-Date -Format 'yyyyMMdd_HHmmss').json",
    [string]$SIEMEndpoint = $null,
    [string]$SIEMToken = $null
)
$CurrentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $CurrentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error "Требуется запуск от имени администратора или SYSTEM"
    exit 1
}
# the event carries only the rule GUID; names for the rules covered by this kit
$RuleNames = @{
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office apps from creating executable content'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files from running unless they meet prevalence, age, or trusted list criterion'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    'c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb' = 'Block use of copied or impersonated system tools'
    '33ddedf1-c6e0-47cb-833e-de6133960387' = 'Block rebooting machine in Safe Mode'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)'
}
# Get-WinEvent compares StartTime in local time; converting it to UTC would shift the window
$StartTime = (Get-Date).AddHours(-$HoursBack)
$LogName = 'Microsoft-Windows-Windows Defender/Operational'
$ScriptName = $MyInvocation.MyCommand.Name
$Events = @()
try {
    $Events = @(Get-WinEvent -FilterHashtable @{
        LogName   = $LogName
        ID        = 1121, 1122
        StartTime = $StartTime
    } -ErrorAction Stop | ForEach-Object {
        $Xml = [xml]$_.ToXml()
        $Data = @{}
        foreach ($d in $Xml.Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }
        $Guid = ([string]$Data['ID']).Trim('{}').ToLower()
        $ProcessPath = $Data['Process Name']
        # the event carries no hash; compute SHA-256 of the process image if it is still on disk
        $Sha256 = if ($ProcessPath -and (Test-Path -LiteralPath $ProcessPath)) {
            (Get-FileHash -LiteralPath $ProcessPath -Algorithm SHA256).Hash
        } else { $null }
        # 'User' is DOMAIN\name; resolve it to a SID for joins with SecurityEvent
        $UserSid = try {
            (New-Object System.Security.Principal.NTAccount($Data['User'])).Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { 'UNKNOWN' }
        [PSCustomObject]@{
            time          = $_.TimeCreated.ToUniversalTime().ToString('o')
            computer      = $env:COMPUTERNAME
            event_id      = $_.Id
            action        = if ($_.Id -eq 1121) { 'block' } else { 'audit' }
            rule_name     = if ($RuleNames.ContainsKey($Guid)) { $RuleNames[$Guid] } else { 'UNKNOWN' }
            rule_guid     = $Guid
            process_path  = $ProcessPath
            target_path   = $Data['Path']
            user_sid      = $UserSid
            user_name     = $Data['User']
            sha256        = $Sha256
            custom_fields = @{
                source_script   = $ScriptName
                collection_time = (Get-Date).ToUniversalTime().ToString('o')
            }
        }
    })
} catch {
    # an empty result is not a failure: Get-WinEvent throws when nothing matches the filter
    if ($_.Exception.Message -notlike '*No events were found*') {
        Write-Error "Failed to query events: $($_.Exception.Message)"
        exit 1
    }
}
New-Item -ItemType Directory -Path (Split-Path $OutputPath) -Force | Out-Null
$ExportData = @{
    schema_version = "1.0"
    source         = "Defender-ASR-Collector"
    records        = $Events
} | ConvertTo-Json -Depth 10 -Compress
$ExportData | Out-File $OutputPath -Encoding UTF8 -Force
Write-Host "[$(Get-Date)] Exported $($Events.Count) events to $OutputPath"
if ($SIEMEndpoint -and $SIEMToken) {
    try {
        Invoke-RestMethod -Uri $SIEMEndpoint -Method Post -Body $ExportData `
            -ContentType 'application/json' -Headers @{ "Authorization" = "Bearer $SIEMToken" } `
            -TimeoutSec 30 -ErrorAction Stop
        Write-Host "[$(Get-Date)] Sent to SIEM successfully"
    } catch {
        # keep the batch for a retry instead of losing it
        Write-Warning "Failed to send to SIEM: $($_.Exception.Message)"
        $QueuePath = $OutputPath -replace '\.json$', '.pending'
        $ExportData | Out-File $QueuePath -Encoding UTF8 -Force
    }
}
🔹 Bulk configuration of ASR rules from a configuration file
<#
.SYNOPSIS
    Apply ASR rules in bulk from a JSON config.
.NOTES
    Modes: 0=Off, 1=Block, 2=Audit, 5=Not Configured, 6=Warn
    Rules that do not support Warn are skipped when mode=6.
    Add-MpPreference is used on purpose: Set-MpPreference with the ASR parameters replaces the
    whole rule list, so applying rules one at a time with it would drop the ones set earlier.
#>
param(
    [Parameter(Mandatory=$true)][string]$ConfigPath,
    [switch]$DryRun
)
$Config = Get-Content $ConfigPath -Raw | ConvertFrom-Json
$ValidModes = @(0,1,2,5,6)
# rules marked "does not support Warn" in the list above: LSASS credential stealing, copied/impersonated system tools
$NoWarnRules = @(
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',
    'c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb'
)
foreach ($Rule in $Config.rules) {
    if ($Rule.guid -notmatch '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$') {
        Write-Warning "Invalid GUID format: $($Rule.guid)"
        continue
    }
    if ($Rule.mode -notin $ValidModes) {
        Write-Warning "Invalid mode for $($Rule.guid): $($Rule.mode)"
        continue
    }
    if ($Rule.mode -eq 6 -and $Rule.guid -in $NoWarnRules) {
        Write-Warning "Rule $($Rule.guid) does not support Warn mode. Skipping."
        continue
    }
    if ($Rule.guid -eq '01443614-cd74-433a-b99e-2ecdc07bfc25') {
        # cloud-delivered protection is the MAPSReporting setting (0 = disabled);
        # CloudBlockLevel is a numeric aggressiveness level, not the on/off switch
        $CloudEnabled = (Get-MpPreference).MAPSReporting -ne 0
        if (-not $CloudEnabled -and $Rule.mode -eq 1) {
            Write-Warning "Rule $($Rule.guid) requires Cloud-delivered protection (MAPSReporting is 0)"
        }
    }
    if ($DryRun) {
        Write-Host "[DRYRUN] Would set rule $($Rule.guid) to mode $($Rule.mode)" -ForegroundColor Yellow
        continue
    }
    try {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $Rule.guid `
            -AttackSurfaceReductionRules_Actions $Rule.mode `
            -ErrorAction Stop
        Write-Host "[OK] Applied rule $($Rule.guid) = $($Rule.mode)" -ForegroundColor Green
    } catch {
        Write-Error "Failed to apply rule $($Rule.guid): $($_.Exception.Message)"
    }
}
📝 Example config asr_config.json:
{
"description": "ASR baseline for production - Phase 1",
"rules": [
{ "guid": "3b576869-a4ec-4529-8536-b80a7769e899", "mode": 1, "comment": "Block Office macros" },
{ "guid": "5beb7efe-fd9a-4556-801d-275e5ffc04cc", "mode": 1, "comment": "Block obfuscated scripts" },
{ "guid": "d3e037e1-3eb8-44c8-a917-57927947596d", "mode": 2, "comment": "Audit JS/VBS download exec" },
{ "guid": "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2", "mode": 1, "comment": "Block LSASS steal (no Warn)" }
]
}
⚙️ Sentinel integration: schema + KQL + alert rules
🔹 Schema mapping for the custom table DefenderASR_CL (column set; in Log Analytics a custom table is created through the Tables API or a Data Collection Rule rather than with .create table, and it also carries the mandatory TimeGenerated column. time is the event's own timestamp from the collector.)
.create table DefenderASR_CL (
    time: datetime,
    computer: string,
    event_id: int,
    action: string,
    rule_name: string,
    rule_guid: string,
    process_path: string,
    target_path: string,
    user_sid: string,
    user_name: string,
    sha256: string,
    custom_fields: dynamic
)
🔹 KQL queries for detection and investigation
// 🔍 Query 1: mass blocks of a single process (anomaly)
// take_any() keeps one representative user/computer so the alert rule can map entities
DefenderASR_CL
| where action == 'block'
| summarize
    BlockCount = count(),
    Users = dcount(user_name),
    Computers = dcount(computer),
    FirstSeen = min(time),
    LastSeen = max(time),
    SampleUser = take_any(user_name),
    SampleComputer = take_any(computer)
    by process_path, rule_guid, rule_name
| where BlockCount > 10 or Users > 5 or Computers > 3
| extend RiskScore = case(
    BlockCount > 50, 95,
    BlockCount > 20 and Users > 10, 85,
    Computers > 5, 75,
    50
)
| project TimeGenerated = LastSeen, process_path, rule_guid, rule_name, BlockCount, Users, Computers, RiskScore, SampleUser, SampleComputer
| order by RiskScore desc, BlockCount desc
-------------------------------------------------
// 🔍 Query 2: attempts to evade by copying system utilities
DefenderASR_CL
| where rule_guid == 'c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb'
| extend FileName = extract(@'\\([^\\]+)$', 1, process_path)
| where FileName matches regex @"(?i)(psexec|procdump|mimikatz|bloodhound|adconnectdump)"
| summarize Attempts = count(), UniqueUsers = dcount(user_name), LastSeen = max(time) by computer, FileName
| where Attempts > 3
| project TimeGenerated = LastSeen, computer, FileName, Attempts, UniqueUsers
-------------------------------------------------
// 🔍 Query 3: correlation with other security events
// the right side is projected to distinct column names so the joined rows can be
// referenced directly (Table.column syntax is not valid after a join)
DefenderASR_CL
| where action == 'block'
| join kind=inner (
    SecurityEvent
    | where EventID in (4688, 4624, 4625)
    | project EventTime = TimeGenerated, Computer, SubjectUserSid, EventID,
              ProcessName = extract(@'\\([^\\]+)$', 1, coalesce(NewProcessName, ProcessName))
) on $left.computer == $right.Computer, $left.user_sid == $right.SubjectUserSid
| where datetime_diff('minute', time, EventTime) between (-5 .. 5)
| summarize
    ASR_Blocks = dcount(time),            // distinct block events, not joined rows
    LogonFailures = countif(EventID == 4625),
    Processes = make_set(ProcessName)
    by computer, user_name
| where ASR_Blocks > 5 or LogonFailures > 10
🔹 Alert rule for Sentinel (JSON export)
{
  "name": "ASR_Mass_Block_Anomaly",
  "description": "Detects mass blocking of a single process across multiple users/computers",
  "query": "// paste the KQL of Query 1 above",
  "queryFrequency": "PT1H",
  "queryPeriod": "PT1H",
  "triggerOperator": "GreaterThan",
  "triggerThreshold": 0,
  "severity": "Medium",
  "tactics": ["DefenseEvasion", "Execution"],
  "techniques": ["T1059", "T1105"],
  "alertRuleTemplateName": "ASR-Anomaly-Detection",
  "customDetails": {
    "RuleGUID": "{{rule_guid}}",
    "ProcessPath": "{{process_path}}",
    "RiskScore": "{{RiskScore}}"
  },
  "entityMappings": [
    { "entityType": "Account", "fieldMappings": [{ "identifier": "FullName", "columnName": "SampleUser" }] },
    { "entityType": "Host", "fieldMappings": [{ "identifier": "HostName", "columnName": "SampleComputer" }] },
    { "entityType": "File", "fieldMappings": [{ "identifier": "Path", "columnName": "process_path" }] }
  ]
}
↩️ Rollback scenarios
🔹 Rollback via the Defender preference cmdlets (ASR)
<#
.SYNOPSIS
    Reset one or all ASR rules of this kit to 'Not Configured'.
.NOTES
    Requires SYSTEM or a local administrator with SeSecurityPrivilege.
    Remove-MpPreference deletes only the named rule entry, which leaves it Not Configured;
    rules pushed by GPO/Intune come back on the next policy refresh, so roll those back at the source.
#>
param(
    [string]$RuleGuid = $null,
    [switch]$Prompt     # ask before each rule (named Prompt to avoid clashing with the common -Confirm parameter)
)
$AllASRRules = @(
    '3b576869-a4ec-4529-8536-b80a7769e899', '5beb7efe-fd9a-4556-801d-275e5ffc04cc',
    'd3e037e1-3eb8-44c8-a917-57927947596d', '01443614-cd74-433a-b99e-2ecdc07bfc25',
    'd1e49aac-8f56-4280-b9ba-993a6d77406c', 'c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb',
    '33ddedf1-c6e0-47cb-833e-de6133960387', '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
)
$RulesToReset = if ($RuleGuid) { @($RuleGuid) } else { $AllASRRules }
foreach ($Guid in $RulesToReset) {
    if ($Prompt) {
        $Response = Read-Host "Reset rule $Guid to 'Not Configured'? (y/N)"
        if ($Response -ne 'y') { continue }
    }
    try {
        Remove-MpPreference -AttackSurfaceReductionRules_Ids $Guid -ErrorAction Stop
        Write-Host "[OK] Reset rule $Guid to Not Configured" -ForegroundColor Green
    } catch {
        Write-Error "Failed to reset rule $Guid`: $($_.Exception.Message)"
    }
}
🔹 Rollback via the registry (alternative method)
<#
.SYNOPSIS
    Direct management of the ASR policy registry values (requires SYSTEM).
.NOTES
    Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
    Each rule is a value named by its GUID whose data is the action, not a subkey.
    This is the GPO/Intune policy location: a managed device gets the values back on the next refresh.
#>
param(
    [string]$RuleGuid,
    [switch]$RemoveAll
)
$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
if (-not (Test-Path $RegPath)) {
    Write-Host "[Info] No ASR policy values present at $RegPath" -ForegroundColor Cyan
    exit 0
}
$Key = Get-Item -Path $RegPath
if ($RemoveAll) {
    # enumerate the value names (GetValueNames), not PowerShell's PS* metadata properties
    $Key.GetValueNames() |
        Where-Object { $_ -match '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$' } |
        ForEach-Object {
            Remove-ItemProperty -Path $RegPath -Name $_ -Force -ErrorAction SilentlyContinue
            Write-Host "[Removed] $_" -ForegroundColor Yellow
        }
} elseif ($RuleGuid -and ($Key.GetValueNames() -contains $RuleGuid)) {
    Remove-ItemProperty -Path $RegPath -Name $RuleGuid -Force -ErrorAction Stop
    Write-Host "[Removed] $RuleGuid" -ForegroundColor Yellow
} else {
    Write-Warning "Rule '$RuleGuid' is not set in the policy key"
}
# Defender re-reads policy on refresh; the service restart is refused while Tamper Protection is on
gpupdate /force /target:computer | Out-Null
Restart-Service WinDefend -Force -ErrorAction SilentlyContinue
Write-Host "[Info] Policy refreshed" -ForegroundColor Cyan
🧪 Testing and validation
🔹 Pre-production testing checklist
☐ Export the baseline policy: Export-AppLockerPolicy -Xml
☐ Deploy to a pilot group (50-100 devices)
☐ Run the standard rules in Audit for 7-14 days
☐ Collect events with the script, export to Sentinel
☐ Analyse with the KQL queries: look for anomalies
☐ Verify false positives (legitimate processes)
☐ Add exclusions through AttackSurfaceReductionOnlyExclusions
☐ Move to Block in stages (one rule per week)
☐ Configure the alert rules in Sentinel
☐ Document every change with a hash and a timestamp
☐ ⚠️ Validate AppLocker + Constrained Language Mode compatibility on Win11 24H2
☐ ⚠️ Check Cloud-delivered protection for the prevalence-based rule
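The exclusion step above is where audit-phase false positives turn into permanent gaps if handled carelessly. The script below is an added example, not one of the kit's scripts: it adds or removes a single ASR-only exclusion with the real Add-MpPreference / Remove-MpPreference cmdlets, refuses directory exclusions inside user profiles, and writes the hash-and-timestamp record the checklist asks for. The ticket reference, the log path and the refusal policy are assumptions for illustration.

```powershell
# Added example: manage one ASR-only exclusion for a verified false positive and log it with SHA-256 + timestamp.
param(
    [Parameter(Mandatory=$true)][string]$Path,                   # file or folder that produced the false positive
    [string]$Reason = "TICKET-0000 verified false positive",     # placeholder change reference
    [string]$LogPath = "C:\Logs\ASR_Exclusions.log",
    [switch]$Remove
)

function Get-ExclusionRecord {
    param([string]$Target, [string]$Action, [string]$Why)
    # Only files are hashed; a folder is recorded without a hash so the log shows what was really excluded.
    $hash = if (Test-Path -LiteralPath $Target -PathType Leaf) {
        (Get-FileHash -LiteralPath $Target -Algorithm SHA256).Hash
    } else { 'N/A (directory)' }
    [PSCustomObject]@{
        time     = (Get-Date).ToUniversalTime().ToString('o')
        action   = $Action
        path     = $Target
        sha256   = $hash
        operator = "$env:USERDOMAIN\$env:USERNAME"
        reason   = $Why
    }
}

$current = @((Get-MpPreference).AttackSurfaceReductionOnlyExclusions)
if ($Remove) {
    if ($current -notcontains $Path) { Write-Warning "Not excluded: $Path"; exit 0 }
    # Remove-MpPreference deletes only the named entry and leaves the rest of the list intact
    Remove-MpPreference -AttackSurfaceReductionOnlyExclusions $Path -ErrorAction Stop
    $record = Get-ExclusionRecord -Target $Path -Action 'remove' -Why $Reason
} else {
    if ($current -contains $Path) { Write-Warning "Already excluded: $Path"; exit 0 }
    # A folder exclusion under a user-writable location exempts anything dropped there later,
    # so this example refuses it and asks for a file-level exclusion instead (assumed policy).
    if ((Test-Path -LiteralPath $Path -PathType Container) -and ($Path -like "$env:SystemDrive\Users\*")) {
        throw "Refusing a directory exclusion inside a user profile; exclude the specific file instead."
    }
    # Add-MpPreference appends; Set-MpPreference would replace the whole exclusion list
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $Path -ErrorAction Stop
    $record = Get-ExclusionRecord -Target $Path -Action 'add' -Why $Reason
}

New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
$record | ConvertTo-Json -Compress | Add-Content -Path $LogPath
$record | Format-List
# show the resulting list so the operator can confirm the change took effect
(Get-MpPreference).AttackSurfaceReductionOnlyExclusions
```

The JSON-per-line log can be shipped with the same collector pattern as the ASR events, which gives the SOC a record of who exempted what, and the hash lets a later review confirm that the excluded binary has not been replaced.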
🔹 Test scenarios for validation
🔒 Scenario 1: verify that an Office macro is blocked
# Expected: event 1121, rule 3b576869-a4ec-4529-8536-b80a7769e899
# Action: create a test .docm with a macro and open it in Word on the test machine
⚡ Scenario 2: verify that PowerShell launched from WScript is blocked
# Expected: event 1121, rule 5beb7efe-fd9a-4556-801d-275e5ffc04cc
# Action: create a .vbs containing: CreateObject("WScript.Shell").Run("powershell.exe")
🔁 Scenario 3: verify the new 2026 rule (Safe Mode)
# Expected: the command bcdedit /set {default} safeboot minimal is blocked
# Note: the rule does not block manual entry through the Windows Recovery Environment
# Action: run the command from an elevated PowerShell
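Each scenario is only proven when the expected event actually lands in the Defender log. The script below is an added example, not part of the kit: it polls the Operational channel for a 1121/1122 event carrying the rule GUID under test and, if none arrives, reports whether the rule is configured at all, which separates "rule not applied" from "rule applied but did not fire". The defaults match Scenario 1; the timeout and the polling interval are assumptions.

```powershell
# Added example: wait for the ASR event a test scenario is expected to produce.
param(
    [string]$RuleGuid = '3b576869-a4ec-4529-8536-b80a7769e899',   # rule under test (Scenario 1)
    [int]$ExpectedEventId = 1121,                                  # 1121 = blocked, 1122 = audited
    [datetime]$Since = (Get-Date).AddMinutes(-5),                  # start of the test window
    [int]$TimeoutSeconds = 120
)

function Wait-AsrEvent {
    param([string]$Guid, [int]$EventId, [datetime]$After, [int]$Timeout)
    $deadline = (Get-Date).AddSeconds($Timeout)
    do {
        # The hashtable narrows by log, ID and time; the GUID is matched on the 'ID' EventData field,
        # because EventData fields cannot be filtered by name through FilterHashtable.
        $hits = Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-Windows Defender/Operational'
            ID        = $EventId
            StartTime = $After
        } -ErrorAction SilentlyContinue | Where-Object {
            $xml = [xml]$_.ToXml()
            ($xml.Event.EventData.Data | Where-Object Name -eq 'ID').'#text' -match $Guid
        }
        if ($hits) { return ($hits | Select-Object -First 1) }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    return $null
}

$evt = Wait-AsrEvent -Guid $RuleGuid -EventId $ExpectedEventId -After $Since -Timeout $TimeoutSeconds
if (-not $evt) {
    # Distinguish "rule not configured" from "rule configured but did not fire"
    $pref = Get-MpPreference
    $ids = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ } | ForEach-Object { $_.ToLower() })
    $idx = [array]::IndexOf($ids, $RuleGuid.ToLower())
    $mode = if ($idx -ge 0) { $pref.AttackSurfaceReductionRules_Actions[$idx] } else { 'not configured' }
    Write-Error "No event $ExpectedEventId for rule $RuleGuid within $TimeoutSeconds s (current mode: $mode). Scenario FAILED."
    exit 1
}
$data = @{}
foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
[PSCustomObject]@{
    Time    = $evt.TimeCreated
    EventId = $evt.Id
    Rule    = $data['ID']
    Process = $data['Process Name']
    Target  = $data['Path']
    User    = $data['User']
} | Format-List
Write-Host "Scenario PASSED" -ForegroundColor Green
```

Start the script right before triggering the scenario (or pass -Since with the time the test began); for Scenario 2 pass the obfuscated-scripts GUID, and for an Audit-phase check pass -ExpectedEventId 1122.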
📊 Monitoring and dashboards
🔹 KQL for a Sentinel dashboard
// 📈 Summary of ASR events over the last 24 hours
DefenderASR_CL
| where time > ago(24h)
| summarize
    TotalEvents = count(),
    Blocks = countif(action == 'block'),
    Audits = countif(action == 'audit'),
    UniqueRules = dcount(rule_guid),
    UniqueComputers = dcount(computer),
    UniqueUsers = dcount(user_name)
| render columnchart
---------------------------------------------------
// 📊 Top 10 rules by number of blocks
DefenderASR_CL
| where action == 'block' and time > ago(7d)
| summarize BlockCount = count() by rule_name, rule_guid
| top 10 by BlockCount desc
| render barchart
--------------------------------------------------------
// 🗺 Geographic distribution (uses the RemoteIPCountry of the agent heartbeat; OSType is not a location)
DefenderASR_CL
| where time > ago(24h)
| join kind=leftouter (
    Heartbeat
    | summarize Location = take_any(RemoteIPCountry) by Computer
) on $left.computer == $right.Computer
| summarize Blocks = countif(action == 'block') by Location
| render piechart
📋 Compliance mapping
🔐 NIST 800-53 AC-3 (Access Enforcement) | Mechanism: AppLocker FilePathRule | Implementation: the "Block Execution from User Folders" rule
🛡️ NIST 800-53 SI-3 (Malicious Code Protection) | Mechanism: ASR: Block obfuscated scripts | Implementation: GUID 5beb7efe-fd9a-4556-801d-275e5ffc04cc
⚙️ CIS Benchmark 5.1 (Configure Application Control) | Mechanism: AppLocker enforcement | Implementation: RuleCollection EnforcementMode="Enabled" in the policy XML (Set-AppLockerPolicy has no enforcement-mode parameter; the mode is part of the XML)
⚖️ PCI DSS 5.2 (Anti-malware on all systems) | Mechanism: Defender ASR + Cloud Protection | Implementation: Set-MpPreference -CloudBlockLevel High
🌐 ISO 27001 A.12.2.1 (Protection against malware) | Mechanism: ASR: Block Office macros | Implementation: GUID 3b576869-a4ec-4529-8536-b80a7769e899
🔧 Troubleshooting and common errors
🔹 Problem: events 1121/1122 do not appear in the log
# Check that ASR rules are actually configured and in which mode (1 = Block, 2 = Audit)
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
# ASR only fires while real-time protection is on; check the engine state
Get-MpComputerStatus | Select-Object AMServiceEnabled, RealTimeProtectionEnabled, AMProductVersion
# Check the log size and whether it has wrapped
wevtutil gl "Microsoft-Windows-Windows Defender/Operational" | findstr "maxSize"
# Increase it if necessary (32 MB):
wevtutil sl "Microsoft-Windows-Windows Defender/Operational" /ms:33554432
🔹 Problem: AppLocker blocks a legitimate application
# 1. Find the most recent block event (8004 = EXE/DLL blocked)
$Event = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-AppLocker/EXE and DLL'; ID=8004} -MaxEvents 1
# 2. Extract the path and hash by field name (positions differ between event versions)
$Xml = [xml]$Event.ToXml()
$Data = @{}
foreach ($d in $Xml.Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }
$Hash = $Data['FileHash']
# AppLocker logs the path with its own variables; expand them back to a real path
$Path = $Data['FilePath'] -replace '^%OSDRIVE%', $env:SystemDrive -replace '^%WINDIR%', $env:windir -replace '^%PROGRAMFILES%', $env:ProgramFiles
# 3. Add an exception by hash (preferred) rather than by path: generate a hash rule for the blocked file
$RulePath = "C:\Backups\AppLocker_HashException.xml"
Get-AppLockerFileInformation -Path $Path | New-AppLockerPolicy -RuleType Hash -User Everyone -Xml | Out-File $RulePath -Encoding UTF8
# 4. Merge the exception into the local policy and refresh
Set-AppLockerPolicy -XmlPolicy $RulePath -Merge
gpupdate /force /target:computer
🔹 Problem: a script fails because of insufficient rights
# Run as SYSTEM through PsExec (psexec.exe itself must live in a location the AppLocker policy allows, not in Downloads)
psexec.exe -s -i powershell.exe -File C:\Scripts\deploy_asr.ps1
# Or through Task Scheduler (task with highest privileges)
$action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument '-File C:\Scripts\deploy_asr.ps1'
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName "Deploy-ASR" -Action $action -Principal $principal -Force
🚀 Final checklist before going to production:
✅ All scripts tested on the pilot group
✅ Logging configured and checked daily
✅ Exclusions added only after verification
✅ Rollback scenarios documented and tested
✅ SIEM integration validated (events arrive, alerts fire)
✅ The team knows how to respond to detections (playbook)
✅ ⚠️ Compatibility with Win11 24H2 confirmed
✅ ⚠️ Cloud-delivered protection enabled for the prevalence-based rule
💡 Pro tip: automate the compliance check. Create a weekly task that compares the current ASR/AppLocker settings with the reference config and sends a report to Teams/Slack when they differ. Log every change with a hash and a timestamp for audit.
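The weekly drift check from the tip above, as an added example rather than one of the kit's scripts: it reads the live rule state with Get-MpPreference, compares it with the asr_config.json baseline shown earlier (including rules present on the host but absent from the baseline), logs the baseline hash with a timestamp, and posts a summary to an incoming-webhook URL. The webhook URL, the file paths and the plain-text message format are assumptions; the non-zero exit code on drift is what a scheduled task can alert on.

```powershell
# Added example: compare live ASR rule modes with the asr_config.json baseline and report drift.
param(
    [string]$BaselinePath = "C:\Policies\asr_config.json",   # assumed location of the baseline
    [string]$WebhookUrl = $null,                              # Teams/Slack incoming webhook (placeholder)
    [string]$LogPath = "C:\Logs\ASR_Drift.log"
)

function Get-LiveAsrState {
    # Returns @{ guid (lowercase) = mode } from the running Defender preferences
    $pref = Get-MpPreference
    $ids = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $state = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) { $state[$ids[$i].ToLower()] = [int]$actions[$i] }
    return $state
}

function Compare-AsrBaseline {
    param([hashtable]$Live, [object[]]$BaselineRules)
    # A baseline rule missing from the live state is reported as mode 5 (Not Configured)
    foreach ($rule in $BaselineRules) {
        $g = $rule.guid.ToLower()
        $actual = if ($Live.ContainsKey($g)) { $Live[$g] } else { 5 }
        if ($actual -ne [int]$rule.mode) {
            [PSCustomObject]@{ guid = $g; expected = [int]$rule.mode; actual = $actual; comment = $rule.comment }
        }
    }
    # A rule configured on the host but absent from the baseline is drift as well
    $known = @($BaselineRules | ForEach-Object { $_.guid.ToLower() })
    foreach ($g in $Live.Keys) {
        if (($g -notin $known) -and ($Live[$g] -ne 5)) {
            [PSCustomObject]@{ guid = $g; expected = 'not in baseline'; actual = $Live[$g]; comment = 'unexpected rule' }
        }
    }
}

$baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
$baselineHash = (Get-FileHash -Path $BaselinePath -Algorithm SHA256).Hash
$drift = @(Compare-AsrBaseline -Live (Get-LiveAsrState) -BaselineRules $baseline.rules)

$summary = if ($drift.Count -eq 0) {
    "ASR on $env:COMPUTERNAME matches baseline $baselineHash"
} else {
    "ASR DRIFT on $env:COMPUTERNAME ($($drift.Count) rule(s)):`n" + ($drift | Format-Table -AutoSize | Out-String)
}

# audit trail: when the check ran, which baseline (by hash) it used, how many deviations it found
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
"[$((Get-Date).ToUniversalTime().ToString('o'))] baseline=$baselineHash drift=$($drift.Count)" | Add-Content -Path $LogPath
Write-Host $summary

if ($drift.Count -gt 0 -and $WebhookUrl) {
    # Teams and Slack incoming webhooks both accept a JSON body with a "text" field (assumed webhook type)
    Invoke-RestMethod -Uri $WebhookUrl -Method Post -ContentType 'application/json' `
        -Body (@{ text = $summary } | ConvertTo-Json -Compress)
}
exit $drift.Count
```

Register it with the same Task Scheduler pattern shown in the troubleshooting section (SYSTEM, highest privileges, weekly trigger); because the exit code equals the number of drifted rules, the task history alone shows whether a host has deviated from the baseline.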