HotCakeX · HotCakeX · Sep 24, 2023 · Sep 24, 2023 · Sep 24, 2023 · Sep 24, 2023
@@ -372,7 +372,45 @@ function Confirm-SystemCompliance {
 
         # Process the registry keys for this category based on the selected method and category name, then save the output Custom Object in the Array
         $NestedObjectArray += [PSCustomObject](Invoke-CategoryProcessing -catname $CatName -Method 'Group Policy')
-
+
+
+        # Individual ASR rules verification        
+        $DefenderEffectiveStates = Get-MpPreference
+        [string[]]$Ids = $DefenderEffectiveStates.AttackSurfaceReductionRules_Ids
+        [string[]]$Actions = $DefenderEffectiveStates.AttackSurfaceReductionRules_Actions
+
+        # Hashtable to store the descriptions for each ID
+        [hashtable]$Descriptions = @{
+            '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
+            '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
+            'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
+            '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)'
+            'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
+            '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files from running unless they meet a prevalence; age or trusted list criterion'
+            '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
+            'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
+            '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
+            '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office applications from injecting code into other processes'
+            '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication application from creating child processes'
+            'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
+            'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
+            'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
+            '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
+            'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
+        }
+
+        # Loop through the ids and actions arrays and create a custom object for each pair
+        for ($i = 0; $i -lt $Ids.Length; $i++) {
+            $NestedObjectArray += [PSCustomObject]@{
+                FriendlyName = $Descriptions[$Ids[$i]]
+                Compliant    = [bool]($Actions[$i] -eq '1')
+                Value        = $Actions[$i]   
+                Name         = $Ids[$i]         
+                Category     = $CatName
+                Method       = 'Cmdlet'  
+            }
+        }
+
         # Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
         Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray
         #EndRegion Attack-Surface-Reduction-Rules-Category

@@ -12,7 +12,7 @@
     # RootModule = ''
 
     # Version number of this module.
-    ModuleVersion        = '0.1.4'
+    ModuleVersion        = '0.1.5'
 
     # Supported PSEditions
     CompatiblePSEditions = @('Core')

@@ -1,6 +1,6 @@
 <#PSScriptInfo
 
-.VERSION 2023.9.12
+.VERSION 2023.9.24
 
 .GUID d435a293-c9ee-4217-8dc1-4ad2318a5770
 
@@ -92,9 +92,12 @@ Set-ExecutionPolicy Bypass -Scope Process
 
 # Defining global script variables
 # Current script's version, the same as the version at the top in the script info section
-[datetime]$CurrentVersion = '2023.9.12'
+[datetime]$CurrentVersion = '2023.9.24'
 # Minimum OS build number required for the hardening measures used in this script
 [decimal]$Requiredbuild = '22621.2134'
+# Fetching Temp Directory
+[string]$global:UserTempDirectoryPath = [System.IO.Path]::GetTempPath()
+
 
 # Determining if PowerShell is core to use modern styling
 [bool]$global:IsCore = $false
@@ -385,14 +388,14 @@ try {
     #endregion RequirementsCheck
 
     # create our working directory
-    New-Item -ItemType Directory -Path "$env:TEMP\HardeningXStuff\" -Force | Out-Null
+    New-Item -ItemType Directory -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force | Out-Null
     # working directory assignment
-    [string]$WorkingDir = "$env:TEMP\HardeningXStuff\"
+    [string]$WorkingDir = "$global:UserTempDirectoryPath\HardeningXStuff\"
     # change location to the new directory
     Set-Location $WorkingDir
 
     # Clean up script block
-    [scriptblock]$CleanUp = { Set-Location $HOME; Remove-Item -Recurse "$env:TEMP\HardeningXStuff\" -Force; exit }
+    [scriptblock]$CleanUp = { Set-Location $HOME; Remove-Item -Recurse -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force; exit }
 
     if (-NOT (Test-IsAdmin)) {
         if ($IsCore) { &$WriteNeonGreen 'Skipping commands that require Administrator privileges' } else { Write-Host 'Skipping commands that require Administrator privileges' -ForegroundColor Magenta }
@@ -1489,11 +1492,11 @@ try {
                     try {
                         Write-Host 'Downloading the Custom views for Event Viewer, Please wait...' -ForegroundColor Yellow
                         try {
-                            Invoke-WebRequest -Uri 'https://github.com/HotCakeX/Harden-Windows-Security/raw/main/Payload/EventViewerCustomViews.zip' -OutFile "$env:TEMP\EventViewerCustomViews.zip" -ErrorAction Stop
+                            Invoke-WebRequest -Uri 'https://github.com/HotCakeX/Harden-Windows-Security/raw/main/Payload/EventViewerCustomViews.zip' -OutFile "$global:UserTempDirectoryPath\EventViewerCustomViews.zip" -ErrorAction Stop
                         }
                         catch {
                             Write-Host 'Using Azure DevOps...' -ForegroundColor Yellow
-                            Invoke-WebRequest -Uri 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/EventViewerCustomViews.zip' -OutFile "$env:TEMP\EventViewerCustomViews.zip" -ErrorAction Stop
+                            Invoke-WebRequest -Uri 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/EventViewerCustomViews.zip' -OutFile "$global:UserTempDirectoryPath\EventViewerCustomViews.zip" -ErrorAction Stop
                         }
 
                         # Due to change in event viewer custom log files, making sure no old file names exist
@@ -1503,8 +1506,8 @@ try {
                         # Creating new sub-folder to store the custom views
                         New-Item -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script' -ItemType Directory -Force | Out-Null
 
-                        Expand-Archive -Path "$env:TEMP\EventViewerCustomViews.zip" -DestinationPath 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script' -Force
-                        Remove-Item -Path "$env:TEMP\EventViewerCustomViews.zip" -Force
+                        Expand-Archive -Path "$global:UserTempDirectoryPath\EventViewerCustomViews.zip" -DestinationPath 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script' -Force
+                        Remove-Item -Path "$global:UserTempDirectoryPath\EventViewerCustomViews.zip" -Force
                         Write-Host "`nSuccessfully added Custom Views for Event Viewer" -ForegroundColor Green               
                     }
                     catch {
@@ -1574,7 +1577,7 @@ try {
 
                 Write-Host -NoNewline "`nListing valid certificates not rooted to the Microsoft Certificate Trust List in the" -ForegroundColor Yellow; Write-Host " Machine Store`n" -ForegroundColor Blue
                 .\sigcheck64.exe -tv -accepteula -nobanner
-                Remove-Item .\sigcheck64.exe -Force
+                Remove-Item -Path .\sigcheck64.exe -Force
             } 'No' { break }
             'Exit' { &$CleanUp }
         }
@@ -1697,5 +1700,5 @@ finally {
             }
         }
     }
-    Set-Location $HOME; Remove-Item -Recurse "$env:TEMP\HardeningXStuff\" -Force -ErrorAction SilentlyContinue    
+    Set-Location $HOME; Remove-Item -Recurse -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue    
 }
@@ -36,22 +36,6 @@ Origin,Category,Key,Name,FriendlyName,Type,Value
 "Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,Allow Diagnostic Data (Required for Smart App Control),DWORD,3
 "Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection,DisableTelemetryOptInSettingsUx,Configure diagnostic data opt-in settings user interface,DWORD,1
 "Group Policy","ASR",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR,ExploitGuard_ASR_Rules,Configure Attack Surface Reduction rules,DWORD,1
-"Group Policy","ASR",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules,56a863a9-875e-4185-98a7-b882c64b5ce5,Block abuse of exploited vulnerable signed drivers,SZ,1
-"Group Policy","ASR",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,Block Adobe Reader from creating child processes,SZ,1
-"Group Policy","ASR",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules,d4f940ab-401b-4efc-aadc-ad5f3c50688a,Block all Office applications from creating child processes,SZ,1
-"Group Policy","ASR",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,Block credential stealing from the Windows local security authority subsystem (lsass.exe),SZ,1
-"Group Policy","ASR",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,Block executable content from email client and webmail,SZ,1
-"Group Policy","ASR",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules,01443614-cd74-433a-b99e-2ecdc07bfc25,Block executable files from running unless they meet a prevalence; age or trusted list criterion,SZ,1
-"Group Policy","ASR",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules,5beb7efe-fd9a-4556-801d-275e5ffc04cc,Block execution of potentially obfuscated scripts,SZ,1
-"Group Policy","ASR",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules,d3e037e1-3eb8-44c8-a917-57927947596d,Block JavaScript or VBScript from launching downloaded executable content,SZ,1
-"Group Policy","ASR",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules,3b576869-a4ec-4529-8536-b80a7769e899,Block Office applications from creating executable content,SZ,1
-"Group Policy","ASR",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,Block Office applications from injecting code into other processes,SZ,1
-"Group Policy","ASR",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules,26190899-1602-49e8-8b27-eb1d0a1ce869,Block Office communication application from creating child processes,SZ,1
-"Group Policy","ASR",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules,e6db77e5-3df2-4cf1-b95a-636979351e5b,Block persistence through WMI event subscription,SZ,1
-"Group Policy","ASR",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules,d1e49aac-8f56-4280-b9ba-993a6d77406c,Block process creations originating from PSExec and WMI commands,SZ,1
-"Group Policy","ASR",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,Block untrusted and unsigned processes that run from USB,SZ,1
-"Group Policy","ASR",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,Block Win32 API calls from Office macros,SZ,1
-"Group Policy","ASR",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules,c1db55ab-c21a-4637-bb3f-a12568109d35,Use advanced protection against ransomware,SZ,1
 "Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,DisallowStandardUserPINReset,Disallow Standard User PIN Reset,DWORD,1
 "Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,UseAdvancedStartup,Require additional authentication at startup,DWORD,1
 "Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,EnableBDEWithNoTPM,Don't allow Bitlocker without TPM,DWORD,0

@@ -2,6 +2,9 @@ Function Unprotect-WindowsSecurity {
     # Stop the execution when there is an error
     $global:ErrorActionPreference = 'Stop'
 
+    # Fetching Temp Directory
+    [string]$global:UserTempDirectoryPath = [System.IO.Path]::GetTempPath()
+
     # Makes sure this cmdlet is invoked with Admin privileges
     if (![bool]([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
         Write-Error -Message 'Unprotect-WindowsSecurity cmdlet requires Administrator privileges.'
@@ -41,16 +44,16 @@ Function Unprotect-WindowsSecurity {
         }
 
         # create our working directory
-        New-Item -ItemType Directory -Path "$env:TEMP\HardeningXStuff\" -Force | Out-Null
+        New-Item -ItemType Directory -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force | Out-Null
 
         # working directory assignment
-        [string]$WorkingDir = "$env:TEMP\HardeningXStuff\"
+        [string]$WorkingDir = "$global:UserTempDirectoryPath\HardeningXStuff\"
 
         # change location to the new directory
         Set-Location -Path $WorkingDir
 
         # Clean up script block
-        [scriptblock]$CleanUp = { Set-Location $HOME; Remove-Item -Recurse "$env:TEMP\HardeningXStuff\" -Force; exit }
+        [scriptblock]$CleanUp = { Set-Location $HOME; Remove-Item -Recurse "$global:UserTempDirectoryPath\HardeningXStuff\" -Force; exit }
 
         Write-Progress -Activity 'Downloading the required files' -Status 'Processing' -PercentComplete 30
 
@@ -202,7 +205,7 @@ Function Unprotect-WindowsSecurity {
             }
         }
 
-        Set-Location $HOME; Remove-Item -Recurse "$env:TEMP\HardeningXStuff\" -Force -ErrorAction SilentlyContinue    
+        Set-Location $HOME; Remove-Item -Recurse "$global:UserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue    
 
     }
 

@@ -1 +1 @@
-0.1.4
+0.1.5