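├── Enable-ExploitGuard-AttackSurfaceReduction.ps1
├── README.md
├── Remove-all-ProcessMitigations.ps1
├── Windows10-v1709_ExploitGuard-DefaultSettings.xml
├── Windows10-v1709_ExploitGuard-Security-Baseline.xml
├── Windows10-v1803_ExploitGuard-DefaultSettings.xml
├── Windows10-v1803_ExploitGuard-Security-Baseline.xml
├── Windows10-v1809_ExploitGuard-DefaultSettings.xml
├── Windows10-v1809_ExploitGuard-Security-Baseline.xml
├── Windows10-v1903_ExploitGuard-DefaultSettings.xml
├── Windows10-v1903_ExploitGuard-Security-Baseline.xml
├── Windows10-v1909_ExploitGuard-DefaultSettings.xml
├── Windows10-v1909_ExploitGuard-DefaultSettings_Without-HyperV.xml
├── Windows10-v1909_ExploitGuard-Security-Baseline.xml
├── Windows10-v2004_ExploitGuard-Security-Baseline.xml
├── Windows10-v2009_ExploitGuard-DefaultSettings.xml
├── Windows10-v2009_ExploitGuard-DefaultSettings_Without-HyperV.xml
├── Windows10-v2009_ExploitGuard-Security-Baseline.xml
├── Windows10-v2104_ExploitGuard-Security-Baseline.xml
└── Windows10_ExploitGuard-Config.ps1
/Enable-ExploitGuard-AttackSurfaceReduction.ps1:
--------------------------------------------------------------------------------
# Gunnar Haslinger, 05.05.2018
# Windows Defender Exploit-Guard Attack-Surface-Reduction Configuration
#
# Doc Description of Rules: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard
# Doc HowTo enable: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
# Doc Exclusions: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction
#
# Things a deployer should know before running this:
#  * Get-MpPreference / Add-MpPreference talk to the Defender service. Add-MpPreference
#    needs an elevated session, so the script refuses to run without one instead of
#    failing half-way through the rule list.
#  * Add-MpPreference MERGES: one call per rule below, and rules that are already
#    configured on the machine but are not listed in $ASRconfig are left exactly as they
#    are (they show up in the "current state" table with an empty DesiredMode).
#    Use Remove-MpPreference / Set-MpPreference if a rule has to be retired.
#  * Microsoft documents ASR rules as requiring Microsoft Defender Antivirus to be the
#    active real-time AV. With a third-party AV the values are stored but may not be
#    enforced - verify on a reference machine.
#  * "Enabled" blocks. Roll new rules out in AuditMode first and review the ASR events
#    in the Microsoft-Windows-Windows Defender/Operational log before switching to Enabled.

# Check whether the current session runs with Administrator privileges
function Test-IsAdmin {
    ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
}

# Modes: 0 = Disabled, 1 = Enabled, 2 = AuditMode
# Newer Defender builds may report additional action values; anything outside this table
# is rendered with its raw numeric value (see Get-ASRModeName) instead of indexing past the array.
$ASRMode = @("Disabled", "Enabled", "AuditMode");

# Translate a numeric action value (as returned by Get-MpPreference) into a readable name.
# Returns "Unknown(<n>)" for values this script does not know.
function Get-ASRModeName([int] $action) {
    if ($action -ge 0 -and $action -lt $ASRMode.Count) { return $ASRMode[$action] }
    return "Unknown($action)"
}

# The new configuration to set. Mode is the numeric index into $ASRMode and is translated
# to the enum name below before it is handed to Add-MpPreference.
$ASRconfig = @(
    [PSCustomObject] @{ GUID = "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550";
                        Description = "Block executable content from email client and webmail";
                        Mode = 1; }

    [PSCustomObject] @{ GUID = "D4F940AB-401B-4EFC-AADC-AD5F3C50688A";
                        Description = "Block Office applications from creating child processes";
                        Mode = 1; }

    [PSCustomObject] @{ GUID = "3B576869-A4EC-4529-8536-B80A7769E899";
                        Description = "Block Office applications from creating executable content";
                        Mode = 1; }

    [PSCustomObject] @{ GUID = "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84";
                        Description = "Block Office applications from injecting code into other processes";
                        Mode = 1; }

    [PSCustomObject] @{ GUID = "D3E037E1-3EB8-44C8-A917-57927947596D";
                        Description = "Block JavaScript or VBScript from launching downloaded executable content";
                        Mode = 1; }

    [PSCustomObject] @{ GUID = "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC";
                        Description = "Block execution of potentially obfuscated scripts";
                        Mode = 1; }

    [PSCustomObject] @{ GUID = "92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B";
                        Description = "Block Win32 API calls from Office macro";
                        Mode = 1; }

    # Disabled: this rule depends on cloud-delivered protection / reputation data
    [PSCustomObject] @{ GUID = "01443614-cd74-433a-b99e-2ecdc07bfc25";
                        Description = "Block executable files from running unless they meet a prevalence, age, or trusted list criteria";
                        Mode = 0; }

    [PSCustomObject] @{ GUID = "c1db55ab-c21a-4637-bb3f-a12568109d35";
                        Description = "Use advanced protection against ransomware";
                        Mode = 0; }

    # Disabled here. This rule hardens lsass.exe against credential dumping; consider
    # running it in AuditMode (2) to find legitimate callers, then Enabled (1).
    [PSCustomObject] @{ GUID = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2";
                        Description = "Block credential stealing from the Windows local security authority subsystem (lsass.exe)";
                        Mode = 0; }

    # AuditMode: PsExec/WMI process creation is also used by legitimate management tooling
    [PSCustomObject] @{ GUID = "d1e49aac-8f56-4280-b9ba-993a6d77406c";
                        Description = "Block process creations originating from PSExec and WMI commands";
                        Mode = 2; }

    [PSCustomObject] @{ GUID = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4";
                        Description = "Block untrusted and unsigned processes that run from USB";
                        Mode = 2; }
)

# Replace the numeric Mode with the enum name Add-MpPreference expects
$ASRconfig | ForEach-Object { $_.Mode = $ASRMode[$_.Mode] }

if (-not (Test-IsAdmin)) { throw "ERROR: No Administrator-Privileges detected! Add-MpPreference needs an elevated session." }

Write-Host "Checking current System Configuration for configured Attack surface reduction rules (and comparing to new desired Mode):"
$ASRstate = New-Object System.Collections.ArrayList
$myConfig = Get-MpPreference
$currentIds = $myConfig.AttackSurfaceReductionRules_Ids
$currentActions = $myConfig.AttackSurfaceReductionRules_Actions
for ($i = 0; $i -lt $currentIds.Count; $i++) {
    $id = $currentIds[$i]
    # GUIDs are compared as strings (-eq is case-insensitive in PowerShell); the rule
    # list above mixes upper- and lower-case GUIDs, as does Defender itself.
    # $desired stays $null for rules configured on the machine but not listed here.
    $desired = $ASRconfig | Where-Object { $_.GUID -eq $id }
    $null = $ASRstate.Add([PSCustomObject] @{
        GUID        = $id
        Description = $desired.Description
        CurrentMode = Get-ASRModeName $currentActions[$i]
        DesiredMode = $desired.Mode
    })
}
$ASRstate | Format-Table

Write-Host "Enabling Windows Defender Exploit Guard Attack surface reduction rules"
$ASRconfig | Format-Table

# One Add-MpPreference per rule. This merges into the existing configuration; it never
# removes rules that are not listed in $ASRconfig.
$ASRconfig | ForEach-Object {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $_.GUID -AttackSurfaceReductionRules_Actions $_.Mode
}

--------------------------------------------------------------------------------
/README.md: -------------------------------------------------------------------------------- 1 | # Windows Defender Exploit-Guard Configuration 2 | 3 | ## This Script provides: 4 | * Configure Windows Defender Exploit-Guard by using PowerShell 5 | * Reset all ProcessMitigations to get a clean (unconfigured) state 6 | * Import clean Default-Configuration shipped with the OS 7 | * Import clean recommended Baseline Configuration 8 | * Configure Attack Surface Reduction and check actual Configuration of ASR 9 | 10 | ## What's the Problem? 11 | Windows 10 v1709 (RS3) includes Windows Defender ExploitGuard (Windows Defender EG), the successor of EMET. 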
There are two PowerShell cmdlets `Get-ProcessMitigation` and `Set-ProcessMitigation` for configuring Exploit Guard from scripts, but as of Windows 10 v1709 (RS3) they have the following bugs and gaps in functionality: 12 | 13 | * The `Get-ProcessMitigation` cmdlet does **not** list executables that are configured by full path; it only lists those defined by a plain executable name without a path 14 | * The `Set-ProcessMitigation` cmdlet has no way to delete a single configured process mitigation or all per-process mitigations, as the EMET command-line tool provided with `EMET_Conf --delete `, `EMET_Conf --delete_apps` and `EMET_Conf --delete_all` 15 | * Additionally, the current (tested 26.01.2018) Insider build of Windows 10 RS4 (v1803) ships a default process mitigation for `CameraBarcodeScannerPreview.exe` whose registry permissions grant access only to TrustedInstaller (SYSTEM and Administrators have no right to modify it, which leads to exceptions / errors) 16 | 17 | ## The Solution: 18 | PowerShell script `Remove-all-ProcessMitigations.ps1` 19 | * Removes all currently configured process mitigations 20 | * Handles process mitigations configured by plain executable name such as `notepad.exe` as well as full-path configurations such as `C:\Windows\system32\notepad.exe` 21 | * Handles configurations that are unmodifiable by Administrators because their ACLs are set to TrustedInstaller, by taking ownership and resetting the ACLs to the defaults (inherited ACLs). Security note: these keys live under `Image File Execution Options`, which is also where the `Debugger` hijack value is stored. Make sure the new owner is `BUILTIN\Administrators` (S-1-5-32-544) and never an unprivileged group such as `Users` (S-1-5-32-545) — the owner of a key implicitly holds WRITE_DAC and could later grant itself write access to that key. 22 | 23 | Demonstration of the Output: 24 | ```powershell 25 | PS C:\Temp> .\Remove-all-ProcessMitigations.ps1 26 | ``` 27 | ``` 28 | Removing MitigationOptions for: AcroRd32.exe 29 | Removing MitigationAuditOptions for: AcroRd32.exe 30 | Removing MitigationOptions for: AcroRd32Info.exe 31 | Removing MitigationAuditOptions for: AcroRd32Info.exe 32 | Removing MitigationOptions for: iexplore.exe 33 | Removing MitigationAuditOptions for: iexplore.exe 34 | Removing 
FullPathEntry: notepad.exe - C:\Windows\SysWOW64\notepad.exe 35 | Removing FullPathEntry: notepad.exe - C:\Windows\notepad.exe 36 | Removing FullPathEntry: notepad.exe - C:\Windows\System32\notepad.exe 37 | Removing empty Entry: notepad.exe 38 | Removing MitigationOptions for: PresentationHost.exe 39 | Removing MitigationAuditOptions for: PresentationHost.exe 40 | Removing empty Entry: PresentationHost.exe 41 | ... 42 | ``` 43 | 44 | PowerShell script `Windows10_ExploitGuard-Config.ps1` (run it from an elevated PowerShell; it needs Administrator rights for the registry and `Set-ProcessMitigation -System` changes) 45 | * Uses `Remove-all-ProcessMitigations.ps1` to remove the per-process configuration 46 | * Resets the system-wide Exploit Guard configuration to the defaults (`Set-ProcessMitigation -System -Reset`) 47 | * Imports the Exploit Guard default settings of the detected Windows 10 release (taken from the `ReleaseId` registry value), e.g. `Windows10-v1709_ExploitGuard-DefaultSettings.xml` on v1709 48 | * Imports the recommended baseline settings for the detected release, e.g. `Windows10-v1709_ExploitGuard-Security-Baseline.xml` on v1709. Both XML files must exist for the release in question; the script reports an error if one of them is missing. 49 | 50 | ## Source of the XML-Files 51 | * `Windows10-v1709_ExploitGuard-DefaultSettings.xml` is taken from a fresh Windows 10 v1709 Machine 52 | * `Windows10-v1803_ExploitGuard-DefaultSettings.xml` is taken from a fresh Windows 10 v1803 Machine 53 | * `Windows10-v1809_ExploitGuard-DefaultSettings.xml` is taken from a fresh Windows 10 v1809 Machine 54 | * `Windows10-v1903_ExploitGuard-DefaultSettings.xml` is taken from a fresh Windows 10 v1903 Machine 55 | * `Windows10-v1909_ExploitGuard-DefaultSettings.xml` is taken from a fresh Windows 10 v1909 Machine (but no Changes to v1903) 56 | * `Windows10-v1709_ExploitGuard-Security-Baseline.xml` is taken from the [official Microsoft v1709 Baseline](https://blogs.technet.microsoft.com/secguide/2017/10/18/security-baseline-for-windows-10-fall-creators-update-v1709-final/) 57 | * `Windows10-v1803_ExploitGuard-Security-Baseline.xml` is taken from the [official Microsoft v1803 Baseline](https://blogs.technet.microsoft.com/secguide/2018/04/30/security-baseline-for-windows-10-april-2018-update-v1803-final/) 58 | * 
`Windows10-v1809_ExploitGuard-Security-Baseline.xml` is taken from the [official Microsoft v1809 Baseline](https://blogs.technet.microsoft.com/secguide/2018/11/20/security-baseline-final-for-windows-10-v1809-and-windows-server-2019/) 59 | * `Windows10-v1903_ExploitGuard-Security-Baseline.xml` is taken from the [official Microsoft v1903 Baseline](https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/Security-baseline-FINAL-for-Windows-10-v1903-and-Windows-Server/ba-p/701084) 60 | * `Windows10-v1909_ExploitGuard-Security-Baseline.xml` is taken from the [official Microsoft v1909 Baseline](https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/Security-baseline-FINAL-for-Windows-10-v1909-and-Windows-Server/ba-p/1023093) 61 | * `Windows10-v2004_ExploitGuard-Security-Baseline.xml` is taken from the [official Microsoft v2004 Baseline](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-windows-10-and-windows-server-version/ba-p/1543631) 62 | * `Windows10-v2009_ExploitGuard-Security-Baseline.xml` is taken from the [official Microsoft v20H2 Baseline](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393) 63 | * `Windows10-v2104_ExploitGuard-Security-Baseline.xml` is taken from the [official Microsoft v21H1 Baseline](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-version-21h1/ba-p/2362353) 64 | * The Security Baselines and Exploit Guard default settings of Windows 10 v1909, v2004 and v20H2 appear to be identical (no differences found). Two practical consequences: there is no `Windows10-v2004_ExploitGuard-DefaultSettings.xml` in this repository, so on a v2004 machine `Windows10_ExploitGuard-Config.ps1` reports the default-settings file as missing (copy the v1909 file under that name if you need it); and because the script selects the XML files by the registry value `ReleaseId`, which Windows stops incrementing at 2009 from 20H2 onwards, later releases are served the v2009 files — check that this is what you intend before relying on the v2104 baseline file. 65 | 66 | ## Further Information 67 | * [See my Blog-Post (in German Language)](https://hitco.at/blog/windows-exploit-guard-konfiguration-reset/) 68 | 69 | ## Links 70 | * [Documentation of Exploit-Guard](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard) 71 | * [EMET - Enhanced 
Mitigation Experience Toolkit](https://technet.microsoft.com/en-us/security/jj653751) 72 | 73 | # WD - Exploit Guard - Attack Surface Reduction Rules 74 | * `Enable-ExploitGuard-AttackSurfaceReduction.ps1` - Script for configuring ASR. It calls `Add-MpPreference` once per rule, which merges into the existing configuration: rules already present on the machine but not listed in the script are left unchanged, so review the "current configuration" table it prints first. `Add-MpPreference` needs an elevated session. Microsoft documents ASR rules as requiring Microsoft Defender Antivirus to be the active real-time AV; if a third-party AV is installed, verify on a reference machine that the rules actually take effect. 75 | * Further Information on this [See my Blog-Post (in German Language)](https://hitco.at/blog/windows-defender-exploit-guard-attack-surface-reduction-rules/) 76 | * Demo-Output: 77 | ``` 78 | Checking current System Configuration for configured Attack surface reduction rules (and comparing to new desired Mode): 79 | 80 | GUID Description CurrentMode DesiredMode 81 | ---- ----------- ----------- ----------- 82 | 01443614-cd74-433a-b99e-2ecdc07bfc25 Block executable files from running unless they meet a prevalence, age, or trusted list criteria Disabled Disabled 83 | 3B576869-A4EC-4529-8536-B80A7769E899 Block Office applications from creating executable content Enabled Enabled 84 | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block execution of potentially obfuscated scripts Enabled Enabled 85 | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 Block Office applications from injecting code into other processes Enabled Enabled 86 | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B Block Win32 API calls from Office macro Enabled Enabled 87 | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block credential stealing from the Windows local security authority subsystem (lsass.exe) Disabled Disabled 88 | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 Block untrusted and unsigned processes that run from USB AuditMode AuditMode 89 | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Block executable content from email client and webmail Enabled Enabled 90 | c1db55ab-c21a-4637-bb3f-a12568109d35 Use advanced protection against ransomware Disabled Disabled 91 | d1e49aac-8f56-4280-b9ba-993a6d77406c Block process creations originating from PSExec and WMI commands AuditMode AuditMode 92 | D3E037E1-3EB8-44C8-A917-57927947596D Block JavaScript or VBScript from launching downloaded executable content Enabled Enabled 93 
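| D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block Office applications from creating child processes Enabled Enabled 94 | 95 | 96 | Enabling Windows Defender Exploit Guard Attack surface reduction rules 97 | 98 | GUID Description Mode 99 | ---- ----------- ---- 100 | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Block executable content from email client and webmail Enabled 101 | D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block Office applications from creating child processes Enabled 102 | 3B576869-A4EC-4529-8536-B80A7769E899 Block Office applications from creating executable content Enabled 103 | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 Block Office applications from injecting code into other processes Enabled 104 | D3E037E1-3EB8-44C8-A917-57927947596D Block JavaScript or VBScript from launching downloaded executable content Enabled 105 | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block execution of potentially obfuscated scripts Enabled 106 | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B Block Win32 API calls from Office macro Enabled 107 | 01443614-cd74-433a-b99e-2ecdc07bfc25 Block executable files from running unless they meet a prevalence, age, or trusted list criteria Disabled 108 | c1db55ab-c21a-4637-bb3f-a12568109d35 Use advanced protection against ransomware Disabled 109 | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block credential stealing from the Windows local security authority subsystem (lsass.exe) Disabled 110 | d1e49aac-8f56-4280-b9ba-993a6d77406c Block process creations originating from PSExec and WMI commands AuditMode 111 | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 Block untrusted and unsigned processes that run from USB AuditMode 112 | ``` 113 | 
--------------------------------------------------------------------------------
/Remove-all-ProcessMitigations.ps1:
--------------------------------------------------------------------------------
# Remove-all-ProcessMitigations.ps1
# Deletes every Exploit-Guard per-process mitigation stored below
#   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options   (IFEO)
# A mitigation is stored as the values MitigationOptions / MitigationAuditOptions on the
# per-executable key, or - for full-path configurations (UseFilter set) - in sub-keys that
# carry a FilterFullPath value.
#
# SECURITY NOTE: IFEO is also where the "Debugger" hijack value lives. This script therefore
#  * only touches keys that actually carry mitigation data (or are already empty), and
#  * where it has to take ownership of a TrustedInstaller-owned key, hands it to
#    BUILTIN\Administrators. The owner of a key implicitly holds WRITE_DAC, so giving an
#    unprivileged group ownership would let any such user regrant itself write access later.

# Check if Admin-Privileges are available
function Test-IsAdmin {
    ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
}

# Enable SeTakeOwnership, SeBackup and SeRestore in the current process token.
# Needs an elevated token (the privileges are present there but disabled); SeRestore is
# what allows the owner to be set to a SID other than the caller's own.
# Writes a warning for every privilege that could not be enabled so later ACL failures
# are explainable instead of silent.
function Get-SeTakeOwnershipPermissions {
    # NTSTATUS RtlAdjustPrivilege(ULONG Privilege, BOOLEAN Enable, BOOLEAN CurrentThread, PBOOLEAN Enabled)
    # ULONG is 32 bit -> uint is the matching managed type.
    $import = '[DllImport("ntdll.dll")] public static extern int RtlAdjustPrivilege(uint a, bool b, bool c, ref bool d);'
    # Add-Type fails when the type already exists (script run twice in one session) - reuse it then
    $ntdll = ([System.Management.Automation.PSTypeName]'ExploitGuardReset.NtDll').Type
    if (-not $ntdll) { $ntdll = Add-Type -MemberDefinition $import -Name NtDll -Namespace ExploitGuardReset -PassThru }
    # Privilege LUIDs: SE_TAKE_OWNERSHIP_PRIVILEGE = 9, SE_BACKUP_PRIVILEGE = 17, SE_RESTORE_PRIVILEGE = 18
    $privileges = @{ SeTakeOwnership = 9; SeBackup = 17; SeRestore = 18 }
    foreach ($name in $privileges.Keys) {
        $wasEnabled = $false
        # Enable = $true, CurrentThread = $false (adjust the process token, not a thread token)
        $status = $ntdll::RtlAdjustPrivilege($privileges[$name], $true, $false, [ref]$wasEnabled)
        if ($status -ne 0) { Write-Warning ("Could not enable {0} privilege (NTSTATUS 0x{1:X8})" -f $name, $status) }
    }
}

# Take ownership of a registry key (recursively by default) and reset its DACL so it only
# carries the ACEs inherited from its parent. Prerequisite: SeTakeOwnership + SeRestore
# enabled (see Get-SeTakeOwnershipPermissions).
#   $rootKey : HKLM / HKCU / HKCR / HKCC / HKU (short or long form)
#   $key     : sub-key path below the root
#   $sid     : new owner; default BUILTIN\Administrators (S-1-5-32-544).
#              Never pass an unprivileged SID here - the owner of a key implicitly
#              gets WRITE_DAC and could grant itself full control of an IFEO key.
#   $recurse : also process all sub-keys (default $true)
# Example: Reset-RegistryKeyPermissions "HKLM" "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\demo.exe"
function Reset-RegistryKeyPermissions {
    param($rootKey, $key, [System.Security.Principal.SecurityIdentifier]$sid = 'S-1-5-32-544', $recurse = $true)

    switch -regex ($rootKey) {
        'HKCU|HKEY_CURRENT_USER'   { $rootKey = 'CurrentUser' }
        'HKLM|HKEY_LOCAL_MACHINE'  { $rootKey = 'LocalMachine' }
        'HKCR|HKEY_CLASSES_ROOT'   { $rootKey = 'ClassesRoot' }
        'HKCC|HKEY_CURRENT_CONFIG' { $rootKey = 'CurrentConfig' }
        'HKU|HKEY_USERS'           { $rootKey = 'Users' }
    }

    function Take-KeyPermissions {
        param($rootKey, $key, $sid, $recurse, $recurseLevel = 0)

        # Step 1 - open with TakeOwnership only; that is the one right SeTakeOwnership
        #          guarantees us on a key we do not own
        $regKey = [Microsoft.Win32.Registry]::$rootKey.OpenSubKey($key, 'ReadWriteSubTree', 'TakeOwnership')
        if (-not $regKey) { throw "Registry key not found: $rootKey\$key" }
        try {
            # Step 2 - become owner (the descriptor object only carries the owner change here)
            $acl = New-Object System.Security.AccessControl.RegistrySecurity
            $acl.SetOwner($sid)
            $regKey.SetAccessControl($acl)

            # Step 3 - un-protect the DACL so the key inherits its parent's ACEs again;
            #          the explicit (TrustedInstaller-only) ACEs are not carried over
            $acl.SetAccessRuleProtection($false, $false)
            $regKey.SetAccessControl($acl)

            # Step 4 - recurse into sub-keys (needs a read handle; the TakeOwnership handle cannot enumerate)
            if ($recurse) {
                $readKey = $regKey.OpenSubKey('')
                try {
                    foreach ($subKey in $readKey.GetSubKeyNames()) {
                        Take-KeyPermissions $rootKey ($key + '\' + $subKey) $sid $recurse ($recurseLevel + 1)
                    }
                } finally { $readKey.Close() }
            }
        } finally { $regKey.Close() }
    }
    Take-KeyPermissions $rootKey $key $sid $recurse
}

# Delete all ExploitGuard ProcessMitigations stored in IFEO.
# Throws when not elevated. A key that cannot be processed is reported as a warning and
# skipped; the remaining keys are still handled.
function Remove-All-ProcessMitigations {

    if (!(Test-IsAdmin)) { throw "ERROR: No Administrator-Privileges detected!" }
    Get-SeTakeOwnershipPermissions

    $ifeoPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
    Get-ChildItem -Path $ifeoPath | ForEach-Object {
        $MitigationItem = $_
        $MitigationItemName = $MitigationItem.PSChildName

        Try {
            $hasOptions = [bool]$MitigationItem.GetValue("MitigationOptions")
            $hasAudit   = [bool]$MitigationItem.GetValue("MitigationAuditOptions")
            $hasFilter  = [bool]$MitigationItem.GetValue("UseFilter")   # mitigation with FilterFullPath sub-keys
            $isEmpty    = ($MitigationItem.SubKeyCount -eq 0) -and ($MitigationItem.ValueCount -eq 0)

            # Keys without mitigation data (e.g. a plain IFEO "Debugger" entry) are not ours:
            # leave their ownership and ACLs untouched.
            if (-not ($hasOptions -or $hasAudit -or $hasFilter -or $isEmpty)) { return }

            # Some entries are owned by TrustedInstaller and not modifiable by Administrators;
            # take ownership (-> Administrators) and fall back to inherited ACLs.
            # Done inside the Try so that one key we cannot take over does not abort the whole run.
            Reset-RegistryKeyPermissions "HKLM" "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$MitigationItemName"

            if ($hasOptions) {
                Write-Host "Removing MitigationOptions for: " $MitigationItemName
                Remove-ItemProperty -Path $MitigationItem.PSPath -Name "MitigationOptions" -ErrorAction Stop
            }
            if ($hasAudit) {
                Write-Host "Removing MitigationAuditOptions for: " $MitigationItemName
                Remove-ItemProperty -Path $MitigationItem.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop
            }
            if ($hasFilter) {
                Get-ChildItem -Path $MitigationItem.PSPath | ForEach-Object {
                    $FullPathItem = $_
                    if ($FullPathItem.GetValue("FilterFullPath")) {
                        Write-Host "Removing FullPathEntry: " $MitigationItemName "-" $FullPathItem.GetValue("FilterFullPath")
                        Remove-Item -Path $FullPathItem.PSPath -ErrorAction Stop
                    }
                }
                Remove-ItemProperty -Path $MitigationItem.PSPath -Name "UseFilter" -ErrorAction Stop
            }
            # Counts are re-read here: the key may only have become empty through the removals above
            if (($MitigationItem.SubKeyCount -eq 0) -and ($MitigationItem.ValueCount -eq 0)) {
                Write-Host "Removing empty Entry: " $MitigationItemName
                Remove-Item -Path $MitigationItem.PSPath -ErrorAction Stop
            }
        } Catch {
            Write-Warning ("ERROR: {0} - at ({1})" -f $_.Exception.Message, $MitigationItemName)
        }
    }
}


Remove-All-ProcessMitigations
--------------------------------------------------------------------------------
/Windows10-v1709_ExploitGuard-DefaultSettings.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Windows10-v1709_ExploitGuard-Security-Baseline.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Windows10-v1803_ExploitGuard-DefaultSettings.xml: 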
-------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | -------------------------------------------------------------------------------- /Windows10-v1803_ExploitGuard-Security-Baseline.xml: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | -------------------------------------------------------------------------------- /Windows10-v1809_ExploitGuard-DefaultSettings.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | -------------------------------------------------------------------------------- /Windows10-v1809_ExploitGuard-Security-Baseline.xml: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 
14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | -------------------------------------------------------------------------------- /Windows10-v1903_ExploitGuard-DefaultSettings.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | -------------------------------------------------------------------------------- /Windows10-v1903_ExploitGuard-Security-Baseline.xml: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 
-------------------------------------------------------------------------------- /Windows10-v1909_ExploitGuard-DefaultSettings.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | -------------------------------------------------------------------------------- /Windows10-v1909_ExploitGuard-DefaultSettings_Without-HyperV.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | -------------------------------------------------------------------------------- /Windows10-v1909_ExploitGuard-Security-Baseline.xml: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | -------------------------------------------------------------------------------- /Windows10-v2004_ExploitGuard-Security-Baseline.xml: 
-------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | -------------------------------------------------------------------------------- /Windows10-v2009_ExploitGuard-DefaultSettings.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | -------------------------------------------------------------------------------- /Windows10-v2009_ExploitGuard-DefaultSettings_Without-HyperV.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | -------------------------------------------------------------------------------- /Windows10-v2009_ExploitGuard-Security-Baseline.xml: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 
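--------------------------------------------------------------------------------
/Windows10-v2104_ExploitGuard-Security-Baseline.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Windows10_ExploitGuard-Config.ps1:
--------------------------------------------------------------------------------
# Windows10_ExploitGuard-Config.ps1
# Brings the Exploit-Guard (Exploit protection) configuration of a Windows 10 machine to a
# known state: removes all per-process mitigations, resets the system settings, then imports
# the OS default-settings XML and the Microsoft Security-Baseline XML for the detected release.
# Must be run from an elevated PowerShell. All files are resolved relative to the folder this
# script lives in, so it can be started from any working directory.

# $PSScriptRoot is empty when the script body is pasted into a console; fall back to the cwd then
$ScriptDir = $PSScriptRoot
if (-not $ScriptDir) { $ScriptDir = (Get-Location).Path }

# Check if Admin-Privileges are available (registry changes and Set-ProcessMitigation -System need them)
function Test-IsAdmin {
    ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
}
if (-not (Test-IsAdmin)) { throw "ERROR: No Administrator-Privileges detected!" }

$WindowsVersion = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\" -Name CurrentVersion).CurrentVersion
$WindowsRelease = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\" -Name ReleaseID).ReleaseId

# CurrentVersion "6.3" is what Windows 10 reports; ReleaseId (1709, 1803, ...) selects the XML files.
# NOTE(review): Windows stops incrementing ReleaseId at 2009 (20H2) and reports the marketing
# name in DisplayVersion instead, so later releases are served the v2009 files here - verify
# that this is the baseline you intend to apply.
if ($WindowsVersion -ne "6.3") { throw "Exploit-Guard Configuration only supported on Windows 10, but Version is $WindowsVersion" }
# Compare numerically; the registry value is a string
if ([int]$WindowsRelease -lt 1709) { throw "Exploit-Guard Configuration only supported on Windows 10 Release 1709 and higher, but Release is $WindowsRelease" }


Write-Host "Removing all Process Mitigations"
Write-Host "---------------------------------------------------------------------"
# Process scope only: lets the helper script run under a Restricted/AllSigned machine policy
# without changing that policy.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
& (Join-Path $ScriptDir "Remove-all-ProcessMitigations.ps1")

Write-Host "---------------------------------------------------------------------"
Write-Host "Resetting ExploitGuard System-Settings"
Set-ProcessMitigation -System -Reset

# Import one mitigation-policy XML from the script folder. A missing file is reported as an
# error (not just printed) so a half-configured machine - defaults reset, nothing imported -
# does not go unnoticed in automation.
function Import-MitigationPolicy([string] $fileName) {
    $XMLConfig = Join-Path $ScriptDir $fileName
    if (Test-Path $XMLConfig) {
        Write-Host "Applying $XMLConfig"
        Set-ProcessMitigation -PolicyFilePath $XMLConfig
    } else {
        Write-Error "ERROR: Config-File $XMLConfig for Windows 10 Release $WindowsRelease is missing!"
    }
}

# Same order as before: OS default settings first, then the baseline on top
Import-MitigationPolicy ("Windows10-v" + $WindowsRelease + "_ExploitGuard-DefaultSettings.xml")
Import-MitigationPolicy ("Windows10-v" + $WindowsRelease + "_ExploitGuard-Security-Baseline.xml")

--------------------------------------------------------------------------------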