SecurityPosture.ps1
|
<#PSScriptInfo .VERSION 0.9 .GUID db087c94-c946-450f-81a6-568db251c536 .AUTHOR @0fflineDocs .COMPANYNAME .COPYRIGHT .TAGS Device Security, Device Management .LICENSEURI .PROJECTURI .ICONURI .EXTERNALMODULEDEPENDENCIES .REQUIREDSCRIPTS .EXTERNALSCRIPTDEPENDENCIES .RELEASENOTES 0.9 - Added Attack Surface Reduction Rules, AppLocker, Application Control. .PRIVATEDATA #> <# .DESCRIPTION Security Posture is a powershell script for detecting status of different security related device features related to Microsoft 365 on Windows 10. Currently the script detects the status of: Operating System TPM Bitlocker UEFI SecureBoot Defender Cloud Protection Service (MAPS for Defender) Block at first Sight Defender for Endpoint Application Guard Windows Sandbox Credential Guard Device Guard Attack Surface Reduction Rules Controlled Folder Access AppLocker Application Control Each area listed above can be called as individual functions or every function in the script can be called utilizing the -All switch. The script will write entries to a log file residing at the client (C:\Windows\Temp\Client-SecurityPosture.log) which preferably is read using CMTrace or OneTrace. .EXAMPLE Query using indvidual switches: SecurityPosture -OS -TPMStatus -Bitlocker -UEFISECBOOT -Defender -DefenderforEndpoint -MAPS -ApplicationGuard -Sandbox -CredentialGuardPreReq -CredentialGuard -DeviceGuard -AttackSurfaceReduction -ControlledFolderAccess Query every function using the -All switch: SecurityPosture -All Query using functions: Get-BitLocker (returns information about Bitlocker in the PC) Get-OperatingSystem (returns the current PCs OS-Edition, Architecture, Version, and Buildnumber) #> [cmdletbinding( DefaultParameterSetName = 'Security' )] param( [switch]$SecPos, [switch]$Help, [Switch]$All, [switch]$OS, [switch]$TPMStatus, [switch]$Bitlocker, [switch]$UEFISECBOOT, [switch]$Defender, [switch]$DefenderforEndpoint, [switch]$MAPS, [switch]$BAFS, [switch]$ApplicationGuard, [switch]$Sandbox, [switch]$CredentialGuardPreReq, [switch]$CredentialGuard, [switch]$DeviceGuard, [switch]$AttackSurfaceReduction, [switch]$ControlledFolderAccess, [switch]$AppLocker, [switch]$ApplicationControl ) #Global Variables $ScriptVersion = "0.9" $clientPath = "C:\Windows\Temp" $PC = $env:computername $script:logfile = "$clientPath\Client-SecurityPosture.log" #Check for Elevevation If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(` [Security.Principal.WindowsBuiltInRole] "Administrator")) { Write-Warning "This script needs to be run from an elevated PShell prompt.`nWould you kindly restart Powershell and launch it as Administrator before running the script again." Write-Warning "Aborting Security Posture..." Break } ############################################## <# FUNCTIONS #> #Display descriptive information about the script and it's environment Function SecPos { Clear-Host Write-Output "----------------------------------------------" Write-Output " Script: Security Posture" Write-Output "----------------------------------------------" Write-Output " Version: $ScriptVersion" Write-Output "----------------------------------------------" Write-Output " Logfiles will be genereated to:" Write-Output " $script:logfile" Write-Output "----------------------------------------------" Write-Output " Help: 'Securityposture -Help'" Write-Output "----------------------------------------------" Write-Output " @0fflineDocs" Write-Output "----------------------------------------------" } Function Help { Write-Host "[HELP]" -ForegroundColor Green Write-Host "The script will write entries to a log file residing at the client at this location: (C:\Windows\Temp\Client-SecurityPosture.log)" `n -ForegroundColor White Write-Host "You can query this script using indvidual switches and choose which ones you want to use:" -ForegroundColor Yellow Write-Host "SecurityPosture -OS -TPMStatus -Bitlocker -UEFISECBOOT -Defender -DefenderforEndpoint -MAPS -BAFS -ApplicationGuard -Sandbox -CredentialGuardPreReq -CredentialGuard -DeviceGuard -AttackSurfaceReduction -ControlledFolderAccess" `n -ForegroundColor White Write-Host "You can also query every switch in this script using a global switch which includes all available options." -ForegroundColor Yellow Write-Host "SecurityPosture -All" `n -ForegroundColor White Write-Host "Each switch can also be queried separately as a function:" -ForegroundColor Yellow Write-Host "Get-BitLocker (returns information about Bitlocker in the PC)" -ForegroundColor White Write-Host "Get-OperatingSystem (returns the current PCs OS-Edition, Architecture, Version, and Buildnumber)" `n -ForegroundColor White } function Write-LogEntry { [cmdletBinding()] param ( [ValidateSet("Information", "Warning", "Error", "Success")] $Type = "Information", [parameter(Mandatory = $true)] $Message ) switch ($Type) { 'Error' { $severity = 1 $fgColor = "Red" break; } 'Warning' { $severity = 3 $fgColor = "Yellow" break; } 'Information' { $severity = 6 $fgColor = "White" break; } 'Success' { $severity = 6 $fgColor = "Green" break; } } $dateTime = New-Object -ComObject WbemScripting.SWbemDateTime $dateTime.SetVarDate($(Get-Date)) $utcValue = $dateTime.Value $utcOffset = $utcValue.Substring(21, $utcValue.Length - 21) $scriptName = (Get-PSCallStack)[1] $logLine = ` "<![LOG[$message]LOG]!>" + ` "<time=`"$(Get-Date -Format HH:mm:ss.fff)$($utcOffset)`" " + ` "date=`"$(Get-Date -Format M-d-yyyy)`" " + ` "component=`"$($scriptName.Command)`" " + ` "context=`"$([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)`" " + ` "type=`"$severity`" " + ` "thread=`"$PID`" " + ` "file=`"$($scriptName.ScriptName)`">"; $logLine | Out-File -Append -Encoding utf8 -FilePath $logFile -Force Write-Host $Message -ForegroundColor $fgColor } Function Get-OperatingSystem(){ <# .DESCRIPTION Checks the current PCs Operating System Edition, Architecture, Version, and Buildnumber. .EXAMPLE Get-OperatingSystem #> #Pre-Req for Get-CimInstance Get-Service -Name WinRM | Start-Service #Variable $win32os = Get-CimInstance Win32_OperatingSystem -computername $PC | Select-Object Caption, OSArchitecture, Version, Buildnumber, OperatingSystemSKU -ErrorAction silentlycontinue try { Write-LogEntry -Message "[Operating System]" $WindowsEdition = $win32os.Caption $OSArchitecture = $win32os.OSArchitecture $WindowsBuild = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion"-ErrorAction silentlycontinue).ReleaseId $BuildNumber = $win32os.Buildnumber Write-LogEntry -Message "OS-Edition is: $WindowsEdition" Write-LogEntry -Message "OS-Architecture is: $OSArchitecture" Write-LogEntry -Message "OS-Version is: $WindowsBuild" Write-LogEntry -Message "OS-Buildnumber is: $BuildNumber" } catch { Write-Error $_.Exception break } } Function Get-TPMStatus(){ <# .DESCRIPTION Checks if the TPM is enabled and configured correctly in the device. .EXAMPLE Get-TPMStatus #> #Variable $TPMStatus = (Get-TPM) try { Write-LogEntry -Message "[TPM]" if ($TPMStatus.TPMEnabled -contains "True") { Write-LogEntry -Type Success -Message "TPM-chip is enabled in $PC" } else { Write-LogEntry -Message "TPM is not enabled in $PC" } if ($TPMStatus.TPMActivated-contains "True") { Write-LogEntry -Type Success -Message "TPM-chip is activated in $PC" } else { Write-LogEntry -Message "TPM is not activated in $PC" } } catch [System.Exception] { Write-LogEntry -Message "Failed to check status of $TPM" } catch { Write-Error $_.Exception break } } Function Get-Bitlocker(){ <# .DESCRIPTION Get the BitlockerVolume and checks Volume status, Encryption method & percentage, mountpoint, the type of volume, the protection status of Bitlocker and it's Keyprotector. .EXAMPLE Get-Bitlocker #> $BitlockerStatus = Get-BitLockerVolume | Select-Object volumestatus,encryptionmethod,encryptionpercentage,mountpoint,VolumeType,ProtectionStatus,Keyprotector | Where-Object { $_.VolumeType -eq "OperatingSystem" -and $_.ProtectionStatus -eq "On" } -erroraction silentlycontinue try { Write-LogEntry -Message "[Bitlocker]" switch ($BitlockerStatus.encryptionmethod) { Aes128 { $true } Aes256 { $true } Aes128Diffuser { $true } Aes256Diffuser { $true } XtsAes128 { $true } XtsAes256 { $true } Default { $false } } try { if ($BitlockerStatus.ProtectionStatus -eq "On") { Write-LogEntry -Type Success -Message "Bitlocker is enabled and configured correctly in $PC" Write-LogEntry -Message "Volumestatus: $($BitlockerStatus.Volumestatus)" Write-LogEntry -Message "Encryption Method: $($BitlockerStatus.Encryptionmethod)" Write-LogEntry -Message "Encryption Percentage: $($BitlockerStatus.EncryptionPercentage)" Write-LogEntry -Message "Mountpoint: $($BitlockerStatus.MountPoint)" Write-LogEntry -Message "Volumetype: $($BitlockerStatus.VolumeType)" Write-LogEntry -Message "Protectionstatus: $($BitlockerStatus.ProtectionStatus)" Write-LogEntry -Message "KeyProtector: $($BitlockerStatus.Keyprotector)" } else { Write-LogEntry -Type Warning -Message "Bitlocker is not enabled and not configured correctly in $PC" } } catch [System.Exception] { Write-LogEntry -Type Error -Message "Failed to check status of $Bitlocker" } } catch { Write-Error $_.Exception break } } Function Get-UefiSecureBoot(){ <# .DESCRIPTION Checks if Secure Boot and UEFI is enabled and configured correctly in the device (based on powershell-command). .EXAMPLE Get-UefiSecureBoot #> #Variable $UEFISECBOOTStatus = Confirm-SecureBootUEFI -ErrorAction SilentlyContinue try { Write-LogEntry -Message "[UEFI & SecureBoot]" if ($UEFISECBOOTStatus -eq "True") { Write-LogEntry -Type Success -Message "UEFI & Secureboot enabled and configured correctly." } else { Write-LogEntry -Type Warning -Message "UEFI and Secure Boot is not enabled correctly, please check the BIOS configuration." } } catch [System.Exception] { Write-LogEntry -Type Error -Message "Failed to check status of $UEFISECBOOT" } catch { Write-Error $_.Exception break } } Function Get-Defender(){ <# .DESCRIPTION Resolves status of Windows Defender (Defender Service, Antivirus, Antispyware, Realtime Protection, Tamper Protection, IOAV Protection, Network Protection, PUAProtection). (IOAV = IE/EDGE Downloads and Outlook Express Attachments initiated) .EXAMPLE Get-Defender #> #Variable $Current = Get-Location $p = Get-MpPreference $c = Get-MpComputerStatus $p = @($p) $Defenderstatus = ($p += $c) Set-Location $Current try { Write-LogEntry -Message "[Defender]" $Service = get-service -DisplayName "Microsoft Defender Antivirus Service" -ErrorAction SilentlyContinue if ($Service.Status -eq "Running") { Write-LogEntry -Type Success -Message "Microsoft Defender Antivirus Service is active and running in $PC" } else { Write-LogEntry -Type Warning -Message "Defender Service is not running." } if ($Defenderstatus.AntivirusEnabled -eq "True") { Write-LogEntry -Type Success -Message "Antivirus is enabled." } else { Write-LogEntry -Type Error -Message "Antivirus is disabled." } if ($Defenderstatus.AntispywareEnabled -eq "True") { Write-LogEntry -Type Success -Message "Antispyware is enabled." } else { Write-LogEntry -Type Warning -Message "Antispyware is disabled." } if ($Defenderstatus.RealTimeProtectionEnabled -eq "True") { Write-LogEntry -Type Success -Message "Real Time Protection is enabled." } else { Write-LogEntry -Type Warning -Message "Real Time Protection is disabled." } if ($Defenderstatus.IsTamperProtected -eq "True") { Write-LogEntry -Type Success -Message "Tamper Protection is enabled." } else { Write-LogEntry -Type Warning -Message "Tamper Protection is disabled." } if ($Defenderstatus.IoavProtectionEnabled -eq "True") { Write-LogEntry -Type Success -Message "IOAV Protection is enabled." } else { Write-LogEntry -Type Warning -Message "IOAV Protection is disabled." } if ($Defenderstatus.EnableNetworkProtection -eq "1") { Write-LogEntry -Type Success -Message "Network Protection is enabled." } else { Write-LogEntry -Type Warning -Message "Network Protection is disabled." } if ($Defenderstatus.PUAProtection -eq "2") { Write-LogEntry -Type Warning -Message "Potentionally Unwanted Application Protection is in Audit mode." } elseif ($Defenderstatus.PUAProtection -eq "1") { Write-LogEntry -Type Success -Message "Potentionally Unwanted Application Protection is enabled." } Else { Write-LogEntry -Type Warning -Message "Potentionally Unwanted Application Protection is disabled." } } catch [System.Exception] { Write-LogEntry -Type Error -Message "Failed to check status of $Defender" } catch { Write-Error $_.Exception break } } Function Get-DefenderforEndpoint(){ <# .DESCRIPTION Checks Defender for Endpoint (formerly Defender ATP) service status. .EXAMPLE Get-DefenderforEndpoint #> #Variable $ATPStatus = get-service -ServiceName "Sense" -ErrorAction SilentlyContinue try { Write-LogEntry -Message "[Defender for Endpoint]" if ($ATPStatus.Status -eq "Running") { Write-Logentry -Type Success -Message "Defender for Endpoint Service is running." } else { Write-LogEntry -Type Warning -Message "Defender for Endpoint Service is not running." } } catch [System.Exception] { Write-LogEntry -Type Error -Message "Failed to check status of $ATP" } catch { Write-Error $_.Exception break } } Function Get-MAPS(){ <# .DESCRIPTION Checks MAPS for status of cloud-delivered protection URL: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus#validate-connections-between-your-network-and-the-cloud" .EXAMPLE Get-MAPS #> #Variable $Current = Get-Location $MAPS = Set-Location "C:\Program Files\Windows Defender\" $Test = (.\MpCmdRun.exe -validatemapsconnection) Set-Location $Current try { Write-LogEntry -Message "[MAPS - Cloud-delivered protection for Windows Defender]" If ($Test -eq "ValidateMapsConnection successfully established a connection to MAPS") { Write-LogEntry -Type Success -Message "ValidateMapsConnection successfully established a connection to MAPS. Cloud-delivered protection is enabled." } else { Write-LogEntry -Type Warning -Message "ValidateMapsConnection failed. Verify that you have enabled Cloud-delivered protection." } } catch [System.Exception] { Write-LogEntry -Type Error -Message "Failed to check status of $MAPS" } catch { Write-Error $_.Exception break } } Function Get-BAFS(){ <# .DESCRIPTION Checks if 'Block at first Sight' is configured for Windows Defender Source: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide .EXAMPLE Get-BAFS #> #Variable $Current = Get-Location $p = Get-MpPreference $c = Get-MpComputerStatus $p = @($p) $Defenderstatus = ($p += $c) Set-Location $Current try { Write-LogEntry -Message "[Block at first sight for Windows Defender]" $p1 = ($Defenderstatus.DisableBlockAtFirstSeen -eq "0") $p2 = ($Defenderstatus.CloudBlockLevel -eq "High") $p3 = ($Defenderstatus.CloudExtendedTimeout -eq "50") $p4 = ($Defenderstatus.SubmitSamplesConsent -eq "Always") if ($p1 + $p2 + $p3 + $p4 -eq $True) { Write-LogEntry -Type Success -Message "Block at first sight is enabled and configured according to best practise." } else { Write-LogEntry -Type Warning -Message "Block at first sight is not configured for optimal security." } } catch [System.Exception] { Write-LogEntry -Type Error -Message "Failed to check status of $BAFS" } catch { Write-Error $_.Exception break } } Function Get-ApplicationGuard(){ <# .DESCRIPTION Checks Application Guard-status .EXAMPLE Get-ApplicationGuard #> #Variable $ApplicationGuardStatus = Get-WindowsOptionalFeature -Online -Featurename Windows-Defender-ApplicationGuard -ErrorAction SilentlyContinue try { Write-LogEntry -Message "[Application Guard]" if ($ApplicationGuardStatus.State = "Enabled") { Write-Logentry -Type Success -Message "Windows Defender Application Guard is installed and enabled." } else { Write-LogEntry -Type Warning -Message "Windows Defender Application Guard is not enabled." } } catch [System.Exception] { Write-LogEntry -Type Error -Message "Failed to check status of $ApplicationGuard" } catch { Write-Error $_.Exception break } } Function Get-Sandbox(){ <# .DESCRIPTION Checks if Sandbox is enabled and installed. .EXAMPLE Get-Sandbox #> #Variable $Sandboxstatus = Get-WindowsOptionalFeature -Online -Featurename Containers-DisposableClientVM -ErrorAction SilentlyContinue try { Write-LogEntry -Message "[Sandbox]" if ($Sandboxstatus.State = "Enabled") { Write-Logentry -Type Success -Message "Windows Sandbox is installed and enabled." } else { Write-LogEntry -Type Warning -Message "Windows Sandbox is not enabled." } } catch [System.Exception] { Write-LogEntry -Type Error -Message "Failed to check status of $Sandbox" } catch { Write-Error $_.Exception break } } Function Get-CredentialGuardPreReq(){ <# .DESCRIPTION Checks status of pre-requesits for Credential Guard .EXAMPLE Get-CredentialGuardPreReq #> #Variable $CGPrereq = Get-WindowsOptionalFeature -Online -Featurename Microsoft-Hyper-V-All -ErrorAction SilentlyContinue try { Write-LogEntry -Message "[Credential Guard Pre-requisite]" $CGPrereq = Get-WindowsOptionalFeature -Online -Featurename Microsoft-Hyper-V-All -ErrorAction SilentlyContinue if ($CGPrereq.state = "Enabled") { Write-LogEntry -Type Success -Message "Credential Guard prerequisite Hyper V is installed and enabled." } else { Write-LogEntry -Type Warning -Message "Feature: Microsoft-Hyper-V-All is not installed/enabled." } } catch [System.Exception] { Write-LogEntry -Type Error -Message "Failed to check status of $CredentialGuardPreReq" } catch { Write-Error $_.Exception break } } Function Get-CredentialGuard(){ <# .DESCRIPTION Checks status of Credential Guard .EXAMPLE Get-CredentialGuard #> #Variable $CredentialguardStatus = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue try { Write-LogEntry -Message "[Credential Guard]" if ($CredentialGuardStatus.SecurityServicesRunning -like 1) { Write-Logentry -Type Success -Message "Credential Guard Services are running." } else { Write-LogEntry -Type Warning -Message "Credential Guard Services are not running." } if ($CredentialGuardStatus.SecurityServicesConfigured -like 1) { Write-Logentry -Type Success -Message "Credential Guard is configured." } else { Write-LogEntry -Type Warning -Message "Credential Guard is not configured." } } catch [System.Exception] { Write-LogEntry -Type Error -Message "Failed to check status of $CredentialGuard" } catch { Write-Error $_.Exception break } } Function Get-DeviceGuard(){ <# .DESCRIPTION Checks status of Device Guard .EXAMPLE Get-DeviceGuard #> #Variables $DevGuardStatus = Get-CimInstance -classname Win32_DeviceGuard -namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue $DevGuardInfo = Get-Computerinfo | Select-Object -Property DeviceGuard* try { Write-LogEntry -Message "[Device Guard]" if ($DevGuardStatus.CodeIntegrityPolicyEnforcementStatus -like 1) { Write-Logentry -Type Success -Message "Device Guard Code Integrity Policy is activated and enforced." } else { Write-LogEntry -Type Warning -Message "Device Guard Code Integrity Policy is not activated." } if ($DevGuardStatus.SecurityServicesRunning -like 1) { Write-Logentry -Type Success -Message "Device Guard services are running." } else { Write-LogEntry -Type Warning -Message "Device Guard services are not running." } if ($DevGuardInfo.DeviceGuardCodeIntegrityPolicyEnforcementStatus -eq "AuditMode") { Write-LogEntry -Type Warning -Message "Device Guard Code Integrity is currently in Audit Mode." } else { } if ($DevGuardInfo.DeviceGuardSmartStatus -like 1) { Write-LogEntry -Type Success -Message "Device Guard Smart Status is running." } else { Write-LogEntry -Type Warning -Message "Device Guard Smart Status is not running." } if ($DevGuardInfo.DeviceGuardSecurityServicesRunning -like "CredentialGuard") { Write-LogEntry -Type Success -Message "Credential Guard is running." } else { Write-LogEntry -Type Warning -Message "Credential Guard is not running." } if ($DevGuardInfo.DeviceGuardSecurityServicesConfigured -like "CredentialGuard") { Write-LogEntry -Type Success -Message "Credential Guard is configured." } else { Write-LogEntry -Type Warning -Message "Credential Guard is not configured." } } catch [System.Exception] { Write-LogEntry -Type Error -Message "Failed to check status of $DeviceGuard" } catch { Write-Error $_.Exception break } } Function Get-AttackSurfaceReduction(){ <# .DESCRIPTION Checks status of AttackSurfaceReduction .EXAMPLE Get-AttackSurfaceReduction #> #Variables $Current = Get-Location $RulesIds = Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids $RulesActions = Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions $counter = 0 $RulesIdsArray = @() $RulesIdsArray += $RulesIds Set-Location $Current try { Write-LogEntry -Message "[Attack Surface Reduction]" Write-Host "Attack Surface Reduction Rules are configured as follows:" ForEach ($j in $RulesIds) { ## Convert GUID into Rule Name If ($RulesIdsArray[$counter] -eq "D4F940AB-401B-4EFC-AADC-AD5F3C50688A"){$RuleName = "Block all Office applications from creating child processes"} ElseIf ($RulesIdsArray[$counter] -eq "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC"){$RuleName = "Block execution of potentially obfuscated scripts"} ElseIf ($RulesIdsArray[$counter] -eq "92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B"){$RuleName = "Block Win32 API calls from Office macro"} ElseIf ($RulesIdsArray[$counter] -eq "3B576869-A4EC-4529-8536-B80A7769E899"){$RuleName = "Block Office applications from creating executable content"} ElseIf ($RulesIdsArray[$counter] -eq "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84"){$RuleName = "Block Office applications from injecting code into other processes"} ElseIf ($RulesIdsArray[$counter] -eq "D3E037E1-3EB8-44C8-A917-57927947596D"){$RuleName = "Block JavaScript or VBScript from launching downloaded executable content"} ElseIf ($RulesIdsArray[$counter] -eq "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550"){$RuleName = "Block executable content from email client and webmail"} ElseIf ($RulesIdsArray[$counter] -eq "01443614-cd74-433a-b99e-2ecdc07bfc25"){$RuleName = "Block executable files from running unless they meet a prevalence, age, or trusted list criteria"} ElseIf ($RulesIdsArray[$counter] -eq "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2"){$RuleName = "Block credential stealing from the Windows local security authority subsystem (lsass.exe)"} ElseIf ($RulesIdsArray[$counter] -eq "d1e49aac-8f56-4280-b9ba-993a6d77406c"){$RuleName = "Block process creations originating from PSExec and WMI commands"} ElseIf ($RulesIdsArray[$counter] -eq "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4"){$RuleName = "Block untrusted and unsigned processes that run from USB"} ElseIf ($RulesIdsArray[$counter] -eq "26190899-1602-49e8-8b27-eb1d0a1ce869"){$RuleName = "Block Office communication applications from creating child processes"} ElseIf ($RulesIdsArray[$counter] -eq "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c"){$RuleName = "Block Adobe Reader from creating child processes"} ElseIf ($RulesIdsArray[$counter] -eq "e6db77e5-3df2-4cf1-b95a-636979351e5b"){$RuleName = "Block persistence through WMI event subscription"} ElseIf ($RulesIdsArray[$counter] -eq "c1db55ab-c21a-4637-bb3f-a12568109d35"){$RuleName = "Use advanced protection against ransomware"} ## Check the Action type If ($RulesActions[$counter] -eq 0){$RuleAction = "Disabled"} ElseIf ($RulesActions[$counter] -eq 1){$RuleAction = "Block"} ElseIf ($RulesActions[$counter] -eq 2){$RuleAction = "Audit"} ## Add Color to message based on Action type If ($RulesActions[$counter] -eq 1) {$FGColor = "Green"} ElseIf ($RulesActions[$counter] -eq 2) {$FGColor = "Yellow"} ElseIf ($RulesActions[$counter] -eq 0) {$FGColor = "Red"} ## Output Rule Id, Name and Action #Write-Host "Rule:" $RuleName Write-LogEntry -Message "Rule: $RuleName Action: $RuleAction" Write-Host "Action:" "[$RuleAction]" -ForegroundColor $FGColor $counter++ } } catch [System.Exception] { Write-LogEntry -Type Error -Message "Failed to check status of $AttackSurfaceReduction" } catch { Write-Error $_.Exception break } } Function Get-ControlledFolderAccess(){ <# .DESCRIPTION Checks status of Controlled Folder Access .EXAMPLE Get-ControlledFolderAccess #> #Variable $Current = Get-Location $p = Get-MpPreference -ErrorAction SilentlyContinue $c = Get-MpComputerStatus -ErrorAction SilentlyContinue $p = @($p) $CFAstatus = ($p += $c) Set-Location $Current try { Write-LogEntry -Message "[Controlled Folder Access]" if ($CFAstatus.EnableControlledFolderAccess -eq "2") { Write-LogEntry -Type Warning -Message "Controlled Folder Access is enabled and in audit mode." } elseif ($CFAstatus.EnableControlledFolderAccess -eq "1") { Write-LogEntry -Type Success -Message "Controlled Folder Access is configured and enforced." } else { Write-LogEntry -Type Warning -Message "Controlled Folder Access is not configured." } } catch [System.Exception] { Write-LogEntry -Type Error -Message "Failed to check status of $ControlledFolderAccess" } catch { Write-Error $_.Exception break } } Function Get-Applocker(){ <# .DESCRIPTION Counts and presents amount of AppLocker events in client, based on Get-AppLockerFileInformation .EXAMPLE Get-Applocker #> #Variable $ApplockerAudited = (Get-AppLockerFileInformation -EventLog -EventType Audited).count $ApplockerAllowed = (Get-AppLockerFileInformation -eventlog -EventType Allow).count $ApplockerDenied = (Get-AppLockerFileInformation -eventlog -EventType Denied).count try { Write-LogEntry -Message "[AppLocker]" Write-LogEntry -Message "Audited AppLocker Events: $AppLockerAudited" Write-LogEntry -Message "Allowed AppLocker Events: $AppLockerAllowed" Write-LogEntry -Message "Denied AppLocker Events: $AppLockerDenied" } catch [System.Exception] { Write-LogEntry -Type Error -Message "Failed to check status of AppLocker" } catch { Write-Error $_.Exception break } } Function Get-ApplicationControl(){ <# .DESCRIPTION Checks status of Application Control based on events in Microsoft-Windows-CodeIntegrity/Operational .EXAMPLE Get-ApplicationControl #> #Variable $ApplicationControlStatus = (Get-Winevent Microsoft-Windows-CodeIntegrity/Operational) try { Write-LogEntry -Message "[Application Control]" if ($ApplicationControlStatus.id -eq "3076") { Write-LogEntry -Type Warning -Message "Application Control is enabled and in audit mode." } elseif ($ApplicationControlStatus.id -eq "3077") { Write-LogEntry -Type Success -Message "Application Control is configured and enforced." } else { Write-LogEntry -Type Warning -Message "Application Control is not configured." } } catch [System.Exception] { Write-LogEntry -Type Error -Message "Failed to check status of Application Control" } catch { Write-Error $_.Exception break } } <################ SWITCHES #################> if($SecPos){ SecPos } if($Help){ Help } if($OS){ Get-OperatingSystem } if ($TPM) { Get-TPMStatus } if ($Bitlocker) { Get-Bitlocker } if ($UEFISECBOOT) { Get-UefiSecureBoot } if ($Defender) { Get-Defender } if ($DefenderforEndpoint) { Get-DefenderforEndpoint } if ($MAPS) { Get-MAPS } if ($BAFS) { Get-BAFS } if($ApplicationGuard){ Get-ApplicationGuard } if($Sandbox){ Get-Sandbox } if($CredentialGuardPreReq){ Get-CredentialGuardPreReq } if ($CredentialGuard) { Get-CredentialGuard } if ($DeviceGuard) { Get-DeviceGuard } if ($AttackSurfaceReduction) { Get-AttackSurfaceReduction } if ($ControlledFolderAccess) { Get-ControlledFolderAccess } if ($AppLocker) { Get-AppLocker } if ($ApplicationControl) { Get-ApplicationControl } if ($All) { SecPos Get-OperatingSystem Get-TPMStatus Get-Bitlocker Get-UefiSecureBoot Get-Defender Get-DefenderforEndpoint Get-MAPS Get-BAFS Get-ApplicationGuard Get-Sandbox Get-CredentialGuardPreReq Get-CredentialGuard Get-DeviceGuard Get-AttackSurfaceReduction Get-ControlledFolderAccess Get-AppLocker Get-ApplicationControl } |