Skip to content
/ MDE_Enum Public

comprehensive .NET tool designed to extract and display detailed information about Windows Defender exclusions and Attack Surface Reduction (ASR) rules without Admin privileges

License

MIT license
190 stars 16 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

0xsp-SRD/MDE_Enum

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
Properties
Properties
 
 
App.config
App.config
 
 
LICENSE
LICENSE
 
 
MDE_Enum.csproj
MDE_Enum.csproj
 
 
Program.cs
Program.cs
 
 
README.md
README.md
 
 
funcs.cs
funcs.cs
 
 

Repository files navigation

MDE_Enum

MDE_Enum is a comprehensive .NET tool designed to extract and display detailed information about Windows Defender exclusions and Attack Surface Reduction (ASR) rules. It is capable of querying both local and remote systems effectively, even from a low-user context, making it a versatile tool for system administrators and security professionals.

Features

  • Local and Remote Query Support: Seamlessly query Windows Defender settings on both local and remote machines.
  • User-Context: Operates efficiently from a low-user context, eliminating the need for administrative permissions.
  • Windows Defender Exclusions: Retrieve and list all exclusion paths configured in Windows Defender.
  • Attack Surface Reduction (ASR) Rules: Enumerate ASR rules, displaying both the IDs and their corresponding names for easy identification.
  • Triggered ASR Events: Extract and list all triggered ASR events to monitor system security activities.
  • Detailed Output: Presents information in a clear, tabulated format for easy reading and analysis.

Usage

Windows Defender exclusion paths

This feature extracts the values from Windows Event ID 5007 logs. The tool uses regex pattern matching to accurately extract these values from the event description text.

  1. Enumerate exclusion paths locally
MDE_Enum /local /paths

MDE_Enum /local /paths /access (check if current user has write access)
  1. Enumerate exclusion paths on remote computers
MDE_Enum <remoteComputer> <username> <password> <domain> /paths

Triggered ASR Rules

This feature extracts the values from Windows Event ID 1121 logs. The tool uses regex pattern matching to accurately extract these values from the event description text.

  1. Enumerate logged ASR rules locally
MDE_Enum /local /asr
  1. Enumerate logged ASR rules on remote computers
MDE_Enum <remoteComputer> <username> <password> <domain> /asr

Enumerate ASR Rules

This feature extracts the Attack Surface Reduction (ASR) rules from the MSFT_MpPreference WMI class and provides a comprehensive status of the rules along with their corresponding names.

  1. Enumerate the rules locally
MDE_Enum /local /asr /alt
  1. Enumerate the rules on remote computers.
MDE_Enum <remoteComputer> <domain> <username> <password> /asr /alt

Acknowledgements

About

comprehensive .NET tool designed to extract and display detailed information about Windows Defender exclusions and Attack Surface Reduction (ASR) rules without Admin privileges

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

190 stars

Watchers

4 watching

Forks

16 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages