Create Get-DeletedShortcutInfo #46

Open. Wants to merge 1 commit into base: master
67 changes: 67 additions & 0 deletions ASR_scripts/Get-DeletedShortcutInfo
@@ -0,0 +1,67 @@
# For MDE P1 and Windows E3 customers that do not have access to "Advanced Hunting" (MDE's Kusto Query Language (KQL)).
# This powershell script will create a list of shortcuts that have been remediated by ASR Rules - “Block Win32 API calls from Office macro” - block mode.

# What it does?
# Deploy the Powershell script below to all the clients.
# Replace line 16 $CsvPath = '\\FileServerName\ShareName\masterfile.csv', with the actual FileServerName, and Sharename.
# It will go ahead and dump the path/exe information from Event ID 1121, Windows Defender Operational event log and file description and remove duplicates.
#requires -psedition Desktop

param
(
$LogName = 'Microsoft-Windows-Windows Defender/Operational',
$ProviderName = 'Microsoft-Windows-Windows Defender',
$Id = 1121,
$Level = 3, #[System.Diagnostics.Eventing.Reader.StandardEventLevel]::Warning
$CsvPath = '\\FileServerName\ShareName\masterfile.csv'
)

function Get-ShortcutName
{
param
(
$Path
)

$file = Get-Item -Path $Path
$shortcutName = $file.VersionInfo.FileDescription
if ($file.Extension -eq 'library.ms')
{
$shortcutName = $libraryMapper[$file.Name]
}

return $shortcutName
}

$libraryApp = @{
LogName = $LogName
ProviderName = $ProviderName
Id = $Id
Level = $Level
}

$libraryMapper = @{
'Camera Roll.library-ms' = 'Camera Roll'
'Documents.library-ms' = 'Documents'
'Music.library-ms' = 'Music'
'Pictures.library-ms' = 'Pictures'
'Saved Pictures.library-ms' = 'Saved Pictures'
'Videos.library-ms' = 'Videos'
}

$result = [System.Collections.Generic.List[psobject]]::new()

foreach ($e in (Get-WinEvent -FilterHashtable $libraryApp))
{
[xml]$eventAsXml = $e.ToXml()
$processPath = $eventAsXml.Event.EventData.Data.Where({ $_.Name -eq 'Path' }).'#text'
$targetCommandline = $eventAsXml.Event.EventData.Data.Where({ $_.Name -eq 'Target Commandline' }).'#text'
$result.Add([PSCustomObject]@{
'Target File' = $processPath
'Shortcut Path' = $targetCommandline
'Shortcut Name' = (Get-ShortcutName -Path $processPath)
})
}

Write-Host -MessageData "Exporting to CSV ($CsvPath)"
$result | Export-Csv -Path $CsvPath -Append -NoTypeInformation