NOTE

Please refer to ASR Medkit 2.0


After analysing Microsoft’s blog post "Recovering from Attack Surface Reduction rule shortcut deletions", I’ve decided to pitch in and make the application list dynamic.

Note: Tonight (16/01/23) Microsoft updated their V1.0 script to V1.1, which uses Shadow Copies. Since I don’t use Shadow Copies and have all restore points disabled, my script is still based on Version 1.0.

How is it different?

The main difference is the Programs array, which is not static but retrieved from my public repo. The file is in JSON format, and the first row records the last time the file was updated (which allows us to dynamically re-run the FixShortcuts file). This leverages the Intune Win32 app mechanism of trying to detect the app every 8 hours.

How does the detection work?

The detection reads only the first row of the AppList JSON file and compares it with the last row of the ShortcutRepairs.log file created under %temp%. If the entry from the JSON file is newer, the app is not detected, which forces the script to run again and re-check all the shortcuts (old and newly added).
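The comparison described above, written as an Intune custom detection script (exit code 0 plus output on STDOUT means "detected"). This is an added example, not the author's detection file; the `LastUpdated` field name, the JSON array layout and the log line layout are assumptions made for illustration.

```powershell
# Added example, not the author's detection file.
# ASSUMPTIONS: AppList.json is a JSON array whose first element has a
# 'LastUpdated' ISO 8601 field (hypothetical name), and every log line
# starts with an ISO 8601 timestamp followed by whitespace.
$ErrorActionPreference = 'Stop'
$Url     = 'https://raw.githubusercontent.com/schenardie/ASRmageddon/main/V1/AppList.json'
$LogPath = Join-Path $env:TEMP 'ShortcutRepairs.log'

function ConvertTo-UtcTime {
    param([Parameter(Mandatory)]$Value)
    # Accepts a string or a DateTime (PowerShell 7 parses JSON dates itself).
    return ([datetime]$Value).ToUniversalTime()
}

try {
    # Windows PowerShell 5.1 may not negotiate TLS 1.2 by default.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    # Only the first row matters for detection; the rest is for the installer.
    $raw      = (Invoke-WebRequest -Uri $Url -UseBasicParsing).Content
    $rows     = ConvertFrom-Json -InputObject $raw
    $first    = @($rows)[0]
    $listTime = ConvertTo-UtcTime -Value $first.LastUpdated

    # No log means the repair script has never run in this context.
    if (-not (Test-Path -LiteralPath $LogPath)) { exit 1 }

    $lastLine = Get-Content -LiteralPath $LogPath -Tail 1
    $logTime  = ConvertTo-UtcTime -Value (($lastLine -split '\s+', 2)[0])

    # List newer than the last repair: report "not detected" so Intune
    # runs FixShortcuts.ps1 again on its next evaluation.
    if ($listTime -gt $logTime) { exit 1 }

    Write-Output "Shortcuts repaired against list dated $($listTime.ToString('u'))"
    exit 0
}
catch {
    # Download, parse or timestamp failure: treat as not detected.
    exit 1
}
```

Because the URL tracks the `main` branch, anyone who can push to that repository decides which shortcuts are recreated on every managed device; passing `-url` a reviewed copy of AppList.json hosted somewhere you control removes that dependency.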

How to install?

You can download the .intunewin file from here and use the following as the Install command:

%windir%\sysnative\windowspowershell\v1.0\powershell.exe -executionPolicy bypass -windowstyle hidden -file .\FixShortcuts.ps1 -url https://raw.githubusercontent.com/schenardie/ASRmageddon/main/V1/AppList.json

As detection you can use the following file

How to contribute?

If you would like to contribute to my list, please reach out to me via Twitter or e-mail, or feel free to fork the repo and open a Pull Request.

Thanks for reading and hope that this helps you with getting all your user shortcuts back.
