@LuemmelSec
Created July 6, 2025 07:47
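# Correlate the ASR rule GUIDs configured on this host (Get-MpPreference) with the
# friendly rule names published in Microsoft's ASR reference page, and print the
# configured action per rule so Audit/Warn-only rules are distinguishable from Block.
# Requires Windows 10+ with Microsoft Defender and outbound HTTPS to learn.microsoft.com.

# 1. Fetch and extract the ASR rule table block
$asrUrl = "https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#asr-rule-to-guid-matrix"
try {
    $page = Invoke-WebRequest -Uri $asrUrl -UseBasicParsing -ErrorAction Stop
} catch {
    throw "Could not download the ASR reference page from $asrUrl : $($_.Exception.Message)"
}
# Extract the table HTML after the ASR heading. If Microsoft reshapes the page this
# match comes back empty; that is detected below instead of silently labelling every
# local rule "(Not found in MS reference)".
$tableBlock = [regex]::Match($page.Content, '(?is)<h2 id="asr-rule-to-guid-matrix">.*?<table.*?>(.*?)</table>').Groups[1].Value
if ([string]::IsNullOrWhiteSpace($tableBlock)) {
    throw "ASR rule table not found on the reference page; the page layout may have changed."
}

# 2. Parse each table row (skip header, only rows with two <td>s)
# (?is) lets a cell span lines; the previous pattern stopped at the first newline inside a <td>.
$asrRuleMap = @{}
foreach ($row in [regex]::Matches($tableBlock, '(?is)<tr>\s*<td.*?</td>\s*<td.*?</td>\s*</tr>')) {
    $cols = [regex]::Matches($row.Value, '(?is)<td.*?>(.*?)</td>')
    if ($cols.Count -lt 2) { continue }
    # Strip inner tags, then decode HTML entities (e.g. &amp;) so names read cleanly.
    $ruleName = [System.Net.WebUtility]::HtmlDecode(($cols[0].Groups[1].Value -replace '<.*?>', '')).Trim()
    $ruleGuid = ($cols[1].Groups[1].Value -replace '<.*?>', '').Trim()
    # Accept only well-formed GUIDs (8-4-4-4-12 hex); the old '[0-9a-f-]{36}' also matched junk such as 36 hyphens.
    if ($ruleGuid -match '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$') {
        $asrRuleMap[$ruleGuid.ToLowerInvariant()] = $ruleName
    }
}
if ($asrRuleMap.Count -eq 0) {
    throw "No ASR rule GUIDs parsed from the reference page; the table markup may have changed."
}

# 3. Get local ASR rule GUIDs and their configured actions (requires at least Windows 10 and Defender)
# AttackSurfaceReductionRules_Ids and AttackSurfaceReductionRules_Actions are parallel arrays.
$mpPref = Get-MpPreference -ErrorAction Stop
$localGuids   = @($mpPref.AttackSurfaceReductionRules_Ids)
$localActions = @($mpPref.AttackSurfaceReductionRules_Actions)
# Action codes as documented by Microsoft for AttackSurfaceReductionRules_Actions.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 5 = 'NotConfigured'; 6 = 'Warn' }

# 4. Output correlated local rules with their friendly names and actions
Write-Host "`nLocal ASR rules and their names:`n" -ForegroundColor Cyan
if ($localGuids.Count -eq 0) {
    Write-Host "No ASR rules are configured on this host." -ForegroundColor Yellow
}
for ($i = 0; $i -lt $localGuids.Count; $i++) {
    # Normalise case so lookups do not depend on how Defender stores the GUID.
    $guid = "$($localGuids[$i])".Trim().ToLowerInvariant()
    $rawAction = if ($i -lt $localActions.Count) { $localActions[$i] } else { $null }
    $action = if ($null -ne $rawAction -and $actionNames.ContainsKey([int]$rawAction)) {
        $actionNames[[int]$rawAction]
    } else {
        "action=$rawAction"
    }
    if ($asrRuleMap.ContainsKey($guid)) {
        Write-Host "$guid : $($asrRuleMap[$guid]) [$action]" -ForegroundColor Green
    } else {
        Write-Host "$guid : (Not found in MS reference) [$action]" -ForegroundColor Yellow
    }
}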