feat(code-execution-restriction): ✨ Added code execution restriction functions

itpropro · itpropro · commit 98a776ce098e · 2022-11-24T16:19:56.000+01:00
diff --git a/src/PSMDE.psd1 b/src/PSMDE.psd1
@@ -12,7 +12,7 @@
   RootModule        = 'PSMDE.psm1'
 
   # Version number of this module.
-  ModuleVersion     = '0.20.0'
+  ModuleVersion     = '0.19.0'
 
   # Supported PSEditions
   # CompatiblePSEditions = @()
@@ -72,6 +72,10 @@
   FunctionsToExport = @(
     'Add-MdeMachineTag'
     'Clear-MdeAuthorizationInfo'
+    'Disable-MdeMachineCodeExecutionRestriction'
+    'Disable-MdeMachineIsolation'
+    'Enable-MdeMachineCodeExecutionRestriction'
+    'Enable-MdeMachineIsolation'
     'Get-MdeAuthorizationInfo'
     'Get-MdeBaselineComplianceAssessmentByMachine'
     'Get-MdeBaselineComplianceAssessmentExport'
@@ -80,13 +84,15 @@
     'Get-MdeConfigurationScore'
     'Get-MdeExposureScore'
     'Get-MdeExposureScoreByMachineGroups'
+    'Get-MdeLiveResponseResult'
     'Get-MdeMachine'
     'Get-MdeMachineAction'
     'Get-MdeMachineAlerts'
     'Get-MdeMachineByFilter'
     'Get-MdeMachineByIp'
     'Get-MdeMachineByTag'
     'Get-MdeMachineInvestigationPackage'
+    'Get-MdeMachineInvestigationPackageUri'
     'Get-MdeMachineLogonUsers'
     'Get-MdeMachineMissingKbs'
     'Get-MdeMachineRecommendations'
diff --git a/src/public/Disable-MdeMachineCodeExecutionRestriction.ps1 b/src/public/Disable-MdeMachineCodeExecutionRestriction.ps1
@@ -0,0 +1,44 @@
+<#
+.SYNOPSIS
+  Restrict execution of all applications on the device except a predefined set.
+
+.DESCRIPTION
+  Restrict execution of all applications on the device except a predefined set.
+
+.NOTES
+  Author: Jan-Henrik Damaschke
+
+.LINK
+  https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/restrict-code-execution?view=o365-worldwide
+
+.PARAMETER id
+  Optional. Specifies the id of the target MDE recommendation.
+
+.EXAMPLE
+  Disable-MdeMachineCodeExecutionRestriction -id "<GUID>" -comment "Your comment"
+
+.ROLE
+  @(@{permission = 'Machine.RestrictExecution'; permissionType = 'Application'}, @{permission = 'Machine.RestrictExecution'; permissionType = 'Delegated'})
+#>
+
+function Disable-MdeMachineCodeExecutionRestriction {
+  [CmdletBinding()]
+  param (
+    [Parameter(Mandatory, ValueFromPipelineByPropertyName, ValueFromPipeline)]
+    [string]
+    $id,
+    [Parameter(Mandatory)]
+    [string]
+    $comment
+  )
+  Begin {
+    if (-not (Test-MdePermissions -functionName $PSCmdlet.CommandRuntime)) {
+      $requiredRoles = (Get-Help $PSCmdlet.CommandRuntime -Full).role | Invoke-Expression
+      Throw "Missing required permission(s). Please check if one of these is in current token roles: $($requiredRoles.permission)"
+    }
+  }
+  Process {
+    return Invoke-RetryRequest -Method Post -Uri "https://api.securitycenter.microsoft.com/api/machines/$id/unrestrictCodeExecution" -body (ConvertTo-Json -InputObject @{ Comment = $comment })
+  }
+  End {}
+}
diff --git a/src/public/Enable-MdeMachineCodeExecutionRestriction.ps1 b/src/public/Enable-MdeMachineCodeExecutionRestriction.ps1
@@ -0,0 +1,44 @@
+<#
+.SYNOPSIS
+  Restrict execution of all applications on the device except a predefined set.
+
+.DESCRIPTION
+  Restrict execution of all applications on the device except a predefined set.
+
+.NOTES
+  Author: Jan-Henrik Damaschke
+
+.LINK
+  https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/restrict-code-execution?view=o365-worldwide
+
+.PARAMETER id
+  Optional. Specifies the id of the target MDE recommendation.
+
+.EXAMPLE
+  Enable-MdeMachineCodeExecutionRestriction -id "<GUID>" -comment "Your comment"
+
+.ROLE
+  @(@{permission = 'Machine.RestrictExecution'; permissionType = 'Application'}, @{permission = 'Machine.RestrictExecution'; permissionType = 'Delegated'})
+#>
+
+function Enable-MdeMachineCodeExecutionRestriction {
+  [CmdletBinding()]
+  param (
+    [Parameter(Mandatory, ValueFromPipelineByPropertyName, ValueFromPipeline)]
+    [string]
+    $id,
+    [Parameter(Mandatory)]
+    [string]
+    $comment
+  )
+  Begin {
+    if (-not (Test-MdePermissions -functionName $PSCmdlet.CommandRuntime)) {
+      $requiredRoles = (Get-Help $PSCmdlet.CommandRuntime -Full).role | Invoke-Expression
+      Throw "Missing required permission(s). Please check if one of these is in current token roles: $($requiredRoles.permission)"
+    }
+  }
+  Process {
+    return Invoke-RetryRequest -Method Post -Uri "https://api.securitycenter.microsoft.com/api/machines/$id/restrictCodeExecution" -body (ConvertTo-Json -InputObject @{ Comment = $comment })
+  }
+  End {}
+}
diff --git a/tests/public/Disable-MdeMachineCodeExecutionRestriction.Tests.ps1 b/tests/public/Disable-MdeMachineCodeExecutionRestriction.Tests.ps1
@@ -0,0 +1,29 @@
+BeforeAll {
+  Remove-Module PSMDE -Force -ErrorAction SilentlyContinue
+  Import-Module (Split-Path $PSCommandPath).replace('tests', 'src').Replace('public', 'PSMDE.psd1')
+}
+
+Describe "Disable-MdeMachineCodeExecutionRestriction" {
+
+  It 'Should have the PSMDE module loaded' {
+    $module = Get-Module PSMDE
+    $module | Should -Not -BeNullOrEmpty
+  }
+
+  It 'Should have access to internal functions' {
+    InModuleScope PSMDE {
+      $iar = Get-Command Invoke-AzureRequest
+      $iar | Should -Not -BeNullOrEmpty
+    }
+  }
+
+  It 'Should correctly create the request uri' {
+    InModuleScope PSMDE {
+      Mock Invoke-RetryRequest { return $uri }
+      Mock Test-MdePermissions { return $true }
+      $id = '12345'
+      $comment = 'Comment'
+      Disable-MdeMachineCodeExecutionRestriction -id $id -comment $comment | Should -Be "https://api.securitycenter.microsoft.com/api/machines/$id/unrestrictCodeExecution"
+    }
+  }
+}
diff --git a/tests/public/Enable-MdeMachineCodeExecutionRestriction.Tests.ps1 b/tests/public/Enable-MdeMachineCodeExecutionRestriction.Tests.ps1
@@ -0,0 +1,29 @@
+BeforeAll {
+  Remove-Module PSMDE -Force -ErrorAction SilentlyContinue
+  Import-Module (Split-Path $PSCommandPath).replace('tests', 'src').Replace('public', 'PSMDE.psd1')
+}
+
+Describe "Enable-MdeMachineCodeExecutionRestriction" {
+
+  It 'Should have the PSMDE module loaded' {
+    $module = Get-Module PSMDE
+    $module | Should -Not -BeNullOrEmpty
+  }
+
+  It 'Should have access to internal functions' {
+    InModuleScope PSMDE {
+      $iar = Get-Command Invoke-AzureRequest
+      $iar | Should -Not -BeNullOrEmpty
+    }
+  }
+
+  It 'Should correctly create the request uri' {
+    InModuleScope PSMDE {
+      Mock Invoke-RetryRequest { return $uri }
+      Mock Test-MdePermissions { return $true }
+      $id = '12345'
+      $comment = 'Comment'
+      Enable-MdeMachineCodeExecutionRestriction -id $id -comment $comment | Should -Be "https://api.securitycenter.microsoft.com/api/machines/$id/restrictCodeExecution"
+    }
+  }
+}
