Microsoft’s Attack Surface Reduction (ASR) helps defend against malware leveraging legitimate applications by implementing rules that actively prevent malicious behavior.
The best part about ASR is that these rules can easily be enabled with a simple PowerShell cmdlet.
For example, rule BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 blocks executable content from email.
Enabling these rules can be done by using the Set-MpPreference cmdlet like so:
Set-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled
We call the cmdlet, pass the rule ID to -AttackSurfaceReductionRules_Ids, and set the corresponding -AttackSurfaceReductionRules_Actions value to Enabled for that rule.
Using Add-MpPreference you can also exclude files or entire folders from ASR.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Windows\System32\calc.exe"
ASR is really robust and is a great way to harden systems. I’ll post more about ASR in the future and show some examples of it in action.
For now, here is a list of some more ASR rules:
| Rule name | Rule ID (GUID) | File and folder exclusions | Minimum OS supported |
|---|---|---|---|
| Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b | Not supported | Windows 10, version 1903 (build 18362) or greater |
| Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| Block Win32 API calls from Office macros | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
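As an added example (not code from the original post), here is the rollout pattern a practitioner would use with the rule IDs from the list above: stage several rules in AuditMode, read the configured state back, review the Defender audit and block events, and only then enforce a rule. It assumes an elevated PowerShell session on Windows 10 1709 or later with Microsoft Defender Antivirus active; the rule-name hashtable and the output formatting are my own.

```powershell
# Added example, not from the original post. Assumes an elevated session on
# Windows 10 1709+ with Microsoft Defender Antivirus active.

# Rule IDs and names taken from the ASR rule list above.
$AsrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from lsass.exe'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
}

# Step 1: stage the rules in AuditMode. An audited rule logs what it would have
# blocked without enforcing, so legitimate workflows surface before blocking starts.
# Add-MpPreference appends to the configured rule list rather than replacing it.
foreach ($Id in $AsrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Id -AttackSurfaceReductionRules_Actions AuditMode
}

# Step 2: read the state back. Get-MpPreference exposes two parallel arrays;
# the action codes are 0 = Disabled, 1 = Enabled, 2 = AuditMode, 6 = Warn.
$ActionName = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }
$Pref = Get-MpPreference
for ($i = 0; $i -lt $Pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $Id     = $Pref.AttackSurfaceReductionRules_Ids[$i]
    $Action = [int]$Pref.AttackSurfaceReductionRules_Actions[$i]
    $Name   = if ($AsrRules.ContainsKey($Id)) { $AsrRules[$Id] } else { '(other rule)' }
    '{0}  {1,-9}  {2}' -f $Id, $ActionName[$Action], $Name
}

# Step 3: review what fired. Defender records ASR audit hits as event ID 1122
# and block hits as event ID 1121 in its Operational log.
$Events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 50 -ErrorAction SilentlyContinue
foreach ($Event in $Events) {
    $Mode = if ($Event.Id -eq 1122) { 'AUDIT' } else { 'BLOCK' }
    '{0}  {1}  {2}' -f $Event.TimeCreated, $Mode, ($Event.Message -split "`n")[0]
}

# Step 4: once the audit events show no false positives for a rule, enforce it.
# Add-MpPreference updates the action for an ID that is already configured,
# which avoids overwriting the whole rule list with Set-MpPreference.
Add-MpPreference -AttackSurfaceReductionRules_Ids 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' `
                 -AttackSurfaceReductionRules_Actions Enabled
```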
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard