Attack Surface Reduction: Enabling Rules

Microsoft's Attack Surface Reduction (ASR) rules defend against malware that abuses legitimate applications (Office, email clients, script hosts, WMI, PsExec) by blocking the specific behaviours those attacks depend on rather than matching on file signatures. The rules are part of Microsoft Defender Exploit Guard and require Microsoft Defender Antivirus to be the active antivirus with real-time protection on.

The best part about ASR is that these rules can be enabled with a single PowerShell cmdlet, so no Group Policy or Intune tenant is needed to start using them.

For example, rule BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 blocks executable content from email.

Enabling a rule is done with the Set-MpPreference cmdlet, like so:

Set-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled

The -AttackSurfaceReductionRules_Ids parameter takes the rule GUID and -AttackSurfaceReductionRules_Actions sets its mode: Enabled (block), AuditMode (log what would have been blocked without actually blocking) or Disabled. Two things to keep in mind: Set-MpPreference replaces the whole list of configured rules, so use Add-MpPreference when you want to add a rule alongside ones already in place, and roll a new rule out in AuditMode first so you can review the resulting events before switching it to Enabled.

Using Add-MpPreference you can also exclude individual files or entire folders from ASR. Exclusions added this way apply to every ASR rule on the machine (not to one rule), so keep the list short and specific:

Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Windows\System32\calc.exe"

calc.exe is only a stand-in path here; in practice the exclusion would be the line-of-business binary that a rule keeps tripping on.
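Putting the two cmdlets together, here is an added example of the rollout workflow a practitioner would actually use: add a handful of rules in AuditMode without disturbing rules that are already configured, read the resulting state back, add an exclusion, review the audit events Defender writes, and only then promote the rules to block. This is example code written for this page, not code from the original post or from Microsoft. It assumes Windows 10 1709 or later with Microsoft Defender Antivirus active and an elevated PowerShell session; the rule names and GUIDs come from the table on this page, the excluded path is a made-up placeholder, and the event parsing assumes the "ID: <GUID>" and "Path:" fields that Defender puts in the message of events 1121 (blocked) and 1122 (audited).

```powershell
# Added example (not from the original post). Run elevated on a machine with Defender AV active.
# Rule names/GUIDs are from the table on this page; any other path or name is an assumption.

$Rules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from lsass.exe'
}

# Step 1: add the rules in audit mode. Add-MpPreference appends to / updates the existing list;
# Set-MpPreference with the same parameters would replace every rule already configured.
function Add-AsrRulesInAudit {
    foreach ($id in $Rules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
    }
}

# Step 2: read the effective configuration back. Get-MpPreference returns the actions as numbers,
# so translate them (0 = Disabled, 1 = Block, 2 = AuditMode, 6 = Warn) and attach the rule names.
function Get-AsrRuleState {
    $pref        = Get-MpPreference
    $actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode'; 6 = 'Warn' }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        [pscustomobject]@{
            RuleId = $id
            Name   = if ($Rules.ContainsKey($id)) { $Rules[$id] } else { '(not in this page''s table)' }
            Action = $actionNames[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
}

# Step 3: exclude a binary that a rule keeps flagging. The path is a placeholder (assumption).
# Note that this exclusion applies to every ASR rule on the machine, not to one rule.
function Add-AsrExclusion {
    param([string]$Path = 'C:\Program Files\LineOfBusinessApp\legacy-macro-tool.exe')
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $Path
    (Get-MpPreference).AttackSurfaceReductionOnlyExclusions
}

# Step 4: review what the rules did. Defender logs ASR hits to its Operational log as
# event 1121 (blocked) or 1122 (audit mode: would have been blocked). The rule GUID and the
# offending path are parsed out of the message text (format assumed from observed events).
function Get-AsrEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $ruleId = if ($_.Message -match 'ID:\s*([0-9A-Fa-f-]{36})') { $Matches[1] } else { $null }
        $path   = if ($_.Message -match '(?m)Path:\s*(.+)$') { $Matches[1].Trim() } else { $null }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Mode   = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            RuleId = $ruleId
            Rule   = if ($ruleId -and $Rules.ContainsKey($ruleId)) { $Rules[$ruleId] } else { '(unknown)' }
            Path   = $path
        }
    }
}

# Step 5: once the audit events show no legitimate activity being flagged, switch to block.
# Re-adding an already configured GUID with a new action updates that rule's mode in place.
function Set-AsrRulesToBlock {
    foreach ($id in $Rules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    }
}

Add-AsrRulesInAudit
Get-AsrRuleState | Format-Table -AutoSize
Add-AsrExclusion
Get-AsrEvents -Days 7 | Group-Object Rule | Select-Object Count, Name | Format-Table -AutoSize
# Set-AsrRulesToBlock   # uncomment after reviewing the audit events above
```

Run the audit phase for at least a week of normal use before uncommenting the last line; a rule such as "Block all Office applications from creating child processes" will often surface an add-in or helper process you did not know about, and it is far better to find that in the 1122 events than as a helpdesk ticket.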

ASR is really robust and is a great way to harden systems. I’ll post more about ASR in the future and show some examples of it in action. 

For now, here is a list of some more ASR rules with their GUIDs, whether the rule honours the file and folder exclusions described above, and the minimum Windows version that supports it (taken from the Microsoft documentation referenced below):

Rule | GUID | File & folder exclusions | Minimum OS
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b | Not supported | Windows 10, version 1903 (build 18362) or greater
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block Win32 API calls from Office macros | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater

Note that the WMI event subscription rule does not honour the -AttackSurfaceReductionOnlyExclusions list, so it cannot be tuned that way if it flags a legitimate monitoring agent.

Reference:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard