Attack surface reduction applied with Microsoft Defender ATP


The following article assumes you are running Windows 10.

Terminology for this article

ASR (attack surface reduction)

Microsoft Defender Advanced Threat Protection (MDATP)

Links

MDATP web link

Advanced hunting link

ASR Reports

ASR Definition

Vulnerabilities

This article covers one feature of the Microsoft Defender Advanced Threat Protection suite.

Table of Contents

  • What is ASR
  • ASR rules
  • How to enable
  • Group Policy
  • Monitor
  • Endpoint protection
  • Microsoft Defender ATP (MDATP) advanced hunting
  • MDATP device configuration management
  • Real case scenario rule
  • Block process creations originating from PSExec and WMI commands
  • Through Event Viewer
  • View attack surface reduction events

What is ASR

Attack surface reduction means reducing the amount of code that is allowed to run on the system, and the number of ways it can be launched.

An attacker can compromise an organization's network or devices in many different ways, and only needs one of them to work. ASR tries to cut down the number of ways that are available.

ASR is a set of rules targeting software behaviors that are often abused by attackers:

  • Launching executable files and scripts that attempt to download or run files
  • Running obfuscated or otherwise suspicious scripts
  • Performing behaviors that apps do not usually initiate during normal day-to-day work

ASR rules

The following sections describe each of the 15 attack surface reduction rules.

If you are using Group Policy (or PowerShell) you will need the rule GUIDs; Intune and Configuration Manager present the rules by name, so the GUIDs are not needed there.


How to enable

Group Policy

Open the Group Policy Management Editor and go to Computer Configuration > Administrative Templates.

Expand the tree to Windows components > Microsoft Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction.

It is all described here: Group Policy

Then enable the "Configure Attack Surface Reduction rules" setting as described


And set the rules

  • Disable = 0
  • Block (enable ASR rule) = 1
  • Audit = 2

I recommend that you set every rule to Audit (2) first and start monitoring, so you can see what each rule would have blocked before switching it to Block (1).


You can set it on a single machine as a test with PowerShell (run elevated). Each entry in -AttackSurfaceReductionRules_Ids is paired positionally with the entry at the same index in -AttackSurfaceReductionRules_Actions:

PowerShell

Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID 1>,<rule ID 2>,<rule ID 3>,<rule ID 4> -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode

Note that Set-MpPreference replaces the whole ASR rule list with the rules named in the call; use Add-MpPreference with the same parameters to add or change one rule without touching the others.

Monitor

There are several ways of monitoring.

Run the following in PowerShell on any user machine:

Get-MpPreference

The AttackSurfaceReductionRules_Ids and AttackSurfaceReductionRules_Actions properties in the output show which rules are applied and in which mode (0 = Disabled, 1 = Block, 2 = Audit).
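As an added example (not code from the original post), the script below combines the enable step above and the Get-MpPreference check: it puts one rule into audit mode on a test machine with Add-MpPreference, so the existing rule list is kept, then pairs the Ids and Actions arrays into readable objects and warns if the rule did not end up in audit mode (for instance because Group Policy or Intune overrides the local setting). It assumes an elevated PowerShell session on Windows 10 with Microsoft Defender Antivirus active; the GUID used is Microsoft's published ID for "Block process creations originating from PSExec and WMI commands" and should be verified against the ASR rule reference before use.

```powershell
# Added example (not from the original post): put one ASR rule into audit mode on a
# single test machine and read the effective configuration back.
# Assumptions: elevated PowerShell on Windows 10 with Microsoft Defender Antivirus active,
# so the Defender module (Add-MpPreference / Get-MpPreference) is available.
# GUID of "Block process creations originating from PSExec and WMI commands" as published
# in Microsoft's ASR rule reference - verify it there before relying on it.
$PsExecWmiRule = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'

# Numeric action values as stored in AttackSurfaceReductionRules_Actions
# (the cmdlets also accept the names Disabled, Enabled and AuditMode).
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }

function Set-AsrRuleAudit {
    param([Parameter(Mandatory)][string]$RuleId)
    # Add-MpPreference adds or updates a single rule. Set-MpPreference would replace
    # the whole rule list, silently dropping every rule not named in the call.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

function Get-AsrRuleState {
    # Ids and Actions are parallel arrays; pair them up by index.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$actions[$i]
        [pscustomobject]@{
            RuleId = $ids[$i]
            Action = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] } else { "Unknown($code)" }
        }
    }
}

Set-AsrRuleAudit -RuleId $PsExecWmiRule
Get-AsrRuleState | Format-Table -AutoSize

# Sanity check: confirm the rule really is in audit mode before trusting the events it produces.
$state = Get-AsrRuleState | Where-Object RuleId -eq $PsExecWmiRule
if (-not $state -or $state.Action -ne 'Audit') {
    Write-Warning "Rule $PsExecWmiRule is not in audit mode (a Group Policy or Intune setting may override the local one)"
}
```

If the warning fires on a domain-joined machine, check the effective policy (gpresult /h) before assuming the cmdlet failed: policy-managed ASR settings win over local preferences.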


Endpoint protection



Microsoft Defender ATP (MDATP) advanced hunting


Run the following query in advanced hunting; every ASR event is recorded in the DeviceEvents table with an ActionType that starts with "Asr" (for example AsrPsexecWmiChildProcessAudited or AsrPsexecWmiChildProcessBlocked):

DeviceEvents

| where ActionType startswith 'Asr'

MDATP device configuration management

In the Microsoft Defender Security Center, go to Configuration management and then to Attack surface management to see the ASR reports.



Real case scenario rule


Block process creations originating from PSExec and WMI commands


This rule blocks processes created through PsExec and WMI from running. Both PsExec and WMI can execute code remotely, so there is a risk of malware abusing this functionality for command and control, or for spreading an infection throughout an organization's network (lateral movement). Keep in mind that Configuration Manager and other management tools also rely on WMI to create processes, which is one more reason to run this rule in audit mode first.

Through Event Viewer

Event IDs

ASR writes to the Microsoft-Windows-Windows Defender/Operational log, with these event IDs:

Event ID   Description
5007       Event when settings are changed
1121       Event when a rule fires in Block mode
1122       Event when a rule fires in Audit mode

The following URL describes how to create an XML query in Event Viewer for ASR monitoring:

View attack surface reduction events
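The same events can be pulled from the log with PowerShell instead of an Event Viewer XML query. The script below is an added example, not code from the original post: it reads events 5007, 1121 and 1122 from the Defender operational log, flattens each event's EventData into name/value pairs, and optionally filters to one rule GUID so you can list the audit hits for the PsExec/WMI rule discussed above. It assumes an elevated session on Windows 10 with Microsoft Defender Antivirus; the EventData field names differ between Defender versions, so every <Data Name="..."> pair is kept rather than hard-coding names, and the rule GUID is Microsoft's published ID for the PsExec/WMI rule, to be verified against the rule reference.

```powershell
# Added example (not from the original post): pull ASR audit/block events from the local
# Defender operational log and flatten their EventData so you can see which rule fired,
# for which process and user. Run elevated on Windows 10 with Microsoft Defender Antivirus.
# Assumptions: the log name and event IDs below are the documented ones (1121 = Block,
# 1122 = Audit, 5007 = settings change); EventData field names vary across Defender
# versions, so every <Data Name="..."> pair is kept instead of hard-coding the names.
$AsrLog      = 'Microsoft-Windows-Windows Defender/Operational'
$AsrEventIds = @{ 5007 = 'SettingsChanged'; 1121 = 'Block'; 1122 = 'Audit' }

function Get-AsrEvents {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string]$RuleId                      # optional: only events for this rule GUID
    )
    $filter = @{ LogName = $AsrLog; Id = @($AsrEventIds.Keys); StartTime = $Since }
    # Get-WinEvent throws when nothing matches; treat "no events" as an empty result instead.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = [ordered]@{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # The rule GUID is one of the Data values; match on its shape rather than on a field name.
        $ruleInEvent = $data.Values | Where-Object { $_ -match '^[0-9a-f-]{36}$' } | Select-Object -First 1
        if ($RuleId -and $ruleInEvent -ne $RuleId) { continue }   # 5007 has no GUID and is skipped here
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Mode   = $AsrEventIds[[int]$e.Id]
            RuleId = $ruleInEvent
            Data   = $data
        }
    }
}

# Audit hits from the last day for the PsExec/WMI rule
# (GUID from Microsoft's published ASR rule list - verify before use).
Get-AsrEvents -Since (Get-Date).AddDays(-1) -RuleId 'd1e49aac-8f56-4280-b9ba-993a6d77406c' |
    Where-Object Mode -eq 'Audit' |
    Select-Object Time, Mode, RuleId,
        @{ n = 'Details'; e = { ($_.Data.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; ' } } |
    Format-List
```

Run it without -RuleId to see every ASR event, including the 5007 settings changes, which are useful for spotting when a rule was switched from Audit to Block or disabled on a machine.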
