The following article assumes you have Windows 10:
- Windows 10 Pro, version 1709 or later
- Windows 10 Enterprise, version 1709 or later
- Windows Server, version 1803 (Semi-Annual Channel) or later
Terminology for this article
ASR: Attack surface reduction
MDATP: Microsoft Defender Advanced Threat Protection
Links
This article is part of the Microsoft Advanced Threat Protection suite.
Table of Contents
- What is ASR
- ASR rules
- How to enable
- Group Policy
- Monitor
- Endpoint protection
- Microsoft Defender Advanced Threat Protection (MDATP) advanced hunting
- MDATP device configuration management
- Real case scenario rule
- Block process creations originating from PSExec and WMI commands
- Through Event Viewer
- View attack surface reduction events
What is ASR
ASR reduces the amount of code running on the system.
An attacker can compromise an organization's network or devices in various ways, and the attacker only needs to find one vulnerability. ASR tries to reduce the number of those ways.
ASR rules target software behaviors that are often abused by attackers, such as:
- Launching executable files and scripts that attempt to download or run files
- Running obfuscated or otherwise suspicious scripts
- Performing behaviors that apps do not usually initiate during normal day-to-day work
ASR rules
The following sections describe each of the 15 attack surface reduction rules.
If you are using Group Policy, you will need the rule GUIDs; if you are using Intune or Configuration Manager, you will not need the GUIDs.
How to enable
Group Policy
Go to the computer configuration and expand the tree to Windows components > Microsoft Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction.
It is all described in the Microsoft documentation on Group Policy.
Then enable the "Configure attack surface reduction rules" setting as described, and set each rule to one of the following values:
- Disable = 0
- Block (enable ASR rule) = 1
- Audit = 2
I recommend that you set it to Audit (2) first and start monitoring.
You can set it for a single machine as a test with PowerShell:
Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID 1>,<rule ID 2>,<rule ID 3>,<rule ID 4> -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode
Monitor
There are several ways to monitor.
Run the following PowerShell on any user machine:
Get-MpPreference
If the rule IDs and actions you configured appear in the AttackSurfaceReductionRules_Ids and AttackSurfaceReductionRules_Actions properties of the output, the setting is applied.
Endpoint protection
Microsoft Defender Advanced Threat Protection (MDATP) advanced hunting
Run the following query in Advanced hunting:
DeviceEvents
| where ActionType startswith "Asr"
MDATP device configuration management
In device configuration management, go to Attack surface management.
Real case scenario rule
Block process creations originating from PSExec and WMI commands
This rule blocks processes created through PsExec and WMI from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization’s network.
Through Event Viewer
Event IDs
| Event ID | Description |
|----------|-------------|
| 5007 | Event when settings are changed |
| 1121 | Event when a rule fires in Block mode |
| 1122 | Event when a rule fires in Audit mode |
The Microsoft documentation page "View attack surface reduction events" describes how to create an XML query in Event Viewer for ASR monitoring.
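As an added example that is not the post's own code, the following PowerShell ties the enable, monitor and real-case steps above together: it puts the PsExec/WMI rule into Audit mode on a test machine, confirms it with Get-MpPreference, and reads the 1121/1122/5007 events from the Defender operational log. It assumes an elevated session on a machine running Microsoft Defender Antivirus and that the rule GUID below matches Microsoft's current ASR rule reference.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell session
# on Windows 10 / Windows Server with Microsoft Defender Antivirus. The GUID below is
# the one Microsoft documents for "Block process creations originating from PSExec
# and WMI commands"; check it against the current ASR rule reference before use.
$PsExecWmiRule = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'

# 1. Put the rule in Audit mode (2) on this test machine. Add-MpPreference appends to
#    the existing rule list, while Set-MpPreference replaces the whole list.
Add-MpPreference -AttackSurfaceReductionRules_Ids $PsExecWmiRule `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 2. Confirm which rules are applied and in which mode (0 = Disabled, 1 = Block, 2 = Audit).
$modeNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $mode = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    $name = if ($modeNames.ContainsKey($mode)) { $modeNames[$mode] } else { "Unknown($mode)" }
    '{0}  {1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $name
}

# 3. Pull the last 24 hours of ASR events from the Defender operational log:
#    1121 = rule fired in Block mode, 1122 = rule fired in Audit mode, 5007 = settings changed.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122, 5007
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Read the named EventData fields from the event XML instead of relying on the
    # positional Properties array, whose order differs between event IDs.
    $xml    = [xml]$e.ToXml()
    $fields = foreach ($d in $xml.Event.EventData.Data) { '{0}={1}' -f $d.Name, $d.'#text' }
    $kind   = switch ($e.Id) { 1121 { 'Block' } 1122 { 'Audit' } 5007 { 'Settings' } }
    $row = [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Mode    = $kind
        Details = $fields -join '; '
    }
    # While validating this one rule, show only its own hits plus any settings changes.
    if ($row.Details -like "*$PsExecWmiRule*" -or $e.Id -eq 5007) { $row }
}
```

Running step 3 on its own (without step 1) is a convenient way to review what the rule would have blocked while it is still in Audit mode.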