Microsoft Defender for Endpoint Attack Surface Reduction

What is ASR?

One of the capabilities of Microsoft Defender for Endpoint that is often overlooked, because of its grand-sounding name and the fear of breaking things, is Attack Surface Reduction, also known as ASR.

The name promises a little more than the feature delivers so far, but it is a particularly useful capability nonetheless. It targets software behaviors that are often abused by attackers, such as:

  • Launching executable files and scripts that attempt to download or run files.
  • Running obfuscated or otherwise suspicious scripts.
  • Performing behaviors that apps do not usually initiate during normal day-to-day work.

Such behaviors are sometimes seen in legitimate applications; however, they are considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain these kinds of risky behaviors and help keep your organization safe.

By preventing these usual suspects up front, an organization saves a great deal of the effort it would otherwise spend responding to security incidents in which one or more of these activities are used.

You can find the ASR rules (activity types) in the table below.

| Category | Rule name | GUID | File & folder exclusions |
| --- | --- | --- | --- |
| E-mail and Webmail | Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported |
| Microsoft Office | Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported |
| Microsoft Office | Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported |
| Microsoft Office | Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported |
| Microsoft Office | Block Win32 API calls from Office macros | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported |
| Microsoft Office | Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported |
| Executables and Scripts | Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D | Not supported |
| Executables and Scripts | Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported |
| Executables and Scripts | Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported |
| Executables and Scripts | Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported |
| | Block abuse of exploited vulnerable signed drivers | 56a863a9-875e-4185-98a7-b882c64b5ce5 | |
| Windows Credentials | Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported |
| Windows Management Interface (WMI) | Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c | Supported |
| Windows Management Interface (WMI) | Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b | Not supported |
| Device Control | Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported |
| 3rd Party Apps | Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported |

Note: the "Block persistence through WMI event subscription" rule is not yet available in MEM/MEMCM.

Although some of these behaviors might be legitimate for some applications to work, they are considered risky because they are primarily used by attackers to carry out their attacks. Before enabling ASR rules in block mode, you must run the rules in audit mode to capture data and understand their impact on your business applications.

ASR rules are not about trusting or not trusting certain apps on your endpoints. They are about recognizing potentially malicious behaviors and minimizing the probability of an attacker using these behaviors to carry out an attack, thus minimizing the overall risk level.

Requirements and Prerequisites

You can configure attack surface reduction rules for devices running any of the following editions and versions of Windows:

  • Windows 10 Pro/Enterprise/Education, version 1709 or later.
  • Windows Server, version 1803 (Semi-Annual Channel) or later.
  • Windows Server 2019.

With Windows 10 Pro, you get the ASR rule capabilities. A Windows 10 Enterprise E3 license, however, gives you the entire feature set of ASR rules, and you can use Event Viewer to review attack surface reduction rule events.

While Event Viewer might be enough for you, a Windows E5 license with Microsoft Defender for Endpoint adds a management and reporting layer for the ASR rules: monitoring, analytics, and workflow as part of Microsoft Defender for Endpoint.

In fact, Microsoft Defender for Endpoint takes ASR rules to the next level by onboarding those ASR rule events within the Microsoft 365 Defender portal.

Regardless of the license you choose, Microsoft Defender Antivirus must be in active mode, because ASR relies on Microsoft Defender Antivirus to block the attempts.

This should be taken into consideration especially when you are using a third-party antivirus solution. In this case, the built-in Microsoft Defender Antivirus automatically goes into passive mode.

Finally, some ASR rules require the Microsoft Defender Antivirus cloud-delivered protection to be enabled.

Rule Exclusions

There will certainly be cases where a benign process is identified as malicious, and you will have to define exclusions to avoid alert fatigue. An exclusion means that the ASR rules ignore the execution of certain processes. For these cases, keep the following in mind:

  • If you add an exclusion, it affects every ASR rule. This is done for performance and reliability reasons (you cannot specify which ASR rule an exclusion applies to).
  • Not all rules support exclusions.
  • Excluded files, folders, and processes will be allowed to run, and no report or event will be recorded.
  • ASR rule exclusions are managed separately from Microsoft Defender Antivirus exclusions.
  • ASR rule exclusions support wildcards, paths, and environment variables. This is, however, only supported if you use Microsoft Intune. If you manage ASR rules through SCCM, you cannot use wildcards.
  • Wildcards cannot be used to define a drive letter.
  • ASR rule exclusions are not user-context aware (ASR rules run under the NT AUTHORITY\SYSTEM account), so it is not possible to add the user profile folder to exclusions using environment variables such as %USERPROFILE%.

Configuring ASR Rules

There are four states for any ASR rule:

  • Not configured: the rule is disabled.
  • Block: block and log the identified suspicious activity attempts.
  • Audit: detect and log the activity, but do not block it.
  • Warn: enforce the rule but give users the option to override the block action for 24 hours. This allows you to test rules without necessarily blocking your end users.

The warn mode is available for all rules except:

  • Block JavaScript or VBScript from launching downloaded executable content.
  • Block persistence through WMI event subscription.
  • Use advanced protection against ransomware.

You do not have to enable all ASR rules at once. Many business applications were written with limited security concerns, and they might perform tasks that resemble malware or malicious activity.

A recommended approach is to enable ASR rules in audit mode first to better understand the impact of enabling each of these rules. By monitoring audit data and adding exclusions for necessary applications, you can deploy ASR rules without impacting productivity.

It is worth mentioning that dealing with Office macros is difficult for security professionals. They represent an effortless way for attackers to launch their attacks. Unfortunately, many customers still depend on Office macros to run their businesses. Special attention might be required for enforcing the related rule in block mode.

You can configure ASR rules using one of the following methods:

  • Microsoft Intune
  • 3rd-party Mobile Device Management (MDM)
  • Microsoft Endpoint Configuration Manager
  • Group Policy
  • PowerShell
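As an added example (not code from the original article), the PowerShell route below walks through the staged rollout the article recommends: audit mode first, review the events, add an exclusion, then enforce. It uses rule GUIDs from the table above and assumes an elevated session on a device where Microsoft Defender Antivirus is in active mode; the excluded path is a placeholder.

```powershell
# Added example, not from the original article. Assumes an elevated PowerShell
# session with Microsoft Defender Antivirus in active mode. Exclusion path is a placeholder.

# Rule GUIDs taken from the table above.
$Rules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from lsass.exe'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
}
$Ids = @($Rules.Keys)

# 1. Audit mode: rules log what they would have blocked without blocking anything.
#    Add-MpPreference adds or updates the listed rules; Set-MpPreference replaces the whole list.
Add-MpPreference -AttackSurfaceReductionRules_Ids $Ids `
                 -AttackSurfaceReductionRules_Actions AuditMode, AuditMode, AuditMode

# 2. Confirm the configured state. Actions are stored numerically:
#    0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i]
    '{0}  action={1}  {2}' -f $id, $pref.AttackSurfaceReductionRules_Actions[$i], $Rules[$id]
}

# 3. Review audit hits before enforcing. Defender writes ASR events to the
#    Microsoft-Windows-Windows Defender/Operational log: 1122 = audited, 1121 = blocked.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 200 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -AutoSize -Wrap

# 4. Exclude a line-of-business tool the audit data shows to be benign. As the article notes,
#    this applies to every ASR rule that supports exclusions (not to one rule) and is kept
#    separately from the antivirus exclusion list.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\ExampleLOB\lobtool.exe'

# 5. Enforce once the audit data is clean. The Office rule goes to Warn first, since business
#    macros may still need the 24-hour user override; the other two go straight to Block (Enabled).
Add-MpPreference -AttackSurfaceReductionRules_Ids 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' `
                 -AttackSurfaceReductionRules_Actions Warn
Add-MpPreference -AttackSurfaceReductionRules_Ids '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2', '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' `
                 -AttackSurfaceReductionRules_Actions Enabled, Enabled
```

Event ID 5007 in the same log records each settings change, which is useful for confirming that the rollout landed on a device.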

We are ready to help you deploy MDE’s ASR capabilities for your organization using your tool of choice. Please contact us to learn more about it.