Details

• ID: CM0004
• Version: 1.0
• Created: 14 March 2025
• Modified: 14 March 2025
• Type: Enable
• Status: Active

Intended Outcome

Enabling Windows Defender Exploit Guard (WDEG) Attack Surface Reduction (ASR) rules restricts adversary lateral movement and persistence using malicious files and scripts.

Introduction

ASR is a ruleset and subcomponent of WDEG, specifically designed to block processes and activities commonly used by malware to infect computers. ASR rules target specific software behaviors e.g., launching files and scripts, running (obfuscated) scripts, and deviations from typical application behavior.

Preparation

• Microsoft Defender for Endpoint with real-time and cloud-delivery protection is enabled.
• Microsoft Defender is the primary anti-virus solution.
• No Microsoft Defender component is more than two versions old.

Risks

No Risks content identified.

Guidance

Assess the status of ASR and identify gaps in coverage. Survey the attack surface management card in the Microsoft 365 Defender portal and determine whether standard and/or other rules are applied, the mode in which they are configured, and any existing exclusions.Microsoft recommends beginning by enabling the three standard protection rules: block credential stealing from LSASS, abuse of exploited vulnerable signed drivers, and persistence via WMI event subscription. These three rules can typically be implemented with little impact to business function. ASR can be configured using Microsoft Endpoint Manager, Group Policy, and/or PowerShell Cmdlets.Additional rules to consider are listed below.

Standard Protection Rules

The minimum set of rules which Microsoft recommends you always enabled, while you are evaluating the impact and configuration needs of the other ASR rules. These rules typically have minimal-to-no noticeable impact on the end user.

Rule	Mapped to TTPs
Block abuse of exploited vulnerable signed driver	[T1068](https://attack.mitre.org/techniques/T1068) - Exploitation for Privilege Escalation
Block credential stealing from the Windows local security authority subsystem (lsass.exe)	[T1003.001](https://attack.mitre.org/techniques/T1003/001) - OS Credential Dumping: LSASS Memory
Block persistence through WMI event subscription	[T1546.003](https://attack.mitre.org/techniques/T1546/003) - Event Triggered Execution: WMI Event Subscription

Other Rules

Rules that require some measure of following the documented deployment steps (Plan \> Test \> Enable \> Operationalize).

Rule	Mapped to TTPs
Block Adobe Reader from creating child processes	[T1203](https://attack.mitre.org/techniques/T1203) - Exploitation for Client Execution
Block all Office applications from creating child processes	[T1203](https://attack.mitre.org/techniques/T1203) - Exploitation for Client Execution
Block executable content from email client and webmail	[T1566](https://attack.mitre.org/techniques/T1566) - Phishing
Block executable files from running unless they meet a prevalence, age, or trusted list criterion
Block execution of potentially obfuscated scripts	[T1027](https://attack.mitre.org/techniques/T1027) - Obfuscated Files or Information
Block JavaScript or VBScript from launching downloaded executable content	[T1059.005](https://attack.mitre.org/techniques/T1059/005) - Command and Scripting Interpreter: Visual Basic, [T1059.007](https://attack.mitre.org/techniques/T1059/007) - Command and Scripting Interpreter: JavaScript
Block Office applications from creating executable content	[T1204.002](https://attack.mitre.org/techniques/T1204/002) - User Execution: Malicious File
Block Office applications from injecting code into other processes	[T1055](https://attack.mitre.org/techniques/T1055) - Process Injection, [T1204.002](https://attack.mitre.org/techniques/T1204/002) - User Execution: Malicious File
Block Office communication application from creating child processes
Block process creations originating from PSExec and WMI commands	[T1569.002](https://attack.mitre.org/techniques/T1569/002) - System Services: Service Execution, [T1047](https://attack.mitre.org/techniques/T1047) - Windows Management Instrumentation
Block untrusted and unsigned processes that run from USB	[T1091](https://attack.mitre.org/techniques/T1091) - Replication Through Removable Media
Block Win32 API calls from Office macros	[T1204.002](https://attack.mitre.org/techniques/T1204/002) - User Execution: Malicious File
Use advanced protection against ransomware

Deployment Modes

• Audit mode used to evaluate how ASR rules would affect the organization if enabled
• Block mode prevents execution
• Warn mode warns of execution
• Not configured/disabled

Exclusions

Files and folders can be specified for exclusion from ASR rule evaluation. While exclusions may be necessary to ensure normal operations, it is important to note that exclusions could introduce vulnerability and should be carefully evaluated.A typical implementation process includes the following steps:

Plan

The first step in preparing to deploy ASR rules is planning. Key to the planning process is identifying key stakeholders and critical business operations.

• Identify business units ASR rollout should be contingent upon distribution and usage of software, shared folders, and scripts
• Identify ASR rules champions to assist during rollout, preliminary testing, and implementation
• Inventory business apps understanding applications and processes used across the organization is critical to the success of ASR rule deployment
• Define ASR rules reporting and response teams determine the person/team responsible for gathering reports, with whom to share the reports, and how to escalate identified threats/issues
• Determine deployment rings Leverage deployment rings for phased rollout of ASR rules

Test

The second step in preparing to deploy ASR rules is testing. Testing the deployment of ASR rules is critical to ensuring the maximum likelihood of success while minimizing the chance of disrupting regular business operations.

• Enable ASR rule in audit mode
• Review reporting in the Microsoft 365 Defender portal
• Assess impact
• Define exclusions to deploy ASR rules without negatively impacting operations

Enable

This step is intended to be the limited and scalable rollout of the tested ASR rules to the first test ring.

• Set ASR rule to block or warn
• Assess impact from the reporting page in Microsoft 365 Defender portal and seek feedback from the ASR champions
• Refine exclusions
• Problematic rules should be switched back into audit mode

Operationalize

After the ASR rule is deployed, it is critical to implement processes to monitor and respond to ASR events.

• Monitor for false positives
• Review ASR rule reports regularly to stay abreast of rule-reported events
• Engage in ASR rule hunting to proactively inspect events

References

• Enable attack surface reduction rules | https://learn.microsoft.com/en-us/defender-endpoint/enable-attack-surface-reduction
• Attack surface reduction rules deployment overview | https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment
• Attack surface reduction rules reference | https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference
• Plan attack surface reduction rules deployment | https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-plan
• Test attack surface reduction rules | https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-test
• Implement attack surface reduction rules | https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-implement
• Operationalize attack surface reduction rules | https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-deployment-operationalize