Windows Defender: Attack Surface Reduction - No Events in EventLog for some blocked actions

Steffen 71 Reputation points
2022-11-24T12:33:00.72+00:00

I have some ASR rules activated (set to Block) for my clients, like "Block process creations originating from PSExec and WMI commands" or "Block JavaScript or VBScript from launching downloaded executable content".

While testing the rules it seems like, they work as intended but in the event viewer (as explained here) I only get an event (ID 1021) for some blocked ASR Rules . For examplem, the "Block JavaScript or VBScript from launching downloaded executable content". I used a simple script js to test it:

var xmlHttp = WScript.CreateObject("MSXML2.XMLHTTP");
xmlHttp.open("GET", "https://www.bing.com", false);
xmlHttp.send();

// SCPT:JSRunsFile
var shell = WScript.CreateObject("WScript.Shell");
shell.Run("notepad.exe");
I see an event in th Event Viewer with the ID 1021 and a reference to my script.

But while testing the Rule "Block process creations originating from PSExec and WMI commands" with running a simple vbs script the creation of the process is blocked (Return Value: 2) but no event in the event Log shows up? the vbs:

// SCPT:xmlHttpRequest
var xmlHttp = WScript.CreateObject("MSXML2.XMLHTTP");
xmlHttp.open("GET", "https://www.bing.com", false);
xmlHttp.send();

// SCPT:JSRunsFile
var shell = WScript.CreateObject("WScript.Shell");
shell.Run("notepad.exe");
Tested on a Win 10 and Win 11 Client with the same result. Is there something I am missing?

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,837 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Andrew Blumhardt 9,771 Reputation points Microsoft Employee
    2022-11-25T15:59:32.25+00:00

    I wonder if that would be captures as a Diagnostic audit? Try something like this to see if table mod is there...

    AzureDiagnostics
    | where ResourceProvider == "MICROSOFT.SQL"
    | where OperationName == "AuditEvent"
    | summarize count() by action_name_s