Attack surface reduction - no rules

Or Naim 0 Reputation points
2023-02-09T08:58:53.06+00:00

Hello,

I've been trying to run a psexec command in order to delete a specific architecture version of Chrome.

But, the Attack surface reduction is blocking my remote script.

The event log does not show the full extent of it.

Rule: Block process creations originating from PSExec and WMI commands

Blocked By: Attack surface reduction

Now, I've been trying to dig out that specific rule through Microsoft 365 Defender and, unfortunately, I can't find it. I need to disable that rule on the target computers that I'm trying to run the command on.

Any help pinpointing the direction, please?

Thanks in advance.


1 answer

  1. Limitless Technology 44,751 Reputation points
    2023-02-09T15:23:32.06+00:00
    
    
    Hi. Thank you for your question and for reaching out. I’d be more than happy to help you with your query.
    
    To disable the "Block process creations originating from PSExec and WMI commands" rule in Microsoft Defender for Endpoint (previously known as Microsoft 365 Defender), you need to follow these steps:
    
    1. Open the Microsoft Defender Security Center portal.
    2. Navigate to the "Device control" section and click on the "Attack surface reduction" policy.
    3. Click on the "Edit" button to modify the policy.
    4. In the "Attack surface reduction" policy, locate the "Block process creations originating from PSExec and WMI commands" rule and turn it off.
    5. Save the changes by clicking on the "Save" button.
    
    It may take some time for the changes to propagate to the target computers, but once they do, you should be able to run the psexec command without encountering the issue.
    
    If you're still unable to find the "Block process creations originating from PSExec and WMI commands" rule in the Microsoft Defender Security Center, you can check if it's turned on in the Windows Defender Security Center on the target computers. To do this, follow these steps:
    
    1. Open the Windows Defender Security Center on the target computer.
    2. Navigate to the "Virus & threat protection" section and click on the "Virus & threat protection settings" link.
    3. Scroll down to the "Attack surface reduction rules" section and look for the "Block process creations originating from PSExec and WMI commands" rule.
    4. If the rule is turned on, turn it off and save the changes.
    
    This should allow you to run the psexec command on the target computer without encountering the issue.
    
    
    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.
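
To see how this rule is actually configured on a target computer and what it has recently blocked or audited, a read-only PowerShell check like the following can be used. It is an added example, not part of the answer above; the GUID is the one Microsoft documents for this rule, and the helper name `Get-AsrRuleState` is hypothetical.

```powershell
# Added example (read-only): run in an elevated PowerShell session on the target computer.
$ruleId   = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'   # documented GUID of the PSExec/WMI rule
$ruleName = 'Block process creations originating from PSExec and WMI commands'
$stateMap = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Hypothetical helper: Get-MpPreference returns rule IDs and actions as two
# parallel arrays, so the state of one rule is found by matching its index.
function Get-AsrRuleState {
    param([string[]]$Ids, [object[]]$Actions, [string]$Id)
    if (-not $Ids) { return 'Not configured' }
    for ($i = 0; $i -lt $Ids.Count; $i++) {
        if ($Ids[$i] -ieq $Id) {
            $action = [int]$Actions[$i]
            if ($stateMap.ContainsKey($action)) { return $stateMap[$action] }
            return "Unknown ($action)"
        }
    }
    return 'Not configured'
}

$pref  = Get-MpPreference
$state = Get-AsrRuleState -Ids $pref.AttackSurfaceReductionRules_Ids `
                          -Actions $pref.AttackSurfaceReductionRules_Actions `
                          -Id $ruleId
'{0}: {1}' -f $ruleName, $state

# Event 1121 = an ASR rule fired in block mode, 1122 = fired in audit mode.
# The event message carries the rule GUID, so filter on it to isolate this rule.
$asrEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $ruleId }

if ($asrEvents) {
    # The full message shows which process and command line triggered the rule.
    $asrEvents | Select-Object -First 10 TimeCreated, Id, Message | Format-List
} else {
    'No recent block or audit events found for this rule.'
}
```

If the reported state is `Block` and the matching events show the psexec-launched process, the rule is the cause; the events also record which command line was stopped.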
    
