Windows 10: Windows Defender Exploit Guard-Attack Surface Reduction rules
Applies to:
Windows Server 2019
Windows 10 1809
Windows 10 1803
Windows 10 1709
Security administrators, as we all know, can’t keep end users from clicking on phishing e-mails or downloading payloads that carry malware. Windows Defender (WD) Exploit Guard (EG) – Attack Surface Reduction (ASR) rules to the rescue.
Windows Defender Exploit Guard: Attack Surface Reduction rules – do I need Windows Defender Antivirus (WD AV)?
The answer is yes: ASR rules are enforced by WD AV, so WD AV must be enabled (and in an active, not passive, state).
[What is Windows Defender Exploit Guard – Attack Surface Reduction rules?]
Reduce attack surfaces with attack surface reduction rules
/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard
Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware
https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
Security Updates from the Win10 Fall Creators Update
https://blogs.technet.microsoft.com/askpfeplat/2017/12/11/security-updates-from-the-win10-fall-creators-update/
New attack surface reduction rules
https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/
[What does WD Exploit Guard: Attack Surface Reduction rules block against?]
- Block executable content from email client and webmail
- Block all Office applications from creating child processes
- Block Office applications from creating executable content
- Block Office applications from injecting code into other processes
- Block JavaScript or VBScript from launching downloaded executable content
- Block execution of potentially obfuscated scripts
- Block Win32 API calls from Office macro
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion
- Use advanced protection against ransomware
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- Block process creations originating from PSExec and WMI commands
- Block untrusted and unsigned processes that run from USB
- Block Office communication application from creating child processes
- Block Adobe Reader from creating child processes
[So why Windows Defender Exploit Guard: Attack Surface Reduction rules?]
Example of malware being neutralized by ASR: CVE-2017-8759 (a.k.a. WinBird or FinFisher; Exploit:RTF/Fitipol.A, Behavior:Win32/Fitipol.A, and Exploit:RTF/CVE-2017-8759)
Reference:
Exploit for CVE-2017-8759 detected and neutralized – Protection with Windows Defender Exploit Guard
https://cloudblogs.microsoft.com/microsoftsecure/2017/09/12/exploit-for-cve-2017-8759-detected-and-neutralized/
Example of malware being neutralized by ASR: Qakbot and Emotet.
Reference:
Mitigating and eliminating info-stealing Qakbot and Emotet in corporate networks
https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/
Example of malware being neutralized by ASR: emerging exploits like DDEDownloader, which has been used to distribute ransomware.
Reference:
A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017
https://cloudblogs.microsoft.com/microsoftsecure/2018/01/10/a-worthy-upgrade-next-gen-security-on-windows-10-proves-resilient-against-ransomware-outbreaks-in-2017/
Example of malware being neutralized by ASR: emerging threats like coin-mining malware.
Reference:
Invisible resource thieves: The increasing threat of cryptocurrency miners
https://cloudblogs.microsoft.com/microsoftsecure/2018/03/13/invisible-resource-thieves-the-increasing-threat-of-cryptocurrency-miners/
[Test / Deploy WD Exploit Guard: Attack Surface Reduction rules]
Recommendations for deploying the latest Attack surface reduction rules for maximum impact
https://cloudblogs.microsoft.com/microsoftsecure/2019/02/22/recommendations-for-deploying-the-latest-attack-surface-reduction-rules-for-maximum-impact/
TIP 1: Make sure that the WD AV Platform update, engine update, and definition updates are up to date.
Note: Normally this is taken care of by Windows Update, WSUS, or the SCCM Software Update Point (SUP).
TIP 2: I would highly recommend setting the rules to audit mode for a month or so, and checking for compatibility warnings for your line-of-business applications before switching to block mode.
List of 'attack surface reduction' events (the event IDs logged for WD EG ASR rules):
/en-us/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard#list-of-attack-surface-reduction-events
Use a 'custom view' in 'Event Viewer' to review the WD EG ASR rule events:
XML for attack surface reduction rule events
/en-us/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard#xml-for-attack-surface-reduction-rule-events
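As an added example (not code from this post or from Microsoft), the PowerShell below walks through TIP 1 and TIP 2: it checks WD AV freshness, puts four of the rules listed above into audit mode, and then pulls the ASR audit/block events from the Defender operational log. It assumes the rule GUIDs Microsoft documents for those four rules and that the ASR event's EventData carries the rule GUID in a field named 'ID'; run it in an elevated session.

```powershell
# Added example, not from the original post. Run elevated on Windows 10 1709+ / Server 2019.

# TIP 1: confirm platform, engine and definitions are current before trusting ASR results.
$status = Get-MpComputerStatus
$status | Select-Object AMProductVersion, AMEngineVersion, AntivirusSignatureVersion,
                        AntivirusSignatureLastUpdated, AntivirusEnabled, RealTimeProtectionEnabled

# Rule GUIDs as documented by Microsoft for four of the rules named in this post.
$asrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}

# TIP 2: AuditMode logs what would have been blocked without blocking it.
# Add-MpPreference keeps any rules that are already configured.
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# Confirm the configured state (0 = Disabled, 1 = Block, 2 = Audit).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    [pscustomobject]@{
        RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
        Action = $pref.AttackSurfaceReductionRules_Actions[$i]
        Name   = $asrRules[[string]$pref.AttackSurfaceReductionRules_Ids[$i]]
    }
}

# Review: 1122 = ASR audit event, 1121 = ASR block event, in the Defender operational log.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 200 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $ruleId = [string]$data['ID']   # assumption: rule GUID is in the 'ID' field
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Mode   = if ($e.Id -eq 1122) { 'Audit' } else { 'Block' }
        RuleId = $ruleId
        Name   = $asrRules[$ruleId]
        Detail = ($data.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
    }
}
```

Group the output by RuleId and Name over the audit period; a rule that keeps firing on a line-of-business application is the one to exclude or leave in audit before moving the rest to block (Enabled).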
Thanks,
Yong
P.S. Related blog posts:
Windows 10/Windows Server 2016/Windows Server 2019 Antivirus (AV)
https://blogs.technet.microsoft.com/yongrhee/2019/02/21/windows-10-windows-server-2016-windows-server-2019-antivirus-av/
Windows 10: Windows Defender Exploit Guard-Exploit Protection
https://blogs.technet.microsoft.com/yongrhee/2019/02/21/windows-10-windows-defender-exploit-guard-exploit-protection/
[Don’t confuse Windows Defender Exploit Guard - Attack Surface Reduction rules with:]
1) Microsoft Security Development Lifecycle (SDL) “Attack Surface Analysis” tool for developers when developing applications.
Back to the Future: Attack Surface Analysis and Reduction
https://cloudblogs.microsoft.com/microsoftsecure/2011/02/14/back-to-the-future-attack-surface-analysis-and-reduction/
Note: For developers, we have a new tool:
Microsoft Threat Modeling Tool
/en-us/azure/security/azure-security-threat-modeling-tool
or
2) EMET’s Attack Surface Reduction, which:
"Provides a mechanism to help block specific modules or plug-ins within an application, in certain conditions. For example, customers can now configure EMET to prevent their browser from loading Java plug-ins on external websites, while still continuing to allow Java plug-ins on their internal company websites."
Managing IE Sites for EMET with ASR (Attack Surface Reduction)
https://blogs.technet.microsoft.com/kfalde/2014/08/27/managing-ie-sites-for-emet-with-asr-attack-surface-reduction/