Share via


Windows 10: Windows Defender Exploit Guard-Attack Surface Reduction rules

Applies to:
Windows Server 2019
Windows 10 1809
Windows 10 1803

Windows 10 1709

Security Administrators, as we all know, we can’t keep end-users from clicking on phishing e-mails or downloading payloads that have malware. Windows Defender (WD) Exploit Guard (EG) – Attack Surface Reduction (ASR) rules to the rescue.

Windows Defender Exploit Guard: Attack Surface Reduction rules, do I need Windows Defender Antivirus (WD AV)?

The answer is yes, you need WD AV to be enabled.

[What is Windows Defender Exploit Guard – Attack Surface Reduction rules?]

Reduce attack surfaces with attack surface reduction rules
/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard

Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware
https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/

Security Updates from the Win10 Fall Creators Update
https://blogs.technet.microsoft.com/askpfeplat/2017/12/11/security-updates-from-the-win10-fall-creators-update/

New attack surface reduction rules
https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/

[What does WD Exploit Guard: Attack Surface Reduction rules block against?]

  1. Block executable content from email client and webmail
  2. Block all Office applications from creating child processes
  3. Block Office applications from creating executable content
  4. Block Office applications from injecting code into other processes
  5. Block JavaScript or VBScript from launching downloaded executable content
  6. Block execution of potentially obfuscated scripts
    Block Win32 API calls from Office macro
  7. Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  8. Use advanced protection against ransomware
  9. Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  10. Block process creations originating from PSExec and WMI commands
  11. Block untrusted and unsigned processes that run from USB
  12. Block Office communication application from creating child processes
  13. Block Adobe Reader from creating child processes

[So why Windows Defender Exploit Guard: Attack Surface Reduction rules?]

Example of malware being neutralized by ASR: CVE-2017-8759 (a.k.a. WinBird or FinFisher; Exploit:RTF/Fitipol.A, Behavior:Win32/Fitipol.A, and Exploit:RTF/CVE-2017-8759) 

Reference:

Exploit for CVE-2017-8759 detected and neutralized- Protection with Windows Defender Exploit Guard
https://cloudblogs.microsoft.com/microsoftsecure/2017/09/12/exploit-for-cve-2017-8759-detected-and-neutralized/

Example of malware being neutralized by ASR: Qakbot and Emotet.

Reference:

Mitigating and eliminating info-stealing Qakbot and Emotet in corporate networks
https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/

Example of malware being neutralized by ASR: protect from emerging exploits like DDEDownloader, which has been used to distribute ransomware.

Reference:

A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017
https://cloudblogs.microsoft.com/microsoftsecure/2018/01/10/a-worthy-upgrade-next-gen-security-on-windows-10-proves-resilient-against-ransomware-outbreaks-in-2017/

Example of malware being neutralized by ASR: emerging exploits like Coin mining malware.

Reference:

Invisible resource thieves: The increasing threat of cryptocurrency miners
https://cloudblogs.microsoft.com/microsoftsecure/2018/03/13/invisible-resource-thieves-the-increasing-threat-of-cryptocurrency-miners/

[Test / Deploy WD Exploit Guard: Attack Surface Reduction rules]

Recommendations for deploying the latest Attack surface reduction rules for maximum impact
https://cloudblogs.microsoft.com/microsoftsecure/2019/02/22/recommendations-for-deploying-the-latest-attack-surface-reduction-rules-for-maximum-impact/

TIP 1: Make sure that the WD AV Platform update, engine update, and definition updates are up to date.

Note: Normally taken care by Windows Update or WSUS or SCCM SUP.

TIP 2: I would highly recommend you to set it to audit mode for 1 month or so, and see if there are compatibility warnings for your line of business applications.

List of 'attack surface reduction' events such as for WD EG ASR rules:
/en-us/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard#list-of-attack-surface-reduction-events

Use 'custom views' to review in 'Event Viewer' to review WD EG ASR rules:

XML for attack surface reduction rule events
/en-us/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard#xml-for-attack-surface-reduction-rule-events

Thanks,

Yong

P.S. Related blog posts:

Windows 10/Windows Server 2016/Windows Server 2019 Antivirus (AV)
https://blogs.technet.microsoft.com/yongrhee/2019/02/21/windows-10-windows-server-2016-windows-server-2019-antivirus-av/

Windows 10: Windows Defender Exploit Guard-Exploit Protection
https://blogs.technet.microsoft.com/yongrhee/2019/02/21/windows-10-windows-defender-exploit-guard-exploit-protection/

[Don’t confuse Windows Defender Exploit Guard - Attack Surface Reduction rules with:]

1) Microsoft Security Development Lifecycle (SDL) “Attack Surface Analysis” tool for developers when developing applications.

Back to the Future: Attack Surface Analysis and Reduction
https://cloudblogs.microsoft.com/microsoftsecure/2011/02/14/back-to-the-future-attack-surface-analysis-and-reduction/

Note: For developers, we have a new tool:

Microsoft Threat Modeling Tool
/en-us/azure/security/azure-security-threat-modeling-tool

or

2) EMET’s Attack Surface Reduction, which:

"Provides a mechanism to help block specific modules or plug-ins within an application, in certain conditions. For example, customers can now configure EMET to prevent their browser from loading Java plug-ins on external websites, while still continuing to allow Java plug-ins on their internal company websites."

https://cloudblogs.microsoft.com/microsoftsecure/2014/07/31/now-available-enhanced-mitigation-experience-toolkit-emet-5-0/

Managing IE Sites for EMET with ASR (Attack Surface Reduction)
https://blogs.technet.microsoft.com/kfalde/2014/08/27/managing-ie-sites-for-emet-with-asr-attack-surface-reduction/