Attack surface reduction rules demonstrations

Applies to:

• Microsoft Defender for Endpoint Plan 2
• Microsoft Defender for Business
• Microsoft Defender for Endpoint Plan 1
• Microsoft Defender Antivirus

Attack surface reduction rules target specific behaviors that are typically used by malware and malicious apps to infect machines, such as:

• Executable files and scripts used in Office apps or web mail that attempt to download or run files
• Scripts that are obfuscated or otherwise suspicious
• Behaviors that apps undertake that aren't initiated during normal day-to-day work

Scenario requirements and setup

• Windows 11, Windows 10 1709 build 16273 or later
• Windows Server 2022, Windows Server 2019, Windows Server 2016, or Windows Server 2012 R2 with the unified MDE client.
• Microsoft Defender Antivirus
• Microsoft 365 Apps (Office; required for Office rules and sample)
• Download attack surface reduction PowerShell scripts

PowerShell commands

Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids D1E49AAC-8F56-4280-B9BA-993A6D77406C -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids C1DB55AB-C21A-4637-BB3F-A12568109D35 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-CD74-433A-B99E-2ECDC07BFC25 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids e6db77e5-3df2-4cf1-b95a-636979351e5b -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids a8f5898e-1dc8-49a9-9878-85004b8a61e6 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 26190899-1602-49E8-8B27-EB1D0A1CE869 -AttackSurfaceReductionRules_Actions AuditMode
Add-MpPreference -AttackSurfaceReductionRules_Ids 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C -AttackSurfaceReductionRules_Actions AuditMode

Rule states

State	Mode	Numeric value
Disabled	= Off	0
Enabled	= Block mode	1
Audit	= Audit mode	2

Verify configuration

Get-MpPreference

Test files

Note - some test files have multiple exploits embedded and triggers multiple rules

Rule name	Rule GUID
Block executable content from email client and webmail	BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block Office applications from creating child processes	D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block Office applications from creating executable content	3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting into other processes	75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Impede JavaScript and VBScript to launch executables	D3E037E1-3EB8-44C8-A917-57927947596D
Block execution of potentially obfuscated scripts	5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 imports from Macro code in Office	92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
{Block Process Creations originating from PSExec & WMI commands	D1E49AAC-8F56-4280-B9BA-993A6D77406C
Block Execution of untrusted or unsigned executables inside removable USB media	B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4
Aggressive Ransomware Prevention	C1DB55AB-C21A-4637-BB3F-A12568109D35
Block executable files from running unless they meet a prevalence, age, or trusted list criteria	01443614-CD74-433A-B99E-2ECDC07BFC25
Block Adobe Reader from creating child processes	7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
Block abuse of exploited vulnerable signed drivers	56a863a9-875e-4185-98a7-b882c64b5ce5
Block credential stealing from the Windows local security authority subsystem (lsass.exe)	9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block persistence through WMI event subscription	e6db77e5-3df2-4cf1-b95a-636979351e5b
Block Webshell creation for Servers	a8f5898e-1dc8-49a9-9878-85004b8a61e6

Scenarios

Setup

Download and run this setup script. Before running the script set execution policy to Unrestricted using this PowerShell command:

Set-ExecutionPolicy Unrestricted

You can perform these manual steps instead:

1. Create a folder under c: named demo, "c:\demo"
2. Save this clean file into c:\demo.
3. Enable all rules using the PowerShell command.

Scenario 1: Attack surface reduction blocks a test file with multiple vulnerabilities

1. Enable all rules in block mode using the PowerShell commands (you can copy paste all)
2. Download and open any of the test file/documents, and enable editing and content, if prompted.

Scenario 1 expected results

You should immediately see an "Action blocked" notification.

Scenario 2: ASR rule blocks the test file with the corresponding vulnerability

1. Configure the rule you want to test using the PowerShell command from the previous step.

   Example: Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled

2. Download and open the test file/document for the rule you want to test, and enable editing and content, if prompted.

   Example: Block Office applications from creating child processes D4F940AB-401B-4EFC-AADC-AD5F3C50688A

Scenario 2 expected results

You should immediately see an "Action blocked" notification.

Scenario 3 (Windows 10 or later): ASR rule blocks unsigned USB content from executing

1. Configure the rule for USB protection (B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4).

Add-MpPreference -AttackSurfaceReductionRules_Ids B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -AttackSurfaceReductionRules_Actions Enabled

3. Download the file and put it on a USB stick and execute it Block Execution of untrusted or unsigned executables inside removable USB media

Scenario 3 expected results

You should immediately see an "Action blocked" notification.

Scenario 4: What would happen without attack surface reduction

1. Turn off all attack surface reduction rules using PowerShell commands in the cleanup section.

2. Download any test file/document, and enable editing and content, if prompted.

Scenario 4 expected results

• The files in c:\demo are encrypted and you should get a warning message
• Execute the test file again to decrypt the files

Clean-up

Download and run this clean-up script

Alternately, you can perform these manual steps:

Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids D1E49AAC-8F56-4280-B9BA-993A6D77406C -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids C1DB55AB-C21A-4637-BB3F-A12568109D35 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-CD74-433A-B99E-2ECDC07BFC25 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids e6db77e5-3df2-4cf1-b95a-636979351e5b -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids a8f5898e-1dc8-49a9-9878-85004b8a61e6 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 26190899-1602-49E8-8B27-EB1D0A1CE869 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C -AttackSurfaceReductionRules_Actions Disabled

Clean up c:\demo encryption by running the encrypt/decrypt file

See also

Attack surface reduction rules deployment guide

Attack surface reduction rules reference

Microsoft Defender for Endpoint - demonstration scenarios

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.