Attack Surface Reduction (ASR) rules are a built-in feature of Microsoft Defender Antivirus on Windows that reduce a device's attack surface by blocking (or auditing) behaviours commonly abused by malware, such as Office applications spawning child processes, scripts launching downloaded executables, or credential theft from LSASS. Each rule can be set to Block, Audit, Warn or Disabled independently, so the set of active rules can be tuned to what the environment tolerates, and together they mitigate malware delivered through phishing attachments, malicious macros, living-off-the-land tooling and ransomware.
In this blog post, I will show how to use PowerShell to enable and disable ASR rules on Windows devices. I have also published a JSON file on my GitHub account that lists all the rules.
Configurable ASR Rules
Name | GUID |
---|---|
Block abuse of exploited vulnerable signed drivers | 56a863a9-875e-4185-98a7-b882c64b5ce5 |
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c |
Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A |
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 |
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 |
Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25 |
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC |
Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D |
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 |
Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 |
Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 |
Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b |
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c |
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 |
Block Win32 API calls from Office macros | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B |
Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 |
Configuring ASR Rules one by one using PowerShell
ASR rules can be configured with the Defender Antivirus cmdlets (Get-MpPreference, Add-MpPreference, Set-MpPreference and Remove-MpPreference), which also makes it straightforward to script a consistent policy across devices. Two caveats: the rules only take effect when Microsoft Defender Antivirus is the active antimalware engine (not in passive mode behind a third-party product), and on devices managed by Intune, Configuration Manager or Group Policy the management-delivered setting wins, so local PowerShell changes can be overwritten. The following are the steps to configure ASR rules using PowerShell:
Open PowerShell as an administrator.
Run Get-MpPreference to view the current configuration of ASR rules. Check the AttackSurfaceReductionRules_Ids and AttackSurfaceReductionRules_Actions properties: they are two parallel arrays, so the n-th action belongs to the n-th GUID, and the actions are returned as numbers (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
To enable or disable a specific rule, use Add-MpPreference -AttackSurfaceReductionRules_Ids <GUID> -AttackSurfaceReductionRules_Actions <Action>, replacing <GUID> with the rule ID from the table above and <Action> with Enabled (block), AuditMode, Warn or Disabled. Add-MpPreference adds the rule to the existing list, or updates the action of a rule that is already configured; Set-MpPreference with the same parameters replaces the whole list, so only use it when you intend to pass every rule at once; Remove-MpPreference -AttackSurfaceReductionRules_Ids <GUID> drops a rule back to Not configured.
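The steps above as one runnable session, added here as an example and not taken from the original post. It uses the "Block credential stealing from LSASS" GUID from the table, moves the rule through Audit to Block, and reads back the effective action after each change. The helper name Get-AsrRuleAction is my own; the event IDs (1122 for audit hits, 1121 for block hits in the Microsoft-Windows-Windows Defender/Operational log) are Defender's. Run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): the one-rule-at-a-time workflow end to end.
# Rule used: "Block credential stealing from the Windows local security authority subsystem (lsass.exe)".
$LsassRule = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

# Numeric action codes as returned by Get-MpPreference
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Enabled (Block)'; 2 = 'AuditMode'; 6 = 'Warn' }

# Get-MpPreference exposes the rules as two parallel arrays (Ids and Actions);
# this helper (name is mine) looks up the action configured for one GUID.
function Get-AsrRuleAction([string]$Guid) {
    $Pref = Get-MpPreference
    for ($i = 0; $i -lt $Pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        if ($Pref.AttackSurfaceReductionRules_Ids[$i] -ieq $Guid) {
            $Code = [int]$Pref.AttackSurfaceReductionRules_Actions[$i]
            if ($ActionNames.ContainsKey($Code)) { return $ActionNames[$Code] }
            return "Unknown($Code)"
        }
    }
    return 'NotConfigured'
}

"Before: $(Get-AsrRuleAction $LsassRule)"

# Step 1: audit only. Add-MpPreference appends to (or updates within) the existing rule list,
# leaving every other configured rule untouched.
Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRule -AttackSurfaceReductionRules_Actions AuditMode
"Audit:  $(Get-AsrRuleAction $LsassRule)"

# Review what the rule would have blocked: audit hits are logged as Event ID 1122 (block hits as 1121)
# in the Microsoft-Windows-Windows Defender/Operational log, and the message contains the rule GUID.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1122 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $LsassRule } |
    Select-Object TimeCreated, Message

# Step 2: once the audit events look acceptable, switch the same GUID to Block.
# Re-running Add-MpPreference for a GUID that is already configured changes its action.
Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRule -AttackSurfaceReductionRules_Actions Enabled
"Block:  $(Get-AsrRuleAction $LsassRule)"

# Rollback: drop the rule back to Not configured.
# Remove-MpPreference -AttackSurfaceReductionRules_Ids $LsassRule
```

Reading the action back through Get-MpPreference after each change is the check worth keeping in any deployment script: on a device where Intune or Group Policy also sets ASR rules, the value you read back is the one that actually applies, not the one you just wrote.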
The steps above are fine for configuring one rule at a time. To make bulk configuration easier, I put together a simple PowerShell script that reads the ASR rules from the JSON file and sets each one to the status given in the file.
Configuring multiple ASR Rules using PowerShell
The script below retrieves the JSON file from a URL and converts it into PowerShell objects. It then loops through the objects, each of which represents one Attack Surface Reduction rule, and applies the rule with the action given in its Status field (Enabled, AuditMode, Warn or Disabled). All entries in the published file are set to Enabled, i.e. Block; to test first, change the Status values to AuditMode before running it. The script uses Add-MpPreference, so it adds to the existing configuration rather than replacing it.
```powershell
#Attack Surface Reduction Rules JSON File
$URL = "https://raw.githubusercontent.com/Kaidja/Defender-for-Endpoint/main/AttackSurfaceReductionRules.json"
#Download and convert ASR Rules from JSON (stop if the download fails instead of looping over nothing)
$ASRRules = (Invoke-WebRequest -Uri $URL -UseBasicParsing -ErrorAction Stop).Content | ConvertFrom-Json
foreach($Rule in $ASRRules){
    $ASRRuleName   = $Rule.Name
    $ASRRuleGUID   = $Rule.GUID
    #Status from the JSON file: Enabled (block), AuditMode, Warn or Disabled
    $ASRRuleAction = $Rule.Status
    Write-Output -InputObject "Working on $ASRRuleName ($ASRRuleGUID). Setting the rule to $ASRRuleAction"
    #Add-MpPreference adds to or updates the existing rule list without touching other rules
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ASRRuleGUID -AttackSurfaceReductionRules_Actions $ASRRuleAction
}
```
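A stricter variant of the bulk approach, added here as an example that is not part of the original post or its GitHub repository. Instead of applying rules one by one, it validates the desired state first, reports the drift between the file and the device, and then pushes the whole list in a single Set-MpPreference call. The JSON is embedded and constructed for the example (same Name/GUID/Status shape as the author's file, three rules with mixed actions) so it runs offline; in real use, load the downloaded file into $Desired instead.

```powershell
# Added example (not from the original post): desired-state check and atomic apply for ASR rules.
# Constructed sample in the same shape as the post's JSON file; mixed actions to show drift reporting.
$DesiredJson = @'
[
  { "Name": "Block credential stealing from the Windows local security authority subsystem (lsass.exe)",
    "GUID": "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2", "Status": "Enabled" },
  { "Name": "Block persistence through WMI event subscription",
    "GUID": "e6db77e5-3df2-4cf1-b95a-636979351e5b", "Status": "AuditMode" },
  { "Name": "Block Office applications from injecting code into other processes",
    "GUID": "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84", "Status": "Warn" }
]
'@
$Desired = $DesiredJson | ConvertFrom-Json

# Numeric codes returned by Get-MpPreference, and the action names the cmdlets accept
$CodeToName  = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }
$ValidStatus = 'Disabled', 'Enabled', 'AuditMode', 'Warn'
$GuidPattern = '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'

# Validate before touching the device: a malformed GUID or status in a downloaded file
# would otherwise fail half-way through and leave a partially applied policy.
foreach ($Rule in $Desired) {
    if ($Rule.GUID -notmatch $GuidPattern)   { throw "Malformed GUID for '$($Rule.Name)': $($Rule.GUID)" }
    if ($Rule.Status -notin $ValidStatus)    { throw "Unknown status for '$($Rule.Name)': $($Rule.Status)" }
}

# Current state as a GUID -> action-name map (the two Get-MpPreference arrays are parallel)
$Current = @{}
$Pref = Get-MpPreference
for ($i = 0; $i -lt $Pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $Code = [int]$Pref.AttackSurfaceReductionRules_Actions[$i]
    $Name = if ($CodeToName.ContainsKey($Code)) { $CodeToName[$Code] } else { "Unknown($Code)" }
    $Current[$Pref.AttackSurfaceReductionRules_Ids[$i].ToLower()] = $Name
}

# Drift: desired rules that are missing or have the wrong action
$Drift = foreach ($Rule in $Desired) {
    $Actual = $Current[$Rule.GUID.ToLower()]
    if ($Actual -ne $Rule.Status) {
        [PSCustomObject]@{
            Name    = $Rule.Name
            GUID    = $Rule.GUID
            Desired = $Rule.Status
            Actual  = if ($Actual) { $Actual } else { 'NotConfigured' }
        }
    }
}
# Rules configured locally but absent from the file; Set-MpPreference would remove them
$DesiredGuids = $Desired.GUID | ForEach-Object { $_.ToLower() }
$Extra = $Current.Keys | Where-Object { $_ -notin $DesiredGuids }

$Drift | Format-Table -AutoSize
if ($Extra) { Write-Warning "Configured locally but not in the file (will be removed): $($Extra -join ', ')" }

# Apply: Set-MpPreference replaces the entire rule list, so every desired rule is passed in one call,
# with the Ids and Actions arrays in the same order. Nothing is written when there is no drift.
if ($Drift -or $Extra) {
    Set-MpPreference -AttackSurfaceReductionRules_Ids $Desired.GUID -AttackSurfaceReductionRules_Actions $Desired.Status
}
```

The drift report doubles as a compliance check: run it without the final Set-MpPreference on a fleet to see which devices have been changed locally, and note that rules present on the device but absent from the file are removed by Set-MpPreference, which is exactly the overwrite behaviour that makes Add-MpPreference the safer choice for incremental changes.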
Attack Surface Reduction JSON File
The file below is published on my GitHub account at the URL the script downloads.
```json
[
    {
        "Name": "Block abuse of exploited vulnerable signed drivers",
        "GUID": "56a863a9-875e-4185-98a7-b882c64b5ce5",
        "Status": "Enabled"
    },
    {
        "Name": "Block Adobe Reader from creating child processes",
        "GUID": "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c",
        "Status": "Enabled"
    },
    {
        "Name": "Block all Office applications from creating child processes",
        "GUID": "D4F940AB-401B-4EFC-AADC-AD5F3C50688A",
        "Status": "Enabled"
    },
    {
        "Name": "Block credential stealing from the Windows local security authority subsystem (lsass.exe)",
        "GUID": "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2",
        "Status": "Enabled"
    },
    {
        "Name": "Block executable content from email client and webmail",
        "GUID": "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550",
        "Status": "Enabled"
    },
    {
        "Name": "Block executable files from running unless they meet a prevalence, age, or trusted list criterion",
        "GUID": "01443614-cd74-433a-b99e-2ecdc07bfc25",
        "Status": "Enabled"
    },
    {
        "Name": "Block execution of potentially obfuscated scripts",
        "GUID": "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC",
        "Status": "Enabled"
    },
    {
        "Name": "Block JavaScript or VBScript from launching downloaded executable content",
        "GUID": "D3E037E1-3EB8-44C8-A917-57927947596D",
        "Status": "Enabled"
    },
    {
        "Name": "Block Office applications from creating executable content",
        "GUID": "3B576869-A4EC-4529-8536-B80A7769E899",
        "Status": "Enabled"
    },
    {
        "Name": "Block Office applications from injecting code into other processes",
        "GUID": "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84",
        "Status": "Enabled"
    },
    {
        "Name": "Block Office communication application from creating child processes",
        "GUID": "26190899-1602-49e8-8b27-eb1d0a1ce869",
        "Status": "Enabled"
    },
    {
        "Name": "Block persistence through WMI event subscription",
        "GUID": "e6db77e5-3df2-4cf1-b95a-636979351e5b",
        "Status": "Enabled"
    },
    {
        "Name": "Block process creations originating from PSExec and WMI commands",
        "GUID": "d1e49aac-8f56-4280-b9ba-993a6d77406c",
        "Status": "Enabled"
    },
    {
        "Name": "Block untrusted and unsigned processes that run from USB",
        "GUID": "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4",
        "Status": "Enabled"
    },
    {
        "Name": "Block Win32 API calls from Office macros",
        "GUID": "92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B",
        "Status": "Enabled"
    },
    {
        "Name": "Use advanced protection against ransomware",
        "GUID": "c1db55ab-c21a-4637-bb3f-a12568109d35",
        "Status": "Enabled"
    }
]
```
Summary
Attack Surface Reduction rules are a cheap, high-value hardening control for Windows endpoints. If you have not yet implemented them, start by setting the rules to Audit Mode and reviewing the resulting events (Event ID 1122 in the Microsoft-Windows-Windows Defender/Operational log) to see what each rule would have blocked in your environment. Then move the rules that cause no business breakage to Block, and keep the noisy ones in Audit or Warn mode until the offending applications have been dealt with. Don't wait for the next incident to find out which of these behaviours your environment already exhibits; start testing Attack Surface Reduction rules today.