{"id":4793,"date":"2023-06-07T15:13:14","date_gmt":"2023-06-07T22:13:14","guid":{"rendered":"https:\/\/SUMMALAI.COM\/?p=4793"},"modified":"2023-06-07T15:13:19","modified_gmt":"2023-06-07T22:13:19","slug":"how-to-deploy-attack-surface-reduction-asr-rules","status":"publish","type":"post","link":"https:\/\/SUMMALAI.COM\/?p=4793","title":{"rendered":"How to Deploy Attack Surface Reduction (ASR) Rules\u00a0"},"content":{"rendered":"\n<p><strong>ASR rule to GUID matrix<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Rule Name<\/th><th>Rule GUID<\/th><\/tr><\/thead><tbody><tr><td>Block abuse of exploited vulnerable signed drivers<\/td><td>56a863a9-875e-4185-98a7-b882c64b5ce5<\/td><\/tr><tr><td>Block Adobe Reader from creating child processes<\/td><td>7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c<\/td><\/tr><tr><td>Block all Office applications from creating child processes<\/td><td>d4f940ab-401b-4efc-aadc-ad5f3c50688a<\/td><\/tr><tr><td>Block credential stealing from the Windows local security authority subsystem (lsass.exe)<\/td><td>9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2<\/td><\/tr><tr><td>Block executable content from email client and webmail<\/td><td>be9ba2d9-53ea-4cdc-84e5-9b1eeee46550<\/td><\/tr><tr><td>Block executable files from running unless they meet a prevalence, age, or trusted list criterion<\/td><td>01443614-cd74-433a-b99e-2ecdc07bfc25<\/td><\/tr><tr><td>Block execution of potentially obfuscated scripts<\/td><td>5beb7efe-fd9a-4556-801d-275e5ffc04cc<\/td><\/tr><tr><td>Block JavaScript or VBScript from launching downloaded executable content<\/td><td>d3e037e1-3eb8-44c8-a917-57927947596d<\/td><\/tr><tr><td>Block Office applications from creating executable content<\/td><td>3b576869-a4ec-4529-8536-b80a7769e899<\/td><\/tr><tr><td>Block Office applications from injecting code into other processes<\/td><td>75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84<\/td><\/tr><tr><td>Block Office communication application from creating child 
processes<\/td><td>26190899-1602-49e8-8b27-eb1d0a1ce869<\/td><\/tr><tr><td>Block persistence through WMI event subscription<br>* File and folder exclusions not supported.<\/td><td>e6db77e5-3df2-4cf1-b95a-636979351e5b<\/td><\/tr><tr><td>Block process creations originating from PSExec and WMI commands<\/td><td>d1e49aac-8f56-4280-b9ba-993a6d77406c<\/td><\/tr><tr><td>Block untrusted and unsigned processes that run from USB<\/td><td>b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4<\/td><\/tr><tr><td>Block Win32 API calls from Office macros<\/td><td>92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b<\/td><\/tr><tr><td>Use advanced protection against ransomware<\/td><td>c1db55ab-c21a-4637-bb3f-a12568109d35<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"asr-rule-modes\">ASR rule modes<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Not configured<\/strong>&nbsp;or&nbsp;<strong>Disable<\/strong>: The state in which the ASR rule hasn&#8217;t been enabled or has been disabled. The code for this state is 0.<\/li><li><strong>Block<\/strong>: The state in which the ASR rule is enabled. The code for this state is 1.<\/li><li><strong>Audit<\/strong>: The state in which the ASR rule is evaluated for the effect it would have on the organization or environment if enabled (set to block or warn). The code for this state is 2.<\/li><li><strong>Warn<\/strong>: The state in which the ASR rule is enabled and presents a notification to the end-user, but permits the end-user to bypass the block. The code for this state is 6.<\/li><\/ul>\n\n\n\n<p><em>Warn mode<\/em>&nbsp;is a block-mode type that alerts users about potentially risky actions. Users can choose to bypass the block warning message and allow the underlying action. 
Users can select&nbsp;<strong>OK<\/strong>&nbsp;to enforce the block, or select the bypass option &#8211;&nbsp;<strong>Unblock<\/strong>&nbsp;&#8211; through the end-user pop-up toast notification that is generated at the time of the block. After the warning is unblocked, the operation is allowed until the next time the warning message occurs, at which time the end-user will need to reperform the action.<\/p>\n\n\n\n<p>When the allow button is clicked, the block will be suppressed for 24 hours. After 24 hours, the end-user will need to allow the block again. The warn mode for ASR rules is only supported for RS5+ (1809+) devices. If bypass is assigned to ASR rules on devices with older versions, the rule will be in blocked mode.<\/p>\n\n\n\n<p>You can also set a rule in warn mode via PowerShell by specifying the AttackSurfaceReductionRules_Actions as &#8220;Warn&#8221;. For example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Add-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Warn\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"per-rule-descriptions\">Per rule descriptions<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"block-abuse-of-exploited-vulnerable-signed-drivers\">Block abuse of exploited vulnerable signed drivers<\/h3>\n\n\n\n<p>This rule prevents an application from writing a vulnerable signed driver to disk. 
In the wild, vulnerable signed drivers can be exploited by local applications &#8211;&nbsp;<em>that have sufficient privileges<\/em>&nbsp;&#8211; to gain access to the kernel. Vulnerable signed drivers enable attackers to disable or circumvent security solutions, eventually leading to system compromise.<\/p>\n\n\n\n<p>The&nbsp;<strong>Block abuse of exploited vulnerable signed drivers<\/strong>&nbsp;rule doesn&#8217;t block a driver already existing on the system from being loaded.<\/p>\n\n\n\n<p>&nbsp;Note<\/p>\n\n\n\n<p>You can configure this rule using Intune OMA-URI. See&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/enable-attack-surface-reduction?view=o365-worldwide#custom-profile-in-intune\">Intune OMA-URI<\/a>&nbsp;for configuring custom rules.<\/p>\n\n\n\n<p>You can also configure this rule using&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/enable-attack-surface-reduction?view=o365-worldwide#powershell\">PowerShell<\/a>.<\/p>\n\n\n\n<p>To have a driver examined, use this Web site to&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\/driversubmission\">Submit a driver for analysis<\/a>.<\/p>\n\n\n\n<p>Intune Name:&nbsp;<code>Block abuse of exploited vulnerable signed drivers<\/code><\/p>\n\n\n\n<p>Configuration Manager name: Not yet available<\/p>\n\n\n\n<p>GUID:&nbsp;<code>56a863a9-875e-4185-98a7-b882c64b5ce5<\/code><\/p>\n\n\n\n<p>Advanced hunting action type:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>AsrVulnerableSignedDriverAudited<\/li><li>AsrVulnerableSignedDriverBlocked<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"block-adobe-reader-from-creating-child-processes\">Block Adobe Reader from creating child 
processes<\/h3>\n\n\n\n<p>This rule prevents attacks by blocking Adobe Reader from creating processes.<\/p>\n\n\n\n<p>Malware can download and launch payloads and break out of Adobe Reader through social engineering or exploits. By blocking child processes from being generated by Adobe Reader, malware attempting to use Adobe Reader as an attack vector are prevented from spreading.<\/p>\n\n\n\n<p>Intune name:&nbsp;<code>Process creation from Adobe Reader (beta)<\/code><\/p>\n\n\n\n<p>Configuration Manager name: Not yet available<\/p>\n\n\n\n<p>GUID:&nbsp;<code>7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c<\/code><\/p>\n\n\n\n<p>Advanced hunting action type:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>AsrAdobeReaderChildProcessAudited<\/li><li>AsrAdobeReaderChildProcessBlocked<\/li><\/ul>\n\n\n\n<p>Dependencies: Microsoft Defender Antivirus<\/p>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules-reference?view=o365-worldwide#block-all-office-applications-from-creating-child-processes\"><\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"block-all-office-applications-from-creating-child-processes\">Block all Office applications from creating child processes<\/h3>\n\n\n\n<p>This rule blocks Office apps from creating child processes. Office apps include Word, Excel, PowerPoint, OneNote, and Access.<\/p>\n\n\n\n<p>Creating malicious child processes is a common malware strategy. Malware that abuses Office as a vector often runs VBA macros and exploit code to download and attempt to run more payloads. 
However, some legitimate line-of-business applications might also generate child processes for benign purposes; such as spawning a command prompt or using PowerShell to configure registry settings.<\/p>\n\n\n\n<p>Intune name:&nbsp;<code>Office apps launching child processes<\/code><\/p>\n\n\n\n<p>Configuration Manager name:&nbsp;<code>Block Office application from creating child processes<\/code><\/p>\n\n\n\n<p>GUID:&nbsp;<code>d4f940ab-401b-4efc-aadc-ad5f3c50688a<\/code><\/p>\n\n\n\n<p>Advanced hunting action type:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>AsrOfficeChildProcessAudited<\/li><li>AsrOfficeChildProcessBlocked<\/li><\/ul>\n\n\n\n<p>Dependencies: Microsoft Defender Antivirus<\/p>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules-reference?view=o365-worldwide#block-credential-stealing-from-the-windows-local-security-authority-subsystem\"><\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"block-credential-stealing-from-the-windows-local-security-authority-subsystem\">Block credential stealing from the Windows local security authority subsystem<\/h3>\n\n\n\n<p>This rule helps prevent credential stealing by locking down Local Security Authority Subsystem Service (LSASS).<\/p>\n\n\n\n<p>LSASS authenticates users who sign in on a Windows computer. Microsoft Defender Credential Guard in Windows normally prevents attempts to extract credentials from LSASS. Some organizations can&#8217;t enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.<\/p>\n\n\n\n<p>By default the state of this rule is set to block. In most cases, many processes make calls to LSASS for access rights that are not needed. 
For example, such as when the initial block from the ASR rule results in a subsequent call for a lesser privilege which subsequently succeeds. For information about the types of rights that are typically requested in process calls to LSASS, see:&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/procthread\/process-security-and-access-rights\">Process Security and Access Rights<\/a>.<\/p>\n\n\n\n<p>&nbsp;Note<\/p>\n\n\n\n<p>In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app&#8217;s process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is no need to add it to the exclusion list. By itself, this event log entry doesn&#8217;t necessarily indicate a malicious threat.<\/p>\n\n\n\n<p>Intune name:&nbsp;<code>Flag credential stealing from the Windows local security authority subsystem<\/code><\/p>\n\n\n\n<p>Configuration Manager name:&nbsp;<code>Block credential stealing from the Windows local security authority subsystem<\/code><\/p>\n\n\n\n<p>GUID:&nbsp;<code>9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2<\/code><\/p>\n\n\n\n<p>Advanced hunting action type:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>AsrLsassCredentialTheftAudited<\/li><li>AsrLsassCredentialTheftBlocked<\/li><\/ul>\n\n\n\n<p>Dependencies: Microsoft Defender Antivirus<\/p>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules-reference?view=o365-worldwide#block-executable-content-from-email-client-and-webmail\"><\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"block-executable-content-from-email-client-and-webmail\">Block executable content from email client and webmail<\/h3>\n\n\n\n<p>This rule blocks the following file types from launching from email opened within the Microsoft 
Outlook application, or Outlook.com and other popular webmail providers:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Executable files (such as .exe, .dll, or .scr)<\/li><li>Script files (such as a PowerShell .ps1, Visual Basic .vbs, or JavaScript .js file)<\/li><\/ul>\n\n\n\n<p>Intune name:&nbsp;<code>Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail\/mail client) (no exceptions)<\/code><\/p>\n\n\n\n<p>Microsoft Configuration Manager name:&nbsp;<code>Block executable content from email client and webmail<\/code><\/p>\n\n\n\n<p>GUID:&nbsp;<code>be9ba2d9-53ea-4cdc-84e5-9b1eeee46550<\/code><\/p>\n\n\n\n<p>Advanced hunting action type:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>AsrExecutableEmailContentAudited<\/li><li>AsrExecutableEmailContentBlocked<\/li><\/ul>\n\n\n\n<p>Dependencies: Microsoft Defender Antivirus<\/p>\n\n\n\n<p>&nbsp;Note<\/p>\n\n\n\n<p>The rule&nbsp;<strong>Block executable content from email client and webmail<\/strong>&nbsp;has the following alternative descriptions, depending on which application you use:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Intune (Configuration Profiles): Execution of executable content (exe, dll, ps, js, vbs, etc.) 
dropped from email (webmail\/mail client) (no exceptions).<\/li><li>Configuration Manager: Block executable content download from email and webmail clients.<\/li><li>Group Policy: Block executable content from email client and webmail.<\/li><\/ul>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules-reference?view=o365-worldwide#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion\"><\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion\">Block executable files from running unless they meet a prevalence, age, or trusted list criterion<\/h3>\n\n\n\n<p>This rule blocks executable files, such as .exe, .dll, or .scr, from launching. Thus, launching untrusted or unknown executable files can be risky, as it might not be initially clear if the files are malicious.<\/p>\n\n\n\n<p>&nbsp;Important<\/p>\n\n\n\n<p>You must&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/threat-protection\/microsoft-defender-antivirus\/enable-cloud-protection-microsoft-defender-antivirus\">enable cloud-delivered protection<\/a>&nbsp;to use this rule.<\/p>\n\n\n\n<p>The rule&nbsp;<strong>Block executable files from running unless they meet a prevalence, age, or trusted list criterion<\/strong>&nbsp;with GUID&nbsp;<code>01443614-cd74-433a-b99e-2ecdc07bfc25<\/code>&nbsp;is owned by Microsoft and is not specified by admins. 
This rule uses cloud-delivered protection to update its trusted list regularly.<\/p>\n\n\n\n<p>You can specify individual files or folders (using folder paths or fully qualified resource names) but you can&#8217;t specify which rules or exclusions apply to.<\/p>\n\n\n\n<p>Intune name:&nbsp;<code>Executables that don't meet a prevalence, age, or trusted list criteria<\/code><\/p>\n\n\n\n<p>Configuration Manager name:&nbsp;<code>Block executable files from running unless they meet a prevalence, age, or trusted list criteria<\/code><\/p>\n\n\n\n<p>GUID:&nbsp;<code>01443614-cd74-433a-b99e-2ecdc07bfc25<\/code><\/p>\n\n\n\n<p>Advanced hunting action type:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>AsrUntrustedExecutableAudited<\/li><li>AsrUntrustedExecutableBlocked<\/li><\/ul>\n\n\n\n<p>Dependencies: Microsoft Defender Antivirus, Cloud Protection<\/p>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules-reference?view=o365-worldwide#block-execution-of-potentially-obfuscated-scripts\"><\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"block-execution-of-potentially-obfuscated-scripts\">Block execution of potentially obfuscated scripts<\/h3>\n\n\n\n<p>This rule detects suspicious properties within an obfuscated script.<\/p>\n\n\n\n<p>&nbsp;Important<\/p>\n\n\n\n<p>PowerShell scripts have been temporarily excluded from the &#8220;Block execution of potentially obfuscated scripts&#8221; rule due to a high number of false positives. We will provide an update when PowerShell scripts are included again in the scope of this rule.<\/p>\n\n\n\n<p>Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. 
Malware authors also use obfuscation to make malicious code harder to read, which hampers close scrutiny by humans and security software.<\/p>\n\n\n\n<p>Intune name:&nbsp;<code>Obfuscated js\/vbs\/ps\/macro code<\/code><\/p>\n\n\n\n<p>Configuration Manager name:&nbsp;<code>Block execution of potentially obfuscated scripts<\/code><\/p>\n\n\n\n<p>GUID:&nbsp;<code>5beb7efe-fd9a-4556-801d-275e5ffc04cc<\/code><\/p>\n\n\n\n<p>Advanced hunting action type:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>AsrObfuscatedScriptAudited<\/li><li>AsrObfuscatedScriptBlocked<\/li><\/ul>\n\n\n\n<p>Dependencies: Microsoft Defender Antivirus, AntiMalware Scan Interface (AMSI)<\/p>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules-reference?view=o365-worldwide#block-javascript-or-vbscript-from-launching-downloaded-executable-content\"><\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"block-javascript-or-vbscript-from-launching-downloaded-executable-content\">Block JavaScript or VBScript from launching downloaded executable content<\/h3>\n\n\n\n<p>This rule prevents scripts from launching potentially malicious downloaded content. 
Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet.<\/p>\n\n\n\n<p>Although not common, line-of-business applications sometimes use scripts to download and launch installers.<\/p>\n\n\n\n<p>Intune name:&nbsp;<code>js\/vbs executing payload downloaded from Internet (no exceptions)<\/code><\/p>\n\n\n\n<p>Configuration Manager name:&nbsp;<code>Block JavaScript or VBScript from launching downloaded executable content<\/code><\/p>\n\n\n\n<p>GUID:&nbsp;<code>d3e037e1-3eb8-44c8-a917-57927947596d<\/code><\/p>\n\n\n\n<p>Advanced hunting action type:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>AsrScriptExecutableDownloadAudited<\/li><li>AsrScriptExecutableDownloadBlocked<\/li><\/ul>\n\n\n\n<p>Dependencies: Microsoft Defender Antivirus, AMSI<\/p>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules-reference?view=o365-worldwide#block-office-applications-from-creating-executable-content\"><\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"block-office-applications-from-creating-executable-content\">Block Office applications from creating executable content<\/h3>\n\n\n\n<p>This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk.<\/p>\n\n\n\n<p>Malware that abuses Office as a vector might attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique. 
This rule also blocks execution of untrusted files that may have been saved by Office macros that are allowed to run in Office files.<\/p>\n\n\n\n<p>Intune name:&nbsp;<code>Office apps\/macros creating executable content<\/code><\/p>\n\n\n\n<p>SCCM name:&nbsp;<code>Block Office applications from creating executable content<\/code><\/p>\n\n\n\n<p>GUID:&nbsp;<code>3b576869-a4ec-4529-8536-b80a7769e899<\/code><\/p>\n\n\n\n<p>Advanced hunting action type:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>AsrExecutableOfficeContentAudited<\/li><li>AsrExecutableOfficeContentBlocked<\/li><\/ul>\n\n\n\n<p>Dependencies: Microsoft Defender Antivirus, RPC<\/p>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules-reference?view=o365-worldwide#block-office-applications-from-injecting-code-into-other-processes\"><\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"block-office-applications-from-injecting-code-into-other-processes\">Block Office applications from injecting code into other processes<\/h3>\n\n\n\n<p>This rule blocks code injection attempts from Office apps into other processes.<\/p>\n\n\n\n<p>Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process.<\/p>\n\n\n\n<p>There are no known legitimate business purposes for using code injection.<\/p>\n\n\n\n<p>This rule applies to Word, Excel, OneNote, and PowerPoint.<\/p>\n\n\n\n<p>Intune name:&nbsp;<code>Office apps injecting code into other processes (no exceptions)<\/code><\/p>\n\n\n\n<p>Configuration Manager name:&nbsp;<code>Block Office applications from injecting code into other processes<\/code><\/p>\n\n\n\n<p>GUID:&nbsp;<code>75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84<\/code><\/p>\n\n\n\n<p>Advanced hunting action type:<\/p>\n\n\n\n<ul 
class=\"wp-block-list\"><li>AsrOfficeProcessInjectionAudited<\/li><li>AsrOfficeProcessInjectionBlocked<\/li><\/ul>\n\n\n\n<p>Dependencies: Microsoft Defender Antivirus<\/p>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules-reference?view=o365-worldwide#block-office-communication-application-from-creating-child-processes\"><\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"block-office-communication-application-from-creating-child-processes\">Block Office communication application from creating child processes<\/h3>\n\n\n\n<p>This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions.<\/p>\n\n\n\n<p>This rule protects against social engineering attacks and prevents exploiting code from abusing vulnerabilities in Outlook. It also protects against&nbsp;<a href=\"https:\/\/blogs.technet.microsoft.com\/office365security\/defending-against-rules-and-forms-injection\/\">Outlook rules and forms exploits<\/a>&nbsp;that attackers can use when a user&#8217;s credentials are compromised.<\/p>\n\n\n\n<p>&nbsp;Note<\/p>\n\n\n\n<p>This rule blocks DLP policy tips and ToolTips in Outlook. 
This rule applies to Outlook and Outlook.com only.<\/p>\n\n\n\n<p>Intune name:&nbsp;<code>Process creation from Office communication products (beta)<\/code><\/p>\n\n\n\n<p>Configuration Manager name: Not available<\/p>\n\n\n\n<p>GUID:&nbsp;<code>26190899-1602-49e8-8b27-eb1d0a1ce869<\/code><\/p>\n\n\n\n<p>Advanced hunting action type:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>AsrOfficeCommAppChildProcessAudited<\/li><li>AsrOfficeCommAppChildProcessBlocked<\/li><\/ul>\n\n\n\n<p>Dependencies: Microsoft Defender Antivirus<\/p>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules-reference?view=o365-worldwide#block-persistence-through-wmi-event-subscription\"><\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"block-persistence-through-wmi-event-subscription\">Block persistence through WMI event subscription<\/h3>\n\n\n\n<p>This rule prevents malware from abusing WMI to attain persistence on a device.<\/p>\n\n\n\n<p>&nbsp;Important<\/p>\n\n\n\n<p>File and folder exclusions don&#8217;t apply to this attack surface reduction rule.<\/p>\n\n\n\n<p>Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. 
Some threats can abuse the WMI repository and event model to stay hidden.<\/p>\n\n\n\n<p>Intune name:&nbsp;<code>Persistence through WMI event subscription<\/code><\/p>\n\n\n\n<p>Configuration Manager name: Not available<\/p>\n\n\n\n<p>GUID:&nbsp;<code>e6db77e5-3df2-4cf1-b95a-636979351e5b<\/code><\/p>\n\n\n\n<p>Advanced hunting action type:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>AsrPersistenceThroughWmiAudited<\/li><li>AsrPersistenceThroughWmiBlocked<\/li><\/ul>\n\n\n\n<p>Dependencies: Microsoft Defender Antivirus, RPC<\/p>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands\"><\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"block-process-creations-originating-from-psexec-and-wmi-commands\">Block process creations originating from PSExec and WMI commands<\/h3>\n\n\n\n<p>This rule blocks processes created through&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/sysinternals\/downloads\/psexec\">PsExec<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/wmisdk\/about-wmi\">WMI<\/a>&nbsp;from running. Both PsExec and WMI can remotely execute code. There&#8217;s a risk of malware abusing functionality of PsExec and WMI for command and control purposes, or to spread an infection throughout an organization&#8217;s network.<\/p>\n\n\n\n<p>&nbsp;Warning<\/p>\n\n\n\n<p>Only use this rule if you&#8217;re managing your devices with&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/intune\">Intune<\/a>&nbsp;or another MDM solution. 
This rule is incompatible with management through&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/configmgr\">Microsoft Endpoint Configuration Manager<\/a>&nbsp;because this rule blocks WMI commands the Configuration Manager client uses to function correctly.<\/p>\n\n\n\n<p>Intune name:&nbsp;<code>Process creation from PSExec and WMI commands<\/code><\/p>\n\n\n\n<p>Configuration Manager name: Not applicable<\/p>\n\n\n\n<p>GUID:&nbsp;<code>d1e49aac-8f56-4280-b9ba-993a6d77406c<\/code><\/p>\n\n\n\n<p>Advanced hunting action type:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>AsrPsexecWmiChildProcessAudited<\/li><li>AsrPsexecWmiChildProcessBlocked<\/li><\/ul>\n\n\n\n<p>Dependencies: Microsoft Defender Antivirus<\/p>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules-reference?view=o365-worldwide#block-untrusted-and-unsigned-processes-that-run-from-usb\"><\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"block-untrusted-and-unsigned-processes-that-run-from-usb\">Block untrusted and unsigned processes that run from USB<\/h3>\n\n\n\n<p>With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. 
Blocked file types include executable files (such as .exe, .dll, or .scr)<\/p>\n\n\n\n<p>&nbsp;Important<\/p>\n\n\n\n<p>Files copied from the USB to the disk drive will be blocked by this rule if and when it&#8217;s about to be executed on the disk drive.<\/p>\n\n\n\n<p>Intune name:&nbsp;<code>Untrusted and unsigned processes that run from USB<\/code><\/p>\n\n\n\n<p>Configuration Manager name:&nbsp;<code>Block untrusted and unsigned processes that run from USB<\/code><\/p>\n\n\n\n<p>GUID:&nbsp;<code>b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4<\/code><\/p>\n\n\n\n<p>Advanced hunting action type:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>AsrUntrustedUsbProcessAudited<\/li><li>AsrUntrustedUsbProcessBlocked<\/li><\/ul>\n\n\n\n<p>Dependencies: Microsoft Defender Antivirus<\/p>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules-reference?view=o365-worldwide#block-win32-api-calls-from-office-macros\"><\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"block-win32-api-calls-from-office-macros\">Block Win32 API calls from Office macros<\/h3>\n\n\n\n<p>This rule prevents VBA macros from calling Win32 APIs.<\/p>\n\n\n\n<p>Office VBA enables Win32 API calls. Malware can abuse this capability, such as&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/blog\/2018\/09\/12\/office-vba-amsi-parting-the-veil-on-malicious-macros\/\">calling Win32 APIs to launch malicious shellcode<\/a>&nbsp;without writing anything directly to disk. 
Most organizations don&#8217;t rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.<\/p>\n\n\n\n<p>Supported operating systems:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/whats-new\/whats-new-windows-10-version-1709\">Windows 10, version 1709<\/a><\/li><li><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/get-started\/whats-new-in-windows-server-1809\">Windows Server, version 1809<\/a><\/li><li><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/get-started-19\/whats-new-19\">Windows Server 2019<\/a><\/li><li><a href=\"https:\/\/learn.microsoft.com\/en-us\/configmgr\/core\/servers\/manage\/updates\">Configuration Manager CB 1710<\/a><\/li><\/ul>\n\n\n\n<p>Intune name:&nbsp;<code>Win32 imports from Office macro code<\/code><\/p>\n\n\n\n<p>Configuration Manager name:&nbsp;<code>Block Win32 API calls from Office macros<\/code><\/p>\n\n\n\n<p>GUID:&nbsp;<code>92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b<\/code><\/p>\n\n\n\n<p>Advanced hunting action type:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>AsrOfficeMacroWin32ApiCallsAudited<\/li><li>AsrOfficeMacroWin32ApiCallsBlocked<\/li><\/ul>\n\n\n\n<p>Dependencies: Microsoft Defender Antivirus, AMSI<\/p>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules-reference?view=o365-worldwide#use-advanced-protection-against-ransomware\"><\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"use-advanced-protection-against-ransomware\">Use advanced protection against ransomware<\/h3>\n\n\n\n<p>This rule provides an extra layer of protection against ransomware. It uses both client and cloud heuristics to determine whether a file resembles ransomware. 
This rule doesn&#8217;t block files that have one or more of the following characteristics:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The file has already been found to be unharmful in the Microsoft cloud.<\/li><li>The file is a valid signed file.<\/li><li>The file is prevalent enough to not be considered as ransomware.<\/li><\/ul>\n\n\n\n<p>The rule tends to err on the side of caution to prevent ransomware.<\/p>\n\n\n\n<p>&nbsp;Note<\/p>\n\n\n\n<p>You must&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/enable-cloud-protection-microsoft-defender-antivirus?view=o365-worldwide\">enable cloud-delivered protection<\/a>&nbsp;to use this rule.<\/p>\n\n\n\n<p>Intune name:&nbsp;<code>Advanced ransomware protection<\/code><\/p>\n\n\n\n<p>Configuration Manager name:&nbsp;<code>Use advanced protection against ransomware<\/code><\/p>\n\n\n\n<p>GUID:&nbsp;<code>c1db55ab-c21a-4637-bb3f-a12568109d35<\/code><\/p>\n\n\n\n<p>Advanced hunting action type:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>AsrRansomwareAudited<\/li><li>AsrRansomwareBlocked<\/li><\/ul>\n\n\n\n<p>Dependencies: Microsoft Defender Antivirus, Cloud Protection<a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules-reference?view=o365-worldwide#see-also\"><\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"see-also\">See also<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules-deployment?view=o365-worldwide\">Attack surface reduction (ASR) rules deployment overview<\/a><\/li><li><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules-deployment-plan?view=o365-worldwide\">Plan attack surface reduction (ASR) rules deployment<\/a><\/li><li><a 
href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules-deployment-test?view=o365-worldwide\">Test attack surface reduction (ASR) rules<\/a><\/li><li><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules-deployment-implement?view=o365-worldwide\">Enable attack surface reduction (ASR) rules<\/a><\/li><li><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules-deployment-operationalize?view=o365-worldwide\">Operationalize attack surface reduction (ASR) rules<\/a><\/li><li><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules-report?view=o365-worldwide\">Attack surface reduction (ASR) rules report<\/a><\/li><li><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules-reference?view=o365-worldwide\">Attack surface reduction rules reference<\/a><\/li><li><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/defender-endpoint-antivirus-exclusions?view=o365-worldwide\">Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus<\/a><\/li><\/ul>\n\n\n\n<p>Ref: <a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules-reference?view=o365-worldwide#block-persistence-through-wmi-event-subscription\">Attack surface reduction rules reference | Microsoft Learn<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","categories":[1185,1249,10],"tags":[1619],"class_list":["post-4793","post","type-post","status-publish","format-standard","hentry","category-autopilot-intune","category-azure-microsoft","category-microsoft","tag-deploy-attack-surface-reduction-asr-rules"]}
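Deploying the two rules described above (Block Win32 API calls from Office macros, Use advanced protection against ransomware) on a single host, as an added PowerShell example that is not part of the original post or of Microsoft's documentation. It assumes an elevated session on a Windows 10 1709+/Server 2019+ host with Microsoft Defender Antivirus as the active engine, uses only the Defender module cmdlets (Get-MpComputerStatus, Get-MpPreference, Set-MpPreference, Add-MpPreference) and Get-WinEvent, takes the rule GUIDs and the 0/1/2/6 mode codes from this page, and reads ASR audit/block hits from the Defender operational log (event IDs 1122 and 1121). The function names and the 24-hour review window are the example's own choices.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: stage two ASR rules into audit mode,
# check the prerequisites they depend on, read back local audit hits, and report
# the effective mode using the 0/1/2/6 codes from the rule-modes section.

$Rules = @{
    'Block Win32 API calls from Office macros'   = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'
    'Use advanced protection against ransomware' = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
}
$ModeName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Test-AsrPrerequisites {
    # ASR rules only enforce when Defender AV is the active engine (not passive mode);
    # the ransomware rule additionally needs cloud-delivered protection (MAPS).
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $ok = $true
    if ($status.AMRunningMode -ne 'Normal') {
        Write-Warning "Defender AV is in '$($status.AMRunningMode)'; ASR rules will not enforce."
        $ok = $false
    }
    if ($pref.MAPSReporting -eq 0) {
        Write-Warning 'Cloud-delivered protection is off; enabling Advanced MAPS with safe-sample submission.'
        Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples
    }
    return $ok
}

function Set-AsrRuleMode {
    param(
        [Parameter(Mandatory)][string[]]$Guid,
        [Parameter(Mandatory)][ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')][string]$Mode
    )
    # Add-MpPreference appends to, or updates, the existing rule list. Set-MpPreference
    # would replace the whole list and silently drop rules pushed by Intune or ConfigMgr.
    foreach ($g in $Guid) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $g -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-AsrRuleMode {
    # Returns a hashtable GUID -> mode code. Defender exposes the rules as two parallel
    # arrays (Ids and Actions), so they are zipped by index.
    $pref  = Get-MpPreference
    $state = @{}
    if ($pref.AttackSurfaceReductionRules_Ids) {
        $ids  = @($pref.AttackSurfaceReductionRules_Ids)
        $acts = @($pref.AttackSurfaceReductionRules_Actions)
        for ($i = 0; $i -lt $ids.Count; $i++) { $state[$ids[$i].ToLower()] = [int]$acts[$i] }
    }
    return $state
}

function Get-AsrLocalHits {
    param([string[]]$Guid, [int]$Hours = 24)
    # Defender operational log: 1122 = ASR rule audited, 1121 = ASR rule blocked.
    # The triggering rule's GUID is in the event message, so filter on it.
    $pattern = ($Guid -join '|')
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        Select-Object TimeCreated,
            @{ n = 'Mode'; e = { if ($_.Id -eq 1122) { 'Audit' } else { 'Block' } } },
            Message
}

# Deployment flow: audit first; promote to block only after the hits have been reviewed.
if (-not (Test-AsrPrerequisites)) { throw 'Fix the prerequisites above before deploying ASR rules.' }

Set-AsrRuleMode -Guid $Rules.Values -Mode AuditMode

$state = Get-AsrRuleMode
foreach ($entry in $Rules.GetEnumerator()) {
    $code = $state[$entry.Value]
    $name = if ($null -eq $code) { 'Not configured' } else { $ModeName[$code] }
    '{0,-45} {1}  {2}' -f $entry.Key, $entry.Value, $name
}

# Audit hits from the last day. When the list is empty or every hit is explained,
# promote with:  Set-AsrRuleMode -Guid $Rules.Values -Mode Enabled
Get-AsrLocalHits -Guid $Rules.Values -Hours 24 | Format-Table -AutoSize
```

Add-MpPreference is used for both the initial audit deployment and the later promotion because it updates the action of a rule that is already present, whereas Set-MpPreference replaces the entire rule list. The local event log check is the quickest way to confirm a rule is actually evaluating on a host before relying on the AsrOfficeMacroWin32ApiCalls* and AsrRansomware* action types in advanced hunting, which only appear once the device is reporting to Defender for Endpoint.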