14 KiB
title, description, keywords, search.product, ms.pagetype, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, ms.localizationpriority, author, ms.author, ms.date
| title | description | keywords | search.product | ms.pagetype | ms.prod | ms.mktglfcycl | ms.sitesec | ms.pagetype | ms.localizationpriority | author | ms.author | ms.date |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Use attack surface reduction rules to prevent malware infection | ASR rules can help prevent exploits from using apps and scripts to infect machines with malware | Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention | eADQiWindows 10XVcnh | security | w10 | manage | library | security | medium | andreabichsel | v-anbic | 11/29/2018 |
Reduce attack surfaces with attack surface reduction rules
Applies to:
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature is part of Windows Defender Advanced Threat Protection and provides:
- Rules you can set to enable or disable specific behaviors that are typically used by malware and malicious apps to infect machines, such as:
- Executable files and scripts used in Office apps or web mail that attempt to download or run files
- Scripts that are obfuscated or otherwise suspicious
- Behaviors that apps undertake that are not usually initiated during normal day-to-day work
- Centralized monitoring and reporting with deep optics that help you connect the dots across events, computers and devices, and networks
- Analytics to enable ease of deployment, by using audit mode to show how attack surface reduction rules would impact your organization if they were enabled
When an attack surface reduction rule is triggered, a notification displays from the Action Center on the user's computer. You can customize the notification with your company details and contact information.
Attack surface reduction is supported on Windows 10, version 1709 and later and Windows Server 2019.
Requirements
Attack surface reduction rules are a feature of Windows Defender ATP and require Windows 10 Enterprise E5 and Windows Defender AV real-time protection.
Attack surface reduction rules
The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table.
| Rule name | GUID |
|---|---|
| Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 |
| Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A |
| Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 |
| Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 |
| Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D |
| Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC |
| Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B |
| Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25 |
| Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 |
| Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 |
| Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c |
| Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 |
| Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 |
| Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c |
Rule: Block executable content from email client and webmail
This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com):
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
- Script archive files
Rule: Block all Office applications from creating child processes
Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
Note
This does not include Outlook. For Outlook, please see Block Office communication applications from creating child processes.
This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
Rule: Block Office applications from creating executable content
This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique.
Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features.
Rule: Block Office applications from injecting code into other processes
Office apps, including Word, Excel, PowerPoint, and OneNote, will not be able to inject code into other processes.
This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
Rule: Block JavaScript or VBScript From launching downloaded executable content
JavaScript and VBScript scripts can be used by malware to launch other malicious apps.
This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
Rule: Block execution of potentially obfuscated scripts
Malware and other threats can attempt to obfuscate or hide their malicious code in some script files.
This rule prevents scripts that appear to be obfuscated from running.
Rule: Block Win32 API calls from Office macro
Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system.
This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. This includes Word, Excel, PowerPoint, and OneNote.
Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list:
- Executable files (such as .exe, .dll, or .scr)
Note
You must enable cloud-delivered protection to use this rule.
Rule: Use advanced protection against ransomware
This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list.
Note
You must enable cloud-delivered protection to use this rule.
Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
Note
Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat.
Rule: Block process creations originating from PSExec and WMI commands
This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks.
Warning
[Only use this rule if you are managing your devices with Intune or another MDM solution. This rule is incompatible with management through System Center Configuration Manager because this rule blocks WMI commands that the Configuration Manager client uses to function correctly.]
Rule: Block untrusted and unsigned processes that run from USB
With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include:
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
Rule: Block Office communication application from creating child processes
Outlook will not be allowed to create child processes.
This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
Note
This rule applies to Outlook only.
Rule: Block Adobe Reader from creating child processes
This rule blocks Adobe Reader from creating child processes.
Review attack surface reduction rule events in the Windows Defender ATP Security Center
Windows Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
You can query Windows Defender ATP data by using Advanced hunting. If you're using audit mode, you can use Advanced hunting to see how attack surface reduction rules would affect your environment if they were enabled.
Review attack surface reduction rule events in Windows Event Viewer
You can review the Windows event log to see events that are created when an attack surface reduction rule is triggered (or audited):
-
Download the Exploit Guard Evaluation Package and extract the file asr-events.xml to an easily accessible location on the machine.
-
Type Event viewer in the Start menu to open the Windows Event Viewer.
-
On the left panel, under Actions, click Import custom view...
-
Navigate to the Exploit Guard Evaluation Package, and select the file asr-events.xml. Alternatively, copy the XML directly.
-
Click OK.
-
This will create a custom view that filters to only show the following events related to attack surface reduction rules:
| Event ID | Description |
|---|---|
| 5007 | Event when settings are changed |
| 1122 | Event when rule fires in Audit-mode |
| 1121 | Event when rule fires in Block-mode |
Event fields
- ID: matches with the Rule-ID that triggered the block/audit.
- Detection time: Time of detection
- Process Name: The process that performed the "operation" that was blocked/audited
- Description: Additional details about the event or audit, including the signature, engine, and product version of Windows Defender Antivirus
Attack surface reduction rules in Windows 10 Enterprise E3
A subset of attack surface reduction rules are also available on Windows 10 Enterprise E3 without the benefit of centralized monitoring, reporting, and analytics. For more information, see Use attack surface reduction rules in Windows 10 Enterprise E3.
In this section
| Topic | Description |
|---|---|
| Evaluate attack surface reduction rules | Use a tool to see a number of scenarios that demonstrate how attack surface reduction rules work, and what events would typically be created. |
| Enable attack surface reduction rules | Use Group Policy, PowerShell, or MDM CSPs to enable and manage attack surface reduction rules in your network. |
| Customize attack surface reduction rules | Exclude specified files and folders from being evaluated by attack surface reduction rules and customize the notification that appears on a user's machine when a rule blocks an app or file. |