Microsoft Defender for Endpoint (MDE) offers robust protection against modern cyber threats, leveraging Attack Surface Reduction (ASR) rules to block suspicious behaviors and harden vulnerable areas of your organization’s security posture. These rules are continually evaluated and expanded to address emerging attack methods.
In the previous two articles (Introduction to Attack Surface Reduction and Understanding ASR Rules) we covered the basics of the ASR rules. Today, we will delve deeper and explore the most important ASR rules and their functions.
Understanding ASR Rules
ASR rules are designed to limit avenues attackers can exploit. By targeting specific behaviors and patterns, these rules proactively block malicious actions while supporting exclusions for legitimate use cases. Microsoft has categorized these rules into productivity app rules, script rules, communication app rules, polymorphic threat rules, human-operated ransomware rules, and lateral movement and credential theft rules.
Key ASR Rules and Their Functions
Productivity App Rules
Productivity apps like Microsoft Office are common targets for attackers. ASR rules in this category protect against exploits by blocking harmful actions often observed in attacks:
- Block Office applications from creating executable content
Prevents malicious files from being created and executed via Office apps such as Word and Excel.
- Block Office applications from creating child processes
Blocks any child processes initiated by Office apps, mitigating risks like PowerShell or Command Prompt abuse.
- Block Office applications from injecting code into other processes
Halts attempts to inject malicious code into legitimate processes, a tactic often used to bypass detection.
- Block Win32 API calls from Office macros
Disallows macros from executing Win32 API calls, a known method for launching fileless malware.
- Block Adobe Reader from creating child processes
Protects against exploits targeting Adobe Reader by blocking child process creation.
These rules allow exceptions when necessary, ensuring functionality for trusted applications while maintaining security.
Script Rules
Scripts are a favored tool for attackers due to their flexibility and ease of obfuscation. These ASR rules focus on detecting and blocking malicious script activity:
- Block execution of potentially obfuscated scripts
Uses machine learning to identify and block suspicious scripts, even those that are heavily obfuscated.
- Block JavaScript/VBScript from launching downloaded executable content
Prevents malicious scripts from executing binaries downloaded during attacks.
Exclusions can be configured to support legitimate script use in your environment.
Communication App Rules
Email remains a primary attack vector for delivering malicious payloads. These ASR rules secure email communications:
- Block executable content from email client and webmail
Blocks executables and script files delivered through email attachments or webmail.
- Block Office communication applications from creating child processes
Protects against exploits leveraging applications like Outlook to execute harmful processes.
Polymorphic Threat Rules
Attackers often use polymorphic malware—new and unrecognized files designed to evade detection. These ASR rules address this challenge:
- Block executable files from running unless they meet prevalence, age, or trusted list criteria
Prevents the execution of new, unsigned, or untrusted files.
- Block untrusted and unsigned processes that run from USB
Stops unsigned executables from launching directly from USB drives.
Human-Operated Ransomware Rules
Ransomware attacks often involve sophisticated techniques to gain access and encrypt critical data. These rules help mitigate such risks:
- Block abuse of exploited vulnerable signed drivers
Prevents vulnerable signed drivers from being used to gain kernel-level access.
- Use advanced protection against ransomware
Employs heuristic detection to block files with properties commonly associated with ransomware.
Lateral Movement and Credential Theft Rules
Attackers often attempt lateral movement within a network to expand their control. These ASR rules disrupt such activities:
- Block process creations originating from PsExec and WMI commands
Halts processes initiated via PsExec or WMI, common tools for lateral movement.
- Block credential stealing from the Windows LSASS (lsass.exe)
Prevents unauthorized access to LSASS memory, blocking credential theft.
- Block persistence through WMI event subscription
Blocks attackers from using WMI events to deploy persistent malicious code.
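The following PowerShell script is an added example, not part of the original article, showing how the rules discussed above are rolled out with Defender Antivirus cmdlets: first in audit mode, with an ASR-only exclusion for a trusted tool, then reviewed via the Defender operational log before being switched to block mode. The four rule GUIDs are taken from Microsoft's published ASR rule reference and should be confirmed against the current documentation; the exclusion path is a placeholder.

```powershell
# Added example: staged ASR rollout (audit -> review -> block) for a subset of rules.
# Run from an elevated PowerShell session on a device running Defender Antivirus.
# GUIDs are from Microsoft's ASR rule reference (verify before deployment).
$AsrRules = @{
    'Block Office applications from creating child processes'    = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block Office applications from creating executable content' = '3B576869-A4EC-4529-8536-B80A7769E899'
    'Block executable content from email client and webmail'     = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Block credential stealing from LSASS'                       = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
}

# Step 1: add each rule in audit mode. Add-MpPreference appends to (or updates) the
# existing rule list; Set-MpPreference would replace the whole list.
# Action values: Disabled = 0, Enabled (block) = 1, AuditMode = 2, Warn = 6.
foreach ($rule in $AsrRules.GetEnumerator()) {
    Write-Host "Auditing: $($rule.Key)"
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Value `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# Step 2: exclude a trusted line-of-business tool from ASR evaluation only.
# (Placeholder path. This does not exclude the file from antivirus scanning.)
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\Contoso\LobTool.exe'

# Step 3: print the effective rule state so the change can be verified.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i],
                          $pref.AttackSurfaceReductionRules_Actions[$i]
}

# Step 4: after a soak period, review ASR events from the Defender operational log.
# Event ID 1122 = rule would have blocked (audit), 1121 = rule blocked.
# A high 1122 count for a rule means it needs an exclusion before enforcement.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -ErrorAction SilentlyContinue |
    Group-Object Id |
    Select-Object @{n = 'EventId'; e = { $_.Name } }, Count

# Step 5: once the audit data is clean, promote the same rules to block mode.
foreach ($id in $AsrRules.Values) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions Enabled
}
```

In a managed estate the same rule IDs and actions are pushed through Intune or Group Policy rather than per-device scripting; the audit-then-block sequence is the same.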
Conclusion
Microsoft Defender for Endpoint’s ASR rules provide comprehensive protection by reducing attack surfaces and mitigating risks associated with common exploitation techniques. By implementing these rules strategically, organizations can strengthen their defenses and protect critical assets against modern cyber threats.