
Simplifying Cyber Defense: How to Configure Attack Surface Reduction Rules with PowerShell

Attack Surface Reduction (ASR) rules are a set of built-in security features in Windows that reduce a system's attack surface by blocking malicious or unwanted behaviours at the process and application level. Each rule can be enabled or disabled according to the requirements of the system, and together they help protect the device against various threats, including malware, phishing, and other types of cyberattacks.

In this blog post, I will show how to use PowerShell to enable and disable ASR rules on Windows devices. I have also included a JSON file on my GitHub account where all the rules are listed.

Configurable ASR Rules

Name | GUID
Block abuse of exploited vulnerable signed drivers | 56a863a9-875e-4185-98a7-b882c64b5ce5
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Win32 API calls from Office macros | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35

Configuring ASR Rules one by one using PowerShell

ASR rules can be easily configured using PowerShell, which provides an efficient and powerful way to manage the attack surface reduction rules on Windows devices. With PowerShell, administrators can automate the configuration process and enforce consistent policies across the organization. The following are the steps to configure ASR rules using PowerShell:

  1. Open PowerShell as an administrator.

  2. Run the command Get-MpPreference to view the current configuration of ASR rules. Check the AttackSurfaceReductionRules_Ids and AttackSurfaceReductionRules_Actions properties; the two arrays are positional, so the first GUID in Ids is configured with the first value in Actions, and so on.

  3. To enable or disable a specific rule, use the command Add-MpPreference -AttackSurfaceReductionRules_Ids ID -AttackSurfaceReductionRules_Actions Enabled (or Disabled). Replace “ID” with the actual rule GUID from the table above and specify “Enabled” or “Disabled” based on the desired configuration. Add-MpPreference appends the rule to the existing list; Set-MpPreference with the same parameters overrides the current configuration, replacing the whole list with what you pass in.
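Before changing anything it is worth seeing what is already configured in a readable form. The following is an added example, not code from the original post: it decodes the two positional arrays returned by Get-MpPreference into a GUID/action table and then shows the difference between adding a rule and overriding the list. It assumes the Defender cmdlets are available (Windows Defender Antivirus installed) and that the numeric action values map as 0 = Disabled, 1 = Block, 2 = AuditMode, 6 = Warn.

```powershell
# Added example (not from the original post): inspect the current ASR state first.
# Assumed mapping of the numeric values stored in AttackSurfaceReductionRules_Actions.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode'; 6 = 'Warn' }

function Get-AsrRuleState {
    $Pref    = Get-MpPreference
    $Ids     = @($Pref.AttackSurfaceReductionRules_Ids)
    $Actions = @($Pref.AttackSurfaceReductionRules_Actions)

    # The two arrays are positional: Ids[i] is configured with Actions[i].
    for ($i = 0; $i -lt $Ids.Count; $i++) {
        $Code = [int]$Actions[$i]
        [pscustomobject]@{
            GUID   = $Ids[$i]
            Action = if ($ActionNames.ContainsKey($Code)) { $ActionNames[$Code] } else { "Unknown($Code)" }
        }
    }
}

# Show the effective configuration as a table (empty output means no rules are set).
Get-AsrRuleState | Format-Table -AutoSize

# Add-MpPreference appends one rule and leaves the others untouched.
# Here the lsass credential-theft rule from the table above is put into Audit Mode.
Add-MpPreference -AttackSurfaceReductionRules_Ids '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' `
                 -AttackSurfaceReductionRules_Actions AuditMode

# Set-MpPreference with the same parameters REPLACES the whole list: any rule that is
# not passed in is dropped. Left commented out here so the example does not wipe a
# configuration by accident.
# Set-MpPreference -AttackSurfaceReductionRules_Ids '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' `
#                  -AttackSurfaceReductionRules_Actions Enabled

# Re-run the check to confirm the change landed.
Get-AsrRuleState | Where-Object GUID -eq '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
```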

The steps above are fine if you want to configure ASR rules one by one. To make this easier, I put together a simple PowerShell script that reads the ASR rules from a JSON file and configures all of them in one pass.

Configuring multiple ASR Rules using PowerShell

The script below retrieves a JSON file from a URL and converts it into PowerShell objects. It then loops through those objects, each of which represents an Attack Surface Reduction rule, and puts every rule into Audit Mode so that its impact can be evaluated before it is enforced.

#Attack Surface Reduction Rules JSON File
$URL = "https://raw.githubusercontent.com/Kaidja/Defender-for-Endpoint/main/AttackSurfaceReductionRules.json"

#Download the file and convert the ASR rules from JSON into PowerShell objects
$ASRRules = (Invoke-WebRequest -Uri $URL -UseBasicParsing).Content | ConvertFrom-Json

foreach($Rule in $ASRRules){

    $ASRRuleName = $Rule.Name
    $ASRRuleGUID = $Rule.GUID

    #Put every rule into Audit Mode first so its impact can be reviewed before enforcing it
    Write-Output -InputObject "Working on $ASRRuleName. Setting the rule to Audit Mode"
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ASRRuleGUID -AttackSurfaceReductionRules_Actions AuditMode

}
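The script above reads the file's Status field but always applies Audit Mode. As an added example, not the post's own script, the variant below honours the Status value of each rule, validates the file before touching the configuration, and verifies afterwards that every rule is present. It embeds a constructed two-rule JSON sample in the same format as the published file; for real use, read the downloaded AttackSurfaceReductionRules.json instead.

```powershell
# Added example (not the post's script): apply ASR rules from JSON, honouring Status.
# Constructed sample in the same format as the published file; two rules only.
$Json = @'
[
  { "Name": "Block credential stealing from the Windows local security authority subsystem (lsass.exe)",
    "GUID": "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2", "Status": "Enabled" },
  { "Name": "Block Win32 API calls from Office macros",
    "GUID": "92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B", "Status": "AuditMode" }
]
'@

# Status values accepted in the file and the action name Add-MpPreference expects.
$StatusToAction = @{ Enabled = 'Enabled'; Disabled = 'Disabled'; AuditMode = 'AuditMode'; Warn = 'Warn' }
$GuidPattern    = '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'

function Set-AsrRulesFromJson {
    param([Parameter(Mandatory)][string]$JsonText)

    $Rules = $JsonText | ConvertFrom-Json

    foreach ($Rule in $Rules) {
        # A malformed config file should fail loudly, not silently misconfigure ASR.
        if ($Rule.GUID -notmatch $GuidPattern) {
            Write-Warning "Skipping '$($Rule.Name)': invalid GUID '$($Rule.GUID)'"; continue
        }
        if (-not $StatusToAction.ContainsKey([string]$Rule.Status)) {
            Write-Warning "Skipping '$($Rule.Name)': unknown Status '$($Rule.Status)'"; continue
        }

        Write-Output "Setting '$($Rule.Name)' to $($Rule.Status)"
        # Add-MpPreference appends/updates this one rule without disturbing the others.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $Rule.GUID `
                         -AttackSurfaceReductionRules_Actions $StatusToAction[[string]$Rule.Status]
    }

    # Verify: every valid rule from the file must now appear in the effective configuration.
    $Configured = @((Get-MpPreference).AttackSurfaceReductionRules_Ids)
    foreach ($Rule in $Rules) {
        if ($Rule.GUID -match $GuidPattern -and $Configured -notcontains $Rule.GUID) {
            Write-Warning "Rule $($Rule.GUID) is missing after applying the configuration"
        }
    }
}

Set-AsrRulesFromJson -JsonText $Json
```

Run it from an elevated PowerShell session, since Add-MpPreference requires administrator rights.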

Attack Surface Reduction JSON File

The file below is published on my GitHub account.


[
    {
        "Name":  "Block abuse of exploited vulnerable signed drivers",
        "GUID":  "56a863a9-875e-4185-98a7-b882c64b5ce5",
        "Status":  "Enabled"
    },
    {
        "Name":  "Block Adobe Reader from creating child processes",
        "GUID":  "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c",
        "Status":  "Enabled"
    },
    {
        "Name":  "Block all Office applications from creating child processes",
        "GUID":  "D4F940AB-401B-4EFC-AADC-AD5F3C50688A",
        "Status":  "Enabled"
    },
    {
        "Name":  "Block credential stealing from the Windows local security authority subsystem (lsass.exe)",
        "GUID":  "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2",
        "Status":  "Enabled"
    },
    {
        "Name":  "Block executable content from email client and webmail",
        "GUID":  "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550",
        "Status":  "Enabled"
    },
    {
        "Name":  "Block executable files from running unless they meet a prevalence, age, or trusted list criterion",
        "GUID":  "01443614-cd74-433a-b99e-2ecdc07bfc25",
        "Status":  "Enabled"
    },
    {
        "Name":  "Block execution of potentially obfuscated scripts",
        "GUID":  "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC",
        "Status":  "Enabled"
    },
    {
        "Name":  "Block JavaScript or VBScript from launching downloaded executable content",
        "GUID":  "D3E037E1-3EB8-44C8-A917-57927947596D",
        "Status":  "Enabled"
    },
    {
        "Name":  "Block Office applications from creating executable content",
        "GUID":  "3B576869-A4EC-4529-8536-B80A7769E899",
        "Status":  "Enabled"
    },
    {
        "Name":  "Block Office applications from injecting code into other processes",
        "GUID":  "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84",
        "Status":  "Enabled"
    },
    {
        "Name":  "Block Office communication application from creating child processes",
        "GUID":  "26190899-1602-49e8-8b27-eb1d0a1ce869",
        "Status":  "Enabled"
    },
    {
        "Name":  "Block persistence through WMI event subscription",
        "GUID":  "e6db77e5-3df2-4cf1-b95a-636979351e5b",
        "Status":  "Enabled"
    },
    {
        "Name":  "Block process creations originating from PSExec and WMI commands",
        "GUID":  "d1e49aac-8f56-4280-b9ba-993a6d77406c",
        "Status":  "Enabled"
    },
    {
        "Name":  "Block untrusted and unsigned processes that run from USB",
        "GUID":  "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4",
        "Status":  "Enabled"
    },
    {
        "Name":  "Block Win32 API calls from Office macros",
        "GUID":  "92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B",
        "Status":  "Enabled"
    },
    {
        "Name":  "Use advanced protection against ransomware",
        "GUID":  "c1db55ab-c21a-4637-bb3f-a12568109d35",
        "Status":  "Enabled"
    }
]

Summary

Attack Surface Reduction Rules play an important role in maintaining the security of a system. If you have not yet implemented these rules, now is the time to start testing their impact on your organization. By setting rules to Audit Mode, you can evaluate their potential impact and make informed decisions about which rules to enforce in Block mode. With the increase in cyber threats, it is crucial to implement all necessary measures to protect your systems. Don't wait any longer: start testing Attack Surface Reduction Rules today!
