Attack Surface Reduction

In this blog post I will go through some of the different configuration options available for Attack Surface Reduction using Endpoint Manager (Intune), Defender for Endpoint and analyzing the rules locally using Powershell.

Short introduction
Attack Surface Reduction Rules in Windows 10 is a set of rules, designed to defend against different types of software behavior.
Examples of what they are aimed to do is prohibit malicious activities originating from:
– Executables and scripts (downloading or running files)
– Obfuscated and suspicious scripts
– Mitigation against uncommon behavior from apps (process-creation, execution etc.)

Attack Surface Reduction is available for Windows 10 Pro and Windows 10 E3 and E5.
E5 adds additional monitoring and analysis capabilities which natively is integrated into Defender for Endpoint.

Configuration options in Intune

Generally, your configuration options per rule are:
– Not Configured
– Audit
– Block

First option is to use a configuration profile in Intune (Endpoint Protection)
You will find it here: Endpoint Manager > Device Configuration Profile > Template > Endpoint Protection

Here you also have the ability to utilize exceptions for files and folders if needed. 

Second option is to use the new Settings catalog on the Category Defender will yield the same configurable settings as seen below.

Third option is to use the rules in a Security Baseline (MDM or Defender for Endpoint).
MDM Security Baseline – Rules are a bit scattered and located in the category Microsoft Defender. They needs to be configured manually per rule.

In the Defender for Endpoint Baseline the Attack Surface Reduction Rules are pre-configured for you.

Fourth option is configuring the settings using Endpoint Security
Endpoint Security > Attack Surface Reduction

Basically the same as the Endpoint Protection option. Controlled Folder Access is also included in this policy.
Fifth option is using OMA-URI but generally I would not recommend it.

Monitoring Attack Surface Reduction

Monitor locally in a Windows Device
When a Rule is in place, either in audit or block mode. With Windows 10 E3 you will need to monitor the status of the different ASR-rules in the local event log of the device.

Attack Surface ReductionMicrosoft/Windows/Windows Defender/Operational5007Event when settings are changed
 Windows Defender (Operational)1122Event when rule fires in Audit-mode
 Windows Defender (Operational)1121Event when rule fires in Block-mode
Controlled Folder Access /
Advanced Ransomware Protection
Microsoft/Windows/Windows Defender/Operational5007Event when settings are changed
 Windows Defender (Operational)1124       Audited controlled folder access event
 Windows Defender (Operational)1123       Blocked controlled folder access event

Monitor using Defender for Endpoint
If you are using Defender for Endpoint (are using M365 E5) then you can use the Security-portal for some of the configuration and also utilize it for optimal monitoring of ASR-detections.

Configurations –

Detections –
Here you will see detections and the full path to related applications, services who are impacted by the auditing or blocking. Since this is visible centrally, it’s the easiest place to find the information you need for mitigations/adjustments.
Advanced Hunting
Status of ASR-rules can also be verified through Advanced Hunting (in Defender for Endpoint or in the M365 Defender Security Center) Example KQL Query:

| where ActionType startswith ‘Asr’

Local ASR Script Analyzer and the ASR GUI
ASR Analyzer is a simple Powershell-script which will analyze your current ASR-rules settings in your device.
Script is from anthonws and can be downloaded here. Testing it on my device shows that currently, no rules are in audit nor in block mode.

If we just want to test things locally, without configuring anything centrally I would recommend using the ASR GUI by hemaurer. By running the ASR GUI we can in a very quick and easy manner enable every rule and then save the configuration (notice the current ASR-settings detected at the bottom).

If we run the ASR-Analyzer script again, we see that every ASR-rule now is in block mode.

Attack Surface Reduction technical defense role in a real world example
Below, you’ll see Doppelpaymer Ransomware’s attack chain to the right with each step categorized by MTRE ATTACK classifications. To the left you see the recommended mitigations and defenses against each technique where some of them are mapped to it’s corresponding ASR-rules.

Further reading from Microsoft on the topic of Ransomware and Attack Surface Reduction here.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: