Configure Attack Surface Reduction Rules

📋 Overview

About This Lab

Attack Surface Reduction (ASR) rules are a set of configurable controls in Microsoft Defender for Endpoint that block common malware techniques at the operating system level. ASR rules target behaviors such as Office macro abuse, credential theft via LSASS, script-based attacks, executable content in emails, and exploit techniques used by commodity malware. Each rule can operate in one of three modes: Audit (log only), Block (enforce), or Warn (prompt the user before allowing). This lab walks you through a complete enterprise deployment: audit, analyze, exclude, block, and monitor.

🏢 Enterprise Use Case

Scenario: A healthcare organization with 3,000 Windows workstations is experiencing increasing commodity malware attacks.

Attackers are exploiting Office macros, credential theft tools, and script-based attack vectors to gain footholds. The security team needs to block these vectors without disrupting clinical workflows or breaking line-of-business applications. The organization uses Microsoft Intune for endpoint management and requires a phased, low-risk deployment approach.

Success criteria: all high-confidence ASR rules in block mode, zero clinical workflow disruptions, and full visibility into ASR events.

🎯 What You Will Learn

Understand the full catalog of ASR rules and their categories
Deploy ASR rules in audit mode via Microsoft Intune
Analyze ASR audit data to identify false positives and legitimate blocks
Transition rules from audit to block mode using a phased approach
Configure per-rule exclusions to prevent workflow disruptions
Monitor ASR effectiveness with advanced hunting KQL queries
Create custom ASR reporting dashboards for stakeholder visibility
Troubleshoot ASR-related application compatibility issues

🔑 Why This Matters

70% of successful malware attacks use techniques that ASR rules can block, including Office macro abuse, credential theft, and script-based execution. ASR rules are one of the most impactful security controls available, operating at the OS level to prevent exploitation before damage can occur. Without ASR rules, endpoints remain vulnerable to common attack vectors even when antivirus signatures are up to date. A structured deployment ensures protection without disrupting productivity, building trust with end users and business stakeholders. Proper monitoring gives the security team continuous visibility into blocked threats, proving the value of endpoint hardening.

⚙️ Prerequisites

Licensing: Microsoft Defender for Endpoint Plan 2 (or Microsoft 365 E5 / E5 Security)
Operating System: Windows 10 version 1709 or later, or Windows 11
Cloud Protection: Microsoft Defender Antivirus cloud-delivered protection must be enabled
Intune: Devices enrolled in Microsoft Intune with appropriate device compliance policies
Portal Access: Security Administrator or Endpoint Security Manager role in security.microsoft.com and intune.microsoft.com
Antivirus: Microsoft Defender Antivirus in active mode (not passive or disabled)
Real-Time Protection: Real-time protection and behavior monitoring enabled on all target endpoints
Network: Outbound HTTPS (443) connectivity to MDE cloud service URLs

⚠️ Important: ASR rules require Microsoft Defender Antivirus to be the primary antivirus solution. If a third-party AV is installed, ASR rules will not function. Verify AV status with Get-MpComputerStatus | Select-Object AMRunningMode before proceeding.

Step 1 · Understand ASR Rules and Categories

ASR rules target specific behaviors that malware commonly exploits. Before deploying, familiarize yourself with the full catalog of available rules and their categories. Each rule targets a distinct attack technique.

ASR Rule Categories

Office Rules: Block Office apps from creating executable content, injecting code into other processes, and creating child processes
Script Rules: Block obfuscated scripts, JavaScript/VBScript launching downloaded executables, and untrusted/unsigned processes from USB
Email Rules: Block executable content from email client and webmail attachments
Credential Protection: Block credential stealing from the Windows LSASS subsystem
Ransomware Protection: Use advanced protection against ransomware via behavioral analysis
Exploit Protection: Block process creations originating from PSExec and WMI commands, block abuse of exploited vulnerable signed drivers
Persistence Prevention: Block persistence through WMI event subscription, and block Win32 API calls from Office macros

Key Rule GUIDs

# ===========================================================
# ASR RULE GUID REFERENCE - Complete catalog of all 19 rules.
# Each rule blocks a specific MITRE ATT&CK technique at the
# endpoint level before execution.
# Modes: 0=Disabled, 1=Block, 2=Audit, 6=Warn
# ===========================================================

# --- Office Rules (MITRE T1566.001 Phishing: Spearphishing Attachment) ---

# Block Office apps from creating executable content
# WHY: Prevents macros from dropping .exe/.dll payloads to disk.
#      Malware abuses Office as a persistence vector by saving
#      malicious components (executables, scripts) to disk so they
#      survive a reboot and execute later.
# MITRE: T1204.002 (User Execution: Malicious File)
# APPLIES TO: Word, Excel, PowerPoint, OneNote, Access
3B576869-A4EC-4529-8536-B80A7769E899

# Block all Office apps from creating child processes
# WHY: Stops Word/Excel/PowerPoint/OneNote/Access from spawning
#      cmd.exe, powershell.exe, mshta.exe, wscript.exe, etc.
#      Macro-based malware commonly spawns a shell to download
#      and execute second-stage payloads.
# MITRE: T1059 (Command and Scripting Interpreter)
# APPLIES TO: Word, Excel, PowerPoint, OneNote, Access
D4F940AB-401B-4EFC-AADC-AD5F3C50688A

# Block Office apps from injecting code into other processes
# WHY: Prevents DLL injection / process hollowing from Office macros.
#      Attackers use code injection to migrate malicious code into
#      a clean process (e.g., explorer.exe) so it masquerades as
#      legitimate activity and evades detection.
# MITRE: T1055 (Process Injection)
# APPLIES TO: Word, Excel, OneNote, PowerPoint
# NOTE: Requires restarting Microsoft 365 Apps after configuration.
#       Does NOT support Warn mode.
75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84

# Block Office communication application from creating child processes
# WHY: Prevents Outlook from spawning child processes while still
#      allowing legitimate Outlook functions. Attackers exploit
#      Outlook rules and forms to execute arbitrary commands when
#      a user's credentials are compromised.
# MITRE: T1137 (Office Application Startup),
#        T1059 (Command and Scripting Interpreter)
# APPLIES TO: Outlook
26190899-1602-49E8-8B27-EB1D0A1CE869

# Block Win32 API calls from Office macros
# WHY: Prevents VBA macros from calling Win32 APIs directly.
#      Malware abuses Win32 API calls from VBA to launch shellcode
#      entirely in memory without writing anything to disk,
#      bypassing file-based detection.
# MITRE: T1106 (Native API), T1059.005 (Visual Basic)
# NOTE: Only supported on Windows 10; not on Windows Server.
92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B

# --- Adobe Reader Rules ---

# Block Adobe Reader from creating child processes
# WHY: Prevents Adobe Reader from spawning processes after opening
#      a malicious PDF. Attackers embed exploits or social engineering
#      lures in PDFs that, when opened, launch cmd.exe, powershell.exe,
#      or mshta.exe to download second-stage payloads.
# MITRE: T1204.002 (User Execution: Malicious File),
#        T1566.001 (Phishing: Spearphishing Attachment)
# APPLIES TO: Adobe Acrobat Reader
7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C

# --- Script Rules (MITRE T1059 Command and Scripting Interpreter) ---

# Block execution of potentially obfuscated scripts
# WHY: Detects Base64 encoding, string concatenation, and character
#      replacement patterns commonly used to evade static detection.
#      Malware authors obfuscate scripts to hide malicious intent;
#      legitimate software rarely uses heavy obfuscation.
# MITRE: T1027 (Obfuscated Files or Information)
# NOTE: Requires cloud-delivered protection (MAPS) enabled.
#       Supports PowerShell, JavaScript, and VBScript.
5BEB7EFE-FD9A-4556-801D-275E5FFC04CC

# Block JavaScript or VBScript from launching downloaded executable content
# WHY: Prevents script-based download cradles (e.g., wscript downloading
#      and running a .exe from the internet). JS/VBS downloaders are
#      among the most common initial access vectors in phishing campaigns.
# MITRE: T1059.005 (Visual Basic), T1059.007 (JavaScript)
D3E037E1-3EB8-44C8-A917-57927947596D

# --- Email Rules (MITRE T1566.001 Phishing: Spearphishing Attachment) ---

# Block executable content from email client and webmail
# WHY: Prevents users from running .exe, .dll, .scr, .ps1, .vbs, .js,
#      and archive files directly from Outlook or browser-based webmail.
#      Email-borne executables are a top initial access vector.
# APPLIES TO: Microsoft Outlook desktop app, Outlook.com, and other
#             popular webmail providers accessed via browser.
BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550

# --- Credential Protection (MITRE T1003.001 OS Credential Dumping: LSASS Memory) ---

# Block credential stealing from LSASS
# WHY: Prevents tools like Mimikatz, ProcDump, and comsvcs.dll from
#      reading LSASS process memory to extract plaintext passwords,
#      NTLM hashes, and Kerberos tickets.
# DETECTION: Any non-system process accessing lsass.exe memory.
#            True positive = credential theft tool; false positive = rare
#            (some legacy AV or monitoring agents may trigger this).
# NOTE: Not required if LSA protection is already enabled.
#       Skip audit mode - go straight to block (high volume of
#       benign audit events, almost all safe to ignore).
9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2

# --- Ransomware Protection (MITRE T1486 Data Encrypted for Impact) ---

# Use advanced protection against ransomware
# WHY: Machine-learning model analyzes file characteristics and behavior
#      patterns to block files that resemble ransomware payloads.
#      Uses both client and cloud heuristics. Files that are signed,
#      prevalent, or deemed unharmful by cloud analysis are allowed.
# NOTE: Requires cloud-delivered protection (MAPS) for real-time verdicts.
C1DB55AB-C21A-4637-BB3F-A12568109D35

# --- Exploit Protection ---

# Block abuse of exploited vulnerable signed drivers
# WHY: Prevents applications from writing a vulnerable signed driver
#      to disk. Attackers use legitimately signed but vulnerable
#      drivers to gain kernel-level access, disable security tools,
#      or escalate privileges (Bring Your Own Vulnerable Driver).
# MITRE: T1068 (Exploitation for Privilege Escalation),
#        T1562.001 (Impair Defenses: Disable or Modify Tools)
# NOTE: Does NOT block a vulnerable driver already loaded in memory.
#       Standard protection rule - Microsoft recommends always enabling.
56A863A9-875E-4185-98A7-B882C64B5CE5

# Block process creations originating from PSExec and WMI commands
# WHY: Blocks processes spawned by PsExec and WMI remote execution.
#      Attackers abuse these tools for lateral movement and remote
#      command execution across the network.
# MITRE: T1570 (Lateral Tool Transfer), T1047 (WMI)
# WARNING: Incompatible with Microsoft Configuration Manager (SCCM/MECM)
#          because SCCM uses WMI commands for normal client operations.
#          Only use this rule if devices are managed by Intune or another MDM.
D1E49AAC-8F56-4280-B9BA-993A6D77406C

# Block rebooting machine in Safe Mode
# WHY: Prevents attackers from using bcdedit/bootcfg to force a reboot
#      into Safe Mode where most security products are disabled or
#      operate in limited capacity. Attackers use Safe Mode to tamper
#      with defenses, encrypt files, or exfiltrate data undetected.
# MITRE: T1562.009 (Impair Defenses: Safe Mode Boot)
# NOTE: Safe Mode is still accessible manually from Windows Recovery.
33DDEDF1-C6E0-47CB-833E-DE6133960387

# --- USB / Removable Media ---

# Block untrusted and unsigned processes that run from USB
# WHY: Prevents unsigned or untrusted executables (.exe, .dll, .scr)
#      from running off USB removable drives and SD cards.
#      Blocks execution when the file is copied from USB to the disk
#      and about to be executed - stops USB-based malware delivery.
# MITRE: T1091 (Replication Through Removable Media),
#        T1052 (Exfiltration Over Physical Medium)
B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4

# --- Prevalence / Reputation ---

# Block executable files unless they meet prevalence, age, or trusted list
# WHY: Blocks unknown executables that haven't built reputation yet.
#      Uses cloud-delivered protection to maintain a regularly-updated
#      trusted list. Prevents running of novel/zero-day malware that
#      has no known prevalence in the environment.
# MITRE: T1204.002 (User Execution: Malicious File)
# NOTE: Requires cloud-delivered protection (MAPS) enabled.
#       Can cause false positives with custom/internal tools - test
#       thoroughly and use per-rule exclusions.
01443614-CD74-433A-B99E-2ECDC07BFC25

# --- Persistence Prevention ---

# Block persistence through WMI event subscription
# WHY: Prevents malware from creating WMI event subscriptions that
#      execute code when specific system events occur (e.g., logon,
#      timer, process start). This is a fileless persistence technique
#      that survives reboots without writing to the filesystem.
# MITRE: T1546.003 (Event Triggered Execution: WMI Event Subscription)
# NOTE: Standard protection rule - Microsoft recommends always enabling.
#       If using SCCM/MECM, audit for 60 days before switching to block.
E6DB77E5-3DF2-4CF1-B95A-636979351E5B

# --- Impersonation / Living-off-the-Land ---

# Block use of copied or impersonated system tools
# WHY: Detects and blocks executables that are copies or impostors
#      of Windows system tools (e.g., renamed cmd.exe, powershell.exe).
#      Attackers duplicate or impersonate built-in tools to evade
#      detection rules that monitor original file paths.
# MITRE: T1036 (Masquerading),
#        T1036.003 (Rename System Utilities)
C0033C00-D16D-4114-A5A0-DC9B3A7D2CEB

# --- Server Protection ---

# Block Webshell creation for Servers
# WHY: Prevents creation of web shell scripts on Microsoft Server
#      with the Exchange role. Web shells give attackers persistent
#      remote command execution on a compromised server, enabling
#      data exfiltration, lateral movement, and further compromise.
# MITRE: T1505.003 (Server Software Component: Web Shell)
# APPLIES TO: Windows Server with Exchange role only.
#             Not supported on Windows 10/11 client machines.
A8F5898E-1DC8-49A9-9878-85004B8A61E6

💡 Pro Tip: Microsoft regularly adds new ASR rules. Always check the ASR rules reference for the latest catalog before deploying.

Step 2 · Review ASR Rule Prerequisites

Before deploying ASR rules, verify that your endpoints meet all requirements. ASR rules depend on specific platform versions and Defender Antivirus configurations.

Verify each target device is running Windows 10 version 1709 or later, or Windows 11
Confirm Microsoft Defender Antivirus is the active antivirus provider (not in passive mode)
Ensure cloud-delivered protection is enabled in Defender Antivirus settings
Verify that real-time protection and behavior monitoring are turned on
Check that devices are onboarded to MDE and reporting healthy sensor status

# ---------------------------------------------------------
# WHAT: Verify Defender AV is active and cloud protection is on
# WHY:  ASR rules ONLY function when Defender AV is the primary
#       antivirus (not passive mode). Cloud protection is required
#       for rules that use cloud-based machine learning verdicts.
# ---------------------------------------------------------

# Check AV operational status
# AMRunningMode: "Normal" = primary AV (required for ASR)
#                "Passive" = 3rd-party AV installed (ASR won't work)
#                "SxS Passive" = side-by-side passive mode
# RealTimeProtectionEnabled: Must be True for ASR enforcement
# BehaviorMonitorEnabled: Must be True for behavioral ASR rules
# IoavProtectionEnabled: Internet-origin file scanning (download protection)
Get-MpComputerStatus | Select-Object AMRunningMode,
    RealTimeProtectionEnabled,
    BehaviorMonitorEnabled,
    IoavProtectionEnabled,
    AntivirusEnabled

# Verify cloud-delivered protection settings
# MAPSReporting: 0=Disabled, 1=Basic, 2=Advanced
#   REQUIRED: Must be >= 1; set to 2 for full ASR cloud rule support.
# SubmitSamplesConsent: 0=Prompt, 1=Safe, 2=Never, 3=All
Get-MpPreference | Select-Object MAPSReporting,
    SubmitSamplesConsent

# Check if any ASR rules are already configured on this device
# OUTPUT: Arrays of rule GUIDs and their corresponding action values.
#   Empty arrays = no ASR rules configured yet.
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids,
    AttackSurfaceReductionRules_Actions

⚠️ Important: If MAPSReporting is set to 0 (Disabled), ASR rules that rely on cloud protection will not function correctly. Set it to 2 (Advanced) for full ASR rule support.

Step 3 · Create a Test Device Group in Intune

Create a dedicated device group for your ASR pilot deployment. This allows you to test rules on a controlled subset of devices before rolling out to the entire organization.

Navigate to intune.microsoft.com and sign in with your administrator credentials
Go to Groups > New group
Set Group type to Security, name it ASR-Pilot-Devices
Set Membership type to Assigned and add 10-20 representative devices from different departments
Include devices from clinical workstations, administrative desktops, and IT staff machines to ensure broad coverage
Click Create to save the group
Create a second group named ASR-Production-Devices for the broader rollout later

💡 Pro Tip: Use dynamic device groups with membership rules based on device attributes (e.g., department or OS version) to automatically populate your ASR groups as new devices enroll.

Step 4 · Deploy ASR Rules in Audit Mode via Intune

Deploy all ASR rules in audit mode first. Audit mode logs events without blocking anything, giving you visibility into what would be blocked before enforcing the rules.

In the Intune portal, navigate to Endpoint security > Attack surface reduction
Click + Create Policy
Select Platform: Windows 10, Windows 11, and Windows Server
Select Profile: Attack Surface Reduction Rules
Name the policy ASR-Audit-Pilot and provide a description
In the Configuration settings, set each ASR rule to Audit mode
Assign the policy to the ASR-Pilot-Devices group
Click Create to deploy the policy

Alternative: Deploy via PowerShell

For testing on individual machines, you can add ASR rules in audit mode directly via PowerShell.

# ---------------------------------------------------------
# WHAT: Deploy ASR rules in Audit mode via PowerShell
# WHY:  Audit mode (action value 2) logs what WOULD be blocked
#       without actually blocking it. This is the safe first step
#       to assess impact on legitimate workflows before enforcing.
# ACTION VALUES: 0=Disabled, 1=Block, 2=Audit, 6=Warn
# NOTE: Use Add-MpPreference to append rules; Set-MpPreference
#       would overwrite all existing rules.
# ---------------------------------------------------------

# --- Office Rules ---

# Block Office apps from creating executable content (Audit)
# MITRE: T1204.002 - logs when macros try to drop executables to disk
Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 `
    -AttackSurfaceReductionRules_Actions 2

# Block all Office apps from creating child processes (Audit)
# MITRE: T1059 - logs when Word/Excel/PowerPoint spawns cmd, powershell, etc.
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A `
    -AttackSurfaceReductionRules_Actions 2

# Block Office apps from injecting code into other processes (Audit)
# MITRE: T1055 - logs DLL injection / process hollowing from Office macros
Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 `
    -AttackSurfaceReductionRules_Actions 2

# Block Office communication application from creating child processes (Audit)
# MITRE: T1137/T1059 - logs when Outlook spawns child processes
Add-MpPreference -AttackSurfaceReductionRules_Ids 26190899-1602-49E8-8B27-EB1D0A1CE869 `
    -AttackSurfaceReductionRules_Actions 2

# Block Win32 API calls from Office macros (Audit)
# MITRE: T1106 - logs when VBA macros call Win32 APIs (e.g., shellcode launch)
Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B `
    -AttackSurfaceReductionRules_Actions 2

# --- Adobe Reader Rules ---

# Block Adobe Reader from creating child processes (Audit)
# MITRE: T1204.002 - logs when Adobe Reader spawns cmd, powershell, etc.
Add-MpPreference -AttackSurfaceReductionRules_Ids 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C `
    -AttackSurfaceReductionRules_Actions 2

# --- Script Rules ---

# Block execution of potentially obfuscated scripts (Audit)
# MITRE: T1027 - logs Base64-encoded or string-concatenated scripts
Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC `
    -AttackSurfaceReductionRules_Actions 2

# Block JavaScript or VBScript from launching downloaded executables (Audit)
# MITRE: T1059.005/T1059.007 - logs script-based download cradles
Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D `
    -AttackSurfaceReductionRules_Actions 2

# --- Email Rules ---

# Block executable content from email client and webmail (Audit)
# MITRE: T1566.001 - logs when .exe/.dll/.scr/.ps1 run directly from email
Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 `
    -AttackSurfaceReductionRules_Actions 2

# --- Credential Protection ---

# Block credential stealing from LSASS (Audit)
# MITRE: T1003.001 - logs LSASS memory access by non-system processes
# WHY: Critical rule - detects Mimikatz, ProcDump, comsvcs.dll targeting lsass.exe
Add-MpPreference -AttackSurfaceReductionRules_Ids 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 `
    -AttackSurfaceReductionRules_Actions 2

# --- Ransomware Protection ---

# Use advanced protection against ransomware (Audit)
# MITRE: T1486 - ML-based detection of ransomware file characteristics
Add-MpPreference -AttackSurfaceReductionRules_Ids C1DB55AB-C21A-4637-BB3F-A12568109D35 `
    -AttackSurfaceReductionRules_Actions 2

# --- Exploit Protection ---

# Block abuse of exploited vulnerable signed drivers (Audit)
# MITRE: T1068 - logs when apps try to write vulnerable signed drivers to disk
Add-MpPreference -AttackSurfaceReductionRules_Ids 56A863A9-875E-4185-98A7-B882C64B5CE5 `
    -AttackSurfaceReductionRules_Actions 2

# Block process creations originating from PSExec and WMI commands (Audit)
# MITRE: T1570/T1047 - logs lateral movement via PsExec or WMI remote execution
# WARNING: Incompatible with SCCM/MECM - only use with Intune-managed devices
Add-MpPreference -AttackSurfaceReductionRules_Ids D1E49AAC-8F56-4280-B9BA-993A6D77406C `
    -AttackSurfaceReductionRules_Actions 2

# Block rebooting machine in Safe Mode (Audit)
# MITRE: T1562.009 - logs bcdedit/bootcfg attempts to force Safe Mode reboot
Add-MpPreference -AttackSurfaceReductionRules_Ids 33DDEDF1-C6E0-47CB-833E-DE6133960387 `
    -AttackSurfaceReductionRules_Actions 2

# --- USB / Removable Media ---

# Block untrusted and unsigned processes that run from USB (Audit)
# MITRE: T1091 - logs unsigned executables running from USB/SD cards
Add-MpPreference -AttackSurfaceReductionRules_Ids B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 `
    -AttackSurfaceReductionRules_Actions 2

# --- Prevalence / Reputation ---

# Block executables unless they meet prevalence, age, or trusted list (Audit)
# MITRE: T1204.002 - logs unknown executables that lack cloud reputation
# NOTE: Requires cloud protection; may flag custom/internal tools
Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-CD74-433A-B99E-2ECDC07BFC25 `
    -AttackSurfaceReductionRules_Actions 2

# --- Persistence Prevention ---

# Block persistence through WMI event subscription (Audit)
# MITRE: T1546.003 - logs fileless persistence via WMI event consumers
Add-MpPreference -AttackSurfaceReductionRules_Ids E6DB77E5-3DF2-4CF1-B95A-636979351E5B `
    -AttackSurfaceReductionRules_Actions 2

# --- Impersonation / Living-off-the-Land ---

# Block use of copied or impersonated system tools (Audit)
# MITRE: T1036 - logs renamed/duplicated system tools (e.g., renamed cmd.exe)
Add-MpPreference -AttackSurfaceReductionRules_Ids C0033C00-D16D-4114-A5A0-DC9B3A7D2CEB `
    -AttackSurfaceReductionRules_Actions 2

# --- Server Protection ---

# Block Webshell creation for Servers (Audit)
# MITRE: T1505.003 - logs web shell creation on Exchange servers
# NOTE: Only applies to Windows Server with Exchange role
Add-MpPreference -AttackSurfaceReductionRules_Ids A8F5898E-1DC8-49A9-9878-85004B8A61E6 `
    -AttackSurfaceReductionRules_Actions 2

# Verify all 19 rules are configured with their action values
# OUTPUT: Parallel arrays - Ids[0] maps to Actions[0], etc.
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids,
    AttackSurfaceReductionRules_Actions

💡 Pro Tip: Action values are: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn. Always start with 2 (Audit) and run for at least 2 weeks before moving to block mode.

Step 5 · Generate Test Events to Validate Audit Logging

After deploying rules in audit mode, generate safe test events to confirm that audit logging is working correctly and events are flowing to the Microsoft Defender portal.

Log in to a device in the ASR-Pilot-Devices group
Open Microsoft Word and create a document with a simple VBA macro that spawns a child process
Open PowerShell and run an obfuscated command to trigger the script-based ASR rule in audit mode
Check the Windows Event Viewer under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational
Look for Event IDs 1121 (block) and 1122 (audit) to confirm rules are logging

# ---------------------------------------------------------
# WHAT: Generate test events to validate ASR audit logging
# WHY:  Confirms that audit-mode rules are logging correctly
#       and events flow to both local event logs and the portal.
# ---------------------------------------------------------

# Test ASR: trigger the obfuscated script rule (safe simulation)
# WHY: This creates a benign Base64-encoded PowerShell pattern.
#      The obfuscated script ASR rule (5BEB7EFE) should detect
#      the FromBase64String + Invoke-Expression pattern and log
#      an audit event (Event ID 1122) in the Defender event log.
# NOTE: The decoded string is simply 'Write-Host "ASR Test Successful"'
$testCommand = [System.Text.Encoding]::Unicode.GetString(
    [System.Convert]::FromBase64String("VwByAGkAdABlAC0ASABvAHMAdAAgACIAQQBTAFIAIABUAGUAcwB0ACAA
    UwB1AGMAYwBlAHMAcwBmAHUAbAAiAA==")
)
Invoke-Expression $testCommand

# Query the Defender operational event log for ASR events
# Event ID 1121 = ASR rule BLOCKED an action (only in Block mode)
# Event ID 1122 = ASR rule AUDITED an action (logged but not blocked)
# WHY: During initial deployment, you should only see 1122 events.
#      If you see 1121 events, rules may have been set to Block accidentally.
Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" |
    Where-Object { $_.Id -in @(1121, 1122) } |
    Select-Object TimeCreated, Id, Message -First 10

# Event ID 1121 = ASR rule blocked (block mode)
# Event ID 1122 = ASR rule audited (audit mode)

⚠️ Important: Only use safe, benign test commands in your environment. Never execute actual malware samples for testing. Microsoft provides the ASR evaluation guide with approved test scenarios.

Step 6 · Analyze ASR Audit Events with Advanced Hunting

Use advanced hunting in the Microsoft Defender portal to analyze ASR audit events across all pilot devices. These KQL queries help you understand which rules are firing, which processes trigger them, and where false positives may occur.

Query: View All ASR Audit Events

// ---------------------------------------------------------
// WHAT: View all ASR audit events across all devices in 30 days
// WHY:  Gives a complete picture of which ASR rules are firing,
//       on which devices, and what processes triggered them.
// TABLE: DeviceEvents - captures all endpoint security events.
// KEY FIELDS:
//   ActionType: "Asr*" prefix identifies ASR events (e.g., AsrOfficeChildProcess)
//   FileName: The process that was blocked/audited
//   FolderPath: Full path to the blocked file
//   ProcessCommandLine: Full command line of the blocked process
//   InitiatingProcessFileName: The parent process that triggered the rule
//                              (e.g., WINWORD.EXE spawning cmd.exe)
//   AccountName: User context under which the action occurred
// FILTER: "Audit" in AdditionalFields isolates audit-only events
//         (excludes Block events for a clean audit-phase analysis).
// ---------------------------------------------------------
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
| where AdditionalFields has "Audit"
| project Timestamp, DeviceName, ActionType,
    FileName, FolderPath, ProcessCommandLine,
    InitiatingProcessFileName, AccountName
| order by Timestamp desc

Query: Find Most Triggered Rules

// ---------------------------------------------------------
// WHAT: Identify which ASR rules fire most frequently
// WHY:  High-frequency rules are either catching real attacks
//       (good) or generating noise from legitimate apps (needs
//       exclusions). Use this to prioritize investigation.
// LOGIC: Counts events per ActionType (each maps to one ASR rule).
// OUTPUT: Bar chart - tallest bars need attention first.
//   e.g., AsrOfficeChildProcessAudited firing 5000x in 30 days
//   likely means macros are commonly spawning child processes.
// ---------------------------------------------------------
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
| summarize EventCount = count() by ActionType
| order by EventCount desc
| render barchart

Query: Identify False Positives by Process Path

// ---------------------------------------------------------
// WHAT: Find processes most likely to be false positives
// WHY:  LOB apps that legitimately trigger ASR rules need exclusions.
//       This query surfaces processes appearing on multiple devices
//       (DeviceCount) with high frequency (EventCount > 10),
//       which strongly suggests legitimate application behavior.
// LOGIC:
//   dcount(DeviceId) = number of unique devices triggering this process.
//   High DeviceCount + consistent FolderPath = enterprise LOB app.
//   Low DeviceCount + Temp folder path = likely suspicious.
// ACTION: Share results with application owners to confirm legitimate use,
//         then add verified LOB apps to ASR per-rule exclusions.
// ---------------------------------------------------------
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
| summarize EventCount = count(),
    DeviceCount = dcount(DeviceId) by
    ActionType, FileName, FolderPath
| where EventCount > 10
| order by EventCount desc

Navigate to security.microsoft.com > Hunting > Advanced hunting
Run each query above to build an understanding of ASR rule activity in your environment
Export the results to CSV for review with application owners
Flag any line-of-business applications appearing in the results as potential exclusion candidates

💡 Pro Tip: Run audit mode for at least 2-4 weeks to capture a full business cycle. Short audit periods miss infrequent but important workflows like month-end processing or quarterly reporting.

Step 7 · Identify and Configure Exclusions

Based on your audit analysis, configure exclusions for legitimate applications that trigger ASR rules. ASR supports both per-rule exclusions and global exclusions.

Review the false positive analysis from Step 6 and compile a list of legitimate processes that need exclusions
In the Intune portal, navigate to your ASR policy under Endpoint security > Attack surface reduction
Edit the policy and scroll to Attack Surface Reduction Only Per Rule Exclusions
Add file or folder paths that should be excluded from specific rules
For global exclusions, navigate to Endpoint security > Antivirus > Microsoft Defender Antivirus exclusions
Test the exclusions on pilot devices and verify the applications function correctly

# ---------------------------------------------------------
# WHAT: Manage ASR per-rule exclusions via PowerShell
# WHY:  Exclusions allow specific trusted applications to bypass
#       ASR rules. Per-rule exclusions (AttackSurfaceReductionOnly)
#       apply to ALL ASR rules on this device. For rule-specific
#       exclusions, use Intune's per-rule exclusion feature.
# IMPORTANT: Every exclusion is a potential attack vector.
#            Use exact file paths, not broad folder exclusions.
# ---------------------------------------------------------

# Add a per-rule exclusion for a verified LOB application
# WHY: This healthcare app legitimately spawns child processes
#      from Office, triggering the Office child process ASR rule.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Program Files\HealthcareApp\clinical.exe"

# View all currently configured ASR exclusions
# OUTPUT: List of file/folder paths excluded from all ASR rules.
Get-MpPreference | Select-Object AttackSurfaceReductionOnlyExclusions

# Remove an exclusion that is no longer needed
# WHY: Regularly prune exclusions to minimize attack surface gaps.
Remove-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Program Files\OldApp\legacy.exe"

⚠️ Important: Minimize exclusions to reduce your attack surface. Every exclusion is a potential gap in protection. Use file path exclusions rather than broad folder exclusions, and regularly review exclusions to remove any that are no longer needed.

Step 8 · Transition High-Confidence Rules to Block Mode

After the audit period, transition rules to block mode using a phased approach. Start with rules that showed zero or minimal false positives, then progress to rules requiring exclusions.

Recommended Phased Order

Phase 1 (Immediate): Block credential stealing from LSASS, block executable content from email, and advanced ransomware protection. These rarely cause false positives.
Phase 2 (Week 1): Block Office applications from creating executable content and injecting code. Verify exclusions are working for any LOB macros.
Phase 3 (Week 2): Block obfuscated script execution, JavaScript/VBScript launching executables. Test with development teams first.
Phase 4 (Week 3): Block process creation from PSExec/WMI commands. Coordinate with IT operations teams who may use these tools.

# ---------------------------------------------------------
# WHAT: Transition Phase 1 ASR rules from Audit to Block mode
# WHY:  Phase 1 targets rules with near-zero false positive rates:
#       LSASS credential theft, email executable content, and
#       ransomware protection. These rarely affect legitimate apps.
# ACTION VALUE: 1 = Block (enforced - action is prevented)
#               2 = Audit (logged only, was previous setting)
# NOTE: Use Set-MpPreference (not Add-) to CHANGE an existing rule's mode.
# ROLLBACK: If issues arise, revert to audit: change Actions to 2.
# ---------------------------------------------------------

# Block credential stealing from LSASS (MITRE T1003.001)
# WHY: Mimikatz, ProcDump, and similar tools will be blocked from
#      reading lsass.exe memory. Very few legitimate tools need this access.
Set-MpPreference -AttackSurfaceReductionRules_Ids 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 `
    -AttackSurfaceReductionRules_Actions 1

# Block executable content from email client and webmail (MITRE T1566.001)
# WHY: Users cannot directly execute .exe/.scr/.bat from email attachments.
Set-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 `
    -AttackSurfaceReductionRules_Actions 1

# Use advanced protection against ransomware (MITRE T1486)
# WHY: ML-based blocking of files with ransomware characteristics.
Set-MpPreference -AttackSurfaceReductionRules_Ids C1DB55AB-C21A-4637-BB3F-A12568109D35 `
    -AttackSurfaceReductionRules_Actions 1

# Verify updated rule states - confirm Phase 1 rules show action = 1
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids,
    AttackSurfaceReductionRules_Actions

💡 Pro Tip: Always keep your rollback plan ready. If a rule causes disruption, you can quickly revert it to audit mode by setting the action back to 2. Update via Intune for managed devices or PowerShell for quick fixes.

Step 9 · Configure Warn Mode for User-Facing Rules

Warn mode presents users with a dialog when an ASR rule is triggered, allowing them to unblock the action if needed. This is ideal for rules that occasionally affect legitimate workflows, such as Office macro-related rules.

Identify rules where end users may occasionally need to bypass the block for legitimate work
Office macro rules are prime candidates for warn mode in environments where macros are used by specific departments
In the Intune ASR policy, set the selected rules to Warn mode (action value 6)
When triggered, users see a toast notification with the option to unblock the action for 24 hours
Monitor warn events in advanced hunting to track user bypass frequency

# ---------------------------------------------------------
# WHAT: Set Office macro ASR rules to Warn mode
# WHY:  Warn mode (action value 6) shows a dialog to the user
#       when an ASR rule triggers, letting them unblock the action
#       for 24 hours if it's legitimate. Ideal for environments where
#       some departments use macros but you still want protection.
# MITRE: T1059.005 (VBA macro execution)
# ---------------------------------------------------------

# Set Office child process rule to Warn mode (6 = Warn)
# BEHAVIOR: User sees a toast notification when Word/Excel tries to
#           spawn a child process. They can click "Allow" to bypass
#           the block for 24 hours, or let it be blocked.
Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A `
    -AttackSurfaceReductionRules_Actions 6

# Set Office executable content rule to Warn mode
# BEHAVIOR: User is warned when a macro tries to drop an executable file.
Set-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 `
    -AttackSurfaceReductionRules_Actions 6

# KQL query to monitor how often users bypass warn prompts
# WHY: High bypass rates on specific devices may indicate users
#      routinely dismissing security prompts - consider blocking
#      or adding targeted exclusions instead.
# DeviceEvents
# | where ActionType startswith "Asr"
# | where AdditionalFields has "Warn"
# | summarize WarnCount = count() by DeviceName, ActionType
# | order by WarnCount desc

⚠️ Important: Warn mode is only supported for specific ASR rules and requires Windows 10 version 1809 or later. Not all rules support warn mode. Check the ASR rules reference for compatibility.

Step 10 · Build an ASR Monitoring Dashboard

Create a custom monitoring dashboard using advanced hunting queries to track ASR rule activity, block events, and trends over time. This provides the security team and leadership with ongoing visibility.

Query: ASR Block Events Summary

// ---------------------------------------------------------
// WHAT: Track ASR block events over time as a daily trend
// WHY:  A sudden spike in blocks may indicate an active attack
//       campaign. A gradual decline shows policy effectiveness.
//       Use as a KPI dashboard for security leadership reporting.
// FILTER: "Block" in AdditionalFields = only enforced blocks.
// OUTPUT: Time chart with one line per ASR rule, daily granularity.
// ---------------------------------------------------------
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
| where AdditionalFields has "Block"
| summarize BlockCount = count() by
    bin(Timestamp, 1d), ActionType
| render timechart

Query: Top Blocked Processes

// ---------------------------------------------------------
// WHAT: Top 20 most frequently blocked processes by ASR rules
// WHY:  Identifies which executables are being stopped most often.
//       High-count entries in C:\Program Files = likely false positives.
//       High-count entries in C:\Users\*\Temp = likely true positives.
// AffectedDevices (dcount): High device count = widespread app.
//                          Low device count = targeted/isolated event.
// ACTION: Review top results - add confirmed LOB apps to exclusions;
//         investigate unknown executables as potential threats.
// ---------------------------------------------------------
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
| where AdditionalFields has "Block"
| summarize BlockCount = count(),
    AffectedDevices = dcount(DeviceId) by
    FileName, FolderPath, ActionType
| order by BlockCount desc
| take 20

Query: ASR Coverage by Device

// ---------------------------------------------------------
// WHAT: Verify ASR rule coverage - which devices have activity
// WHY:  Devices with zero ASR events may have rules misconfigured,
//       not applied, or the device may be inactive. Cross-reference
//       with device inventory to find coverage gaps.
// LOGIC: dcount(ActionType) = number of distinct rules that fired.
//        LastEvent = when the device last triggered any ASR rule.
// TIME WINDOW: 7 days - short window to catch recent coverage issues.
// ---------------------------------------------------------
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType startswith "Asr"
| summarize RulesTriggered = dcount(ActionType),
    LastEvent = max(Timestamp) by DeviceName
| order by RulesTriggered desc

Save each query as a custom detection or bookmark in the advanced hunting interface
Pin key queries to a custom dashboard in the Defender portal for quick access
Schedule weekly exports to share with security leadership and compliance teams
Set up email notifications for anomalous spikes in ASR block events

Step 11 · Create Alert Rules for ASR Block Events

Create custom detection rules that trigger alerts when critical ASR rules block suspicious activity. This ensures the SOC team is notified when real threats are stopped by ASR rules.

Navigate to Hunting > Custom detection rules in the Defender portal
Click + Create detection rule
Use the KQL query below as the detection query
Set the frequency to Every hour for high-priority rules (credential theft, ransomware)
Configure alert severity as Medium or High based on the rule category
Assign the alert to the appropriate SOC team or response group
Enable automated investigation if your organization uses AIR (Automated Investigation and Response)

// ---------------------------------------------------------
// WHAT: Custom detection rule - ASR blocked credential theft
// WHY:  When the LSASS credential theft ASR rule blocks an attempt,
//       it’s a HIGH-CONFIDENCE indicator of active credential harvesting.
//       This is almost never a false positive in production environments.
// MITRE: T1003.001 (OS Credential Dumping: LSASS Memory)
// DETECTION LOGIC: ActionType == "AsrLsassCredentialTheftBlocked" means
//   a non-system process tried to read LSASS memory and was stopped.
// KEY FIELDS:
//   InitiatingProcessFileName = the parent process (e.g., cmd.exe)
//   ProcessCommandLine = exact command used to access LSASS
//   AccountName = user context (check for compromised accounts)
// TRUE POSITIVE: Mimikatz, ProcDump, pypykatz, or custom tools.
// FALSE POSITIVE: Very rare - some legacy monitoring agents.
// FREQUENCY: Run every 1 hour for near-real-time alerting.
// ---------------------------------------------------------
DeviceEvents
| where Timestamp > ago(1h)
| where ActionType == "AsrLsassCredentialTheftBlocked"
| project Timestamp, DeviceName, FileName,
    FolderPath, ProcessCommandLine,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine, AccountName
| order by Timestamp desc

// ---------------------------------------------------------
// WHAT: Custom detection rule - ASR blocked ransomware behavior
// WHY:  The ransomware ASR rule (C1DB55AB) uses ML to detect files
//       with ransomware characteristics. A block event means a file
//       was classified as likely ransomware and prevented from executing.
// MITRE: T1486 (Data Encrypted for Impact)
// DETECTION LOGIC: ActionType == "AsrRansomwareBlocked" fires when
//   the ML model's confidence score exceeds the threshold.
// TRUE POSITIVE: Actual ransomware payload blocked pre-execution.
// FALSE POSITIVE: Rare - legitimate file encryption tools (7-Zip, etc.)
//   may occasionally trigger. Verify FileName/FolderPath before excluding.
// RESPONSE: Immediately investigate the device, check for lateral movement.
// ---------------------------------------------------------
DeviceEvents
| where Timestamp > ago(1h)
| where ActionType == "AsrRansomwareBlocked"
| project Timestamp, DeviceName, FileName,
    FolderPath, ProcessCommandLine, AccountName
| order by Timestamp desc

💡 Pro Tip: Combine ASR block alerts with entity enrichment. When a credential theft block fires, automatically look up the device risk score, the user's recent sign-in activity, and any related alerts to build a full investigation context.

Step 12 · Validate Full Deployment and Document Policies

With all rules deployed and exclusions configured, perform a final validation across the production fleet and create documentation for your ASR deployment.

Expand the ASR policy assignment from the pilot group to the ASR-Production-Devices group
Monitor the first 48 hours closely for any new false positives from the broader device population
Run the validation query below to confirm all devices have the expected ASR rule configuration
Document each rule, its mode (audit, block, or warn), and any configured exclusions
Create a runbook for handling ASR-related support tickets from end users
Schedule a quarterly review to evaluate ASR rule effectiveness and adjust exclusions

# ---------------------------------------------------------
# WHAT: Validate ASR rule state on the local device and export config
# WHY:  Final validation ensures all rules are in their intended mode
#       (Block, Audit, or Warn) and the config is documented for
#       compliance audits and disaster recovery.
# ---------------------------------------------------------

# Read the current ASR configuration
$rules = Get-MpPreference
$ruleIds = $rules.AttackSurfaceReductionRules_Ids
$ruleActions = $rules.AttackSurfaceReductionRules_Actions

# Map numeric action values to human-readable mode names
# 0 = Disabled (rule is off)
# 1 = Block (enforced, action is prevented)
# 2 = Audit (logged only, action is allowed)
# 6 = Warn (user sees a prompt, can bypass for 24h)
$modeMap = @{ 0 = "Disabled"; 1 = "Block"; 2 = "Audit"; 6 = "Warn" }

# Display each rule GUID and its current enforcement mode
for ($i = 0; $i -lt $ruleIds.Count; $i++) {
    $mode = $modeMap[$ruleActions[$i]]
    Write-Host "Rule: $($ruleIds[$i]). Mode: $mode"
}

# Export the full ASR config to JSON for documentation/audit purposes
# OUTPUT: ASR-Config-Export.json containing rule IDs, actions, and exclusions.
$rules | Select-Object AttackSurfaceReductionRules_Ids,
    AttackSurfaceReductionRules_Actions,
    AttackSurfaceReductionOnlyExclusions |
    ConvertTo-Json | Out-File "C:\Temp\ASR-Config-Export.json"

💡 Pro Tip: Use the ASR rules report in the Defender portal (Reports > Attack surface reduction rules) for a centralized view of rule activity across your entire tenant. This is the fastest way to spot trends and coverage gaps.

Resource	Description
Attack surface reduction rules reference	Complete catalog of ASR rules with GUIDs and descriptions
Overview of attack surface reduction	High-level introduction to ASR concepts and protection capabilities
Enable attack surface reduction rules	Step-by-step instructions for enabling ASR rules via Intune or GPO
Evaluate attack surface reduction rules	Test ASR rules in audit mode before enforcing in production
Plan ASR rules deployment	Design a phased rollout strategy for ASR rule enforcement
Test ASR rules	Validate ASR rule behavior and identify false positives before blocking
ASR rules reporting	Analyze ASR event data and generate compliance reports
Customize ASR rules	Configure per-rule exclusions to prevent workflow disruptions
Microsoft Defender for Endpoint documentation	Comprehensive reference for all MDE features and capabilities