This repository has been archived by the owner on May 28, 2021. It is now read-only.

Windows Defender Attack Surface Reduction Rules (ASR) #332

Open
jcspencer opened this issue Aug 8, 2020 · 1 comment

Comments

@jcspencer

Defender lets you set Attack Surface Reduction rules either via GPO or via Set-MpPreference. A list of the rules can be found here.

Current rules:

  • Block executable content from email client and webmail
  • Block all Office applications from creating child processes
  • Block Office applications from creating executable content
  • Block Office applications from injecting code into other processes
  • Block JavaScript or VBScript from launching downloaded executable content
  • Block execution of potentially obfuscated scripts
  • Block Win32 API calls from Office macros
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  • Use advanced protection against ransomware
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  • Block process creations originating from PSExec and WMI commands
  • Block untrusted and unsigned processes that run from USB
  • Block Office communication application from creating child processes
  • Block Adobe Reader from creating child processes
  • Block persistence through WMI event subscription

Is this something that would be worth me making a PR for?

The main issue is that there are currently 15 possible rules, each with three states (disabled, audit, enabled). Would this be something where there should be three options available as separate commands?


E3V3A commented Sep 30, 2020

@jcspencer

Is this something that would be worth me making a PR for?

Absolutely, but before you do that, we need to address the issue of "out-of-box" experience for first time Windows users.

So perhaps we need to think about this:

  1. How can we get the out-of-box Vanilla settings for all those?
    (I.e. a log of what is currently used, before running and changing anything.)
  2. Which of these are the most important to have, but which will not block you from using Office tools in a standard way?
  3. Maybe have 3 "blocks" of different presets, each representing (user knowledge).
    For example: [basic, audit, hardened]?

For example, basic would block obvious stuff like:

  • Block executable content from email client and webmail
  • Block all Office applications from creating child processes
  • etc

But not:

  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  • Block untrusted and unsigned processes that run from USB
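Added example, not code from this issue or the project: a PowerShell sketch of the two steps discussed in the thread, logging the out-of-box ASR state from Get-MpPreference before changing anything, then rolling a "basic" preset out in audit mode with Add-MpPreference. The rule GUIDs are Microsoft's documented identifiers for the two rules named above as basic, assumed correct here and worth checking against the current rule list; $BasicRules, Get-AsrState, Save-AsrBaseline and Set-AsrPreset are names chosen for this example.

```powershell
# Assumes an elevated PowerShell session on Windows 10 with the Defender module loaded.
# Action codes as reported by Get-MpPreference (AttackSurfaceReductionRules_Actions).
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }

# Rule GUIDs for the "basic" preset (verify against Microsoft's ASR rule reference).
$BasicRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
}

function Get-AsrState {
    # Snapshot the current per-rule state; rules never configured are simply absent.
    $pref  = Get-MpPreference
    $state = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id   = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
        $code = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        $state[$id] = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] } else { "Unknown($code)" }
    }
    return $state
}

function Save-AsrBaseline([string]$Path) {
    # Step 1 from the thread: record the vanilla settings before touching anything.
    Get-AsrState | ConvertTo-Json | Set-Content -Path $Path
}

function Set-AsrPreset([hashtable]$Rules, [string]$Action) {
    # Apply one action (Disabled, Enabled, AuditMode, Warn) to every rule in the preset.
    # Add-MpPreference merges with rules already configured instead of replacing the list.
    foreach ($id in $Rules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
        Write-Host ("{0,-10} {1}" -f $Action, $Rules[$id])
    }
}

# Log the baseline, put the basic preset into audit mode first, then show the result.
Save-AsrBaseline -Path "$env:TEMP\asr-baseline.json"
Set-AsrPreset -Rules $BasicRules -Action 'AuditMode'
Get-AsrState | Format-Table -AutoSize
```

Audit-mode hits show up in the Windows Defender operational event log, which is what lets you answer the "will this block Office in normal use" question before switching a rule to Enabled.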
