Attack Surface Reduction (ASR) rules in Windows Defender provide an effective way to enhance security by controlling potentially harmful actions. This tutorial focuses on using PowerShell to configure ASR rules, specifically to block process creations originating from PSExec and Windows Management Instrumentation (WMI).
Starting with PowerShell
Open an Elevated PowerShell Session: Run PowerShell as an administrator; the Defender cmdlets used below (Add-MpPreference, Set-MpPreference, Remove-MpPreference) require it. ASR rules are enforced only while Microsoft Defender Antivirus is the active antivirus with real-time protection on; if a third-party antivirus has put Defender into passive mode, the rules can be configured but are not enforced.
Implementing ASR Rules
Adding an ASR Rule
Block Process Creations from PSExec and WMI:
- Add-MpPreference -AttackSurfaceReductionRules_Ids d1e49aac-8f56-4280-b9ba-993a6d77406c -AttackSurfaceReductionRules_Actions Enabled
This sets rule d1e49aac-8f56-4280-b9ba-993a6d77406c ("Block process creations originating from PSExec and WMI commands") to Block mode, and the change takes effect immediately. Before using Block mode, run the rule in AuditMode on representative machines: it also blocks legitimate WMI-based remote administration, and Microsoft documents it as incompatible with Configuration Manager because the Configuration Manager client relies on WMI.
Understanding ASR Rule Actions
Available Actions for ASR Rules:
- Disabled (0): Deactivates the rule.
- Enabled (1): Block mode; the action is prevented and event 1121 is logged.
- AuditMode (2): Logs event 1122 without blocking. Start new rules here and review the events before moving to Enabled.
- Warn (6): Blocks the action but shows the user a dialog with an option to unblock; once the user unblocks, the action is allowed for 24 hours.
The numbers in parentheses are the values Get-MpPreference returns in AttackSurfaceReductionRules_Actions.
View Current ASR Rule Configuration:
- Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
Applying the Changes
Changes made with Add-MpPreference, Set-MpPreference and Remove-MpPreference take effect immediately; neither a reboot nor a Defender service restart is needed. Do not toggle real-time protection off and on to "apply" a rule (Set-MpPreference -DisableRealtimeMonitoring $true followed by $false): the machine is unprotected while it is off, ASR rules are not enforced during that window, and with Tamper Protection enabled the disable call is rejected anyway.
Testing and Monitoring ASR Rules
Testing the Configuration
Attempt a Blocked Action to Test ASR (run this from Windows PowerShell 5.1; Invoke-WmiMethod is not available in PowerShell 7):
- Invoke-WmiMethod win32_process -name create -argumentlist "ping google.com"
Viewing ASR Rule Events
Monitor ASR Rule Events:
- Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-Windows Defender/Operational"; id=1121,1122} | Format-Table -Wrap -AutoSize
This shows ASR events: 1121 is a rule firing in Block mode, 1122 a rule firing in Audit mode. Event 5007 in the same log records Defender configuration changes, including ASR rule changes, and is useful when checking that a rule was actually set.
Managing ASR Rules
Disabling an ASR Rule
Turn Off a Specific ASR Rule:
- Add-MpPreference -AttackSurfaceReductionRules_Ids d1e49aac-8f56-4280-b9ba-993a6d77406c -AttackSurfaceReductionRules_Actions Disabled
Removing an ASR Rule
Remove an ASR Rule:
- Remove-MpPreference -AttackSurfaceReductionRules_Ids d1e49aac-8f56-4280-b9ba-993a6d77406c
Advanced ASR Rule Configuration
Configuring Additional ASR Rules
Add Multiple ASR Rules:
To enhance protection, you can configure several rules at once. For instance, to block all Office applications from creating child processes (d4f940ab-401b-4efc-aadc-ad5f3c50688a) and to block executable content from email client and webmail (be9ba2d9-53ea-4cdc-84e5-9b1eeee46550):
- $ruleIds = @('d4f940ab-401b-4efc-aadc-ad5f3c50688a', 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550')
- $ruleActions = @('Enabled', 'Enabled')
- for ($i = 0; $i -lt $ruleIds.Length; $i++) {
-     Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleIds[$i] -AttackSurfaceReductionRules_Actions $ruleActions[$i]
- }
This iterates through the list of rule IDs and enables each. The loop is not strictly necessary: both parameters accept arrays, so passing $ruleIds and $ruleActions directly in a single Add-MpPreference call configures all the rules at once, provided the two arrays have the same length and order.
Setting Rule Actions
Configure Rules to Warn Mode:
To set a rule to warn the user instead of blocking:
- Add-MpPreference -AttackSurfaceReductionRules_Ids <ruleId> -AttackSurfaceReductionRules_Actions Warn
Replace <ruleId> with the specific rule ID.
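The following is an added example, not code from the original tutorial: a staged rollout of the rules discussed above. Rules go in as AuditMode first; Set-AsrRuleAction then re-reads the configuration and fails if the stored action does not match what was requested, so a change silently overridden by Group Policy or Intune is caught instead of assumed to have applied. The rule set, the function name and the $actionCode table are this example's own choices.

```powershell
# Added example (not from the original tutorial): staged ASR rollout with verification.

$rolloutRules = @(
    'd1e49aac-8f56-4280-b9ba-993a6d77406c'  # Block process creations originating from PSExec and WMI commands
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a'  # Block all Office applications from creating child processes
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'  # Block executable content from email client and webmail
)

# Numeric values as Get-MpPreference reports them in AttackSurfaceReductionRules_Actions
$actionCode = @{ Disabled = 0; Enabled = 1; AuditMode = 2; Warn = 6 }

function Set-AsrRuleAction {
    param(
        [Parameter(Mandatory)][string[]]$Ids,
        [Parameter(Mandatory)][ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')][string]$Action
    )
    # Both parameters accept parallel arrays, so one call configures every rule.
    $actions = @($Action) * $Ids.Count
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Ids -AttackSurfaceReductionRules_Actions $actions

    # Verify by re-reading the stored configuration rather than trusting the call.
    $pref       = Get-MpPreference
    $configured = @($pref.AttackSurfaceReductionRules_Ids)
    $stored     = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $Ids) {
        $index = -1
        for ($j = 0; $j -lt $configured.Count; $j++) {
            if ($configured[$j] -ieq $id) { $index = $j; break }
        }
        $actual = if ($index -ge 0) { [int]$stored[$index] } else { $null }
        if ($actual -ne $actionCode[$Action]) {
            throw "Rule $id: requested $Action ($($actionCode[$Action])) but Defender reports '$actual'. " +
                  "Check for Group Policy or Intune settings that take precedence over local preferences."
        }
        "$id -> $Action"
    }
}

# Stage 1: audit every rule in the set.
Set-AsrRuleAction -Ids $rolloutRules -Action AuditMode

# Stage 2: after reviewing 1122 events for long enough to cover normal business cycles,
# enforce only the rules that produced no unexpected hits (here, the PsExec/WMI rule).
Set-AsrRuleAction -Ids $rolloutRules[0] -Action Enabled
```

Stage 2 is deliberately per rule: moving the whole set to Enabled in one step makes it hard to tell which rule is responsible when a workflow breaks.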
Viewing and Understanding ASR Rules
Understanding ASR Rule IDs:
Each ASR rule has a unique identifier. Familiarize yourself with these IDs by referring to Microsoft's official documentation for the most up-to-date information.
List All ASR Rules and Their States:
- Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
This shows all configured ASR rules and their current actions as two parallel arrays: the action at index i applies to the rule ID at index i (0 = Disabled, 1 = Enabled/Block, 2 = AuditMode, 6 = Warn). Select-Object -ExpandProperty takes a single property name, so it cannot be used to expand both arrays at once; to see each rule next to its action, index the two arrays together.
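The following is an added example, not code from the original tutorial, covering both the configuration view in this section and the event monitoring described under "Testing and Monitoring ASR Rules". It pairs the two parallel arrays from Get-MpPreference into one object per rule, decodes the action code and attaches a rule name, and reads the 1121/1122 events into the same shape so state and activity can be compared. It assumes the rule-name table (only the GUIDs used in this tutorial; extend it from Microsoft's ASR rule reference) and that the EventData fields are named "ID", "User", "Path" and "Process Name", which is the 1121/1122 schema as this example understands it; check one event's XML if your build differs.

```powershell
# Added example (not from the original tutorial): configured ASR rules next to what actually fired.

$asrRuleNames = @{
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
}
$asrActionNames = @{ 0 = 'Disabled'; 1 = 'Block (Enabled)'; 2 = 'AuditMode'; 5 = 'NotConfigured'; 6 = 'Warn' }

function Resolve-AsrRuleName([string]$Id) {
    $key = $Id.Trim('{}').ToLower()
    if ($asrRuleNames.ContainsKey($key)) { $asrRuleNames[$key] } else { '(not in local table)' }
}

# One object per configured rule, built from the two parallel arrays.
function Get-AsrRuleState {
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$acts[$i]
        [pscustomobject]@{
            RuleId   = $ids[$i].ToLower()
            RuleName = Resolve-AsrRuleName $ids[$i]
            Action   = if ($asrActionNames.ContainsKey($code)) { $asrActionNames[$code] } else { "Unknown ($code)" }
        }
    }
}

# 1121 (Block) and 1122 (Audit) events, with the EventData fields read by name.
function Get-AsrEvent([int]$Days = 7) {
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Mode     = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            RuleId   = ([string]$data['ID']).Trim('{}').ToLower()   # assumed field name: ID
            RuleName = Resolve-AsrRuleName ([string]$data['ID'])
            User     = $data['User']                                # assumed field name: User
            Process  = $data['Process Name']                        # assumed field name: Process Name
            Path     = $data['Path']                                # assumed field name: Path
        }
    }
}

# Configured rules and their current mode.
Get-AsrRuleState | Format-Table -AutoSize

# What fired in the last 7 days, per rule and mode.
Get-AsrEvent | Group-Object RuleName, Mode | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Rules sitting in AuditMode that produced no events are candidates to move to Block.
$fired = Get-AsrEvent | Select-Object -ExpandProperty RuleId -Unique
Get-AsrRuleState | Where-Object { $_.Action -eq 'AuditMode' -and $_.RuleId -notin $fired }
```

Reading the EventData elements by name rather than by position keeps the parsing stable if the field order changes between Defender platform versions; the last query is the decision input for promoting an audited rule to Block mode.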
Troubleshooting and Testing
Testing Specific ASR Rules
Testing an ASR Rule:
To test a specific rule, intentionally perform an action that the rule should block or warn about, then check the event log:
- Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-Windows Defender/Operational"; id=1121,1122}
Common Issues and Resolutions
Troubleshooting ASR Rule Not Functioning:
Ensure real-time protection is enabled, and that Defender is the active antivirus rather than running in passive mode behind a third-party product:
- Set-MpPreference -DisableRealtimeMonitoring $false
Check the rule ID against Microsoft's ASR rule reference (the GUID must match exactly) and that the action is set appropriately (Enabled, AuditMode, Warn). A rule in AuditMode logs 1122 but never blocks, which is easily mistaken for the rule not working.
Verify ASR Rule Application:
After setting a rule, confirm it was stored with the intended action by re-running the Get-MpPreference query from the "View Current ASR Rule Configuration" step, then trigger the rule and look for event 1121 (Block) or 1122 (Audit) as described above. Restarting the Defender service is not needed for ASR changes to apply, and the WinDefend service is protected, so a restart attempt is normally denied even to an administrator:
- Restart-Service WinDefend
Additional Considerations
Impact on System Performance: Some ASR rules might impact system performance. Monitor system resources and user feedback after implementing new rules.
User Awareness: In ‘Warn’ mode, users will receive notifications. Educate them about these warnings to ensure they understand the potential security implications.
Regular Updates: ASR rules and their effectiveness can change. Regularly review and update your ASR configurations.
Conclusion
Expanding your knowledge of ASR rules in PowerShell equips you with the tools needed for a robust defensive strategy against various attack vectors. Regularly revisiting your ASR rule configurations, staying informed about new threats, and educating end-users are key steps in maintaining a secure and resilient IT environment.