02-05-2023, 12:17 PM
Attack Surface Reduction
Attack Surface Reduction (ASR), a security feature of Microsoft Windows 10, forms part of Microsoft Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Microsoft Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations.
ASR offers a number of attack surface reduction rules, each identified by a GUID; these include:
- Block executable content from email client and webmail: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
- Block all Office applications from creating child processes: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
- Block Office applications from creating executable content: 3B576869-A4EC-4529-8536-B80A7769E899
- Block Office applications from injecting code into other processes: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
- Block JavaScript or VBScript from launching downloaded executable content: D3E037E1-3EB8-44C8-A917-57927947596D
- Block execution of potentially obfuscated scripts: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
- Block Win32 API calls from Office macro: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion: 01443614-CD74-433A-B99E-2ECDC07BFC25
- Use advanced protection against ransomware: C1DB55AB-C21A-4637-BB3F-A12568109D35
- Block credential stealing from the Windows local security authority subsystem (lsass.exe): 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
- Block process creations originating from PSExec and WMI commands: D1E49AAC-8F56-4280-B9BA-993A6D77406C
- Block untrusted and unsigned processes that run from USB: B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4
- Block Office communication application from creating child processes: 26190899-1602-49E8-8B27-EB1D0A1CE869
- Block Adobe Reader from creating child processes: 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C
- Block persistence through WMI event subscription: E6DB77E5-3DF2-4CF1-B95A-636979351E5B