Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

ASR Precedence

Copper Contributor

We have ASR configurations in Intune that MDE is enforcing...sort of.  We have some ASR rules deployed in the Microsoft Defender for Endpoint Baseline (which doesn't contain an exceptions option).  There are additional ASR rules in the Attack Surface Reduction blade of Intune, which does allow for exceptions.  Both of these sections contain some ASR rules that are exactly the same, so the question is which ASR rule set from MDE actually enforce?  The ones in the baseline or the ones in the ASR blade?  Here are the ASR rules from each section for reference so you can understand what I'm talking about (the orange ones denote the same rule in both places):

Microsoft Defender for Endpoint Baseline

  1. Block Office communication apps from creating child processes
  2. Block Adobe Reader from creating child processes
  3. Block Office applications from injecting code into other processes
  4. Block Office applications from creating executable content
  5. Block JavaScript or VBScript from launching downloaded executable content
  6. Enable network protection
  7. Block untrusted and unsigned processes that run from USB
  8. Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  9. Block executable content download from email and webmail clients
  10. Block all Office applications from creating child processes
  11. Block execution of potentially obfuscated scripts (js/vbs/ps)
  12. Block Win32 API calls from Office macro

 

Attack Surface Reduction section

  1. Block Adobe Reader from creating child processes
  2. Block execution of potentially obfuscated scripts
  3. Block Win32 API calls from Office macros
  4. Block credential stealing from the Windows local security authority subsystem
  5. Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  6. Block JavaScript or VBScript from launching downloaded executable content
  7. Block Office communication application from creating child processes
  8. Block all Office applications from creating child processes
  9. Block untrusted and unsigned processes that run from USB
  10. Block persistence through WMI event subscription
  11. Block abuse of exploited vulnerable signed drivers (Device)
  12. Block process creations originating from PSExec and WMI commands
  13. Block Office applications from creating executable content
  14. Block Office applications from injecting code into other processes
  15. Use advanced protection against ransomware
  16. Block executable content from email client and webmail
1 Reply
The baseline is good for implementations where there is minimum requirement for hardening and customizations. Use ASR policies in endpoint security blade for granularity.