cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Demystifying attack surface reduction rules - Part 3
By
Antonio Vasconcelos
Published May 05 2020 10:52 AM 42.9K Views
Antonio Vasconcelos
Microsoft
‎May 05 2020 10:52 AM

Demystifying attack surface reduction rules - Part 3

‎May 05 2020 10:52 AM

Update 23/05/2020

Added new info regarding ASR GUI! A community tool that will help you reporting and setting ASR rules locally! Ideal for lab scenarios!

Kudos to Hermann Maurer!

 

Hello again and welcome to the 3rd part of our blog series on demystifying attack surface reduction (ASR) rules.

 

The 3rd part is focused on how to report and troubleshoot Microsoft Defender ATP ASR Rules, both their configuration and the audit and block events.

 

Remember that you can follow the blog series here to read all the posts on this topic.

 

Continuing with the “How” - now on how to report and troubleshoot ASR rules

 

Keeping a bit of the tradition on the former blog post parts, if you asked us what is the best possible way to report and troubleshoot ASR rules events, our answer would logically be: It depends! :)

 

And that is very much the truth. Because it will depend eventually on the actual solution of choice that you are using to enable and configure ASR rules, your licensing, your role within your organization, etc. The point is, we have multiple ways of accomplishing very similar outcomes, some with more functionalities and/or granularity than others. Part 3 is all about going through each one of those and making sure you are aware of the options.

 

#1 How can I get a report on ASR rules?

 

Microsoft 365 security center  

The Microsoft 365 security center is the new home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure. Here you can easily view the security health of your organization, act to configure devices, users, and apps, and get alerts for suspicious activity. The Microsoft 365 security center is specifically intended for security admins and security operations teams to better manage and protect their organization. Visit the Microsoft 365 security center at https://security.microsoft.com.

 

In Microsoft 365 security center, we offer you a complete look at the current ASR rules configuration and events in your estate. Please note that your devices must be onboarded into the Microsoft Defender ATP service for these reports to be populated.

 

Here is a screenshot, directly taken from the Microsoft 365 security center (under Reports > Devices > Attack surface reduction ).

 

 

If you want to drill down to the device level, select Configuration from the Attack surface reduction rules pane. This will take you the following screen, where you can select a specific device and check its individual ASR rule configuration.

ASR_Report_2.png

 

Microsoft Defender ATP – Advanced hunting

One of the most powerful and coolest features of Microsoft Defender ATP is advanced hunting. If you are unfamiliar with advanced hunting, please refer to our documentation - Proactively hunt for threats with advanced hunting.

 

Advanced hunting is a query-based (Kusto Query Language) threat-hunting tool that lets you explore up to 30 days of the captured (raw) data, that Microsoft Defender ATP Endpoint Detection and Response (EDR) collects from all your machines. Through advanced hunting you can proactively inspect events in order to locate interesting indicators and entities. The flexible access to data facilitates unconstrained hunting for both known and potential threats.

 

Through advanced hunting, it is possible to extract ASR rules information, create reports, and get in-depth information on the context of a given ASR rule audit or block event.

 

ASR rules events are available to be queried from the DeviceEvents table in the advanced hunting section of the Microsoft Defender Security Center. For example, a simple query such as the one below can report all the events that have ASR rules as data source, for the last 30 days, and will summarize them by the ActionType count, that in this case it will be the actual codename of the ASR rule.

 

 

 

DeviceEvents 
| where Timestamp > ago(30d)   
| where ActionType startswith “Asr”
| summarize EventCount=count() by ActionType

 

 

 

AH_Query_full.png

 

The above shows that 187 events were registered for AsrLsassCredentialTheft (102 for Blocked and 85 for Audited), 2 events for AsrOfficeChildProcess (1 for Audited and 1 for Block) and 8 events for AsrPsexecWmiChildProcessAudited.

 

Now, let us say that you want to focus on the AsrOfficeChildProcess rule, and get details on the actual files and processes involved. We just need to change the filter for ActionType and replace the summarize line with a projection of the wanted fields (in this case they are DeviceName, FileName, FolderPath, etc.).

 

 

 

DeviceEvents 
| where (ActionType startswith “AsrOfficeChild”)   
| extend RuleId=extractjson(“$Ruleid”, AdditionalFields, typeof(string))
| project DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine

 

 

 

ASR_Query_2.png

 

The cool thing about advanced hunting is that you can shape the queries to your liking, so that you can see the exact story of what was happening, regardless of whether you want to pinpoint something on an individual machine, or you want to extract insights from your entire environment.

 

Microsoft Defender ATP machine timeline

An alternative to advanced hunting, but with a narrower scope, is the Microsoft Defender ATP machine timeline. You can view all the collected events of a device, for the past 6 months, in the Microsoft Defender Security Center, by going to the Machines list, select a given machine, and then click on the Timeline tab.

 

Pictured below is a screenshot of the Timeline view of these events on a given endpoint.  From this view, you can filter the events list based on any of the Event Groups along the right-side pane. You can also enable or disable Flagged and Verbose events while viewing alerts and scrolling through the historical timeline.

 

MachineTimeline.png

 

 

#2 How to troubleshoot ASR rules?

 

The first and most immediate way is to check locally, on a Windows device, which ASR rules are enabled (and their configuration) is by using the PowerShell cmdlets.

Nevertheless, we will show you other sources of information that Windows offers, to troubleshoot ASR rules’ impact and operation.

 

#2.1 Querying which rules are active

One of the easiest ways to determine if ASR rules are already enabled—and, if so, which ones—is through a PowerShell cmdlet, Get-MpPreference.

 

Here is an example:

posh_1.png

As you can see, there are multiple ASR rules active, with different configured actions.

 

To expand the above information on ASR rules, you can use the properties AttackSurfaceReductionRules_Ids and/or AttackSurfaceReductionRules_Actions.

 

Example:

Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids

posh_2.png

The above shows all the IDs for ASR rules that have a setting different from 0 (Not Configured).

 

The next step is then to list the actual actions (Block or Audit) that each rule is configured with.

 

Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions

posh_3.png

As you can see from the above output, mapping rules to actions via PowerShell can be a bit of a pain. You can do it manually, by copying and pasting both above results into an Excel file, but that’s not the easiest way of achieving our end goal (knowing which rules are enabled and their specific actions).

 

Don’t forget to always map the above results with the available list of rules!

 

To simplify your ASR rules troubleshooting in PowerShell, we have made a quick and dirty sample script that helps you map rules and actions in an easy way. Just pull the script from this GitHub repo.

 

Here is a small example of what the above script might output.

posh_4.png

 

Update 23/05/2020

Based on the above code, a MS colleague (Hermann Maurer), created a nice GUI both for reporting and setting ASR rules!

 

Here's how it looks:

ASR_Rules_Posh_GUI.jpg

Very slick! Files are available in his Github repo.  

 

All-in-all, although PowerShell is an important auditing/reporting mechanism to have, there are alternative ways, more streamlined ones, of checking your machine’s and estate’s current ASR rule configurations, such as the ones showed at the beginning of the blog in part 2 of this blog series, in the “How can I get a report on ASR rules?” section.

 

#2.2 Querying blocking and auditing events

 

Windows Event Viewer

ASR rule events can be viewed within the Windows Defender log.

To access it, open Windows Event Viewer, and browse to Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational.

eventviewer1.png

 

Microsoft Defender Malware Protection Logs

You can also view rule events through the Microsoft Defender Antivirus dedicated command-line tool, called mpcmdrun.exe, that can be used to manage and configure, as well as automate tasks if needed.

 

You can find this utility in %ProgramFiles%\Windows Defender\MpCmdRun.exe. You must run it from an elevated command prompt (i.e. run as Admin).

 

To generate the support information, type MpCmdRun.exe -getfiles. After a while, several logs will be packaged into an archive (MpSupportFiles.cab) and made available in C:\ProgramData\Microsoft\Windows Defender\Support.

mpcmdrun.png

 

Extract that archive and you will have many files available for troubleshooting purposes.

The most relevant files are:

  • MPOperationalEvents.txt - This file contains same level of information found in Event Viewer for Windows Defender’s Operational log.
  • MPRegistry.txt – In this file you will be able to analyze all the current Windows Defender configurations, from the moment the support logs were captured.
  • MPLog-***.txt – This log contains more verbose information about all the actions/operations of the Windows Defender.

Looking into MPOperationalEvents.txt, we find the same sort of information we found before when we blocked Word from launching a child process.

 

mpregistry.png

 

Within another file, called MPRegistry.txt, you will find a section called “Windows Defender Exploit Guard\ASR”, where you can doublecheck what rules are active and see their configurations.

mpregistry2.png

 

In the above screenshot we can see rule “Block all Office applications from creating child processes” (D4F940AB-401B-4EFC-AADC-AD5F3C50688A) is enabled with a value of 2, which means Audit.

 

We hope you have found part 3 of our blog series about demystifying ASR rules helpful! Please let us know if you have any questions in the comments section.

 

As always, you can find all the blogs in the series here.

 

Our 4th and final post will be coming out shortly, stay tuned!

 

António and Rob

Program Managers @Pernille-Eskebo Defender ATP Product Group

18 Comments
Ggaspar
Copper Contributor
‎May 05 2020 01:37 PM
‎May 05 2020 01:37 PM

Great work Antonio! Technical but easy to understand!

Keep up the great work mate!

 

Antonio Vasconcelos
Microsoft
‎May 05 2020 01:44 PM
‎May 05 2020 01:44 PM

@Ggaspar Thanks! Yeah, it's always a challenge to balance deep technical info, while being of value for every person, their level of knowledge and experience with the actual topic.

Let me know what else you would like to see in this, or future, blog posts!

0 Likes
Like
PHancke
Brass Contributor
‎May 06 2020 12:32 AM
‎May 06 2020 12:32 AM

Hi Antonio,

If I go to the M365 Security Center I get 0 Devices on the configuration tab (compared to your 1st screenshot). I do however see exclusions and detections. I can also hunt in Defender ATP so there seems to be underlying data. Am I missing a configuration to see data on the Configuration tab? (My devices are MDATP and Intune enrolled).

Regards

Pieter

0 Likes
Like
Dean Gross
Silver Contributor
‎May 10 2020 10:45 AM
‎May 10 2020 10:45 AM

why is there securitycenter.microsoft.com and security.microsoft.com? are there any plans to consolidate these?

0 Likes
Like
Antonio Vasconcelos
Microsoft
‎May 11 2020 03:12 AM
‎May 11 2020 03:12 AM

@Dean Gross securitycenter.microsoft.com is the portal for Microsoft Defender ATP, while security.microsoft is the portal for Microsoft Threat Protection.

MTP will be the defacto product that will encompass all of the existing M365 Security Workloads (MDATP, AATP, OATP and MCAS).

 

So yes, MDATP portal will be migrated to MTP soon.

 

More info here:

 

Dive deep into Microsoft Threat Protection: See how we defend against threats like | SECO20

https://www.youtube.com/watch?v=NogNroy0FSM

 

Announcing Microsoft Threat Protection

https://techcommunity.microsoft.com/t5/security-privacy-and-compliance/announcing-microsoft-threat-p...

 

Microsoft Threat Protection

https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-threat-protection?view=o365-wo...

 

Turn on Microsoft Threat Protection

https://docs.microsoft.com/en-us/microsoft-365/security/mtp/mtp-enable?view=o365-worldwide

Antonio Vasconcelos
Microsoft
‎May 11 2020 03:14 AM
‎May 11 2020 03:14 AM

@PHancke Known bug. It should be fixed soon.

0 Likes
Like
Andrew Allston
Iron Contributor
‎Jun 12 2020 08:04 AM
‎Jun 12 2020 08:04 AM

This is great, but I just dont understand why ASR detects files that ATP itself is loading. I have the following messages in my timeline:

 

Microsoft.AppV.AppvClientComConsumer.ni.dll was blocked by ASR using rule "loading non-Microsoft signed binary"
Microsoft.PowerShell.Commands.Management.ni.dll was blocked by ASR using rule "loading non-Microsoft signed binary"
System.Management.Automation.ni.dll was blocked by ASR using rule "loading non-Microsoft signed binary"

 

Which all are loaded by ..\Windows Defender Advanced Threat Protection\SenseIR.exe 

 

I'm not sure if this is Insider Build Related but I am perplexed either way why a security product is using unsigned DLLs . I guess i need to exclude SenseIR.exe from the ASR rules? Or am I missing something? Thanks in advance to anyone with some insight.

Deleted
Not applicable
‎Dec 08 2020 12:18 PM
‎Dec 08 2020 12:18 PM

@Andrew Allston https://support.microsoft.com/en-us/topic/mitigation-of-a-large-number-of-block-events-that-collect-...

0 Likes
Like
mahajanajay92
Copper Contributor
‎Apr 21 2021 05:59 AM
‎Apr 21 2021 05:59 AM

nicely summed up by @Antonio Vasconcelos , thank you so much for putting this across.

Lev_p
Copper Contributor
‎May 10 2021 12:14 AM
‎May 10 2021 12:14 AM

sensibly explained!

0 Likes
Like
Carol Chisholm
Iron Contributor
‎Aug 14 2021 02:03 AM
‎Aug 14 2021 02:03 AM

Thanks for this. I find it incredibly hard to know where to find things. There are so many products with ever changing names that do the same task. 

I have this application called Antidote written by Druide, and the Outlook addin is getting blocked. UI would like an exclusion. 

CarolChisholm_0-1628931430271.png

 

Where should I create a policy to exclude this executable?

I have nothing on-prem so it is somewhere in M365 / Intune or Endpoint protection. 

 

I know wherer to fin  Add Row - Microsoft Endpoint Manager admin center , sort of, but how do I find the OMA-URI for this ? And what is the data type?

But I also have policies in Devices - Microsoft Endpoint Manager admin center which have ASR but no exclusions. 

 

All I want to do es exempt one executable for a group of users or computers... 

 

 

 

 

 

0 Likes
Like
Antonio Vasconcelos
Microsoft
‎Aug 23 2021 07:37 AM
‎Aug 23 2021 07:37 AM

@Carol Chisholm See Intune section in this doc: Enable attack surface reduction rules | Microsoft Docs.

0 Likes
Like
Carol Chisholm
Iron Contributor
‎Aug 23 2021 08:23 AM
‎Aug 23 2021 08:23 AM

Thanks I found that. The problem is that as a a non-specialist this is rather daunging: 

 

Click Add again. The Add Row OMA-URI Settings opens. In Add Row, do the following:

  • In Name, type a name for the rule.
  • In Description, type a brief description.
  • IOMA-URI, type or paste the specific OMA-URI link for the rule that you are adding.
  • In Data type, select String.
  • In Value, type or paste the GUID value, the = sign and the State value with no spaces (GUID=StateValue). Where: {0 : Disable (Disable the ASR rule)}, {1 : Block (Enable the ASR rule)}, {2 : Audit (Evaluate how the ASR rule would impact your organization if enabled)}, {6 : Warn (Enable the ASR rule but allow the end-user to bypass the block)}
 

However I did find this Customize attack surface reduction rules | Microsoft Docs which could help and also this Add an exclusion to Windows Security (microsoft.com) 

 

0 Likes
Like
Antonio Vasconcelos
Microsoft
‎Aug 23 2021 08:27 AM
‎Aug 23 2021 08:27 AM

@Carol Chisholm OMA-URI is the foundation used to configure the MDM CSPs at Windows 10 level, but those are not mandatory when the UX is available in Intune.

 

AntonioVasconcelos_0-1629732458359.png

 

Carol Chisholm
Iron Contributor
‎Aug 23 2021 08:39 AM
‎Aug 23 2021 08:39 AM

Thanks I will look further.. 

0 Likes
Like
ERNESTO VALDEZ
Copper Contributor
‎Sep 28 2021 11:35 AM
‎Sep 28 2021 11:35 AM

Thank you very much for these articles, they will be very helpful.
Will there be any query so that from the advance hunting, you can check how a workstation is configured with the ASR rules? basically the information of the Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids but from the same MDSC console?

0 Likes
Like
Amy Babinchak
Copper Contributor
‎Jun 13 2022 01:40 PM
‎Jun 13 2022 01:40 PM

Antonio, It is being reported on Reddit/MSP that if you enable the block vulnerable drivers ASR rule that it disables all others. I'm using Endpoint Manager to deploy ASR rules. They are all applying in block mode, except for the block vulnerable drivers rule. If there some incompatability between this rule and the others? Is there some work around? some are suggesting to deploy it locally. 

0 Likes
Like
Nicole053
Copper Contributor
‎Jul 11 2023 12:54 AM
‎Jul 11 2023 12:54 AM

Do we need to enable cloud block level as high to receive the toast notifications on the enduser device level for asr warn mode .Is this any prerequisiste ? Looking for assistance pls since im not receiving the notifications which allow me to bypass/accept  despite configuring warn mode

0 Likes
Like
Version history
Last update:
‎May 23 2020 10:30 AM
Updated by: