Another cool feature in the Exploit Guard Intrusion prevention tool offered starting Windows 10 1709 is the Attack Surface Reduction (ASR). ASR is key component in the Exploit Guard tool and as I mentioned earlier that Exploit Guard is key component in the Windows 10 defensive stack and its mainly concerned with Pre-breach phase and its main goal is to prevent the attack from occurring.
Most recent attacks, especially ransomware attacks, come from malicious office files or emails that are sent to the user. When the user clicks, the malicious load is downloaded and executed on the local computer or connected to the command and control center (C & C) to download more files and the end result is to infect the computer or encrypt it (ask for a ransom)
Attack Surface Reduction is dealing mainly with the below rules to protect your entry points (Surface):
How to implement ASR on Standalone Machine:
I would highly recommend to implement first ASR on standalone machine and test the rules and their effect on your application and daily work processes. Power shell (Admin elevated) will be used to enable ASR. For example let us enable the first rule (Blocking executable content form mail and web mail)
PowerShell Command
Set-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions AuditMode
This will turn on the first rule of blocking executable content in mail in Audit Mode. You have three options when running this command which are Enabled, Disabled, AuditMode. I would recommend to turn it first in AuditMode so you can check your logs and event viewer for ASR blocking events without interrupting your business.
How to check the ASR events in Event Viewer:
How to Simulate and Demo the Attack Surface Reduction:
In the same Exploit Guard Evaluation Package, you can find a file named Exploit Guard ASR test tool (for 32 bit and 64 bit OS), Running this file will display the ASR rules and their status on your machine (whether blocked, enabled or in AuditMode) and you can run a simulation to ensure its working. For example I will run the simulation for the first rule (Executable content in mail and web mail) which will try running notepad.exe and get it blocked. Its very cool test tool that you need to play around with it.
How to enable ASR for Enterprise/Domain computers:
After you are fully satisfied with the test results you can start rolling it out on all client computers using group policy. The location of the Group policy is as follows:
Computer Configuration - Administrative Templates - Windows Components - Windows Defender Antivirus - Windows Defender Exploit Guard - Attack Surface Reduction
Most recent attacks, especially ransomware attacks, come from malicious office files or emails that are sent to the user. When the user clicks, the malicious load is downloaded and executed on the local computer or connected to the command and control center (C & C) to download more files and the end result is to infect the computer or encrypt it (ask for a ransom)
Attack Surface Reduction is dealing mainly with the below rules to protect your entry points (Surface):
- Office Rules: Prevent Office apps from creating Executable content, launching child process or injecting into other process.......etc.
- Script Rules: Block malicious scripts, obfuscated macro codes and others.
- Mail Rules: Block running executable content from your mail client and web mail.
For more details please check this link
There are given set of rules in the ASR and each rule has a unique GUID, to enable these rules you simply enable them by the GUID (Check Below image)
So for example if you would like to block executable content from your mail client and web mail, you need to activate the rule with GUID BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 (First rule)
I would highly recommend to implement first ASR on standalone machine and test the rules and their effect on your application and daily work processes. Power shell (Admin elevated) will be used to enable ASR. For example let us enable the first rule (Blocking executable content form mail and web mail)
PowerShell Command
Set-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions AuditMode
This will turn on the first rule of blocking executable content in mail in Audit Mode. You have three options when running this command which are Enabled, Disabled, AuditMode. I would recommend to turn it first in AuditMode so you can check your logs and event viewer for ASR blocking events without interrupting your business.
How to check the ASR events in Event Viewer:
- Download the exploit guard evaluation package and extract the ZIP file
- Open the event Viewer - Import Custom View - Pick the asr-events
- All events can be checked from this custom view, this is very beneficial especially in the AuditMode phase while ASR is under test.
How to Simulate and Demo the Attack Surface Reduction:
In the same Exploit Guard Evaluation Package, you can find a file named Exploit Guard ASR test tool (for 32 bit and 64 bit OS), Running this file will display the ASR rules and their status on your machine (whether blocked, enabled or in AuditMode) and you can run a simulation to ensure its working. For example I will run the simulation for the first rule (Executable content in mail and web mail) which will try running notepad.exe and get it blocked. Its very cool test tool that you need to play around with it.
After you are fully satisfied with the test results you can start rolling it out on all client computers using group policy. The location of the Group policy is as follows:
Computer Configuration - Administrative Templates - Windows Components - Windows Defender Antivirus - Windows Defender Exploit Guard - Attack Surface Reduction
You need to add the Rule ID and value (0, 1 & 2). Its little bit confusing but O=Off (Nothing happen, rule disabled), 2=AuditMode and 1=Block (which means enabling the rule)
So another exciting feature and I would encourage everyone on Windows 10 1709 to give it a try.
2 Comments
