New Attack Surface Reduction rules available

The introduction of new ASR rules is a clear indication of Microsoft's proactive stance on cybersecurity. By continuously updating and refining their security offerings, Microsoft enables you to stay one step ahead of threats. However, the effectiveness of these measures depends heavily on your thoughtful implementation and management. You must remain vigilant, regularly reviewing and updating your security policies to adapt to the evolving threat landscape.

Microsoft has just released two new ASR rules that are in preview. There is also a third rule that is no longer in preview but is still fairly new; if it has been a while since you last reviewed your ASR rules, you should check that one too.

Below you will find the rules described and how to set them up. You will also find a short description of how to review the events your audited rules generate, so you can end up in Block mode.

Block rebooting machine in Safe Mode (preview)

This rule prevents the execution of commands to restart machines in Safe Mode.

Safe Mode is a diagnostic mode that only loads the essential files and drivers needed for Windows to run. However, in Safe Mode, many security products are either disabled or operate in a limited capacity, which allows attackers to further launch tampering commands, or simply execute and encrypt all files on the machine. This rule blocks such attacks by preventing processes from restarting machines in Safe Mode.

Block use of copied or impersonated system tools (preview)

This rule blocks the execution of files that are identified as copies of Windows system tools. These files are either duplicates or impostors of the original system tools.

Some malicious programs copy or impersonate Windows system tools (for example, a renamed copy of a built-in binary) to avoid detection or to gain privileges. Allowing such executables to run gives the attacker a trusted-looking tool that detection logic keyed on the original path or name will miss. This rule prevents the propagation and execution of such duplicates and impostors of system tools on Windows machines.

Block Webshell creation for Servers

This rule blocks web shell script creation on Microsoft Server, Exchange Role.

A web shell script is a specifically crafted script that allows an attacker to control the compromised server. A web shell may include functionalities such as receiving and executing malicious commands, downloading and executing malicious files, stealing and exfiltrating credentials and sensitive information, identifying potential targets etc.

How to get started

Implementing Attack Surface Reduction (ASR) rules directly into a live environment without a preparatory phase could inadvertently disrupt legitimate business processes due to overly stringent controls. Therefore, collecting data over a span of weeks before activation is crucial. This preparatory phase allows you to understand typical system and network behavior, identifying legitimate processes that might be affected by ASR rules. With this baseline established, you can tailor ASR configurations to mitigate potential disruptions, ensuring security measures effectively block malicious activities without impeding operational efficiency. This approach not only enhances the organization's security posture but also ensures a seamless integration of ASR rules into existing workflows, striking the right balance between security and productivity.

I always recommend using Intune to handle ASR, and I might have another way than most other Security Consultants. I think that will be a full blog post of its own in the future.

But for now you need to do the following to set up the new rules in Intune:

1. Create your policy (in Intune: Endpoint security > Attack surface reduction > Create Policy, with the Attack Surface Reduction Rules profile)

2. Name your policy

3. Set "[PREVIEW] Block rebooting machine in Safe Mode" to Audit

4. Set "[PREVIEW] Block use of copied or impersonated system tools" to Audit

5. Set "Block webshell creation for Servers" to Audit

6. Set a Scope tag if needed

7. Add an assignment. In most environments go for All devices, since we are only collecting data at this point

8. Review and create the policy
Now you are done setting up the policy in Audit mode. The next step is to wait a few weeks while the devices report audit events.
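If you want to see the rules fire on a single pilot machine before the Intune policy has reached it, the same three rules can be set locally with the Defender PowerShell module. The script below is an added example, not part of the original post or Microsoft's documentation: it puts the three rules into the mode you choose (AuditMode by default, Enabled when you are ready to block) and then reads the effective configuration back. The rule GUIDs are the ones Microsoft publishes in its ASR rules reference; confirm them against the current reference before relying on them.

```powershell
# Added example: apply the three new ASR rules locally on a pilot device and verify
# the result. Run from an elevated PowerShell session on the test machine.
# Rule GUIDs as listed in Microsoft's ASR rules reference; verify before use.
param(
    # AuditMode only records events; Enabled blocks. These are the same two states
    # you later switch between in the Intune policy.
    [ValidateSet('AuditMode', 'Enabled', 'Disabled')]
    [string]$Action = 'AuditMode'
)

$rules = [ordered]@{
    '33ddedf1-c6e0-47cb-833e-de6133960387' = 'Block rebooting machine in Safe Mode (preview)'
    'c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb' = 'Block use of copied or impersonated system tools (preview)'
    'a8f5898e-1dc8-49a9-9878-85004b8a61e6' = 'Block Webshell creation for Servers'
}

# Add-MpPreference merges with rules that are already configured;
# Set-MpPreference would replace the whole rule list, so avoid it here.
foreach ($id in $rules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions $Action
}

# Verify: Get-MpPreference returns two parallel arrays, rule IDs and numeric
# actions (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
$pref        = Get-MpPreference
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i]
    if ($rules.Contains($id)) {
        [pscustomobject]@{
            Rule   = $rules[$id]
            Id     = $id
            Action = $actionNames[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
}
```

Keep in mind that on a device already receiving an ASR policy from Intune, the MDM setting wins over anything set locally, so use this only on machines outside the assignment (or to double-check what the policy actually delivered).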

What could have been blocked

In the Defender XDR portal, Microsoft offers a complete view of the current attack surface reduction rule configuration and events across your estate. Your devices must be onboarded to Microsoft Defender for Endpoint for these reports to be populated. The report lives under Reports > Devices > Attack surface reduction. From the Attack surface reduction rules pane, select Configuration to drill down to a specific device and check its individual rule configuration.

I must admit that I never use the reporting site; I always use Advanced Hunting.

Through advanced hunting, it's possible to extract attack surface reduction rules information, create reports, and get in-depth information on the context of a given attack surface reduction rule audit or block event.

Attack surface reduction rule events are available in the DeviceEvents table in the advanced hunting section of Microsoft Defender XDR. For example, the simple query below returns all events from the last 30 days that have attack surface reduction rules as their data source and summarizes them by ActionType. The ActionType is the codename of the rule combined with the mode it fired in (an Audited or Blocked suffix), so the same rule shows up as two different values once you start switching it to Block.

DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
| summarize EventCount=count() by ActionType

With advanced hunting you can shape the queries to your liking, so that you can see what is happening, regardless of whether you want to pinpoint something on an individual machine, or you want to extract insights from your entire environment.
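The summary query above tells you which rules fired, but to build an exclusion list you need to know on which devices and for which files. The script below is an added example, not part of the original post: it runs a more detailed hunting query through the Microsoft Graph security API (the same advanced hunting backend as the portal) and groups the audited hits by rule, device and file. It assumes the Microsoft.Graph.Authentication module is installed and that the signed-in account has the ThreatHunting.Read.All permission; the hunting query itself is standard KQL against DeviceEvents.

```powershell
# Added example: pull audited ASR events via Graph advanced hunting and list what
# each rule would have blocked, per device and file, to drive exclusion decisions.
# Assumes Microsoft.Graph.Authentication and the ThreatHunting.Read.All scope.
param([int]$Days = 30)

# Audit-mode hits carry the "Audited" suffix in ActionType. Group by the file that
# triggered the rule and keep one sample command line for context.
$query = @"
DeviceEvents
| where Timestamp > ago(${Days}d)
| where ActionType startswith "Asr" and ActionType endswith "Audited"
| summarize Hits = count(), LastSeen = max(Timestamp),
            Sample = take_any(InitiatingProcessCommandLine)
    by ActionType, DeviceName, FolderPath, FileName
| order by ActionType asc, Hits desc
"@

Connect-MgGraph -Scopes 'ThreatHunting.Read.All' -NoWelcome

$body = @{ Query = $query } | ConvertTo-Json
$resp = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
    -Body $body -ContentType 'application/json'

# Each result row is keyed by the column names produced by the summarize.
$rows = foreach ($r in $resp.results) {
    [pscustomobject]@{
        Rule     = $r.ActionType
        Device   = $r.DeviceName
        Path     = "$($r.FolderPath)\$($r.FileName)"
        Hits     = [int]$r.Hits
        LastSeen = $r.LastSeen
        Sample   = $r.Sample
    }
}

# Reading the output: a file hitting on many devices is usually a line-of-business
# tool that needs a per-rule exclusion; a single hit on a single device is the kind
# of thing you want the rule to block once it is switched to Block mode.
$rows | Group-Object Rule | ForEach-Object {
    "== $($_.Name): $($_.Count) distinct device/file combinations"
    $_.Group | Sort-Object Hits -Descending | Select-Object -First 10 |
        Format-Table Device, Path, Hits, LastSeen -AutoSize
}
```

The KQL in the here-string can be pasted straight into the advanced hunting page in the portal if you prefer to run it there; the Graph wrapper is only there so the review can be repeated on a schedule while the audit phase runs.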

How to go to block mode

When you have finished testing and decided what to exclude and what you will block, change the ASR rules in the policy from Audit to Block mode. Exclusions are configured per rule, so add them before switching the rule, not after the first user calls.

As always, the recommendation is to do your rollout in rings so it is as controlled as possible. I will at a later stage write a full blog post on how you could do your rings and why.
