Most recent attacks, especially ransomware, arrive as malicious Office files or as mail sent to the user. When the user clicks the attachment or link, the malicious payload is downloaded and run on the local computer, or it connects back to the command and control server (C&C) to download further files. The end result is an infected computer or encrypted files with a ransom demand.
Attack Surface Reduction (ASR) deals mainly with the rules below to protect your entry points (the attack surface):
- Office Rules: Prevent Office apps from creating executable content, launching child processes, injecting into other processes, etc.
- Script Rules: Block malicious scripts, obfuscated macro code and others.
- Mail Rules: Block running executable content from your mail client and webmail.
For more details please check this link
ASR ships with a given set of rules, and each rule has a unique GUID. To enable a rule you simply reference it by its GUID (see the image below).
So, for example, if you would like to block executable content from your mail client and webmail, you need to activate the rule with GUID BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 (the first rule).
I would highly recommend implementing ASR first on a standalone machine and testing the rules and their effect on your applications and daily work processes. PowerShell (admin elevated) will be used to enable ASR. For example, let us enable the first rule (blocking executable content from mail and webmail).
PowerShell Command
Set-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions AuditMode
This will turn on the first rule (blocking executable content in mail) in Audit Mode. You have three options for the action in this command: Enabled, Disabled and AuditMode. I would recommend turning it on first in AuditMode so you can check your logs and Event Viewer for the ASR events (what the rule would have blocked) without interrupting your business.
How to check the ASR events in Event Viewer:
- Download the Exploit Guard Evaluation Package and extract the ZIP file
- Open Event Viewer, choose Import Custom View and pick asr-events
- All ASR events can be checked from this custom view, which is very beneficial especially in the AuditMode phase while ASR is under test.
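Putting the enable and check steps together, here is an added example (not from the original post) that enables the first rule in AuditMode, lists every configured rule with its action, and pulls the resulting ASR events from the Defender Operational log. It assumes an elevated PowerShell prompt on Windows 10 1709, and the EventData field names (ID, Path, Process Name) are assumed to match the event XML on your build.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell
# prompt on Windows 10 1709 with Windows Defender Antivirus active.
$RuleId = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'  # executable content from mail / webmail

# 1. Enable the rule in AuditMode (Enabled = block, Disabled = off).
Set-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 2. Confirm the configured state. Ids and Actions are parallel arrays, and the
#    action numbers are the same 0/1/2 that the Group Policy setting uses.
$actionName = @{ 0 = 'Disabled (0)'; 1 = 'Block (1)'; 2 = 'AuditMode (2)' }
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $code = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    $name = if ($actionName.ContainsKey($code)) { $actionName[$code] } else { "Unknown ($code)" }
    '{0}  {1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $name
}

# 3. Review what the rule audited. Defender writes ASR audit hits as event 1122
#    and real blocks as event 1121 in its Operational log. The EventData field
#    names below are assumed; verify with $_.ToXml() if your build differs.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $data = @{}
    ([xml]$_.ToXml()).Event.EventData.Data |
        ForEach-Object { $data[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
        RuleId  = ($data['ID'] -replace '[{}]', '')   # GUID with braces stripped
        Process = $data['Process Name']
        Target  = $data['Path']
    }
} | Where-Object { $_.RuleId -eq $RuleId } | Format-Table -AutoSize
```

Leave the rule in AuditMode long enough to cover a normal business cycle; if step 3 shows only test-tool hits and no legitimate processes, switching the action to Enabled is low risk.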
How to Simulate and Demo the Attack Surface Reduction:
In the same Exploit Guard Evaluation Package you can find a file named Exploit Guard ASR test tool (for 32-bit and 64-bit OS). Running this file displays the ASR rules and their status on your machine (whether blocked, enabled or in AuditMode), and you can run a simulation to ensure they are working. For example, I will run the simulation for the first rule (executable content in mail and webmail), which will try running notepad.exe and get it blocked. It's a very handy test tool that you should play around with.
After you are fully satisfied with the test results you can start rolling it out to all client computers using Group Policy. The location of the Group Policy setting is as follows:
Computer Configuration - Administrative Templates - Windows Components - Windows Defender Antivirus - Windows Defender Exploit Guard - Attack Surface Reduction
You need to add the Rule ID and a value (0, 1 or 2). It's a little bit confusing, but 0 = Off (nothing happens, rule disabled), 2 = AuditMode and 1 = Block (which means enabling the rule).
So this is another exciting feature, and I would encourage everyone on Windows 10 1709 to give it a try.