Attack surface reduction rules demonstrations

This article provides test files, scripts, and procedures to demonstrate attack surface reduction (ASR) rules in Microsoft Defender for Endpoint.

ASR rules target risky software behavior on Windows devices that attackers commonly exploit through malware (for example, launching scripts that download files, running obfuscated scripts, and injecting code into other processes). For more information about ASR rules, see Attack surface reduction (ASR) rules overview.

Prerequisites

Before you begin these demonstrations, make sure your environment meets the following requirements:

Use PowerShell to enable and verify attack surface reduction rules

To enable all available ASR rules, run the following command in an elevated PowerShell window (a PowerShell window you opened after selecting Run as administrator):

Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-cd74-433a-b99e-2ecdc07bfc25,33ddedf1-c6e0-47cb-833e-de6133960387,3b576869-a4ec-4529-8536-b80a7769e899,56a863a9-875e-4185-98a7-b882c64b5ce5,5beb7efe-fd9a-4556-801d-275e5ffc04cc,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,a8f5898e-1dc8-49a9-9878-85004b8a61e6,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb,c1db55ab-c21a-4637-bb3f-a12568109d35,d1e49aac-8f56-4280-b9ba-993a6d77406c,d3e037e1-3eb8-44c8-a917-57927947596d,d4f940ab-401b-4efc-aadc-ad5f3c50688a,e6db77e5-3df2-4cf1-b95a-636979351e5b,26190899-1602-49e8-8b27-eb1d0a1ce869,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -AttackSurfaceReductionRules_Actions Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,AuditMode,AuditMode

For a complete list of ASR rule names and their associated GUID values, see Test files later in this article.

Verify configuration

To verify the state of ASR rules, run the following command in an elevated PowerShell window:

$p = Get-MpPreference

$ids     = @($p.AttackSurfaceReductionRules_Ids)
$actions = @($p.AttackSurfaceReductionRules_Actions)

for ($i = 0; $i -lt [Math]::Min($ids.Count, $actions.Count); $i++) {
    [pscustomobject]@{
        RuleId = $ids[$i]
        Action = $actions[$i]
    }
}

The available rule states are described in the following table:

Mode                    Text value      Numeric value
Off                     Disabled        0
Enabled in Block mode   Enabled         1
Enabled in Audit mode   AuditMode       2
Not configured          NotConfigured   5
Enabled in Warn mode    Warn            6

ASR rule names, GUIDs, and available test files

The following table associates the ASR rule names with the corresponding GUID values.

Tip

Rule name links are links to available test files. Some test files contain multiple exploits that trigger multiple ASR rules.

GUID value links are links to the rule details.

GUID value Rule name
01443614-cd74-433a-b99e-2ecdc07bfc25 Block executable files from running unless they meet a prevalence, age, or trusted list criterion
26190899-1602-49e8-8b27-eb1d0a1ce869 Block Office communication application from creating child processes
33ddedf1-c6e0-47cb-833e-de6133960387 Block rebooting machine in Safe Mode
3b576869-a4ec-4529-8536-b80a7769e899 Block Office applications from creating executable content
56a863a9-875e-4185-98a7-b882c64b5ce5 Block abuse of exploited vulnerable signed drivers (Device)
5beb7efe-fd9a-4556-801d-275e5ffc04cc Block execution of potentially obfuscated scripts
75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 Block Office applications from injecting code into other processes
7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c Block Adobe Reader from creating child processes
92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b Block Win32 API calls from Office macros
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block credential stealing from the Windows local security authority subsystem
a8f5898e-1dc8-49a9-9878-85004b8a61e6 Block Webshell creation for Servers
b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 Block untrusted and unsigned processes that run from USB
be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 Block executable content from email client and webmail
c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb Block use of copied or impersonated system tools
c1db55ab-c21a-4637-bb3f-a12568109d35 Use advanced protection against ransomware
d1e49aac-8f56-4280-b9ba-993a6d77406c Block process creations originating from PSExec and WMI commands
d3e037e1-3eb8-44c8-a917-57927947596d Block JavaScript or VBScript from launching downloaded executable content
d4f940ab-401b-4efc-aadc-ad5f3c50688a Block all Office applications from creating child processes
e6db77e5-3df2-4cf1-b95a-636979351e5b Block persistence through WMI event subscription

Run attack surface reduction demonstration scenarios

Use the following scenarios to test how attack surface reduction rules behave in different conditions. Complete the setup steps first, then run any of the individual scenarios.

Set up the demo environment

Perform the following steps to prepare your environment before running the demonstration scenarios:

  1. Run the following command in an elevated PowerShell window to set the execution policy to Unrestricted:

    Set-ExecutionPolicy Unrestricted
    
  2. Download, extract, and run this ASR demo setup script.

    Or, you can do the following manual steps instead:

    1. Create the folder C:\Demo.
    2. Save the safe test file (testfile_safe.txt) to C:\Demo.
    3. Enable all rules by running the Add-MpPreference command from Use PowerShell to enable and verify attack surface reduction rules earlier in this article.

Scenario 1: Attack surface reduction blocks a test file with multiple vulnerabilities

This scenario verifies that ASR rules block a test file that contains multiple risky behaviors when all rules are enabled in Block mode.

  1. Enable all rules in Block mode by running the Add-MpPreference command from Use PowerShell to enable and verify attack surface reduction rules earlier in this article.
  2. Download and open the test files/documents. If prompted, enable editing and content.

Expected result:

You should immediately see an "Action blocked" notification.

Scenario 2: ASR rule blocks the test file with the corresponding vulnerability

Use this scenario to test a single ASR rule against its matching demo file.

  1. Configure the individual rule you want to test. For example, to enable the Block all Office applications from creating child processes rule, run the following command in an elevated PowerShell window:

    Add-MpPreference -AttackSurfaceReductionRules_Ids d4f940ab-401b-4efc-aadc-ad5f3c50688a -AttackSurfaceReductionRules_Actions Enabled
    
  2. Download and open the test file/document for the rule you want to test. If prompted, enable editing and content. For example:

    Block all Office applications from creating child processes

Expected result:

You should immediately see an "Action blocked" notification.
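The "Action blocked" notification in Scenarios 1 and 2 does not say which rule fired. The following PowerShell example, added here and not part of the Microsoft article, reads the Microsoft Defender operational event log, where event ID 1121 records an ASR rule firing in Block mode and 1122 records a rule firing in Audit mode, and extracts the rule GUID, path, and process so the event can be matched against the GUID table earlier in this article. Parsing the ID, Path and Process Name fields out of the rendered message text with regular expressions is an assumption about the message layout on the test device; adjust the patterns if the fields differ.

```powershell
# Added example (not from the Microsoft article): list recent ASR rule events
# from the Defender operational log. 1121 = fired in Block mode, 1122 = fired in
# Audit mode. Field extraction from the rendered message is an assumption.

function Get-AsrRuleEvents {
    param(
        # Default window: events from the last hour
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = $Since
    }
    # Get-WinEvent throws when nothing matches; treat "no events" as an empty result
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $msg = $_.Message
        # "." does not cross line breaks in .NET regex, so each capture stops at end of line
        $rule = if ($msg -match 'ID:\s*\{?([0-9a-fA-F-]{36})\}?') { $Matches[1].ToLower() } else { $null }
        $path = if ($msg -match 'Path:\s*(.+)')                    { $Matches[1].Trim() }  else { $null }
        $proc = if ($msg -match 'Process Name:\s*(.+)')            { $Matches[1].Trim() }  else { $null }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            RuleId  = $rule
            Path    = $path
            Process = $proc
        }
    }
}

# Usage: events from the last hour, newest first
Get-AsrRuleEvents | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run this right after opening a test file. For Scenario 2 the RuleId column should show the single GUID you enabled (for example d4f940ab-401b-4efc-aadc-ad5f3c50688a); for Scenario 1 you see one event per rule the test file triggered. Rules left in AuditMode appear as 1122 events even though no notification was shown.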

Scenario 3: ASR rule blocks untrusted files from running from USB drives

Tip

This ASR rule is available in Windows 10 version 1709 (October 2017) or later.

  1. Enable the Block untrusted and unsigned processes that run from USB ASR rule by running the following command in an elevated PowerShell window:

    Add-MpPreference -AttackSurfaceReductionRules_Ids b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -AttackSurfaceReductionRules_Actions Enabled
    
  2. Download the following file to a USB drive (directly or copy it to the USB drive after you download it elsewhere):

    Block Execution of untrusted or unsigned executables inside removable USB media

  3. Run the file from the USB drive.

Expected result:

You should immediately see an "Action blocked" notification.

Scenario 4: What would happen without attack surface reduction

  1. Turn off all attack surface reduction rules by running the disable command in the Clean-up section later in this article, or by running the following command in an elevated PowerShell window:

    Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-cd74-433a-b99e-2ecdc07bfc25,33ddedf1-c6e0-47cb-833e-de6133960387,3b576869-a4ec-4529-8536-b80a7769e899,56a863a9-875e-4185-98a7-b882c64b5ce5,5beb7efe-fd9a-4556-801d-275e5ffc04cc,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,a8f5898e-1dc8-49a9-9878-85004b8a61e6,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb,c1db55ab-c21a-4637-bb3f-a12568109d35,d1e49aac-8f56-4280-b9ba-993a6d77406c,d3e037e1-3eb8-44c8-a917-57927947596d,d4f940ab-401b-4efc-aadc-ad5f3c50688a,e6db77e5-3df2-4cf1-b95a-636979351e5b,26190899-1602-49e8-8b27-eb1d0a1ce869,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -AttackSurfaceReductionRules_Actions Disabled,Disabled,Disabled,Disabled,Disabled,Disabled,Disabled,Disabled,Disabled,Disabled,Disabled,Disabled,Disabled,Disabled,Disabled,Disabled,Disabled,Disabled,Disabled
    
  2. Download any test file/document. If prompted, enable editing and content.

Expected result:

  • The files in C:\Demo are encrypted, and a warning message appears.
  • Running the test file again decrypts the files.

Clean up demo files and settings

Download, extract, and run this clean-up script.

Or, you can run the following command in an elevated PowerShell window to disable all ASR rules:

Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-cd74-433a-b99e-2ecdc07bfc25,33ddedf1-c6e0-47cb-833e-de6133960387,3b576869-a4ec-4529-8536-b80a7769e899,56a863a9-875e-4185-98a7-b882c64b5ce5,5beb7efe-fd9a-4556-801d-275e5ffc04cc,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,a8f5898e-1dc8-49a9-9878-85004b8a61e6,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb,c1db55ab-c21a-4637-bb3f-a12568109d35,d1e49aac-8f56-4280-b9ba-993a6d77406c,d3e037e1-3eb8-44c8-a917-57927947596d,d4f940ab-401b-4efc-aadc-ad5f3c50688a,e6db77e5-3df2-4cf1-b95a-636979351e5b,26190899-1602-49e8-8b27-eb1d0a1ce869,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -AttackSurfaceReductionRules_Actions Disabled,Disabled,Disabled,Disabled,Disabled,Disabled,Disabled,Disabled,Disabled,Disabled,Disabled,Disabled,Disabled,Disabled,Disabled,Disabled,Disabled,Disabled,Disabled

Clean up C:\Demo encryption by running the encrypt/decrypt file.
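Both the clean-up command above and the setup steps under Set up the demo environment rewrite the ASR configuration of the device wholesale: the clean-up sets every rule to Disabled rather than putting back whatever was configured before the demo. The following PowerShell example, added here and not part of the Microsoft article, saves the existing rule IDs and actions to a file before the demo and restores them afterwards. The backup path C:\Demo\asr-backup.json is an assumption chosen for this demo, and the example relies on Add-MpPreference accepting the numeric action values listed in the mode table (0 Disabled, 1 Enabled, 2 AuditMode, 5 NotConfigured, 6 Warn).

```powershell
# Added example (not from the Microsoft article): snapshot the device's ASR
# configuration before the demo and restore it during clean-up, instead of
# disabling every rule. The backup path is an assumption for this demo.

$BackupPath = 'C:\Demo\asr-backup.json'

function Save-AsrConfiguration {
    param([string]$Path = $BackupPath)
    $p = Get-MpPreference
    $state = @{
        Ids     = @($p.AttackSurfaceReductionRules_Ids)
        # Store actions as plain integers so the JSON round-trips cleanly
        Actions = @($p.AttackSurfaceReductionRules_Actions | ForEach-Object { [int]$_ })
        Saved   = (Get-Date).ToString('o')
    }
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    $state | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
    return $state
}

function Restore-AsrConfiguration {
    param([string]$Path = $BackupPath)
    $state = Get-Content -Path $Path -Raw | ConvertFrom-Json

    # Remove whatever the demo configured, then re-add the saved rules with their saved actions
    $current = @((Get-MpPreference).AttackSurfaceReductionRules_Ids)
    if ($current.Count -gt 0) {
        Remove-MpPreference -AttackSurfaceReductionRules_Ids $current
    }
    $ids     = @($state.Ids)
    $actions = @($state.Actions | ForEach-Object { [int]$_ })
    if ($ids.Count -gt 0) {
        # Assumption: numeric action values are accepted (0 Disabled, 1 Enabled, 2 AuditMode, 6 Warn)
        Add-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
    }
    return (Get-MpPreference).AttackSurfaceReductionRules_Ids
}

# Usage: run Save-AsrConfiguration before the setup steps, and
# Restore-AsrConfiguration in place of the disable-all command during clean-up.
```

This only matters on a device whose ASR rules are set locally. On a device managed through Intune or Group Policy the managed setting takes precedence over local preferences, so run the demonstrations on an unmanaged test device rather than on a production endpoint.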