ATTACK(ing) Surface Reduction Series – Introduction

Introduction

Windows Defender Exploit Guard, introduced with Windows 10, stands as a formidable defense mechanism against next-generation malware. Acknowledging the limitations of traditional antivirus technologies, Exploit Guard comprises four key components: Attack Surface Reduction (ASR), Network Protection, Controlled Folder Access, and Exploit Protection. ASR controls the device's attack surface by blocking malicious behaviors in Office applications, scripts, and email. Network Protection thwarts outbound connections to malicious websites, while Controlled Folder Access safeguards critical files. Exploit Protection, integrated into Windows 10, replaces the Enhanced Mitigation Experience Toolkit (EMET) for vulnerability mitigation. Manageable through Group Policy, SCCM, and MDM, Exploit Guard integrates with Windows Defender Advanced Threat Protection (ATP), providing real-time notifications and event logs. As a pivotal preventive protection tool, Windows Defender Exploit Guard exemplifies Microsoft's commitment to proactive and robust cybersecurity defenses.

In this blog, we're checking out Attack Surface Reduction (ASR) and figuring out how it can be used to keep us safe from hackers and avoid getting into compromising situations. Let's see if ASR can be the hero we need to protect our digital lives. This blog is a series: each post will focus on one rule, explain it, and test whether we can bypass it.

Geek Speak:

According to Microsoft's documentation, the rules for Attack Surface Reduction focus on specific software actions, including:

  • Launching executable files and scripts that attempt to download or run files
  • Running obfuscated or otherwise suspicious scripts
  • Performing behaviors that apps don't usually initiate during normal day-to-day work

Attack Surface Reduction is rule-based, and each rule is represented by a GUID. The following image shows the ASR rule GUID matrix.

[Image: ASR rule GUID matrix]

Each ASR rule can be set to one of the following states:

  • Not configured: The rule is disabled. The code for this state is 0.
  • Block: The rule is enabled. The code for this state is 1.
  • Audit: The rule is evaluated for the effect it would have on the organization or environment, without blocking. The code for this state is 2.
  • Warn: The rule is enabled and presents a notification to the end user, but permits the end user to bypass the block. The code for this state is 6.

In Warn mode, as stated by Microsoft, the decision is left to the end user, who can either bypass the block by clicking Unblock or enforce it by clicking OK. From an attacker's point of view, this can be helpful if you have desktop access.

[Image: Warn mode notification with the Unblock and OK buttons]

After clicking Unblock, the bypass persists for 24 hours; after that you have to click Unblock again.

Now that we have an idea of what Attack Surface Reduction is, let's see how we can configure it on our machines.

Press WIN+R, type gpedit.msc, and navigate to:

Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction
[Image: Attack Surface Reduction setting in the Group Policy Editor]

Or simply with a PowerShell command (replace the placeholders with the rule's GUID and the numeric mode from the list above):

Set-MpPreference -AttackSurfaceReductionRules_Ids <RuleGUID> -AttackSurfaceReductionRules_Actions <RuleMode>

As shown in the image, we have enabled the ASR rules "Block all Office applications from creating child processes" and "Block process creations originating from PSExec and WMI commands".

We can read the applied ASR configuration using the following PowerShell cmdlet:

(Get-MpPreference).AttackSurfaceReductionRules_Ids
[Image: output of (Get-MpPreference).AttackSurfaceReductionRules_Ids]
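The following script is an added example, not code from the original post: it ties the configuration steps above together by listing the configured rules with their mode names, adding the PsExec/WMI rule in Audit mode without overwriting the other rules, and pulling the Defender events that show the rule firing. It assumes an elevated PowerShell session on a host running Microsoft Defender Antivirus; the two GUIDs are Microsoft's documented identifiers for the two rules named above.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell
# session on a host with Microsoft Defender Antivirus enabled.
# GUIDs are Microsoft's documented identifiers for the two rules used in the post.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
}

# State codes as listed in the post: 0 Not configured, 1 Block, 2 Audit, 6 Warn
$actionNames = @{ 0 = 'Not configured'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Pair each configured rule id with its action and map both to readable names.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id   = ([string]$ids[$i]).ToUpper()
        $code = [int]$actions[$i]
        $name = '(rule not in local table)'
        if ($asrRules.ContainsKey($id)) { $name = $asrRules[$id] }
        $mode = "code $code"
        if ($actionNames.ContainsKey($code)) { $mode = $actionNames[$code] }
        [pscustomobject]@{ RuleId = $id; Name = $name; Mode = $mode }
    }
}

# Set-MpPreference replaces the whole rule list; Add-MpPreference adds or updates
# a single rule and leaves the others alone. Start in Audit mode to measure the
# impact on legitimate admin tooling before switching the rule to Block.
Add-MpPreference -AttackSurfaceReductionRules_Ids 'D1E49AAC-8F56-4280-B9BA-993A6D77406C' `
                 -AttackSurfaceReductionRules_Actions AuditMode

Get-AsrRuleState | Format-Table -AutoSize

# ASR logs to the Defender operational log: event 1121 = a rule blocked an action,
# event 1122 = a rule in Audit mode would have blocked it. Show the most recent hits
# so the rule can be verified (and later tuned) from the log rather than the popup.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
```

Once the audit events confirm nothing legitimate is caught, rerun the Add-MpPreference line with -AttackSurfaceReductionRules_Actions Enabled to move the rule to Block.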

Now let's try to trigger the rule that prevents process creations originating from PsExec.

[Image: PsExec process creation blocked by the ASR rule]

It works: we managed to block PsExec from creating processes.

I imagine that you now have a clear understanding of how things work and a comprehensive insight into the workings of Attack Surface Reduction (ASR).