New ASR Rules available

There are 2 new ASR (Attack Surface Reduction) rules available.

Attack Surface Reduction rules are a Defender feature which, as the name suggests, reduces the attack surface on endpoints. It does this by blocking specific attack vectors such as “Block all Office applications from creating child processes”, “Block untrusted and unsigned processes that run from USB” and more; there are 19 rules available today, two of which are in preview.

The great thing about ASR is that it closes some attack paths outright, instead of relying on antivirus or EDR to detect the malicious code or behaviour, which change all the time.

The new rules:

Block rebooting machine in Safe Mode (preview)

GUID: 33ddedf1-c6e0-47cb-833e-de6133960387

This rule prevents the execution of commands to restart machines in Safe Mode.

Safe Mode is a diagnostic mode that only loads the essential files and drivers needed for Windows to run. However, in Safe Mode, many security products are either disabled or operate in a limited capacity, which allows attackers to further launch tampering commands, or simply execute and encrypt all files on the machine. This rule blocks such attacks by preventing processes from restarting machines in Safe Mode.

Block use of copied or impersonated system tools (preview)

GUID: c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb

This rule blocks the use of executable files that are identified as copies of Windows system tools. These files are either duplicates or impostors of the original system tools.

Some malicious programs may try to copy or impersonate Windows system tools to avoid detection or gain privileges. Allowing such executable files can lead to potential attacks. This rule prevents the propagation and execution of such duplicates and impostors of the system tools on Windows machines.

Please note that since these 2 new rules are in preview, additional upgrades to improve their efficacy are under development.
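Because both rules are still in preview, a sensible rollout is to enable them in audit mode first, confirm the configuration, and review what they would have blocked before switching to block. The following is an added example (not code from the post) using the standard Defender cmdlets; the GUIDs are the two from this post, and the EventData field names (ID, Path, Process Name) read from events 1121/1122 are an assumption you should check against a sample event on your own build.

```powershell
# Added example: stage the two preview ASR rules in audit mode, verify, review events.

$newRules = @{
    '33ddedf1-c6e0-47cb-833e-de6133960387' = 'Block rebooting machine in Safe Mode'
    'c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb' = 'Block use of copied or impersonated system tools'
}

# Audit mode logs what the rule would block without enforcing it; change
# -AttackSurfaceReductionRules_Actions to Enabled once the audit events look clean.
foreach ($guid in $newRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $guid `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# Verify: Get-MpPreference returns parallel arrays of rule IDs and actions
# (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i]
    if ($newRules.ContainsKey($id)) {
        '{0} -> action {1} ({2})' -f $id, $pref.AttackSurfaceReductionRules_Actions[$i], $newRules[$id]
    }
}

# Review audit (1122) and block (1121) events from Defender's operational log,
# keeping only those raised by the two new rules.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    # Assumed field names; confirm with ($e.ToXml()) on a real event.
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($newRules.ContainsKey($data['ID'])) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Rule    = $newRules[$data['ID']]
            Mode    = if ($e.Id -eq 1122) { 'Audit' } else { 'Block' }
            Process = $data['Process Name']
            Target  = $data['Path']
        }
    }
}
```

Run it from an elevated PowerShell session; a run of Event ID 1122 entries against legitimate processes is the signal to investigate before moving the rule to Enabled.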

Happy Hunting!
