Attack surface reduction rules

This article provides information about attack reduction rules:

Supported operating systems

The following table lists attack surface reduction rules in alphabetical order. A check mark indicates the rule is supported by the operating system listed in that column.

Note

  • Unless otherwise indicated, the minimum Windows 10 build is version 1709 (RS3, build 16299) or later; the minimum Windows Server build is version is 1809 or later.

  • * All rules support file and folder exclusions, unless stated otherwise.

Rule name Windows 10 Windows Server 2019 Windows Server Windows Server 2016 Windows Server 2012 R2
Block abuse of exploited vulnerable signed drivers Y Y Y version 1803 (Semi-Annual Channel) or later
Block Adobe Reader from creating child processes Y version 1809 or later Y Y

Block all Office applications from creating child processes Y Y Y

Block credential stealing from the Windows local security authority subsystem (lsass.exe) Y version 1803 or later Y

Y

Block executable content from email client and webmail Y Y

Y

Block executable files from running unless they meet a prevalence, age, or trusted list criterion Y version 1803 or later Y

Y

Block execution of potentially obfuscated scripts Y Y

Y

Block JavaScript or VBScript from launching downloaded executable content Y Y

Y

Block Office applications from creating executable content Y Y

Y

Block Office applications from injecting code into other processes Y Y

Y

Block Office communication application from creating child processes Y Y

Y

Block persistence through WMI event subscription

* File and folder exclusions not supported.
Y version 1903 (build 18362) or later Y Y

version 1903 (build 18362) or later
Block process creations originating from PSExec and WMI commands Y version 1803 or later Y

Y

Block untrusted and unsigned processes that run from USB Y Y

Y

Block Win32 API calls from Office macros Y Y

Y

Use advanced protection against ransomware Y version 1803 or later Y

Y

Rule name Windows 10 Windows Server 2019 Windows Server Windows Server 2016 Windows Server 2012 R2

Supported configuration management systems

Links to information about configuration management system versions referenced in this table are listed below this table.

Rule name Intune Microsoft Endpoint Manager Microsoft Endpoint Configuration Manager Group Policy[1] PowerShell[1]
Block abuse of exploited vulnerable signed drivers supported.

supported

MEM OMA-URI
supported.

supported

Block Adobe Reader from creating child processes supported. supported supported.

supported.

Block all Office applications from creating child processes supported. supported

CB 1710
supported.

supported.

Block credential stealing from the Windows local security authority subsystem (lsass.exe) supported. supported

CB 1802
supported.

supported.

Block executable content from email client and webmail supported. supported

CB 1710
supported supported.

Block executable files from running unless they meet a prevalence, age, or trusted list criterion supported. supported

CB 1802
supported.

supported.

Block execution of potentially obfuscated scripts supported. supported

CB 1710
supported.

supported.

Block JavaScript or VBScript from launching downloaded executable content supported. supported

CB 1710
supported.

supported.

Block Office applications from creating executable content supported.

supported

CB 1710

supported.

supported.

Block Office applications from injecting code into other processes supported. supported

CB 1710
supported.

supported.

Block Office communication application from creating child processes supported. supported

CB 1710
supported.

supported.

Block persistence through WMI event subscription supported.

supported.

Block process creations originating from PSExec and WMI commands supported supported.

supported.

Block untrusted and unsigned processes that run from USB supported. supported

CB 1802

supported.

supported.

Block Win32 API calls from Office macros supported. supported

CB 1710

supported.

supported.

Use advanced protection against ransomware supported. supported

CB 1802
supported.

supported.

(1) You can configure attack surface reduction rules on a per-rule basis by using any rule's GUID.

Per rule descriptions

Block abuse of exploited vulnerable signed drivers

This rule prevents an application from writing a vulnerable signed driver to disk. In-the-wild, vulnerable signed drivers can be exploited by local applications - that have sufficient privileges - to gain access to the kernel. Vulnerable signed drivers enable attackers to disable or circumvent security solutions, eventually leading to system compromise.

The Block abuse of exploited vulnerable signed drivers rule does not block a driver already existing on the system from being loaded.

Note

You can configure this rule using MEM OMA-URI. See MEM OMA-URI for configuring custom rules.

You can also configure this rule using PowerShell.

To have a driver examined, use this Web site to Submit a driver for analysis.

Intune Name: Block abuse of exploited vulnerable signed drivers

GUID: 56a863a9-875e-4185-98a7-b882c64b5ce5

Block Adobe Reader from creating child processes

This rule prevents attacks by blocking Adobe Reader from creating processes.

Through social engineering or exploits, malware can download and launch payloads, and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading.

Intune name: Process creation from Adobe Reader (beta)

Configuration Manager name: Not yet available

GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c

Advanced hunting action type:

  • AsrAdobeReaderChildProcessAudited
  • AsrAdobeReaderChildProcessBlocked

Block all Office applications from creating child processes

This rule blocks Office apps from creating child processes. Office apps include Word, Excel, PowerPoint, OneNote, and Access.

Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run more payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes; such as spawning a command prompt or using PowerShell to configure registry settings.

Intune name: Office apps launching child processes

Configuration Manager name: Block Office application from creating child processes

GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a

Advanced hunting action type:

  • AsrOfficeChildProcessAudited
  • AsrOfficeChildProcessBlocked

Block credential stealing from the Windows local security authority subsystem

This rule helps prevent credential stealing by locking down Local Security Authority Subsystem Service (LSASS).

LSASS authenticates users who sign in on a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.

Note

In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is no need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.

Intune name: Flag credential stealing from the Windows local security authority subsystem

Configuration Manager name: Block credential stealing from the Windows local security authority subsystem

GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2

Advanced hunting action type:

  • AsrLsassCredentialTheftAudited
  • AsrLsassCredentialTheftBlocked

Block executable content from email client and webmail

This rule blocks the following file types from launching from email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers:

  • Executable files (such as .exe, .dll, or .scr)
  • Script files (such as a PowerShell .ps, Visual Basic .vbs, or JavaScript .js file)

Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)

Microsoft Endpoint Manager name: Block executable content from email client and webmail

GUID: be9ba2d9-53ea-4cdc-84e5-9b1eeee46550

Advanced hunting action type:

  • AsrExecutableEmailContentAudited
  • AsrExecutableEmailContentBlocked

Note

The rule Block executable content from email client and webmail has the following alternative descriptions, depending on which application you use:

  • Intune (Configuration Profiles): Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions).
  • Endpoint Manager: Block executable content download from email and webmail clients.
  • Group Policy: Block executable content from email client and webmail.

Block executable files from running unless they meet a prevalence, age, or trusted list criterion

This rule blocks executable files, such as .exe, .dll, or .scr, from launching unless any of the following conditions are met:

  • Prevalence: The executable files are found on more than 1,000 endpoints
  • Age: The executable files were released more than 24 hours ago
  • Location: The executable files are included in a trusted list or an exclusion list

Launching untrusted or unknown executable files can be risky, as it might not be initially clear if the files are malicious.

Important

You must enable cloud-delivered protection to use this rule.

The rule Block executable files from running unless they meet a prevalence, age, or trusted list criterion with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. This rule uses cloud-delivered protection to update its trusted list regularly.

You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.

Intune name: Executables that don't meet a prevalence, age, or trusted list criteria

Configuration Manager name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria

GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25

Advanced hunting action type:

  • AsrUntrustedExecutableAudited
  • AsrUntrustedExecutableBlocked

Block execution of potentially obfuscated scripts

This rule detects suspicious properties within an obfuscated script.

Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software.

Intune name: Obfuscated js/vbs/ps/macro code

Configuration Manager name: Block execution of potentially obfuscated scripts

GUID: 5beb7efe-fd9a-4556-801d-275e5ffc04cc

Advanced hunting action type:

  • AsrObfuscatedScriptAudited
  • AsrObfuscatedScriptBlocked

Block JavaScript or VBScript from launching downloaded executable content

This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet.

Although not common, line-of-business applications sometimes use scripts to download and launch installers.

Intune name: js/vbs executing payload downloaded from Internet (no exceptions)

Configuration Manager name: Block JavaScript or VBScript from launching downloaded executable content

GUID: d3e037e1-3eb8-44c8-a917-57927947596d

Advanced hunting action type:

  • AsrScriptExecutableDownloadAudited
  • AsrScriptExecutableDownloadBlocked

Block Office applications from creating executable content

This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk.

Malware that abuses Office as a vector might attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique.

Intune name: Office apps/macros creating executable content

SCCM name: Block Office applications from creating executable content

GUID: 3b576869-a4ec-4529-8536-b80a7769e899

Advanced hunting action type:

  • AsrExecutableOfficeContentAudited
  • AsrExecutableOfficeContentBlocked

Block Office applications from injecting code into other processes

This rule blocks code injection attempts from Office apps into other processes.

Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process.

There are no known legitimate business purposes for using code injection.

This rule applies to Word, Excel, and PowerPoint.

Intune name: Office apps injecting code into other processes (no exceptions)

Configuration Manager name: Block Office applications from injecting code into other processes

GUID: 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84

Advanced hunting action type:

  • AsrOfficeProcessInjectionAudited
  • AsrOfficeProcessInjectionBlocked

Block Office communication application from creating child processes

This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions.

This rule protects against social engineering attacks and prevents exploiting code from abusing vulnerabilities in Outlook. It also protects against Outlook rules and forms exploits that attackers can use when a user's credentials are compromised.

Note

This rule blocks DLP policy tips and ToolTips in Outlook. This rule applies to Outlook and Outlook.com only.

Intune name: Process creation from Office communication products (beta)

Configuration Manager name: Not available

GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869

Advanced hunting action type:

  • AsrOfficeCommAppChildProcessAudited
  • AsrOfficeCommAppChildProcessBlocked

Block persistence through WMI event subscription

This rule prevents malware from abusing WMI to attain persistence on a device.

Important

File and folder exclusions don't apply to this attack surface reduction rule.

Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.

Intune name: Not available

Configuration Manager name: Not available

GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b

Advanced hunting action type:

  • AsrPersistenceThroughWmiAudited
  • AsrPersistenceThroughWmiBlocked

Block process creations originating from PSExec and WMI commands

This rule blocks processes created through PsExec and WMI from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization's network.

Warning

Only use this rule if you're managing your devices with Intune or another MDM solution. This rule is incompatible with management through Microsoft Endpoint Configuration Manager because this rule blocks WMI commands the Configuration Manager client uses to function correctly.

Intune name: Process creation from PSExec and WMI commands

Configuration Manager name: Not applicable

GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c

Advanced hunting action type:

  • AsrPsexecWmiChildProcessAudited
  • AsrPsexecWmiChildProcessBlocked

Block untrusted and unsigned processes that run from USB

With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include executable files (such as .exe, .dll, or .scr)

Intune name: Untrusted and unsigned processes that run from USB

Configuration Manager name: Block untrusted and unsigned processes that run from USB

GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4

Advanced hunting action type:

  • AsrUntrustedUsbProcessAudited
  • AsrUntrustedUsbProcessBlocked

Block Win32 API calls from Office macros

This rule prevents VBA macros from calling Win32 APIs.

Office VBA enables Win32 API calls. Malware can abuse this capability, such as calling Win32 APIs to launch malicious shellcode without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.

Supported operating systems:

Intune name: Win32 imports from Office macro code

Configuration Manager name: Block Win32 API calls from Office macros

GUID: 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b

Advanced hunting action type:

  • AsrOfficeMacroWin32ApiCallsAudited
  • AsrOfficeMacroWin32ApiCallsBlocked

Use advanced protection against ransomware

This rule provides an extra layer of protection against ransomware. It uses both client and cloud heuristics to determine whether a file resembles ransomware. This rule does not block files that have one or more of the following characteristics:

  • The file has already been found to be unharmful in the Microsoft cloud.
  • The file is a valid signed file.
  • The file is prevalent enough to not be considered as ransomware.

The rule tends to err on the side of caution to prevent ransomware.

Note

You must enable cloud-delivered protection to use this rule.

Intune name: Advanced ransomware protection

Configuration Manager name: Use advanced protection against ransomware

GUID: c1db55ab-c21a-4637-bb3f-a12568109d35

Advanced hunting action type:

  • AsrRansomwareAudited
  • AsrRansomwareBlocked