Migrating from a non-Microsoft HIPS to attack surface reduction rules

Applies to:

• Microsoft Defender for Endpoint Plan 1
• Microsoft Defender for Endpoint Plan 2

This article helps you to map common rules to Microsoft Defender for Endpoint.

Scenarios when migrating from a non-Microsoft HIPS product to attack surface reduction rules

Block creation of specific files

• Applies to- All processes
• Operation- File Creation
• Examples of Files/Folders, Registry Keys/Values, Processes, Services- *.zepto, *.odin, *.locky, *.jaff, *.lukitus, *.wnry, *.krab
• Attack Surface Reduction rules- attack surface reduction rules block the attack techniques and not the Indicators of Compromise (IOC). Blocking a specific file extension isn't always useful, as it doesn't prevent a device from compromise. It only partially thwarts an attack until attackers create a new type of extension for the payload.
• Other recommended features- Having Microsoft Defender Antivirus enabled, along with Cloud Protection and Behavior Analysis is highly recommended. We recommend that you use other prevention, such as the attack surface reduction rule Use advanced protection against ransomware, which provides a greater level of protection against ransomware attacks. Furthermore, Microsoft Defender for Endpoint monitors many of these registry keys, such as ASEP techniques, which trigger specific alerts. The registry keys used require a minimum of Local Admin or Trusted Installer privileges can be modified. It's recommended to use a locked down environment with minimum administrative accounts or rights. Other system configurations can be enabled, including Disable SeDebug for nonrequired roles that's part of our wider security recommendations.

Block creation of specific registry keys

• Applies to- All Processes
• Processes- N/A
• Operation- Registry Modifications
• Examples of Files/Folders, Registry Keys/Values, Processes, Services- \Software,HKCU\Environment\UserInitMprLogonScript,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs*\StartExe, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*\Debugger, HKEY_CURRENT_USER\Software\Microsoft\HtmlHelp Author\location, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit*\MonitorProcess
• Attack Surface Reduction rules- attack surface reduction rules block the attack techniques and not the Indicators of Compromise (IOC). Blocking a specific file extension isn't always useful, because it doesn't prevent a device from compromise. It only partially thwarts an attack until attackers create a new type of extension for the payload.
• Other recommended features- Having Microsoft Defender Antivirus enabled, along with Cloud Protection and Behavior Analysis is highly recommended. We recommend you use extra prevention, such as the attack surface reduction rule Use advanced protection against ransomware. This provides a greater level of protection against ransomware attacks. Furthermore, Microsoft Defender for Endpoint monitors several of these registry keys, such as ASEP techniques, which trigger specific alerts. Additionally, the registry keys used require a minimum of Local Admin or Trusted Installer privileges can be modified. It's recommended to use a locked down environment with minimum administrative accounts or rights. Other system configurations can be enabled, including Disable SeDebug for nonrequired roles that's part of our wider security recommendations.

Block untrusted programs from running from removable drives

• Applies to- Untrusted Programs from USB
• Processes- *
• Operation- Process Execution
• *Examples of Files/Folders, Registry Keys/Values, Processes, Services:-
• Attack Surface Reduction rules- attack surface reduction rules have a built-in rule to prevent the launch of untrusted and unsigned programs from removable drives: Block untrusted and unsigned processes that run from USB, GUID b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4.
• Other recommended features- Please explore more controls for USB devices and other removable media using Microsoft Defender for Endpoint:How to control USB devices and other removable media using Microsoft Defender for Endpoint.

Block Mshta from launching certain child processes

• Applies to- Mshta
• Processes- mshta.exe
• Operation- Process Execution
• Examples of Files/Folders, Registry Keys/Values, Processes, Services- powershell.exe, cmd.exe, regsvr32.exe
• Attack Surface Reduction rules- attack surface reduction rules don't contain any specific rule to prevent child processes from mshta.exe. This control is within the remit of Exploit Protection or Windows Defender Application Control.
• Other recommended features- Enable Windows Defender Application Control to prevent mshta.exe from being executed altogether. If your organization requires mshta.exe for line of business apps, configure a specific Windows Defender Exploit Protection rule, to prevent mshta.exe from launching child processes.

Block Outlook from launching child processes

• Applies to- Outlook
• Processes- outlook.exe
• Operation- Process Execution
• Examples of Files/Folders, Registry Keys/Values, Processes, Services- powershell.exe
• Attack Surface Reduction rules- attack surface reduction rules have a built-in rule to prevent Office communication apps (Outlook, Skype, and Teams) from launching child processes: Block Office communication application from creating child processes, GUID 26190899-1602-49e8-8b27-eb1d0a1ce869.
• Other recommended features- We recommend enabling PowerShell constrained language mode to minimize the attack surface from PowerShell.

Block Office Apps from launching child processes

• Applies to- Office
• Processes- winword.exe, powerpnt.exe, excel.exe
• Operation- Process Execution
• Examples of Files/Folders, Registry Keys/Values, Processes, Services- powershell.exe, cmd.exe, wscript.exe, mshta.exe, EQNEDT32.EXE, regsrv32.exe
• Attack Surface Reduction rules- attack surface reduction rules have a built-in rule to prevent Office apps from launching child processes: Block all Office applications from creating child processes, GUID d4f940ab-401b-4efc-aadc-ad5f3c50688a.
• Other recommended features- N/A

Block Office Apps from creating executable content

• Applies to- Office
• Processes- winword.exe, powerpnt.exe, excel.exe
• Operation- File Creation
• Examples of Files/Folders, Registry Keys/Values, Processes, Services- C:\Users*\AppData**.exe, C:\ProgramData**.exe, C:\ProgramData**.com, C:\UsersAppData\Local\Temp**.com, C:\Users\Downloads**.exe, C:\Users*\AppData**.scf, C:\ProgramData**.scf, C:\Users\Public*.exe, C:\Users*\Desktop***.exe
• Attack Surface Reduction rules- N/A.

Block Wscript from reading certain types of files

• Applies to- Wscript
• Processes- wscript.exe
• Operation- File Read
• Examples of Files/Folders, Registry Keys/Values, Processes, Services- C:\Users*\AppData**.js, C:\Users*\Downloads**.js
• Attack Surface Reduction rules- Due to reliability and performance issues, attack surface reduction rules don't have the capability to prevent a specific process from reading a certain script file type. We do have a rule to prevent attack vectors that might originate from these scenarios. The rule name is Block JavaScript or VBScript from launching downloaded executable content (GUID d3e037e1-3eb8-44c8-a917-57927947596d) and the Block execution of potentially obfuscated scripts (GUID * 5beb7efe-fd9a-4556-801d-275e5ffc04cc*).
• Other recommended features- Though there are specific attack surface reduction rules that mitigate certain attack vectors within these scenarios, it's important to mention that AV is able by default to inspect scripts (PowerShell, Windows Script Host, JavaScript, VBScript, and more) in real time, through the Antimalware Scan Interface (AMSI). More info is available here: Antimalware Scan Interface (AMSI).

Block launch of child processes

• Applies to- Adobe Acrobat
• Processes- AcroRd32.exe, Acrobat.exe
• Operation- Process Execution
• Examples of Files/Folders, Registry Keys/Values, Processes, Services- cmd.exe, powershell.exe, wscript.exe
• Attack Surface Reduction rules- attack surface reduction rules allow blocking Adobe Reader from launching child processes. The rule name is Block Adobe Reader from creating child processes, GUID 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c.
• Other recommended features- N/A

Block download or creation of executable content

• Applies to- CertUtil: Block download or creation of executable
• Processes- certutil.exe
• Operation- File Creation
• Examples of Files/Folders, Registry Keys/Values, Processes, Services- *.exe
• Attack Surface Reduction rules- attack surface reduction rules don't support these scenarios because they're a part of Microsoft Defender Antivirus protection.
• Other recommended features- Microsoft Defender Antivirus prevents CertUtil from creating or downloading executable content.

Block processes from stopping critical System components

• Applies to- All Processes
• Processes- *
• Operation- Process Termination
• Examples of Files/Folders, Registry Keys/Values, Processes, Services- MsSense.exe, MsMpEng.exe, NisSrv.exe, svchost.exe*, services.exe, csrss.exe, smss.exe, wininit.exe, and more.
• Attack Surface Reduction rules- attack surface reduction rules don't support these scenarios because they're protected with Windows built-in security protections.
• Other recommended features- ELAM (Early Launch AntiMalware), PPL (Protection Process Light), PPL AntiMalware Light, and System Guard.

Block specific launch Process Attempt

• Applies to- Specific Processes
• Processes- Name your Process
• Operation- Process Execution
• Examples of Files/Folders, Registry Keys/Values, Processes, Services- tor.exe, bittorrent.exe, cmd.exe, powershell.exe, and more
• Attack Surface Reduction rules- Overall, attack surface reduction rules aren't designed to function as an Application manager.
• Other recommended features- To prevent users from launching specific processes or programs, it's recommended to use Windows Defender Application Control. Microsoft Defender for Endpoint File and Cert indicators, can be used in an Incident Response scenario (shouldn't be seen as an application control mechanism).

Block unauthorized changes to Microsoft Defender Antivirus configurations

• Applies to- All Processes
• Processes- *
• Operation- Registry Modifications
• Examples of Files/Folders, Registry Keys/Values, Processes, Services- HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware, HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\AllowRealTimeMonitoring, and so on.
• Attack Surface Reduction rules- attack surface reduction rules don't cover these scenarios because they're part of the Microsoft Defender for Endpoint built-in protection.
• Other recommended features- Tamper Protection (opt-in, managed from Intune) prevents unauthorized changes to DisableAntiVirus, DisableAntiSpyware, DisableRealtimeMonitoring, DisableOnAccessProtection, DisableBehaviorMonitoring, and DisableIOAVProtection registry keys (and more).

See also

• Attack surface reduction FAQ
• Enable attack surface reduction rules
• Evaluate attack surface reduction rules

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.