Migrating from a non-Microsoft HIPS to attack surface reduction rules

This article helps you map common rules to Microsoft Defender for Endpoint. For more information about ASR rules, see Attack surface reduction (ASR) rules overview.

Scenarios when migrating from a non-Microsoft HIPS product to attack surface reduction rules

Block creation of specific files

  • Applies to: All processes
  • Processes: N/A
  • Operation: File Creation
  • Examples of Files/Folders, Registry Keys/Values, Processes, or Services:
    • .jaff
    • .krab
    • .locky
    • .lukitus
    • .odin
    • .wnry
    • .zepto
  • Attack surface reduction rules:
    • ASR rules block attack techniques, not indicators of compromise (IOC).
    • Blocking a specific file extension isn't always useful, because it doesn't prevent a device from compromise. It only partially thwarts an attack until attackers create a new type of extension for the payload.
  • Other recommended features:
    • Microsoft highly recommends enabling Microsoft Defender Antivirus, cloud protection and behavioral blocking.
    • Microsoft recommends other prevention measures, such as the ASR rule Use advanced protection against ransomware (c1db55ab-c21a-4637-bb3f-a12568109d35), which provides a greater level of protection against ransomware attacks.
    • Microsoft Defender for Endpoint monitors many of these registry keys, such as Autostart Extension Points (ASEP) techniques, which trigger specific alerts. The registry keys used require a minimum of Local Admin or Trusted Installer privileges. Microsoft recommends using a locked-down environment with minimum administrative accounts or rights. You can enable other system configurations, including disabling the SeDebugPrivilege as part of wider security recommendations.
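The bullets above recommend the ransomware ASR rule in place of extension blocking. The following PowerShell is an added example, not part of the Microsoft article: it stages that rule in audit mode on one device, shows how to read the rule's current state back, and pulls the audit events so the migration can be validated before the rule is switched to Block. It assumes an elevated session on a device with Microsoft Defender Antivirus; only the rule GUID comes from the article.

```powershell
# Added example (not from the Microsoft article). Run elevated.
# Stage the "Use advanced protection against ransomware" rule in audit mode,
# verify it, review the audit events, then promote it to Block.
$RansomwareRule = 'c1db55ab-c21a-4637-bb3f-a12568109d35'   # GUID as listed in the article

# 1. Audit first: the rule logs what it would have blocked but blocks nothing.
#    Add-MpPreference adds the rule, or updates the action of a rule already in the list.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RansomwareRule `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 2. Read the configured rules back. Get-MpPreference returns two parallel arrays;
#    the action is numeric (0 Disabled, 1 Block, 2 Audit, 6 Warn).
function Get-AsrRuleState {
    $prefs = Get-MpPreference
    for ($i = 0; $i -lt $prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
        [pscustomobject]@{
            RuleId = $prefs.AttackSurfaceReductionRules_Ids[$i]
            Action = switch ($prefs.AttackSurfaceReductionRules_Actions[$i]) {
                0 { 'Disabled' } 1 { 'Block' } 2 { 'AuditMode' } 6 { 'Warn' } default { $_ }
            }
        }
    }
}
Get-AsrRuleState | Format-Table -AutoSize

# 3. Review hits for this rule. In the Defender operational log, event ID 1122 is an
#    ASR audit event and 1121 is an ASR block event; the rule GUID appears in the message.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RansomwareRule } |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } }

# 4. When the audit events show no legitimate line-of-business activity, enforce.
#    (Set-MpPreference would overwrite the whole rule list; Add-MpPreference changes one rule.)
# Add-MpPreference -AttackSurfaceReductionRules_Ids $RansomwareRule `
#                  -AttackSurfaceReductionRules_Actions Enabled
```

Keep step 4 commented out until the audit review is done; in a managed estate the same two-phase change is normally pushed through Intune or Group Policy rather than per device.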

Block creation of specific registry keys

  • Applies to: All Processes
  • Processes: N/A
  • Operation: Registry Modifications
  • Examples of Files/Folders, Registry Keys/Values, Processes, or Services:
    • HKCU\Environment\UserInitMprLogonScript
    • HKCU\Software\Microsoft\HtmlHelp Author\location
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\*\StartExe
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*\Debugger
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\*\MonitorProcess
  • Attack surface reduction rules:
    • ASR rules block attack techniques, not indicators of compromise (IOC).
    • Blocking a specific file extension isn't always useful, because it doesn't prevent a device from compromise. It only partially thwarts an attack until attackers create a new type of extension for the payload.
  • Other recommended features:
    • Microsoft highly recommends enabling Microsoft Defender Antivirus, cloud protection and behavioral blocking.
    • Microsoft recommends other prevention measures, including the ASR rule Use advanced protection against ransomware (c1db55ab-c21a-4637-bb3f-a12568109d35), which provides a greater level of protection against ransomware attacks.
    • Microsoft Defender for Endpoint monitors many of these registry keys, such as Autostart Extension Points (ASEP) techniques, which trigger specific alerts. The registry keys used require a minimum of Local Admin or Trusted Installer privileges. Microsoft recommends using a locked-down environment with minimum administrative accounts or rights. You can enable other system configurations, including disabling the SeDebugPrivilege as part of wider security recommendations.
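Because no ASR rule maps to this scenario, a defender migrating off a HIPS still wants a way to see what is currently set in the autostart extension point (ASEP) keys listed above. The following read-only audit script is an added example, not from the Microsoft article; it enumerates those keys and reports any value that is populated. The wildcard entries in the list (for example `...\ATs\*\StartExe`) are interpreted as "that value under any subkey". It assumes an elevated session so the HKLM subkeys are readable, and it changes nothing.

```powershell
# Added example (not from the Microsoft article). Read-only; run elevated.
# Report populated values in the ASEP keys the article lists.
$checks = @(
    @{ Path = 'HKCU:\Environment';                        Name = 'UserInitMprLogonScript' },
    @{ Path = 'HKCU:\Software\Microsoft\HtmlHelp Author'; Name = 'location' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs';
       Name = 'StartExe';       PerSubkey = $true },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options';
       Name = 'Debugger';       PerSubkey = $true },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit';
       Name = 'MonitorProcess'; PerSubkey = $true }
)

function Get-AsepFindings {
    foreach ($c in $checks) {
        # "\*\Value" in the article means the value may sit under any child key.
        $keys = if ($c.PerSubkey) {
            Get-ChildItem -Path $c.Path -ErrorAction SilentlyContinue
        } else {
            Get-Item -Path $c.Path -ErrorAction SilentlyContinue
        }
        foreach ($k in $keys) {
            $data = $k.GetValue($c.Name, $null)
            if ($null -ne $data -and "$data" -ne '') {
                [pscustomobject]@{ Key = $k.Name; ValueName = $c.Name; Data = "$data" }
            }
        }
    }
}

Get-AsepFindings | Format-Table -AutoSize
```

Expect some legitimate entries: Windows ships StartExe values under Accessibility\ATs for its own assistive tools, and developer tooling registers IFEO debuggers. Record the baseline on a clean build and diff against it rather than treating every finding as hostile.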

Block untrusted programs from running from removable drives

Block Mshta from launching certain child processes

  • Applies to: Mshta
  • Processes:
    • mshta.exe
  • Operation: Process Execution
  • Examples of Files/Folders, Registry Keys/Values, Processes, or Services:
    • cmd.exe
    • powershell.exe
    • regsvr32.exe
  • Attack surface reduction rules: There are no specific ASR rules to prevent child processes from mshta.exe. This type of control is available in exploit protection or Application Control for Windows.
  • Other recommended features:
    • Enable application control to prevent mshta.exe from running at all. If your organization requires mshta.exe for line of business apps, configure a specific exploit protection rule to prevent mshta.exe from launching child processes.
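The bullet above points to exploit protection for the case where mshta.exe must remain available but should not spawn children. The following is an added example, not from the Microsoft article, showing that per-process mitigation both as a direct cmdlet call and as the exploit protection XML format that can be imported or distributed centrally. It assumes an elevated session and writes a temporary XML file under `$env:TEMP` (path chosen here, not from the article).

```powershell
# Added example (not from the Microsoft article). Run elevated.
# Apply the exploit protection child-process mitigation to mshta.exe.

# Option 1: set it directly. Applies to mshta.exe instances started from now on.
Set-ProcessMitigation -Name mshta.exe -Enable DisallowChildProcessCreation

# Verify: the ChildProcess section should report DisallowChildProcessCreation as ON.
(Get-ProcessMitigation -Name mshta.exe).ChildProcess

# Option 2: the same setting as an exploit protection policy file, which is the form
# you would hand to Intune or Group Policy instead of configuring each device.
$policyXml = @'
<?xml version="1.0" encoding="UTF-8"?>
<MitigationPolicy>
  <AppConfig Executable="mshta.exe">
    <ChildProcess DisallowChildProcessCreation="true" />
  </AppConfig>
</MitigationPolicy>
'@
$policyPath = Join-Path $env:TEMP 'mshta-childproc.xml'   # temp path chosen for this example
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8
Set-ProcessMitigation -PolicyFilePath $policyPath

# Export the device's full exploit protection configuration for review or reuse.
Get-ProcessMitigation -RegistryConfigFilePath (Join-Path $env:TEMP 'ExploitProtection.xml')
```

This mitigation blocks all child process creation from mshta.exe, so test it against the line-of-business app that needs mshta.exe before enforcing; if that app itself relies on mshta.exe spawning helpers, application control with an explicit allow for the app is the better fit.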

Block Outlook from launching child processes

  • Applies to: Outlook
  • Processes:
    • outlook.exe
  • Operation: Process Execution
  • Examples of Files/Folders, Registry Keys/Values, Processes, or Services:
    • powershell.exe
  • Attack surface reduction rules:
  • Other recommended features:

Block Office apps from launching child processes

  • Applies to: Office
  • Processes:
    • excel.exe
    • powerpnt.exe
    • winword.exe
  • Operation: Process Execution
  • Examples of Files/Folders, Registry Keys/Values, Processes, or Services:
    • EQNEDT32.EXE
    • cmd.exe
    • mshta.exe
    • powershell.exe
    • regsvr32.exe
    • wscript.exe
  • Attack surface reduction rules:
  • Other recommended features: N/A

Block Office apps from creating executable content

  • Applies to: Office
  • Processes:
    • winword.exe
    • powerpnt.exe
    • excel.exe
  • Operation: File Creation
  • Examples of Files/Folders, Registry Keys/Values, Processes, or Services:
    • C:\ProgramData\*\*.com
    • C:\ProgramData\*\*.exe
    • C:\ProgramData\*\*.scf
    • C:\Users\*\AppData\Local\Temp\*\*.com
    • C:\Users\*\AppData\*\*.exe
    • C:\Users\*\AppData\*\*.scf
    • C:\Users\*\Desktop\*\*.exe
    • C:\Users\*\Downloads\*\*.exe
    • C:\Users\Public\*\*.exe
  • Attack surface reduction rules:

Block Wscript from reading certain types of files

  • Applies to: Wscript
  • Processes:
    • wscript.exe
  • Operation: File Read
  • Examples of Files/Folders, Registry Keys/Values, Processes, or Services:
    • C:\Users\*\AppData\*\*.js
    • C:\Users\*\Downloads\*\*.js
  • Attack surface reduction rules:
  • Other recommended features:
    • By default, the Antimalware Scan Interface (AMSI) can inspect various scripts in real time (for example, PowerShell, Windows Script Host, JavaScript, VBScript, and more). For more information, see Antimalware Scan Interface (AMSI).

Block launch of child processes

  • Applies to: Adobe Acrobat
  • Processes:
    • AcroRd32.exe
    • Acrobat.exe
  • Operation: Process Execution
  • Examples of Files/Folders, Registry Keys/Values, Processes, or Services:
    • cmd.exe
    • powershell.exe
    • wscript.exe
  • Attack surface reduction rules:
  • Other recommended features: N/A
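The five scenarios above (Outlook, Office apps and Adobe Acrobat launching child processes, Office apps creating executable content, and Wscript reading downloaded scripts) each map to a technique-level ASR rule. The following PowerShell is an added example, not from the Microsoft article: it records that mapping as a table and applies the whole set in audit mode in one call. The rule GUIDs are taken from Microsoft's published ASR rule reference rather than from this page; confirm them against that reference before deploying. It assumes an elevated session on a device with Microsoft Defender Antivirus; the exclusion path at the end is a placeholder.

```powershell
# Added example (not from the Microsoft article). Run elevated.
# HIPS scenario -> ASR rule mapping, applied in audit mode as a first migration step.
$HipsToAsr = @(
    [pscustomobject]@{ HipsScenario = 'Block Outlook from launching child processes'
        AsrRule = 'Block Office communication application from creating child processes'
        Id = '26190899-1602-49e8-8b27-eb1d0a1ce869' }
    [pscustomobject]@{ HipsScenario = 'Block Office apps from launching child processes'
        AsrRule = 'Block all Office applications from creating child processes'
        Id = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a' }
    [pscustomobject]@{ HipsScenario = 'Block Office apps from creating executable content'
        AsrRule = 'Block Office applications from creating executable content'
        Id = '3b576869-a4ec-4529-8536-b80a7769e899' }
    [pscustomobject]@{ HipsScenario = 'Block Wscript from reading certain types of files'
        AsrRule = 'Block JavaScript or VBScript from launching downloaded executable content'
        Id = 'd3e037e1-3eb8-44c8-a917-57927947596d' }
    [pscustomobject]@{ HipsScenario = 'Block launch of child processes (Adobe Acrobat)'
        AsrRule = 'Block Adobe Reader from creating child processes'
        Id = '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' }
)

# Print the mapping so it can be checked against the ASR rule reference.
$HipsToAsr | Format-Table HipsScenario, AsrRule, Id -AutoSize

# Stage 1: audit all five. The two parameters are parallel arrays, one action per ID.
$ids     = @($HipsToAsr.Id)
$actions = @('AuditMode') * $ids.Count
Add-MpPreference -AttackSurfaceReductionRules_Ids $ids `
                 -AttackSurfaceReductionRules_Actions $actions

# Stage 2: after reviewing audit events (ID 1122 in the Defender operational log),
# promote rules one at a time. Add-MpPreference updates just that rule's action;
# Set-MpPreference would replace the entire rule list.
# Add-MpPreference -AttackSurfaceReductionRules_Ids '26190899-1602-49e8-8b27-eb1d0a1ce869' `
#                  -AttackSurfaceReductionRules_Actions Enabled

# ASR exclusions apply to all rules, not to one rule. Exclude a specific binary,
# never a whole folder. Placeholder path below; substitute the real LOB executable.
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\ExampleVendor\LobTool.exe'
```

Unlike the HIPS rules being replaced, none of these ASR rules takes a list of child process names or file paths: the rule covers the technique (an Office process creating any child, any executable content) rather than the specific cmd.exe or powershell.exe indicators listed above, which is the point the article makes about ASR blocking techniques rather than IOCs.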

Block download or creation of executable content

  • Applies to: CertUtil
  • Processes:
    • certutil.exe
  • Operation: File Creation
  • Examples of Files/Folders, Registry Keys/Values, Processes, or Services:
    • *.exe
  • Attack surface reduction rules:
    • ASR rules don't support these scenarios because they're included in Microsoft Defender Antivirus protection.
  • Other recommended features:
    • Microsoft Defender Antivirus prevents CertUtil from creating or downloading executable content.

Block processes from stopping critical System components

  • Applies to: All Processes
  • Processes:
    • *
  • Operation: Process Termination
  • Examples of Files/Folders, Registry Keys/Values, Processes, or Services:
    • MsMpEng.exe
    • MsSense.exe
    • NisSrv.exe
    • csrss.exe
    • services.exe
    • smss.exe
    • svchost.exe
    • wininit.exe
    • and more
  • Attack surface reduction rules: ASR rules don't support these scenarios because they're included in Windows built-in security protections.
  • Other recommended features:

Block specific launch Process Attempt

  • Applies to: Specific processes
  • Processes: Specific processes
  • Operation: Process Execution
  • Examples of Files/Folders, Registry Keys/Values, Processes, or Services:
    • tor.exe
    • bittorrent.exe
    • cmd.exe
    • powershell.exe
    • and more
  • Attack surface reduction rules:
    • Overall, ASR rules aren't designed to act as an application manager.
  • Other recommended features:
    • To prevent users from launching specific processes or programs, use Application Control for Windows.
    • Although it isn't an application control mechanism, you can use Microsoft Defender for Endpoint indicators of compromise (IOCs) for files and certificates in incident response scenarios.

Block unauthorized changes to Microsoft Defender Antivirus configurations

  • Applies to: All Processes
  • Processes:
    • *
  • Operation: Registry Modifications
  • Examples of Files/Folders, Registry Keys/Values, Processes, or Services:
    • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
    • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\AllowRealTimeMonitoring
    • and more
  • Attack surface reduction rules: ASR rules don't support these scenarios because they're included in Microsoft Defender for Endpoint built-in protection.
  • Other recommended features:
    • Tamper protection in Microsoft Defender for Endpoint prevents unauthorized changes to the registry keys associated with Microsoft Defender Antivirus. For example:
      • DisableAntiVirus
      • DisableAntiSpyware
      • DisableRealtimeMonitoring
      • DisableOnAccessProtection
      • DisableBehaviorMonitoring
      • DisableIOAVProtection
      • and more
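Since the article hands this scenario to tamper protection rather than an ASR rule, the practical check during migration is whether tamper protection is actually on and whether any of the policy values above are already present. The following read-only script is an added example, not from the Microsoft article. It reads the protection state from Get-MpComputerStatus and then scans the Defender policy keys for the value names listed above. The `Real-Time Protection` subkey is where the Disable* real-time values normally live and is an assumption of this example; the other two key paths appear in the article.

```powershell
# Added example (not from the Microsoft article). Read-only; run elevated.
# 1. Current protection state as reported by the Defender engine.
function Get-DefenderProtectionState {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        TamperProtected     = $s.IsTamperProtected
        AntivirusEnabled    = $s.AntivirusEnabled
        RealTimeProtection  = $s.RealTimeProtectionEnabled
        OnAccessProtection  = $s.OnAccessProtectionEnabled
        BehaviorMonitoring  = $s.BehaviorMonitorEnabled
        IOAVProtection      = $s.IoavProtectionEnabled
    }
}
Get-DefenderProtectionState

# 2. Any of the watched policy values present under the Defender policy keys.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'  # assumed location
)
$watchedValues = @(
    'DisableAntiVirus', 'DisableAntiSpyware', 'DisableRealtimeMonitoring',
    'DisableOnAccessProtection', 'DisableBehaviorMonitoring', 'DisableIOAVProtection',
    'AllowRealTimeMonitoring'
)

function Get-DefenderPolicyFindings {
    foreach ($path in $policyKeys) {
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }                      # key absent: nothing configured there
        foreach ($name in $key.GetValueNames()) {
            if ($watchedValues -contains $name) {
                [pscustomobject]@{ Key = $key.Name; ValueName = $name; Data = $key.GetValue($name) }
            }
        }
    }
}
Get-DefenderPolicyFindings | Format-Table -AutoSize
```

A populated Disable* value on a device that reports TamperProtected = True is still worth a ticket: tamper protection stops the setting from taking effect, but the fact that something wrote it is the signal an analyst wants.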