Attackers who know which behaviors Attack Surface Reduction (ASR) rules block can adapt their tradecraft to avoid those rules and evade detection. SOC teams should proactively hunt for ASR audit and block events in Azure Sentinel to uncover adversary attempts to bypass ASR protections and to refine their defensive posture.
KQL Query
```kql
let AsrDescriptionTable = datatable(RuleDescription:string, RuleGuid:string)
[
"Block abuse of exploited vulnerable signed drivers","56a863a9-875e-4185-98a7-b882c64b5ce5",
"Block Adobe Reader from creating child processes","7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c",
"Block all Office applications from creating child processes","d4f940ab-401b-4efc-aadc-ad5f3c50688a",
"Block credential stealing from the Windows local security authority subsystem (lsass.exe)","9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2",
"Block executable content from email client and webmail","be9ba2d9-53ea-4cdc-84e5-9b1eeee46550",
"Block executable files from running unless they meet a prevalence, age, or trusted list criterion","01443614-cd74-433a-b99e-2ecdc07bfc25",
"Block execution of potentially obfuscated scripts","5beb7efe-fd9a-4556-801d-275e5ffc04cc",
"Block JavaScript or VBScript from launching downloaded executable content","d3e037e1-3eb8-44c8-a917-57927947596d",
"Block Office applications from creating executable content","3b576869-a4ec-4529-8536-b80a7769e899",
"Block Office applications from injecting code into other processes","75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84",
"Block Office communication application from creating child processes","26190899-1602-49e8-8b27-eb1d0a1ce869",
"Block persistence through WMI event subscription","e6db77e5-3df2-4cf1-b95a-636979351e5b",
"Block process creations originating from PSExec and WMI commands","d1e49aac-8f56-4280-b9ba-993a6d77406c",
"Block rebooting machine in Safe Mode (preview)","33ddedf1-c6e0-47cb-833e-de6133960387",
"Block untrusted and unsigned processes that run from USB","b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4",
"Block use of copied or impersonated system tools (preview)","c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb",
"Block Webshell creation for Servers","a8f5898e-1dc8-49a9-9878-85004b8a61e6",
"Block Win32 API calls from Office macro","92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b",
"Use advanced protection against ransomware","c1db55ab-c21a-4637-bb3f-a12568109d35",
];
// Query the DeviceEvents table for events whose ActionType starts with "Asr". This covers values such as
// AsrExecutableEmailContentAudited, AsrExecutableEmailContentBlocked, AsrOfficeChildProcessAudited, ...
DeviceEvents
| where ActionType startswith "Asr"
// The rule GUID is stored inside the AdditionalFields column (JSON), so it has to be extracted for the join.
// Extend the results with a new "RuleGuid" column populated from the RuleId value in the AdditionalFields JSON.
// tolower() keeps the value consistent, because the join matches string values: any upper-case GUIDs become
// lower-case. The same tolower() is applied to AsrDescriptionTable in the join statement below.
// Also extend the results with an "IsAudit" column from AdditionalFields, which tells us whether the event was
// blocked or merely audited.
| extend RuleGuid = tolower(tostring(parse_json(AdditionalFields).RuleId))
| extend IsAudit = parse_json(AdditionalFields).IsAudit
| project DeviceName, RuleGuid, DeviceId, IsAudit
// Join back to the table of rule descriptions and GUIDs defined above (applying tolower() for consistency)
// and output the summary counts.
// Both RuleDescription and RuleGuid are projected: a rule that is *NOT* in the table above yields a row with
// an empty description but with its GUID, so the missing rule can be found and added to the table.
| join kind = leftouter (AsrDescriptionTable | project RuleGuid = tolower(RuleGuid), RuleDescription) on RuleGuid
| summarize MachinesWithAuditEvents = dcountif(DeviceId, IsAudit == 1), MachinesWithBlockEvents = dcountif(DeviceId, IsAudit == 0), AllEvents = count() by RuleDescription, RuleGuid
```
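To make the extract, normalise, left-outer join and summarize steps of the query concrete outside a Sentinel workspace, here is an added Python example (not part of the original page or of the Microsoft hunting query) that replicates the same logic over a handful of constructed DeviceEvents-style rows. The GUIDs in the lookup come from the page's table; the device names, DeviceId values, ActionType strings and the `00000000-0000-4000-8000-000000000001` rule GUID are constructed placeholders, and the mixed-case GUID and the bool-versus-int `IsAudit` values are deliberately included to show why the query lower-cases the GUID and why an unmatched rule still yields a row.

```python
import json
from collections import defaultdict

# Subset of the page's AsrDescriptionTable: GUID -> human-friendly description.
ASR_DESCRIPTIONS = {
    "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2": "Block credential stealing from the Windows local security authority subsystem (lsass.exe)",
    "d4f940ab-401b-4efc-aadc-ad5f3c50688a": "Block all Office applications from creating child processes",
    "5beb7efe-fd9a-4556-801d-275e5ffc04cc": "Block execution of potentially obfuscated scripts",
}

# Constructed sample rows shaped like the DeviceEvents columns the query uses.
# The 00000000-... GUID is a placeholder for a rule not yet in the lookup table.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "DeviceId": "dev-1", "ActionType": "AsrLsassCredentialTheftBlocked",
     "AdditionalFields": '{"RuleId":"9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2","IsAudit":false}'},
    {"DeviceName": "ws02", "DeviceId": "dev-2", "ActionType": "AsrLsassCredentialTheftAudited",
     "AdditionalFields": '{"RuleId":"9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2","IsAudit":true}'},
    {"DeviceName": "ws02", "DeviceId": "dev-2", "ActionType": "AsrLsassCredentialTheftAudited",
     "AdditionalFields": '{"RuleId":"9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2","IsAudit":1}'},
    {"DeviceName": "ws03", "DeviceId": "dev-3", "ActionType": "AsrOfficeChildProcessBlocked",
     "AdditionalFields": '{"RuleId":"d4f940ab-401b-4efc-aadc-ad5f3c50688a","IsAudit":0}'},
    {"DeviceName": "ws04", "DeviceId": "dev-4", "ActionType": "AsrUnknownRuleBlocked",
     "AdditionalFields": '{"RuleId":"00000000-0000-4000-8000-000000000001","IsAudit":false}'},
    {"DeviceName": "ws05", "DeviceId": "dev-5", "ActionType": "NetworkConnection",
     "AdditionalFields": "{}"},
]


def extract_rule(event):
    """Mirror the query's two extend steps: lower-cased RuleGuid and a normalised IsAudit.

    Returns None when AdditionalFields carries no RuleId.
    """
    fields = json.loads(event.get("AdditionalFields") or "{}")
    rule_id = fields.get("RuleId")
    if rule_id is None:
        return None
    is_audit = fields.get("IsAudit")
    # Accept both JSON booleans and 0/1 integers (both appear in the constructed sample);
    # anything else is treated as unknown and counted in neither bucket.
    if isinstance(is_audit, (bool, int)) and is_audit in (0, 1):
        is_audit = int(is_audit)
    else:
        is_audit = None
    return {"DeviceId": event["DeviceId"], "RuleGuid": str(rule_id).lower(), "IsAudit": is_audit}


def summarize_asr(events, descriptions=ASR_DESCRIPTIONS):
    """Replicate the query: ActionType startswith 'Asr', left-outer join on the lookup,
    then distinct-device counts for audit and block events plus a total per rule."""
    audit_devices = defaultdict(set)
    block_devices = defaultdict(set)
    all_events = defaultdict(int)
    for ev in events:
        if not ev["ActionType"].startswith("Asr"):
            continue
        rec = extract_rule(ev)
        if rec is None:
            continue
        guid = rec["RuleGuid"]
        all_events[guid] += 1
        if rec["IsAudit"] == 1:
            audit_devices[guid].add(rec["DeviceId"])
        elif rec["IsAudit"] == 0:
            block_devices[guid].add(rec["DeviceId"])
    rows = []
    for guid in sorted(all_events):
        rows.append({
            # Left-outer semantics: an unknown GUID keeps its row with an empty description.
            "RuleDescription": descriptions.get(guid, ""),
            "RuleGuid": guid,
            "MachinesWithAuditEvents": len(audit_devices[guid]),
            "MachinesWithBlockEvents": len(block_devices[guid]),
            "AllEvents": all_events[guid],
        })
    return rows


def unknown_rules(rows):
    """GUIDs seen in telemetry but missing from the lookup, i.e. entries to add to AsrDescriptionTable."""
    return [r["RuleGuid"] for r in rows if not r["RuleDescription"]]


if __name__ == "__main__":
    result = summarize_asr(SAMPLE_EVENTS)
    for row in result:
        print(row)
    print("GUIDs to add to the lookup table:", unknown_rules(result))
```

Running it shows three summary rows: the lsass rule with one audited and one blocked machine across three events (the upper-case GUID and the integer `IsAudit` both fold into the same row), the Office child-process rule with one blocked machine, and the placeholder GUID with an empty description, which is exactly the signal the query's `leftouter` join is designed to surface when Microsoft ships a rule the lookup table does not yet know.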
id: 8ab60d62-b4a3-431b-8cd9-9a080213afc0
name: ExploitGuardAsrDescriptions
description: |
Expanding on DeviceEvents output with Attack Surface Reduction (ASR) rule descriptions.
The ActionType values of the ASR events already explain what rule was matched and if it was audited or blocked.
However, it could still be useful to have a more human-friendly description in the results.
Also, this query is a good example for how you could define your own lookup tables and join with them.
The events in the DeviceEvents table contain a GUID for the various ASR rules rather than a full description of the rule.
This query will create a table which has the description for each ASR rule as per https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.
This table is then joined to the output of a query against the DeviceEvents table and shows a summary count of the events by the newly defined description.
This query shows the ability to use joins and custom dimension tables.
See https://docs.loganalytics.io/docs/Language-Reference/Tabular-operators/join-operator for more information on the join syntax.
For more questions on this query, feel free to ping @FlyingBlueMonki on Twitter or [email protected] via email.
First, let's start by creating a table that maps rule descriptions to rule GUIDs.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceEvents
query: |
let AsrDescriptionTable = datatable(RuleDescription:string, RuleGuid:string)
[
"Block abuse of exploited vulnerable signed drivers","56a863a9-875e-4185-98a7-b882c64b5ce5",
"Block Adobe Reader from creating child processes","7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c",
"Block all Office applications from creating child processes","d4f940ab-401b-4efc-aadc-ad5f3c50688a",
"Block credential stealing from the Windows local security authority subsystem (lsass.exe)","9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2",
"Block executable content from email client and webmail","be9ba2d9-53ea-4cdc-84e5-9b1eeee46550",
"Block executable files from running unless they meet a prevalence, age, or trusted list criterion","01443614-cd74-433a-b99e-2ecdc07bfc25",
"Block execution of potentially obfuscated scripts","5beb7efe-fd9a-4556-801d-275e5ffc04cc",
"Block JavaScript or VBScript from launching downloaded executable content","d3e037e1-3eb8-44c8-a917-57927947596d",
"Block Office applications from creating executable content","3b576869-a4ec-4529-8536-b80a7769e899",
"Block Office applications from injecting code into other processes","75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84",
"Block Office communication application from creating child processes","26190899-1602-49e8-8b27-eb1d0a1ce869",
"Block persistence through WMI event subscription ","e6db77e5-3df2-4cf1-b95a-636979351e5b",
"Block process creations originating from PSExec and WMI commands","d1e49aac-8f56-4280-b9ba-993a6d77406c",
"Block rebooti
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task (e.g., Task Scheduler or PowerShell job) is performing routine system maintenance, such as disk cleanup or log rotation, which triggers an ASR rule related to file modification.
Filter/Exclusion: Exclude events where the process is svchost.exe or taskhost.exe and the task is known to be part of a scheduled maintenance plan (e.g., Cleanup-System-Files or Log-Backup).
Scenario: Admin Performing File Integrity Check
Description: An administrator is using a tool like Sysinternals Process Monitor or Windows Defender Offline Scan to check file integrity, which may trigger an ASR rule related to file access or modification.
Filter/Exclusion: Exclude events where the process is procmon.exe, msseces.exe, or microsoft-edge.exe and the user is a domain admin with elevated privileges.
Scenario: Software Update Deployment via SCCM
Description: A Software Center or SCCM (System Center Configuration Manager) update deployment is modifying files on endpoints, which may match an ASR rule related to file changes or execution.
Filter/Exclusion: Exclude events where the process is ccmexec.exe or msiexec.exe and the file path is within a known update directory (e.g., C:\Windows\Temp\ or C:\Program Files\Microsoft Configuration Manager\).
Scenario: User-Initiated File Copy or Move
Description: A user is manually copying or moving files using tools like Robocopy, xcopy, or File Explorer, which may trigger an ASR rule related to file operations.
Filter/Exclusion: Exclude events where the process is robocopy.exe,