Attack Surface Reduction Rules

Attack Surface Reduction (ASR) rules minimize the vulnerability footprint of the operating system by restricting application behaviors that are technically valid but statistically associated with malware execution chains.

Office & Productivity

Block Office applications from creating child processes
Prevents Office applications (Word, Excel, PowerPoint) from spawning independent child processes (e.g., cmd.exe, powershell.exe). This breaks the "macro-to-shell" infection chain common in maldocs.
GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a
Block Office applications from creating executable content
Restricts Office applications from writing executable binary files (.exe, .dll, .vbs) to the disk. This prevents macros from acting as "droppers" for second-stage payloads.
GUID: 3b576869-a4ec-4529-8536-b80a7769e899
Block Office applications from injecting code into other processes
Prevents Office processes from writing to the memory space of other running applications. This mitigates "process hollowing" techniques used to hide malicious activity inside trusted processes like explorer.exe.
GUID: 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84
Block Win32 API calls from Office macros
Restricts VBA macros from calling deep Windows APIs (Win32). Malware often uses these APIs to bypass sandbox restrictions or execute shellcode directly from memory.
GUID: 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b
Block Office communication application from creating child processes
Specifically targets Microsoft Outlook to prevent it from launching child processes. This mitigates exploits triggered via preview panes or social engineering attacks within email clients.
GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869

System & Credentials

Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Prevents unauthorized applications from reading the memory of the LSASS process. This directly mitigates tools like Mimikatz that attempt to dump NTLM hashes or Kerberos tickets from memory.
GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block persistence through WMI event subscription
Prevents malware from registering WMI (Windows Management Instrumentation) event consumers. This stops "fileless" persistence mechanisms that trigger malicious code execution based on system events (e.g., startup, uptime).
GUID: e6db77e5-3ade-4e6f-9552-72943e20e966
Block process creations originating from PSExec and WMI commands
Blocks processes launched remotely via PSExec or WMI. This effectively halts lateral movement within a local network by preventing remote code execution on the host.
GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c
Block abuse of exploited vulnerable signed drivers
Prevents the loading of legitimate, signed drivers known to contain security vulnerabilities. This mitigates "Bring Your Own Vulnerable Driver" (BYOVD) attacks used to gain kernel-level access.
GUID: 56a863a9-875e-4185-98a7-b882c64b5ce5

Execution & Scripts

Block execution of potentially obfuscated scripts
Uses the Antimalware Scan Interface (AMSI) to inspect script content (JS, VBS, PS1). If high-entropy obfuscation or evasion techniques are detected, execution is blocked immediately.
GUID: 5beb7efe-fd9a-4556-801d-275e5ffc04cc
Block JavaScript or VBScript from launching downloaded executable content
Prevents scripts running via wscript.exe or cscript.exe from executing files downloaded from the internet. This mitigates standard "downloader" trojans.
GUID: d3e037e1-3eb8-44c8-a917-57927947596d
Block untrusted and unsigned processes that run from USB
Restricts the execution of unsigned or untrusted executables located on removable USB media. This prevents infection from compromised drives or "rubber ducky" style attacks.
GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block executable files from running unless they meet a prevalence, age, or trusted list criterion
Blocks executable files that are new or unknown to the Microsoft Cloud. This "reputation-based" blocking is highly effective against unique, zero-day malware that has not yet been fingerprinted.
GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
Block executable content from email client and webmail
Prevents email clients from launching executable attachments directly. This covers standard executables (.exe, .dll, .scr) as well as script files (.js, .vbs, .ps1).
GUID: be9ba2d9-53ea-4cdc-84e5-9b1eeee46550
Block Adobe Reader from creating child processes
Prevents Adobe Acrobat Reader from launching external applications. This mitigates PDF-based exploits that attempt to break out of the reader to execute shellcode.
GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
Use advanced protection against ransomware
Applies stricter heuristic monitoring to file system operations, specifically looking for bulk encryption or modification patterns associated with ransomware activity.
GUID: c1db55ab-c21a-4637-bb3f-a12568109d35