Security – ASR-Rule Blocked/Audited Processes Details with Advanced Hunting KQL

Description of ASR-Rules

Attack Surface Reduction (ASR) rules in Microsoft Defender XDR are a set of security controls designed to minimize the attack surface of your organization by restricting behaviors commonly exploited by malware and adversaries. These rules help prevent actions such as launching executables from email or webmail, running obfuscated scripts, or allowing Office applications to create child processes.

Description of KQL

KQL (Kusto Query Language) is the query language used in Advanced Hunting within Microsoft Defender XDR. It allows security analysts to perform fast, flexible, and detailed searches across security data, such as device logs, alerts, user activities, and threat signals.

With KQL, you can:

    • Search across large datasets in real time
    • Identify patterns, anomalies, and suspicious behaviors
    • Correlate data from multiple sources (e.g., devices, identities, emails)
    • Create custom detections and dashboards

The KQL

This advanced hunting query identifies instances where an Attack Surface Reduction (ASR) rule was triggered. It searches for executable and script files blocked or audited by Defender's ASR rules across devices.

Key details returned include:

    • Timestamp and device name
    • Account that initiated the process
    • Blocked file name and path
    • Parent process name and command line
    • File hashes (SHA256, SHA1)
    • Action type and report ID

The query filters for common executable and script file types (e.g., .exe, .ps1, .dll, etc.) and sorts the results newest first.

//******************************************
//** 310 - Files_ASRRule_BlockedProcesses **
//** Date: 11.11.2024 **
//** Beat **
//******************************************
// ActionType BLOCKED
// - AsrLsassCredentialTheftBlocked (9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)
// - AsrVulnerableSignedDriverBlocked (56a863a9-875e-4185-98a7-b882c64b5ce5)
// - AsrOfficeCommAppChildProcessBlocked (d4f940ab-401b-4efc-aadc-ad5f3c50688a)
// - AsrOfficeMacroWin32ApiCallsBlocked (92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b)
// - AsrOfficeProcessInjectionBlocked (75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84)
// - AsrExecutableOfficeContentBlocked (3b576869-a4ec-4529-8536-b80a7769e899)
// - AsrPsexecWmiChildProcessBlocked (d1e49aac-8f56-4280-b9ba-993a6d77406c)
// - AsrUntrustedExecutableBlocked (01443614-cd74-433a-b99e-2ecdc07bfc25)
// - AsrUntrustedUsbProcessBlocked (b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4)
// - AsrAdobeReaderChildProcessBlocked (7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c)
// - AsrOfficeChildProcessBlocked (d4f940ab-401b-4efc-aadc-ad5f3c50688a)
// ActionType AUDITED
// - AsrLsassCredentialTheftAudited (9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)
// - AsrVulnerableSignedDriverAudited (56a863a9-875e-4185-98a7-b882c64b5ce5)
// - AsrOfficeCommAppChildProcessAudited (d4f940ab-401b-4efc-aadc-ad5f3c50688a)
// - AsrOfficeMacroWin32ApiCallsAudited (92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b)
// - AsrOfficeProcessInjectionAudited (75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84)
// - AsrExecutableOfficeContentAudited (3b576869-a4ec-4529-8536-b80a7769e899)
// - AsrPsexecWmiChildProcessAudited (d1e49aac-8f56-4280-b9ba-993a6d77406c)
// - AsrUntrustedExecutableAudited (01443614-cd74-433a-b99e-2ecdc07bfc25)
// - AsrUntrustedUsbProcessAudited (b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4)
// - AsrAdobeReaderChildProcessAudited (7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c)
// - AsrOfficeChildProcessAudited (d4f940ab-401b-4efc-aadc-ad5f3c50688a)
// Select the ActionType to hunt for; swap in any of the Blocked/Audited values listed above
let ActTypString = "AsrUntrustedExecutableBlocked";
DeviceEvents
| where ActionType == ActTypString
// Keep only executable and script file types; matches regex is case-sensitive, hence lnk|LNK
| where FileName matches regex @".*\.(exe|bat|cmd|vbs|js|ps1|dll|scr|com|cpl|accdb|lnk|LNK)$"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, ActionType, ReportId, SHA256, SHA1
// Newest events first
| sort by Timestamp desc
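The query above returns the row-level detail for one ASR rule at a time. The following variant is an added example, not part of the original post: it generalizes the same DeviceEvents filter to every Blocked and Audited ASR ActionType at once and summarizes hits per rule and mode, which is the view you want when deciding which audited rules are quiet enough to switch to block. The seven-day lookback, the case-insensitive `(?i)` regex flag and the five-sample limit in make_set are assumptions chosen for this example.

```kql
// Added example (not from the original post): overview of ASR rule hits per rule and mode
let lookback = 7d;                                   // assumption: review window
// Same file-type filter as the original query, made case-insensitive with (?i) (RE2 syntax)
let exeRegex = @"(?i).*\.(exe|bat|cmd|vbs|js|ps1|dll|scr|com|cpl|accdb|lnk)$";
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType startswith "Asr"
| where ActionType endswith "Blocked" or ActionType endswith "Audited"
| where FileName matches regex exeRegex
// Split the ActionType into the rule name and the enforcement mode
| extend Mode = iff(ActionType endswith "Blocked", "Blocked", "Audited")
| extend AsrRule = replace_regex(ActionType, @"(Blocked|Audited)$", "")
| summarize Hits = count(),
            Devices = dcount(DeviceName),
            LastSeen = max(Timestamp),
            SampleFiles = make_set(FileName, 5),   // assumption: five examples per rule is enough for triage
            SampleParents = make_set(InitiatingProcessFileName, 5)
    by AsrRule, Mode
| sort by Mode asc, Hits desc
```

Run it in Advanced Hunting as-is; an Audited rule with few hits, few devices and benign SampleParents is a candidate for block mode, while one with many hits across many devices needs exclusions or a closer look with the row-level query above before enforcement.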
