{
	"id": "f0743004-afbb-4f09-947a-a1ad8edc4874",
	"created_at": "2026-04-06T03:36:55.194378Z",
	"updated_at": "2026-04-10T03:24:29.460245Z",
	"deleted_at": null,
	"sha1_hash": "f22d8bc05b9aa6066d3f610038ee493c8eecdd54",
	"title": "Attack surface reduction rules reference - Microsoft Defender for Endpoint",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 189806,
	"plain_text": "Attack surface reduction rules reference - Microsoft Defender for\r\nEndpoint\r\nBy limwainstein\r\nArchived: 2026-04-06 03:31:55 UTC\r\nThis article provides information about Microsoft Defender for Endpoint attack surface reduction rules (ASR\r\nrules):\r\nASR rules supported operating system versions\r\nASR rules supported configuration management systems\r\nPer ASR rule alert and notification details\r\nASR rule to GUID matrix\r\nASR rule modes\r\nPer-rule-descriptions\r\nImportant\r\nSome information in this article relates to a prereleased product which may be substantially modified before it's\r\ncommercially released. Microsoft makes no warranties, expressed or implied, with respect to the information\r\nprovided here.\r\nWindows\r\nAttack surface reduction rules are categorized as one of two types:\r\nStandard protection rules: Are the minimum set of rules which Microsoft recommends you always\r\nenable, while you're evaluating the effect and configuration needs of the other ASR rules. 
These rules\r\ntypically have minimal-to-no noticeable effect on the end user.\r\nOther rules: Rules that require some measure of following the documented deployment steps [Plan \u003e Test\r\n(audit) \u003e Enable (block/warn modes)], as documented in the Attack surface reduction rules deployment\r\nguide.\r\nFor the easiest method to enable the standard protection rules, see Simplified standard protection option.\r\nASR rule name\r\nStandard\r\nprotection\r\nrule?\r\nOther\r\nrule?\r\nBlock abuse of exploited vulnerable signed drivers Yes\r\nBlock Adobe Reader from creating child processes¹ Yes\r\nhttps://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-execution-of-potentially-obfuscated-scripts\r\nPage 1 of 21\n\nBlock all Office applications from creating child processes Yes\r\nBlock credential stealing from the Windows local security authority subsystem\r\n(lsass.exe)¹ ²\r\nYes\r\nBlock executable content from email client and webmail Yes\r\nBlock executable files from running unless they meet a prevalence, age, or trusted list\r\ncriterion³\r\nYes\r\nBlock execution of potentially obfuscated scripts Yes\r\nBlock JavaScript or VBScript from launching downloaded executable content Yes\r\nBlock Office applications from creating executable content¹ Yes\r\nBlock Office applications from injecting code into other processes¹ ² Yes\r\nBlock Office communication application from creating child processes¹ Yes\r\nBlock persistence through WMI event subscription Yes\r\nBlock process creations originating from PSExec and WMI commands¹ Yes\r\nBlock rebooting machine in Safe Mode Yes\r\nBlock untrusted and unsigned processes that run from USB Yes\r\nBlock use of copied or impersonated system tools Yes\r\nBlock Webshell creation for Servers Yes\r\nBlock Win32 API calls from Office macros⁴ Yes\r\nUse advanced protection 
against ransomware Yes\r\n¹ This ASR rule doesn't honor Microsoft Defender Antivirus exclusions. For information about configuring ASR\r\nper-rule exclusions, see Configure attack surface reduction per-rule exclusions.\r\n² This ASR rule doesn't honor Microsoft Defender for Endpoint Indicators of Compromise (IOC) for files or\r\ncertificates.\r\n³ Currently, this ASR rule might not be available in the Intune Attack Surface Reduction policy configuration due\r\nto a known backend issue. But, the rule still exists and is available through other methods. For example, Microsoft\r\nDefender for Endpoint security settings management, Configuration Service Provider (CSP), Add-MpPreference,\r\nor existing Intune ASR policy configuration in rules created before the issue.\r\n⁴ This ASR rule doesn't honor Microsoft Defender for Endpoint Indicators of Compromise (IOC) for certificates.\r\nThe following table lists the supported operating systems for rules that are currently released to general\r\navailability. The rules are listed in alphabetical order in this table.\r\nNote\r\nUnless otherwise indicated, the minimum Windows 10 build is version 1709 (RS3, build 16299) or later; the\r\nminimum Windows Server build is version 1809 or later. Attack surface reduction rules in Windows Server 2012\r\nR2 and Windows Server 2016 are available for devices onboarded using the modern unified solution package. 
For\r\nmore information, see New Windows Server 2012 R2 and 2016 functionality in the modern unified solution.\r\nRule name\r\nWindows 10 and\r\n11\r\nWindows Server\r\nversion 1803, 2019, and\r\nlater\r\nWindows Server\r\n2016 and 2012 R2\r\nBlock abuse of exploited\r\nvulnerable signed drivers\r\nY\r\nY\r\nWindows 10 version\r\n1803 (Semi-Annual\r\nEnterprise Channel) or\r\nlater\r\nY\r\nBlock Adobe Reader from creating\r\nchild processes\r\nY\r\nWindows 10\r\nversion 1809 or\r\nlater\r\nY Y\r\nBlock all Office applications from\r\ncreating child processes\r\nY Y Y\r\nBlock credential stealing from the\r\nWindows local security authority\r\nsubsystem (lsass.exe)\r\nY\r\nWindows 10\r\nversion 1803 or\r\nlater\r\nY Y\r\nBlock executable content from\r\nemail client and webmail\r\nY Y Y\r\nBlock executable files from\r\nrunning unless they meet a\r\nprevalence, age, or trusted list\r\ncriterion*\r\nY\r\nWindows 10\r\nversion 1803 or\r\nlater\r\nY Y\r\nBlock execution of potentially\r\nobfuscated scripts\r\nY Y Y\r\nBlock JavaScript or VBScript from\r\nlaunching downloaded executable\r\ncontent\r\nY Y N\r\nBlock Office applications from\r\ncreating executable content\r\nY Y Y\r\nBlock Office applications from\r\ninjecting code into other processes\r\nY Y Y\r\nBlock Office communication\r\napplication from creating child\r\nprocesses\r\nY Y Y\r\nBlock persistence through\r\nWindows Management\r\nInstrumentation (WMI) event\r\nsubscription\r\nY\r\nWindows 10\r\nversion 1903\r\n(build 18362) or\r\nlater\r\nY\r\nWindows 10 version\r\n1903 (build 18362) or\r\nlater\r\nN\r\nBlock process creations originating\r\nfrom PSExec and WMI 
commands\r\nY\r\nWindows 10\r\nversion 1803 or\r\nlater\r\nY Y\r\nBlock rebooting machine in Safe\r\nMode\r\nY Y Y\r\nBlock untrusted and unsigned\r\nprocesses that run from USB\r\nY Y Y\r\nBlock use of copied or\r\nimpersonated system tools\r\nY Y Y\r\nBlock Webshell creation for\r\nServers\r\nN\r\nY\r\nExchange role only\r\nY on Windows\r\nServer 2016\r\nExchange role\r\nonly\r\nN on Windows\r\nServer 2012 R2\r\nBlock Win32 API calls from Office\r\nmacros\r\nY N N\r\nUse advanced protection against\r\nransomware\r\nY\r\nWindows 10\r\nversion 1803 or\r\nlater\r\nY Y\r\n*\r\n Currently, this ASR rule might not be available in the Intune Attack Surface Reduction policy configuration due\r\nto a known backend issue. But, the rule still exists and is available through other methods. 
For example, Microsoft\r\nDefender for Endpoint security settings management, Configuration Service Provider (CSP), Add-MpPreference,\r\nor existing Intune ASR policy configuration in rules created before the issue.\r\nNote\r\nFor Windows Server 2012 R2 and Windows Server 2016, see Onboard Windows Server 2016 and\r\nWindows Server 2012 R2.\r\nIf you're using Configuration Manager, the minimum required version of Microsoft Configuration Manager\r\nis version 2111 (December 2021).\r\nLinks to information about configuration management system versions referenced in this table are listed below\r\nthis table.\r\nRule name\r\nMicrosoft\r\nIntune\r\nMicrosoft\r\nConfiguration\r\nManager\r\nGroup\r\nPolicy[1] PowerShell[1]\r\nBlock abuse of exploited vulnerable\r\nsigned drivers\r\nY Y Y\r\nBlock Adobe Reader from creating\r\nchild processes\r\nY Y Y\r\nBlock all Office applications from\r\ncreating child processes\r\nY\r\nY\r\nCurrent Branch\r\n(CB) 1710\r\nY Y\r\nBlock credential stealing from the\r\nWindows local security authority\r\nsubsystem (lsass.exe)\r\nY\r\nY\r\nCB 1802\r\nY Y\r\nBlock executable content from email\r\nclient and webmail\r\nY\r\nY\r\nCB 1710\r\nY\r\nBlock executable files from running\r\nunless they meet a prevalence, age,\r\nor trusted list criterion*\r\nY\r\nY\r\nCB 1802\r\nY Y\r\nBlock execution of potentially\r\nobfuscated scripts\r\nY\r\nY\r\nCB 1710\r\nY Y\r\nBlock JavaScript or VBScript from\r\nlaunching downloaded executable\r\ncontent\r\nY\r\nY\r\nCB 1710\r\nY Y\r\nBlock Office applications from\r\ncreating executable content\r\nY\r\nY\r\nCB 1710\r\nY Y\r\nBlock Office applications from\r\ninjecting code into other 
processes\r\nY\r\nY\r\nCB 1710\r\nY Y\r\nBlock Office communication\r\napplication from creating child\r\nprocesses\r\nY\r\nY\r\nCB 1710\r\nY Y\r\nBlock persistence through WMI\r\nevent subscription\r\nY Y Y\r\nBlock process creations originating\r\nfrom PSExec and WMI commands\r\nY Y Y\r\nBlock rebooting machine in Safe\r\nMode\r\nY Y Y\r\nBlock untrusted and unsigned\r\nprocesses that run from USB\r\nY\r\nY\r\nCB 1802\r\nY Y\r\nBlock use of copied or impersonated\r\nsystem tools\r\nY Y Y\r\nBlock Webshell creation for Servers Y Y Y\r\nBlock Win32 API calls from Office\r\nmacros\r\nY\r\nY\r\nCB 1710\r\nY Y\r\nUse advanced protection against\r\nransomware\r\nY\r\nY\r\nCB 1802\r\nY Y\r\n(1) You can configure attack surface reduction rules on a per-rule basis by using any rule's GUID.\r\n*\r\n Currently, this ASR rule might not be available in the Intune Attack Surface Reduction policy configuration due\r\nto a known backend issue. But, the rule still exists and is available through other methods. For example, Microsoft\r\nDefender for Endpoint security settings management, Configuration Service Provider (CSP), Add-MpPreference,\r\nor existing Intune ASR policy configuration in rules created before the issue.\r\nConfiguration Manager CB 1710\r\nConfiguration Manager CB 1802\r\nMicrosoft Configuration Manager CB 1710\r\nSystem Center Configuration Manager (SCCM) CB 1710\r\nSCCM is now Microsoft Configuration Manager.\r\nToast notifications are generated for all rules in Block mode. 
Rules in any other mode don't generate toast\r\nnotifications.\r\nFor rules with the \"Rule State\" specified:\r\nASR rules with \u003cASR Rule, Rule State\u003e combinations are used to surface alerts (toast notifications) on\r\nMicrosoft Defender for Endpoint only for devices set at the cloud block level High.\r\nDevices that aren't set at the cloud block level High don't generate alerts for any ASR Rule, Rule State\r\ncombinations.\r\nEndpoint Detection and Response (EDR) alerts are generated for ASR rules in the specified states, for\r\ndevices set at the cloud block level High+.\r\nToast notifications occur in block mode only and for devices set at the cloud block level High.\r\nRule name Rule state EDR alerts\r\nToast\r\nnotifications\r\nBlock abuse of exploited vulnerable signed drivers N Y\r\nBlock Adobe Reader from creating child processes Block Y Y\r\nBlock all Office applications from creating child processes N Y\r\nBlock credential stealing from the Windows local security\r\nauthority subsystem (lsass.exe)\r\nN N\r\nBlock executable content from email client and webmail\r\nAudit or\r\nBlock\r\nY (in block\r\nmode)\r\nN (in audit\r\nmode)\r\nY (in block\r\nmode)\r\nBlock executable files from running unless they meet a\r\nprevalence, age, or trusted list criterion*\r\nN Y\r\nBlock execution of potentially obfuscated scripts Y\r\nY (in block\r\nmode)\r\nBlock JavaScript or VBScript from launching downloaded\r\nexecutable content\r\nBlock Y Y\r\nBlock Office applications from creating executable content N Y\r\nBlock Office applications from injecting code into other\r\nprocesses\r\nN Y\r\nBlock Office communication application from creating\r\nchild processes\r\nN Y\r\nBlock persistence through WMI event subscription Y\r\nY (in block\r\nmode)\r\nBlock process 
creations originating from PSExec and\r\nWMI commands\r\nN Y\r\nBlock rebooting machine in Safe Mode N N\r\nBlock untrusted and unsigned processes that run from\r\nUSB\r\nY\r\nY (in block\r\nmode)\r\nBlock use of copied or impersonated system tools N\r\nY (in block\r\nmode)\r\nBlock Webshell creation for Servers N N\r\nBlock Win32 API calls from Office macros N Y\r\nUse advanced protection against ransomware Y\r\nY (in block\r\nmode)\r\n*\r\n Currently, this ASR rule might not be available in the Intune Attack Surface Reduction policy configuration due\r\nto a known backend issue. But, the rule still exists and is available through other methods. For example, Microsoft\r\nDefender for Endpoint security settings management, Configuration Service Provider (CSP), Add-MpPreference,\r\nor existing Intune ASR policy configuration in rules created before the issue.\r\nRule Name Rule GUID\r\nBlock abuse of exploited vulnerable signed drivers\r\n56a863a9-875e-4185-98a7-b882c64b5ce5\r\nBlock Adobe Reader from creating child processes\r\n7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c\r\nBlock all Office applications from creating child processes\r\nd4f940ab-401b-4efc-aadc-ad5f3c50688a\r\nBlock credential stealing from the Windows local security authority\r\nsubsystem (lsass.exe)\r\n9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2\r\nBlock executable content from email client and webmail\r\nbe9ba2d9-53ea-4cdc-84e5-9b1eeee46550\r\nBlock executable files from running unless they meet a prevalence, age,\r\nor trusted list criterion*\r\n01443614-cd74-433a-b99e-2ecdc07bfc25\r\nBlock execution of potentially obfuscated scripts\r\n5beb7efe-fd9a-4556-801d-275e5ffc04cc\r\nBlock JavaScript or VBScript from launching downloaded 
executable\r\ncontent\r\nd3e037e1-3eb8-44c8-a917-57927947596d\r\nBlock Office applications from creating executable content\r\n3b576869-a4ec-4529-8536-b80a7769e899\r\nBlock Office applications from injecting code into other processes\r\n75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84\r\nBlock Office communication application from creating child processes\r\n26190899-1602-49e8-8b27-eb1d0a1ce869\r\nBlock persistence through WMI event subscription\r\n* File and folder exclusions not supported.\r\ne6db77e5-3df2-4cf1-b95a-636979351e5b\r\nBlock process creations originating from PSExec and WMI commands\r\nd1e49aac-8f56-4280-b9ba-993a6d77406c\r\nBlock rebooting machine in Safe Mode\r\n33ddedf1-c6e0-47cb-833e-de6133960387\r\nBlock untrusted and unsigned processes that run from USB\r\nb2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4\r\nBlock use of copied or impersonated system tools\r\nc0033c00-d16d-4114-a5a0-dc9b3a7d2ceb\r\nBlock Webshell creation for Servers\r\na8f5898e-1dc8-49a9-9878-85004b8a61e6\r\nBlock Win32 API calls from Office macros\r\n92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b\r\nUse advanced protection against ransomware\r\nc1db55ab-c21a-4637-bb3f-a12568109d35\r\n*\r\n Currently, this ASR rule might not be available in the Intune Attack Surface Reduction policy configuration due\r\nto a known backend issue. But, the rule still exists and is available through other methods. 
For example, Microsoft\r\nDefender for Endpoint security settings management, Configuration Service Provider (CSP), Add-MpPreference,\r\nor existing Intune ASR policy configuration in rules created before the issue.\r\nRule mode Code Description\r\nNot configured or\r\nDisabled\r\n0 The ASR rule isn't enabled or is disabled.\r\nBlock 1 The ASR rule is enabled in block mode.\r\nAudit 2\r\nThe ASR rule is evaluated for the effect on the environment if enabled in\r\nBlock or Warn mode.\r\nWarn 6\r\nThe ASR rule is enabled and presents a notification to the user, but the\r\nuser can bypass the block.\r\nWarn is a type of block that alerts users to potentially risky actions via a warning pop-up. Users can select OK to\r\nenforce the block, or select Unblock to bypass the block for the next 24 hours. After 24 hours, the user needs to\r\nallow the block again.\r\nWarn mode for ASR rules is supported only in Windows 10 version 1809 or later. Older versions of Windows 10\r\nwith a Warn mode rule assigned are effectively in Block mode.\r\nIn PowerShell, you can create an ASR rule in warn mode by specifying the AttackSurfaceReductionRules_Actions\r\nparameter with the value Warn. 
For example:\r\nAdd-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Warn\r\nNote\r\nTo protect your environment from vulnerable drivers, you should first implement these methods:\r\nFor Windows 10 or later, Windows Server 2016 or later using Microsoft App Control for Business, you\r\nshould block all drivers by default and only allow drivers that you deem necessary and aren't known to be\r\nvulnerable.\r\nFor Windows 8.1 or older, Windows Server 2012 R2 or older, using Microsoft AppLocker, you should\r\nblock all drivers by default and only allow drivers that you deem necessary and aren't known to be\r\nvulnerable.\r\nFor Windows 11 or later, and Windows Server core 1809 or later, or Windows Server 2019 or later, you\r\nshould also enable Microsoft Windows vulnerable driver block list. Then, as another layer of defense, you\r\nshould enable this attack surface reduction rule.\r\nThis rule prevents an application from writing a vulnerable signed driver to disk. In the wild, local applications\r\nwith sufficient privileges can exploit vulnerable signed drivers to gain access to the kernel. Vulnerable signed\r\ndrivers enable attackers to disable or circumvent security solutions, eventually leading to system compromise.\r\nThe Block abuse of exploited vulnerable signed drivers rule doesn't block a driver already existing on the\r\nsystem from being loaded.\r\nIntune Name: Block abuse of exploited vulnerable signed drivers\r\nConfiguration Manager name: Not yet available\r\nGUID: 56a863a9-875e-4185-98a7-b882c64b5ce5\r\nAdvanced hunting action type:\r\nAsrVulnerableSignedDriverAudited\r\nAsrVulnerableSignedDriverBlocked\r\nThis rule prevents attacks by blocking Adobe Reader from creating processes.\r\nMalware can download and launch payloads and break out of Adobe Reader through social engineering or\r\nexploits. 
By blocking Adobe Reader from generating child processes, malware attempting to use Adobe Reader as\r\nan attack vector is prevented from spreading.\r\nIntune name: Process creation from Adobe Reader (beta)\r\nConfiguration Manager name: Not yet available\r\nGUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c\r\nAdvanced hunting action type:\r\nAsrAdobeReaderChildProcessAudited\r\nAsrAdobeReaderChildProcessBlocked\r\nDependencies: Microsoft Defender Antivirus\r\nThis rule blocks Office apps from creating child processes. Office apps include Word, Excel, PowerPoint,\r\nOneNote, and Access.\r\nCreating malicious child processes is a common malware strategy. Malware that abuses Office as a vector often\r\nruns VBA macros and exploit code to download and attempt to run more payloads. However, some legitimate\r\nline-of-business applications might also generate child processes for benign purposes. For example, spawning a\r\nCommand Prompt or using PowerShell to configure registry settings.\r\nIntune name: Office apps launching child processes\r\nConfiguration Manager name: Block Office application from creating child processes\r\nGUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a\r\nAdvanced hunting action type:\r\nAsrOfficeChildProcessAudited\r\nAsrOfficeChildProcessBlocked\r\nDependencies: Microsoft Defender Antivirus\r\nNote\r\nIf you have LSA protection enabled, this attack surface reduction rule isn't required. 
For a more secure posture, we\r\nalso recommend enabling Credential Guard with the LSA protection.\r\nIf the LSA protection is enabled, the ASR rule is classified as not applicable in Defender for Endpoint\r\nmanagement settings in the Microsoft Defender portal.\r\nThis rule helps prevent credential stealing by locking down Local Security Authority Subsystem Service (LSASS).\r\nLSASS authenticates users who sign in on a Windows computer. Credential Guard in Windows normally prevents\r\nattempts to extract credentials from LSASS. Some organizations can't enable Credential Guard on all of their\r\ncomputers because of compatibility issues with custom smartcard drivers or other programs that load into the\r\nLocal Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext\r\npasswords and NTLM hashes from LSASS.\r\nBy default, the state of this rule is set to not configured (disabled). In most cases, many processes make calls to\r\nLSASS for access rights that aren't needed. For example, when the initial block from the ASR rule results in a\r\nsubsequent call for a lesser privilege that succeeds. For information about the types of rights that are typically\r\nrequested in process calls to LSASS, see Process Security and Access Rights.\r\nEnabling this rule doesn't provide extra protection if you have LSA protection enabled since the ASR rule and\r\nLSA protection work similarly. However, if you can't enable LSA protection, you can configure this rule to\r\nprovide equivalent protection against malware that targets lsass.exe.\r\nTip\r\nASR audit events don't generate toast notifications. The LSASS ASR rule produces a large volume of audit\r\nevents, almost all of which are safe to ignore when the rule is enabled in block mode. 
You can choose to\r\nskip the audit mode evaluation and proceed to block mode deployment. We recommend starting with a\r\nsmall set of devices and gradually expanding to cover the rest.\r\nThe rule is designed to suppress block reports/toasts for friendly processes. It's also designed to drop\r\nreports for duplicate blocks. As such, the rule is well suited to be enabled in block mode, irrespective of\r\nwhether toast notifications are enabled or disabled.\r\nASR in warn mode is designed to present users with a block toast notification that includes an \"Unblock\"\r\nbutton. Due to the \"safe to ignore\" nature of LSASS ASR blocks and their large volume, WARN mode isn't\r\nadvisable for this rule (irrespective of whether toast notifications are enabled or disabled).\r\nThis rule is designed to block processes from accessing LSASS.EXE process memory. It doesn't block\r\nthem from running. If you see processes like svchost.exe being blocked, they're only being blocked from accessing\r\nLSASS process memory. Thus, svchost.exe and other processes can be safely ignored. The one exception is\r\nin the following known issues.\r\nNote\r\nIn this scenario, the ASR rule is classified as \"not applicable\" in Defender for Endpoint settings in the Microsoft\r\nDefender portal.\r\nThe Block credential stealing from the Windows local security authority subsystem ASR rule doesn't support warn\r\nmode.\r\nIn some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions.\r\nThis rule denies the app's process open action and logs the details to the security event log. This rule can generate\r\na lot of noise. If you have an app that simply enumerates LSASS, but has no real effect in functionality, there's\r\nno need to add it to the exclusion list. 
By itself, this event log entry doesn't necessarily indicate a malicious threat.\r\nIntune name: Flag credential stealing from the Windows local security authority subsystem\r\nConfiguration Manager name: Block credential stealing from the Windows local security authority\r\nsubsystem\r\nGUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2\r\nAdvanced hunting action type:\r\nAsrLsassCredentialTheftAudited\r\nAsrLsassCredentialTheftBlocked\r\nDependencies: Microsoft Defender Antivirus\r\nKnown issues: These applications are incompatible with the \"Block credential stealing from the Windows local security authority\r\nsubsystem\" rule:\r\nApplication name For information\r\nQuest Dirsync\r\nPassword Sync\r\nDirsync Password Sync isn't working when Windows Defender is installed, error:\r\n\"VirtualAllocEx failed: 5\" (4253914)\r\nFor technical support, contact the software publisher.\r\nThis rule blocks email opened within the Microsoft Outlook application, or Outlook.com and other popular\r\nwebmail providers from propagating the following file types:\r\nExecutable files (such as .exe, .dll, or .scr)\r\nScript files (such as a PowerShell .ps1, Visual Basic .vbs, or JavaScript .js file)\r\nArchive files (such as .zip and others)\r\nIntune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) 
dropped from email\r\n(webmail/mail client) (no exceptions)\r\nMicrosoft Configuration Manager name: Block executable content from email client and webmail\r\nGUID: be9ba2d9-53ea-4cdc-84e5-9b1eeee46550\r\nAdvanced hunting action type:\r\nAsrExecutableEmailContentAudited\r\nAsrExecutableEmailContentBlocked\r\nDependencies: Microsoft Defender Antivirus\r\nNote\r\nThe rule Block executable content from email client and webmail has the following alternative descriptions,\r\ndepending on which application you use:\r\nIntune (Configuration Profiles): Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from\r\nemail (webmail/mail client) (no exceptions).\r\nConfiguration Manager: Block executable content download from email and webmail clients.\r\nGroup Policy: Block executable content from email client and webmail.\r\nTip\r\n*\r\n Currently, this ASR rule might not be available in the Intune Attack Surface Reduction policy configuration due\r\nto a known backend issue. But, the rule still exists and is available through other methods. For example, Microsoft\r\nDefender for Endpoint security settings management, Configuration Service Provider (CSP), Add-MpPreference,\r\nor existing Intune ASR policy configuration in rules created before the issue.\r\nThis rule blocks executable files, such as .exe, .dll, or .scr, from launching. Launching untrusted or unknown\r\nexecutable files can be risky, as it might not be initially clear if the files are malicious.\r\nImportant\r\nYou must enable cloud-delivered protection to use this rule. This rule uses cloud-delivered protection to update its\r\ntrusted list regularly. You can specify individual files or folders by using folder paths or fully qualified resource\r\nnames. 
It also supports the ASROnlyPerRuleExclusions setting.\r\nIntune name: Executables that don't meet a prevalence, age, or trusted list criteria\r\nConfiguration Manager name: Block executable files from running unless they meet a prevalence, age,\r\nor trusted list criteria\r\nGUID: 01443614-cd74-433a-b99e-2ecdc07bfc25\r\nAdvanced hunting action type:\r\nAsrUntrustedExecutableAudited\r\nAsrUntrustedExecutableBlocked\r\nDependencies: Microsoft Defender Antivirus, Cloud Protection\r\nThis rule detects suspicious properties within an obfuscated script.\r\nNote\r\nPowerShell scripts are now supported for the \"Block execution of potentially obfuscated scripts\" rule.\r\nImportant\r\nYou must enable cloud-delivered protection to use this rule.\r\nScript obfuscation is a common technique that both malware authors and legitimate applications use to hide\r\nintellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious\r\ncode harder to read, which hampers close scrutiny by humans and security software.\r\nIntune name: Obfuscated js/vbs/ps/macro code\r\nConfiguration Manager name: Block execution of potentially obfuscated scripts\r\nGUID: 5beb7efe-fd9a-4556-801d-275e5ffc04cc\r\nAdvanced hunting action type:\r\nAsrObfuscatedScriptAudited\r\nAsrObfuscatedScriptBlocked\r\nDependencies: Microsoft Defender Antivirus, Anti-malware Scan Interface (AMSI), Cloud Protection\r\nThis rule prevents scripts from launching potentially malicious downloaded content. Malware written in\r\nJavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet. 
Although\r\nnot common, line-of-business applications sometimes use scripts to download and launch installers.\r\nIntune name: js/vbs executing payload downloaded from Internet (no exceptions)\r\nConfiguration Manager name: Block JavaScript or VBScript from launching downloaded executable\r\ncontent\r\nGUID: d3e037e1-3eb8-44c8-a917-57927947596d\r\nAdvanced hunting action type:\r\nAsrScriptExecutableDownloadAudited\r\nAsrScriptExecutableDownloadBlocked\r\nDependencies: Microsoft Defender Antivirus, AMSI\r\nThis rule prevents Office apps, including Word, Excel, and PowerPoint, from being used as a vector to persist\r\nmalicious code on disk. Malware that abuses Office as a vector might attempt to save malicious components to\r\ndisk that would survive a computer reboot and persist on the system. This rule defends against this persistence\r\ntechnique by blocking access (open/execute) to the code written to disk. This rule also blocks execution of\r\nuntrusted files that might have been saved by Office macros that are allowed to run in Office files.\r\nIntune name: Office apps/macros creating executable content\r\nConfiguration Manager name: Block Office applications from creating executable content\r\nGUID: 3b576869-a4ec-4529-8536-b80a7769e899\r\nAdvanced hunting action type:\r\nAsrExecutableOfficeContentAudited\r\nAsrExecutableOfficeContentBlocked\r\nDependencies: Microsoft Defender Antivirus, RPC\r\nThis rule blocks code injection attempts from Office apps into other processes.\r\nNote\r\nThe Block Office applications from injecting code into other processes ASR rule doesn't support WARN mode.\r\nImportant\r\nThis rule requires restarting Microsoft 365 Apps (Office applications) for the configuration changes to take effect.\r\nAttackers might attempt to use Office apps to 
migrate malicious code into other processes through code injection,\r\nso the code can masquerade as a clean process. There are no known legitimate business purposes for using code\r\ninjection.\r\nThis rule applies to Word, Excel, OneNote, and PowerPoint.\r\nIntune name: Office apps injecting code into other processes (no exceptions)\r\nConfiguration Manager name: Block Office applications from injecting code into other processes\r\nGUID: 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84\r\nAdvanced hunting action type:\r\nAsrOfficeProcessInjectionAudited\r\nAsrOfficeProcessInjectionBlocked\r\nDependencies: Microsoft Defender Antivirus\r\nKnown issues: These applications and the \"Block Office applications from injecting code into other processes\" rule\r\nare incompatible:\r\nApplication name | For information\r\nAvecto (BeyondTrust) Privilege Guard | September-2024 (Platform: 4.18.24090.11 | Engine 1.1.24090.11).\r\nHeimdal security | n/a\r\nFor technical support, contact the software publisher.\r\nThis rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions. This\r\nrule protects against social engineering attacks and prevents exploiting code from abusing vulnerabilities in\r\nOutlook. 
It also protects against Outlook rules and forms exploits that attackers can use when a user's credentials\r\nare compromised.\r\nIntune name: Process creation from Office communication products (beta)\r\nConfiguration Manager name: Not available\r\nGUID: 26190899-1602-49e8-8b27-eb1d0a1ce869\r\nAdvanced hunting action type:\r\nAsrOfficeCommAppChildProcessAudited\r\nAsrOfficeCommAppChildProcessBlocked\r\nDependencies: Microsoft Defender Antivirus\r\nThis rule prevents malware from abusing WMI to attain persistence on a device.\r\nFileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic\r\nexecution control. Some threats can abuse the WMI repository and event model to stay hidden.\r\nNote\r\nIf you're utilizing Configuration Manager (CM, previously known as MEMCM or SCCM) with CcmExec.exe\r\n(SCCM Agent), we recommend running it in audit mode for at least 60 days. Once you're prepared to switch to\r\nblock mode, ensure you deploy the appropriate ASR rules, considering any necessary rule exclusions.\r\nIntune name: Persistence through WMI event subscription\r\nConfiguration Manager name: Not available\r\nGUID: e6db77e5-3df2-4cf1-b95a-636979351e5b\r\nAdvanced hunting action type:\r\nAsrPersistenceThroughWmiAudited\r\nAsrPersistenceThroughWmiBlocked\r\nDependencies: Microsoft Defender Antivirus, RPC\r\nThis rule blocks processes created through PsExec and WMI from running. Both PsExec and WMI can remotely\r\nexecute code. There's a risk of malware abusing functionality of PsExec and WMI for command and control\r\npurposes, or to spread an infection throughout an organization's network.\r\nWarning\r\nOnly use this rule if you're managing your devices with Intune or another MDM solution. 
This rule is\r\nincompatible with management through Microsoft Configuration Manager because this rule blocks WMI\r\ncommands the Configuration Manager client uses to function correctly.\r\nIntune name: Process creation from PSExec and WMI commands\r\nConfiguration Manager name: Not applicable\r\nGUID: d1e49aac-8f56-4280-b9ba-993a6d77406c\r\nAdvanced hunting action type:\r\nAsrPsexecWmiChildProcessAudited\r\nAsrPsexecWmiChildProcessBlocked\r\nDependencies: Microsoft Defender Antivirus\r\nThis rule prevents the execution of certain commands to restart machines in Safe Mode. In Safe Mode, many\r\nsecurity products are either disabled or operate in a limited capacity. This effect allows attackers to further launch\r\ntampering commands, or execute and encrypt all files on the machine. This rule blocks abuse of Safe Mode by\r\npreventing commonly abused commands like bcdedit and bootcfg from restarting machines in Safe Mode.\r\nSafe Mode is still accessible manually from the Windows Recovery Environment.\r\nIntune Name: Block rebooting machine in Safe Mode\r\nConfiguration Manager name: Not yet available\r\nGUID: 33ddedf1-c6e0-47cb-833e-de6133960387\r\nAdvanced hunting action type:\r\nAsrSafeModeRebootedAudited\r\nAsrSafeModeRebootBlocked\r\nAsrSafeModeRebootWarnBypassed\r\nDependencies: Microsoft Defender Antivirus\r\nWith this rule, admins can prevent unsigned or untrusted executable files from running from USB removable\r\ndrives, including SD cards. 
Blocked file types include executable files (such as .exe, .dll, or .scr).\r\nImportant\r\nThis rule blocks files copied from the USB to the disk drive if and when it's about to be executed on the disk\r\ndrive.\r\nIntune name: Untrusted and unsigned processes that run from USB\r\nConfiguration Manager name: Block untrusted and unsigned processes that run from USB\r\nGUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4\r\nAdvanced hunting action type:\r\nAsrUntrustedUsbProcessAudited\r\nAsrUntrustedUsbProcessBlocked\r\nDependencies: Microsoft Defender Antivirus\r\nThis rule blocks the use of executable files that are identified as copies of Windows system tools. These files are\r\neither duplicates or impostors of the original system tools. Some malicious programs might try to copy or\r\nimpersonate Windows system tools to avoid detection or gain privileges. Allowing such executable files can lead\r\nto potential attacks. This rule prevents propagation and execution of such duplicates and impostors of the system\r\ntools on Windows machines.\r\nIntune Name: Block use of copied or impersonated system tools\r\nConfiguration Manager name: Not yet available\r\nGUID: c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb\r\nAdvanced hunting action type:\r\nAsrAbusedSystemToolAudited\r\nAsrAbusedSystemToolBlocked\r\nAsrAbusedSystemToolWarnBypassed\r\nDependencies: Microsoft Defender Antivirus\r\nThis rule blocks web shell script creation on Microsoft Server, Exchange Role. 
A web shell script is a crafted\r\nscript that allows an attacker to control the compromised server.\r\nA web shell might include functionalities such as receiving and executing malicious commands, downloading and\r\nexecuting malicious files, stealing and exfiltrating credentials and sensitive information, and identifying potential\r\ntargets.\r\nIntune name: Block Webshell creation for Servers\r\nGUID: a8f5898e-1dc8-49a9-9878-85004b8a61e6\r\nDependencies: Microsoft Defender Antivirus\r\nNote\r\nWhen you manage ASR rules using Microsoft Defender for Endpoint security settings management, you need to\r\nconfigure the Block Webshell creation for Servers setting as Not Configured in Group Policy or other local\r\nsettings. If this rule is set to any other value (such as Enabled or Disabled), it could cause conflicts and\r\nprevent the policy from applying correctly through security settings management.\r\nThis rule prevents VBA macros from calling Win32 APIs. Office VBA enables Win32 API calls. Malware can\r\nabuse this capability, such as calling Win32 APIs to launch malicious shellcode without writing anything directly\r\nto disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if\r\nthey use macros in other ways.\r\nIntune name: Win32 imports from Office macro code\r\nConfiguration Manager name: Block Win32 API calls from Office macros\r\nGUID: 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b\r\nAdvanced hunting action type:\r\nAsrOfficeMacroWin32ApiCallsAudited\r\nAsrOfficeMacroWin32ApiCallsBlocked\r\nDependencies: Microsoft Defender Antivirus, AMSI\r\nThis rule provides an extra layer of protection against ransomware. It uses both client and cloud heuristics to\r\ndetermine whether a file resembles ransomware. 
This rule doesn't block files that have one or more of the\r\nfollowing characteristics:\r\nThe file is found to be unharmful in the Microsoft cloud.\r\nThe file is a valid signed file.\r\nThe file is prevalent enough to not be considered as ransomware.\r\nThe rule tends to err on the side of caution to prevent ransomware.\r\nIntune name: Advanced ransomware protection\r\nConfiguration Manager name: Use advanced protection against ransomware\r\nGUID: c1db55ab-c21a-4637-bb3f-a12568109d35\r\nAdvanced hunting action type:\r\nAsrRansomwareAudited\r\nAsrRansomwareBlocked\r\nDependencies: Microsoft Defender Antivirus, Cloud Protection\r\nAttack surface reduction rules deployment overview\r\nPlan attack surface reduction rules deployment\r\nTest attack surface reduction rules\r\nEnable attack surface reduction rules\r\nOperationalize attack surface reduction rules\r\nAttack surface reduction rules report\r\nAttack surface reduction rules reference\r\nExclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus\r\nTroubleshoot attack surface reduction rules\r\nSource: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-execution-of-potentially-obfuscated-scripts",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-execution-of-potentially-obfuscated-scripts"
	],
	"report_names": [
		"attack-surface-reduction-rules-reference?view=o365-worldwide#block-execution-of-potentially-obfuscated-scripts"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446615,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f22d8bc05b9aa6066d3f610038ee493c8eecdd54.pdf",
		"text": "https://archive.orkl.eu/f22d8bc05b9aa6066d3f610038ee493c8eecdd54.txt",
		"img": "https://archive.orkl.eu/f22d8bc05b9aa6066d3f610038ee493c8eecdd54.jpg"
	}
}