title: Microsoft Defender for Endpoint attack surface reduction rules demonstrations description: See how attack surface reduction rules block various known threat types. search.appverid: met150 ms.service: defender-endpoint ms.author: lwainstein author: limwainstein ms.reviewer: yongrhee ms.localizationpriority: medium manager: bagol audience: ITPro ms.collection:

m365-security
tier2
demo ms.topic: how-to ms.subservice: asr ms.date: 03/10/2025 appliesto:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender for Business
- Microsoft Defender Antivirus
- Microsoft 365 Apps

Attack surface reduction rules demonstrations

Attack surface reduction rules target specific behaviors that are typically used by malware and malicious apps to infect machines, such as:

Executable files and scripts used in Office apps or web mail that attempt to download or run files
Scripts that are obfuscated or otherwise suspicious
Behaviors that apps undertake that aren't initiated during normal day-to-day work

Prerequisites

Windows client devices must be running Windows 11, Windows 10 1709 build 16273, or later
Windows server devices must be running Windows Server 2012 R2 and later (with the Functionality in the modern unified solution)
Azure Stack HCI OS, version 23H2 and later.

Setup

Download attack surface reduction PowerShell scripts

PowerShell commands

Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids D1E49AAC-8F56-4280-B9BA-993A6D77406C -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids C1DB55AB-C21A-4637-BB3F-A12568109D35 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-CD74-433A-B99E-2ECDC07BFC25 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids e6db77e5-3df2-4cf1-b95a-636979351e5b -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids a8f5898e-1dc8-49a9-9878-85004b8a61e6 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 26190899-1602-49E8-8B27-EB1D0A1CE869 -AttackSurfaceReductionRules_Actions AuditMode
Add-MpPreference -AttackSurfaceReductionRules_Ids 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C -AttackSurfaceReductionRules_Actions AuditMode
Add-MpPreference -AttackSurfaceReductionRules_Ids 33ddedf1-c6e0-47cb-833e-de6133960387 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb -AttackSurfaceReductionRules_Actions Enabled

Rule states

State	Mode	Numeric value
Disabled	= Off	0
Enabled	= Block mode	1
Audit	= Audit mode	2

Verify configuration

Get-MpPreference

Test files

Note - some test files have multiple exploits embedded and triggers multiple rules

Rule name	Rule GUID
Block executable content from email client and webmail	BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block Office applications from creating child processes	D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block Office applications from creating executable content	3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting into other processes	75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Impede JavaScript and VBScript to launch executables	D3E037E1-3EB8-44C8-A917-57927947596D
Block execution of potentially obfuscated scripts	5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 imports from Macro code in Office	92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
{Block Process Creations originating from PSExec & WMI commands	D1E49AAC-8F56-4280-B9BA-993A6D77406C
Block Execution of untrusted or unsigned executables inside removable USB media	B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4
Aggressive Ransomware Prevention	C1DB55AB-C21A-4637-BB3F-A12568109D35
Block executable files from running unless they meet a prevalence, age, or trusted list criteria	01443614-CD74-433A-B99E-2ECDC07BFC25
Block Adobe Reader from creating child processes	7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
Block abuse of exploited vulnerable signed drivers	56a863a9-875e-4185-98a7-b882c64b5ce5
Block credential stealing from the Windows local security authority subsystem (lsass.exe)	9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block persistence through WMI event subscription	e6db77e5-3df2-4cf1-b95a-636979351e5b
Block Webshell creation for Servers	a8f5898e-1dc8-49a9-9878-85004b8a61e6
Block rebooting machine in Safe Mode (preview)	33ddedf1-c6e0-47cb-833e-de6133960387
Block use of copied or impersonated system tools (preview)	c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb

Scenarios

Setup

Download and run this setup script. Before running the script set execution policy to Unrestricted using this PowerShell command:

Set-ExecutionPolicy Unrestricted

You can perform these manual steps instead:

Create a folder under c: named demo, "c:\demo"
Save this clean file into c:\demo.
Enable all rules using the PowerShell command.

Scenario 1: Attack surface reduction blocks a test file with multiple vulnerabilities

Enable all rules in block mode using the PowerShell commands (you can copy paste all)
Download and open any of the test file/documents, and enable editing and content, if prompted.

Scenario 1 expected results

You should immediately see an "Action blocked" notification.

Scenario 2: ASR rule blocks the test file with the corresponding vulnerability

Configure the rule you want to test using the PowerShell command from the previous step.

Example: Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
Download and open the test file/document for the rule you want to test, and enable editing and content, if prompted.

Example: Block Office applications from creating child processes D4F940AB-401B-4EFC-AADC-AD5F3C50688A

Scenario 2 expected results

You should immediately see an "Action blocked" notification.

Scenario 3 (Windows 10 or later): ASR rule blocks unsigned USB content from executing

Configure the rule for USB protection (B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4).

Add-MpPreference -AttackSurfaceReductionRules_Ids B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -AttackSurfaceReductionRules_Actions Enabled

Download the file and put it on a USB stick and execute it Block Execution of untrusted or unsigned executables inside removable USB media

Scenario 3 expected results

You should immediately see an "Action blocked" notification.

Scenario 4: What would happen without attack surface reduction

Turn off all attack surface reduction rules using PowerShell commands in the cleanup section.
Download any test file/document, and enable editing and content, if prompted.

Scenario 4 expected results

The files in c:\demo are encrypted and you should get a warning message
Execute the test file again to decrypt the files

Clean-up

Download and run this clean-up script

Alternately, you can perform these manual steps:

Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids D1E49AAC-8F56-4280-B9BA-993A6D77406C -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids C1DB55AB-C21A-4637-BB3F-A12568109D35 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-CD74-433A-B99E-2ECDC07BFC25 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids e6db77e5-3df2-4cf1-b95a-636979351e5b -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids a8f5898e-1dc8-49a9-9878-85004b8a61e6 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 26190899-1602-49E8-8B27-EB1D0A1CE869 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 33ddedf1-c6e0-47cb-833e-de6133960387 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb -AttackSurfaceReductionRules_Actions Disabled

Clean up c:\demo encryption by running the encrypt/decrypt file.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Attack surface reduction rules demonstrations

Prerequisites

Setup

PowerShell commands

Rule states

Verify configuration

Test files

Scenarios

Setup

Scenario 1: Attack surface reduction blocks a test file with multiple vulnerabilities

Scenario 1 expected results

Scenario 2: ASR rule blocks the test file with the corresponding vulnerability

Scenario 2 expected results

Scenario 3 (Windows 10 or later): ASR rule blocks unsigned USB content from executing

Scenario 3 expected results

Scenario 4: What would happen without attack surface reduction

Scenario 4 expected results

Clean-up

See also

FilesExpand file tree

defender-endpoint-demonstration-attack-surface-reduction-rules.md

Latest commit

History

defender-endpoint-demonstration-attack-surface-reduction-rules.md

File metadata and controls

Attack surface reduction rules demonstrations

Prerequisites

Setup

PowerShell commands

Rule states

Verify configuration

Test files

Scenarios

Setup

Scenario 1: Attack surface reduction blocks a test file with multiple vulnerabilities

Scenario 1 expected results

Scenario 2: ASR rule blocks the test file with the corresponding vulnerability

Scenario 2 expected results

Scenario 3 (Windows 10 or later): ASR rule blocks unsigned USB content from executing

Scenario 3 expected results

Scenario 4: What would happen without attack surface reduction

Scenario 4 expected results

Clean-up

See also