Back to GSO Recommendations

Windows Attack Surface Reduction: Macro, Script and Credential Theft Protection

Why this risk matters

Attack Surface Reduction (ASR) rules are a set of Microsoft Defender controls that block specific attack techniques commonly used in malware, ransomware, and post-compromise activity. Unlike signature-based antivirus detection, ASR rules block entire classes of behaviour — macros that spawn child processes, scripts that download payloads, Office applications accessing credential stores, and similar techniques — regardless of whether the specific threat has been seen before.

The most impactful ASR rules target the techniques used in the vast majority of real-world attacks: document-based macro payloads, living-off-the-land script execution via PowerShell and WMI, credential theft from LSASS, and lateral movement via PsExec. Blocking these at the behaviour level rather than relying on detection after execution significantly reduces the blast radius of a phishing-delivered payload or a compromised endpoint.

ASR rules are managed through Intune and can be deployed in audit mode before enforcement, making it straightforward to assess impact before blocking anything.

What happens if this is abused

  • Macro-enabled Office documents delivered via phishing execute payloads without any detection if signature-based defences haven't seen the specific malware variant
  • Scripts (PowerShell, VBScript, JavaScript) can download and execute additional payloads from attacker-controlled infrastructure
  • LSASS credential dumping tools like Mimikatz can extract cached credentials from memory, enabling lateral movement to other accounts and systems
  • Living-off-the-land techniques use legitimate Windows tools (certutil, mshta, wscript) to execute attacker code with no malware binary to detect
  • PsExec and similar remote execution tools can be used for lateral movement once an initial endpoint is compromised
  • Ransomware delivery chains frequently depend on exactly these techniques and are substantially disrupted by ASR enforcement

When this is expected or acceptable

ASR rules can cause false positives in environments that rely on legacy macros or administrative scripts. Key considerations:

  • Legacy Office macros used for legitimate business processes (e.g. finance spreadsheet automation, ERP integrations) may be blocked by ASR rules targeting macro behaviour — audit mode will surface these before enforcement
  • IT administrative scripts that use PowerShell or WMI extensively may be affected by some rules — exclusions can be configured at the file or folder level for known-good admin tooling
  • ASR rules should always be deployed in Audit mode first, with a review period of at least 7–14 days, before switching to Block mode

Checks to perform before taking action

  • In Intune, check whether any ASR rules are currently configured and in what mode (audit or block)
  • In Microsoft Defender, review the ASR audit events report to see which rules would trigger most frequently in your environment
  • Prioritise the highest-value ASR rules for initial enforcement: Block Office apps from creating child processes, Block credential stealing from LSASS, Block execution of potentially obfuscated scripts, Block abuse of exploited vulnerable signed drivers
  • Identify any legitimate macro-heavy applications or admin scripts that may trigger false positives and plan exclusions before enforcement
  • Communicate with end users in affected departments about the planned changes and the audit period

Safe remediation steps

  1. Create an ASR policy in Intune (Endpoint security > Attack surface reduction > Create policy > Windows > Attack surface reduction rules)
  2. Set all rules to Audit mode initially
  3. Assign to a pilot group of devices first and review audit events in Defender for Endpoint over 7–14 days
  4. Identify and configure exclusions for any legitimate applications triggering false positives
  5. Switch high-confidence rules to Block mode (starting with: Block Office apps from creating child processes, Block credential stealing from LSASS, Block execution of obfuscated scripts)
  6. Gradually switch remaining rules to Block mode, reviewing audit events between each change
  7. Monitor for new false positives after enforcement and add targeted exclusions as needed

Supporting documentation

Microsoft: Attack surface reduction rules reference

Microsoft: ASR rules deployment overview

Microsoft: Manage attack surface reduction policies in Intune

Related risks and follow-on checks

After enforcing this control, review these related areas:

  • Windows Defender Protection — ASR rules work alongside Defender AV and Defender for Endpoint; ensure the broader Defender configuration is also reviewed
  • Open Defender Incidents — monitor Defender XDR for incidents triggered by ASR rule blocks, particularly in the first weeks after enforcement
  • Windows Office Macro Security — ASR rules and macro security settings are complementary; review macro policy alongside ASR deployment
  • Phishing URL Clicked — ASR rules block many of the payload execution techniques used after a phishing link is clicked; the two controls work in sequence
TBD CTA