Enable ‘Block abuse of exploited vulnerable signed drivers’ in a jiffy using PowerShell and ConfigMgr

Introduction

I find this highly relevant to share at this day. Especially in regards to yesterday’s ‘false positive’ situation, where a lot of system admins got a good scare, when Defender for Endpoint reported that “Suspicious ‘PowEmotet’ behavior was blocked’ on a high percentage of the enrolled devices.

What I really mean by this, is that when you have the option to reduce the attack surface of your environment, you should look into doing so ASAP.

Let’s say yesterdays situation was real, and you for whatever reason didn’t have behavior monitoring enabled in Microsoft Defender Antivirus. You would regret that pretty soon after being hit, when you realize that it could have been prevented.

Same goes for above. Rather look into enabling this new ASR (Attack Surface Reduction) rule today, rather than later after being compromised.

Attack Surface Reduction

The ASR rule in question is this: Attack surface reduction rules | Microsoft Docs and as noted, the rule with an GUID of 56a863a9-875e-4185-98a7-b882c64b5ce5 is not yet available in neither ConfigMgr nor Intune.

This means, you will have to use PowerShell or OMA-URI in order to configure the rule today. I’ve chosen to use PowerShell:

Enable

Set-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Enabled

Disable

Set-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Disabled

ConfigMgr

To use above with Configuration Manager, you simply create an old school package, without source files and a program like so:

powershell.exe -Command "Set-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Enabled"

Did it work?

The following event log: Microsoft-Windows-Windows Defender/Operational will reveal when changes to the Defender configuration is being made. When the ASR rule is being enabled, you will se the value go from 0 to 1 like below illustration:

You can also run the Get-MpPreference cmdlet:

Grab the AttackSurfaceReductionRules in a more readable format like so:

Get-MpPreference | select attacksurfacereductionrules_ids -ExpandProperty attacksurfacereductionrules_ids

When enabled, you will find the GUID on the list as illustrated below:

ENJOY 🙂

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.