2 NEW ASR rules hit GA for Defender for Endpoint 🔥
Microsoft has introduced two new Attack Surface Reduction (ASR) rules designed to address common attacker techniques that often bypass traditional defenses. These rules focus on preventing machine reboots into Safe Mode—where many security controls are limited—and blocking the use of copied or impersonated Windows system tools commonly leveraged in privilege escalation and evasion.
This post outlines the purpose, configuration details, and security impact of each rule.
Block rebooting machine in Safe Mode
This rule prevents the execution of commands that restart the machine in Safe Mode. Safe Mode is a diagnostic mode that loads only the essential files and drivers needed for Windows to run. In Safe Mode, however, many security products are either disabled or operate in a limited capacity, which lets an attacker run further tampering commands, or execute code that encrypts every file on the machine. This rule blocks such attacks by preventing processes from restarting the machine in Safe Mode.
Intune Name: Block rebooting machine in Safe Mode
Configuration Manager name: Not yet available
GUID: 33ddedf1-c6e0-47cb-833e-de6133960387
Advanced hunting action type:
AsrSafeModeRebootedAudited
AsrSafeModeRebootBlocked
AsrSafeModeRebootWarnBypassed
Dependencies: Microsoft Defender Antivirus
Block use of copied or impersonated system tools
This rule blocks the use of executable files that are identified as copies of Windows system tools. These files are either duplicates or impostors of the original system tools. Some malicious programs might try to copy or impersonate Windows system tools to avoid detection or gain privileges. Allowing such executable files can lead to potential attacks. This rule prevents propagation and execution of such duplicates and impostors of the system tools on Windows machines.
Intune Name: Block use of copied or impersonated system tools
Configuration Manager name: Not yet available
GUID: c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb
Advanced hunting action type:
AsrAbusedSystemToolAudited
AsrAbusedSystemToolBlocked
AsrAbusedSystemToolWarnBypassed
Dependencies: Microsoft Defender Antivirus
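Both rules can be staged in Audit mode before switching to Block, with the audit events reviewed through the advanced hunting action types listed above. The PowerShell below is an added example, not code from the original post or from Microsoft's documentation; it assumes an elevated local session on a device running Microsoft Defender Antivirus (Intune or Group Policy being the usual deployment route), and the function names are my own.

```powershell
# Added example: stage the two new ASR rules (GUIDs from the post) through
# Audit before Block, then read back their configured state.
$NewAsrRules = @{
    '33ddedf1-c6e0-47cb-833e-de6133960387' = 'Block rebooting machine in Safe Mode'
    'c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb' = 'Block use of copied or impersonated system tools'
}
# ASR action values used by Defender: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
$AsrActionCode = @{ Disabled = 0; Block = 1; Audit = 2; Warn = 6 }
$AsrActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Set-NewAsrRules {
    param([Parameter(Mandatory)][ValidateSet('Disabled','Block','Audit','Warn')][string]$Mode)
    foreach ($guid in $NewAsrRules.Keys) {
        # Add-MpPreference merges into the existing rule list; other rules are untouched
        Add-MpPreference -AttackSurfaceReductionRules_Ids $guid `
                         -AttackSurfaceReductionRules_Actions $AsrActionCode[$Mode]
        Write-Host ("{0,-8} {1} ({2})" -f $Mode, $NewAsrRules[$guid], $guid)
    }
}

function Get-NewAsrRuleState {
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($guid in $NewAsrRules.Keys) {
        $state = 'Not configured'
        for ($i = 0; $i -lt $ids.Count; $i++) {
            # -ieq: the GUID case returned by Get-MpPreference is not guaranteed
            if ($ids[$i] -ieq $guid) { $state = $AsrActionName[[int]$acts[$i]]; break }
        }
        [pscustomobject]@{ Rule = $NewAsrRules[$guid]; Guid = $guid; State = $state }
    }
}

# Advanced hunting query (paste into the Defender portal) to review what the rules
# logged while in Audit, keyed on the action types from the post.
$HuntingQuery = @'
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("AsrSafeModeRebootedAudited", "AsrSafeModeRebootBlocked",
                       "AsrSafeModeRebootWarnBypassed", "AsrAbusedSystemToolAudited",
                       "AsrAbusedSystemToolBlocked", "AsrAbusedSystemToolWarnBypassed")
| summarize Events = count(), Devices = dcount(DeviceId) by ActionType, FileName
| order by Events desc
'@

Set-NewAsrRules -Mode Audit   # switch to -Mode Block once the audit data looks clean
Get-NewAsrRuleState | Format-Table -AutoSize
```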
Want to learn more?
Attack surface reduction rules reference - Microsoft Defender for Endpoint | Microsoft Learn
#MicrosoftDefender #EndpointSecurity #AttackSurfaceReduction #WindowsSecurity #ASRRules #ThreatProtection #CyberSecurity #ModernWorkplaceSecurity #DefenderForEndpoint #MicrosoftSecurity #Microsoft