Analytics Story: Windows Attack Surface Reduction

Description

This story contains detections for Windows Attack Surface Reduction (ASR) events. ASR is a feature of Windows Defender Exploit Guard that blocks actions and applications typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications; when a process or application attempts an action that a rule blocks, an event is generated. The detections in this story are built on those events.

Why it matters

This story includes detections for both block and audit event IDs. Block event IDs are generated when an action is blocked by an ASR rule, while audit event IDs are generated when an action that would have been blocked by an ASR rule is allowed to proceed for auditing purposes.
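As an added example (not part of the Splunk story or its detections), the snippet below classifies Windows Defender events from the story's data sources into block (1121) and audit (1122) hits and stacks them per ASR rule ID. The sample events are constructed, and the EventData field names (ID, Process Name, Path) and placeholder rule GUIDs are assumptions for this example.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Event IDs listed in the story's data sources; 1121 is the ASR block
# event and 1122 the ASR audit event described above.
ASR_BLOCK, ASR_AUDIT = 1121, 1122
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(event_id, rule_id, process, path):
    """Build a constructed xmlwineventlog-style event for this example.
    The Data field names (ID, Process Name, Path) are assumptions."""
    return (
        f'<Event xmlns="{NS["e"]}"><System>'
        f'<Provider Name="Microsoft-Windows-Windows Defender"/>'
        f'<EventID>{event_id}</EventID></System><EventData>'
        f'<Data Name="ID">{rule_id}</Data>'
        f'<Data Name="Process Name">{process}</Data>'
        f'<Data Name="Path">{path}</Data></EventData></Event>'
    )

# Constructed sample: two blocks for one rule, one audit for another, and a
# 5007 configuration-change event that is not an ASR rule hit.
SAMPLE_EVENTS = [
    _event(1121, "RULE-GUID-PLACEHOLDER-A", r"C:\Office\WINWORD.EXE", r"C:\Users\alice\dl.exe"),
    _event(1121, "RULE-GUID-PLACEHOLDER-A", r"C:\Office\EXCEL.EXE", r"C:\Temp\x.exe"),
    _event(1122, "RULE-GUID-PLACEHOLDER-B", r"C:\Windows\System32\wscript.exe", r"C:\Temp\s.js"),
    _event(5007, "", "", ""),
]

def parse_event(xml_text):
    """Return the event ID plus every EventData field as a dict."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {"event_id": event_id, **data}

def classify(event_id):
    """Map an event ID to the block/audit mode the story describes."""
    return {ASR_BLOCK: "block", ASR_AUDIT: "audit"}.get(event_id, "other")

def stack_by_rule(xml_events):
    """Count ASR hits per (rule ID, mode), the idea behind rule stacking."""
    counts = Counter()
    for ev in map(parse_event, xml_events):
        mode = classify(ev["event_id"])
        if mode != "other":
            counts[(ev["ID"], mode)] += 1
    return counts
```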

Detections

| Name | Technique | Type |
| --- | --- | --- |
| Windows Defender ASR Audit Events | Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link | Anomaly |
| Windows Defender ASR Block Events | Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link | Anomaly |
| Windows Defender ASR Registry Modification | Modify Registry | Hunting |
| Windows Defender ASR Rule Disabled | Modify Registry | TTP |
| Windows Defender ASR Rules Stacking | Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter | Hunting |

Data Sources

| Name | Platform | Sourcetype | Source |
| --- | --- | --- | --- |
| Windows Event Log Defender 1121 | Windows | xmlwineventlog | WinEventLog:Microsoft-Windows-Windows Defender/Operational |
| Windows Event Log Defender 1122 | Windows | xmlwineventlog | WinEventLog:Microsoft-Windows-Windows Defender/Operational |
| Windows Event Log Defender 1129 | Windows | xmlwineventlog | WinEventLog:Microsoft-Windows-Windows Defender/Operational |
| Windows Event Log Defender 5007 | Windows | xmlwineventlog | WinEventLog:Microsoft-Windows-Windows Defender/Operational |

Source: GitHub | Version: 1