In this post, we’ll see how to configure the Attack Surface Reduction feature of Windows Defender Exploit Guard using Microsoft Intune.

Windows Defender Exploit Guard is a new set of intrusion prevention capabilities that ships with the Windows 10 Fall Creators Update. Its four components are designed to lock down the device against a wide variety of attack vectors and to block behaviors commonly used in malware attacks, while letting enterprises balance their security risk and productivity requirements.

The four components of Windows Defender Exploit Guard are:

  1. Attack Surface Reduction (ASR)
  2. Network protection
  3. Controlled folder access
  4. Exploit protection

Attack Surface Reduction provides a set of controls that enterprises can enable to prevent malware from getting on the machine by blocking Office-, script-, and email-based threats.

Existing setup (already completed):

  1. Two Local users created
  2. Azure AD Connect configured
  3. Seamless Single Sign-On (IE) configured
  4. Seamless Single Sign-On (Firefox) configured
  5. Hybrid Azure AD Join configured
  6. Intune enrollment – Domain Joined Windows 10 devices
  7. Azure AD Join
  8. Office 365 Pro Plus Application
  9. Sample SharePoint Team Site
  10. OneDrive Known Folder Migration and SharePoint library sync
  11. Copy necessary files (Win32 App)
  12. Set Desktop Background, Lock Screen and Screensaver
  13. Adding applications to StartUp folder
  14. Adding some 3rd Party applications (Browsers)
  15. Microsoft Store for Business configuration and integration and Store Apps.
  16. Windows Defender Application Guard configuration
  17. Extend Application Guard to Mozilla Firefox and Google Chrome
  18. Configure Windows Defender Antivirus
  19. Windows Defender Credential Guard

Existing lab machines:

  1. SkyDC: Machine with ADDS, DNS, DHCP role
  2. SkyCON: Machine where we will install Azure AD Connect
  3. SkyCM: Machine with Configuration Manager Current Branch
  4. SkyTEN1: Domain Joined Windows 10 machine
  5. SkyTEN2: Domain Joined Windows 10 machine
  6. SkyTEN3i: Domain Joined Windows 10 machine (Intune Managed)
  7. SkyTEN4i: Domain Joined Windows 10 machine (Intune Managed)
  8. SkyTEN5i: Azure AD Joined Windows 10 (Intune Managed)
  9. SkyTEN6i: Azure AD Joined Windows 10 (Intune Managed)
  10. SkyTEN7i: Azure AD Joined Windows 10 (Cloud User, Intune Managed)
  11. SkyTEN8i: Azure AD Joined Windows 10 (Cloud User, Intune Managed)

Some preparation:

Create a folder named Demo on the C drive.

Download the test files from: https://demo.wd.microsoft.com/?ocid=cx-wddocs-testground

You can see that I have copied and extracted the ASR-related files into the Lab folder created earlier.

Copy the XML text for the custom views from: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/event-views

These are custom Event Viewer views that filter the Exploit Guard events.

Save the XML files in a folder as shown above.

Search for Event Viewer and open it.

Click on Import Custom View….

Select the first XML and click Open.

Click OK.

You can see that the custom view is added.

Repeat for the other XML files.

Custom views after all XML files are imported.

Create Exploit Guard Policy

Navigate to Intune -> Device configuration -> Profiles. Click on +Create profile.

Enter appropriate Name and Description. I have entered:

Name: Win 10 WDEG Policy

Description: Windows 10 : Windows Defender Exploit Guard Policy

In Platform, select Windows 10 and later.

In Profile type, select Endpoint protection.

Click on Microsoft Defender Exploit Guard.

In Microsoft Defender Exploit Guard window, click on Attack Surface Reduction.

Configure appropriate settings and click OK.

The individual settings are described in the following article:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction

Note: I have not configured the "Flag credential stealing from the Windows local security authority subsystem" setting because I am going to deploy this policy where Credential Guard is already deployed.

Click OK.

Click OK.

Click Create.

Select appropriate group.

As I want to test Exploit Guard on a specific machine, I have selected the group created above. After selecting the group, click Save.

On the client machine:

Sync the device.

After the sync is successful, you can check the policy status in the portal.

On the client machine again:

Open Event Viewer.

Navigate to Applications and Services Logs -> Microsoft -> Windows -> Windows Defender.

Clear both logs.

Scenario 1: Block Office applications from creating child processes

Navigate to the folder where you have downloaded and extracted the ASR test files.

Double click on TestFile_OfficeChildProcess_D4F940AB-401B-4EFC-AADC-AD5F3C50688A.

Read the scenario text. Click on Enable Content.

We can see an Action Blocked notification.

We can also see an Error.

We can close the file now.

Open Event Viewer and navigate to Custom Views -> Attack Surface Reduction view.

Check the warning event generated.

Scenario 2: Block Office applications from creating executable content

Navigate to the folder where you have downloaded and extracted the ASR test files.

Double click on TestFile_Block_Office_applications_from_creating_executable_content_3B576869-A4EC-4529-8536-B80A7769E899.

Read the scenario text and click Enable Content.

We can see a Ransomware found notification.

We can close the file now.

Open Event Viewer and navigate to Custom Views -> Attack Surface Reduction view.

Check the warning event generated.

Scenario 3: Impede JavaScript and VBScript to launch executables

Navigate to the folder where you have downloaded and extracted the ASR test files.

Double click on TestFile_Impede_JavaScript_and_VBScript_to_launch_executables_D3E037E1-3EB8-44C8-A917-57927947596D.

We can see an Action blocked notification.

We can see that script execution resulted in an error.

We can close the file now.

Open Event Viewer and navigate to Custom Views -> Attack Surface Reduction view.

Check the warning event generated.

Scenario 4: Block Win32 imports from Macro code in Office

Navigate to the folder where you have downloaded and extracted the ASR test files.

Double click on Block_Win32_imports_from_Macro_code_in_Office_92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B.

Read the scenario text and click Enable Content.

We can see an Action blocked notification.

We can see suspicious Macros Detected warning.

We can close the file now.

Open Event Viewer and navigate to Custom Views -> Attack Surface Reduction view.

Check the warning event generated.

Scenario 5: Block Process Creations originating from PSExec & WMI commands

Navigate to the folder where you have downloaded and extracted the ASR test files.

Double click on TestFile_PsexecAndWMICreateProcess_D1E49AAC-8F56-4280-B9BA-993A6D77406C.

We can see that the script is trying to execute Notepad. Click OK.

We can see an Action blocked notification.

We can see a message that the method returned result = 2.

We can close the file now.

We can see that the ID of the new process is empty. Click OK.

Open Event Viewer and navigate to Custom Views -> Attack Surface Reduction view.

Check the warning event generated.
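The same five rules configured and checked from PowerShell instead of the portal, as an added example that is not part of the original post: it is meant for an elevated session on a lab machine that is not yet receiving the Intune profile (an MDM-delivered ASR policy overrides local cmdlet changes), uses Microsoft's Defender cmdlets (Add-MpPreference, Get-MpPreference, Get-WinEvent), and assumes the "Label: value" layout of the ASR event message when parsing it; the function names Set-LabAsrRules and Get-AsrEvents are my own.

```powershell
# Added example, not code from the original post. Configure the five ASR rules exercised above
# with the built-in Defender cmdlets, then pull the resulting events from the same log the
# imported custom view reads. Rule GUIDs are the ones embedded in the test file names.
$RuleNames = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Impede JavaScript and VBScript to launch executables'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 imports from Macro code in Office'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
}
function Set-LabAsrRules {
    # 'AuditMode' only logs (use it first to measure impact on real users); 'Enabled' blocks.
    param([ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Mode = 'AuditMode')
    foreach ($id in $RuleNames.Keys) {
        # Add-MpPreference merges with rules already present; Set-MpPreference would replace the list.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
    # Read back the effective configuration; actions are numeric: 0 Disabled, 1 Block, 2 Audit, 6 Warn.
    $p = Get-MpPreference
    for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
        [pscustomobject]@{ RuleId = $p.AttackSurfaceReductionRules_Ids[$i]
                           Action = $p.AttackSurfaceReductionRules_Actions[$i] }
    }
}
function Get-AsrEvents {
    param([int]$Hours = 1)
    # Event 1121 = rule fired in block mode, 1122 = rule fired in audit mode.
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'
                 Id = 1121, 1122; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Defender writes "ID: <rule GUID>", "Path: ..." and "Process Name: ..." lines into the
        # message body; extracting them by label is an assumption about that message layout.
        $msg = $_.Message
        $get = { param($label) if ($msg -match "(?m)^\s*$label\s*:\s*(.+?)\s*$") { $Matches[1] } else { '' } }
        $ruleId = & $get 'ID'
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            Rule    = if ($RuleNames[$ruleId]) { $RuleNames[$ruleId] } else { "(other rule) $ruleId" }
            Process = & $get 'Process Name'
            Path    = & $get 'Path'
        }
    }
}
Set-LabAsrRules -Mode AuditMode | Format-Table -AutoSize
# After running the test files: a rule with many audit hits from legitimate processes needs tuning first.
Get-AsrEvents -Hours 2 | Group-Object Rule, Mode | Select-Object Count, Name | Sort-Object Count -Descending
```

Run the test files from the scenarios above while the rules are in audit mode and the second command shows which rule each file triggered without anything being blocked; switch the mode to Enabled to reproduce the Action blocked notifications.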

Done.
