ASR Rule Inspector: Verify Attack Surface Reduction Rules in Microsoft Defender


Microsoft Defender’s Attack Surface Reduction (ASR) rules are critical for blocking malicious activities, but misconfigurations can leave gaps. Roy Klooster’s ASR Rule Inspector PowerShell script validates your ASR rules’ enforcement status and provides a clear overview.

Blog: ASR Rule Inspector Blog
GitHub: ASR Rule Inspector Script

### **You Should Know: PowerShell Commands to Audit ASR Rules**

#### **1. Check ASR Rule Status**

Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions

Lists the configured ASR rule GUIDs and, as a parallel array matched by position, the action set for each (0=Disabled, 1=Block, 2=Audit).

#### **2. Enable ASR Rule Enforcement**

Set-MpPreference -AttackSurfaceReductionRules_Ids <RuleGUID> -AttackSurfaceReductionRules_Actions Enabled

Replace `<RuleGUID>` with the ASR rule ID (e.g., `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` for Block Office macros). Note that `Set-MpPreference` replaces the whole configured rule list; to add a rule without discarding the ones already set, use `Add-MpPreference` with the same parameters.

#### **3. Export ASR Rules to CSV**

$p = Get-MpPreference  # pair each rule ID with its action by index; exporting the two array properties directly writes "System.Object[]" instead of the values
$p.AttackSurfaceReductionRules_Ids | ForEach-Object -Begin { $i = 0 } -Process { [pscustomobject]@{ RuleId = $_; Action = $p.AttackSurfaceReductionRules_Actions[$i] }; $i++ } | Export-Csv -Path "C:\ASR_Report.csv" -NoTypeInformation

#### **4. Verify ASR Audit Logs**

Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-Windows Defender/Operational"; Id = 1121 } | Format-List

*Filters the Defender operational log for ASR rule triggers (Event ID 1121, written when a rule fires in Block mode).*

#### **5. Compare ASR Policies Across Machines**

Invoke-Command -ComputerName (Get-Content "servers.txt") -ScriptBlock { Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions }

### **What Undercode Says**

ASR rules are a frontline defense against ransomware and script-based attacks. Use the ASR Rule Inspector to:
  • Validate that rules are actually blocking (not just auditing).
  • Detect Group Policy conflicts overriding local settings.
  • Automate audits with scheduled PowerShell scripts.

**Bonus Linux Command for Cross-Platform Admins**:

grep -i "microsoft_defender" /var/log/syslog | grep "ASR"

Parses logs for Defender ASR events on Linux systems with MDATP.

**Windows Event ID Cheatsheet**:

  • 1121: ASR rule triggered.
  • 5007: Defender policy change.

**Expected Output**:

Rule GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Status: Enabled (Block) 
Rule GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Status: Disabled 
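As an added example (not the ASR Rule Inspector's own code), the PowerShell function below pairs the `Ids` and `Actions` arrays from step 1, labels each action code, prints the overview in the format shown above, and warns when a rule you expect in Block mode is missing or only auditing. The `$sample` object and the `-RequiredBlock` default are constructed for illustration; on a real host, call `Get-AsrRuleStatus` with no arguments to read the live Defender preference.

```powershell
# Added example, not the ASR Rule Inspector script.
# Action codes used by Defender: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Enabled (Block)'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleStatus {
    param(
        # Any object exposing AttackSurfaceReductionRules_Ids / _Actions; defaults to the live preference.
        $Preference = (Get-MpPreference),
        # GUIDs you require in Block mode (assumed baseline: the two GUIDs shown on this page).
        [string[]]$RequiredBlock = @('BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550',
                                     'D4F940AB-401B-4EFC-AADC-AD5F3C50688A')
    )
    $ids     = @($Preference.AttackSurfaceReductionRules_Ids)
    $actions = @($Preference.AttackSurfaceReductionRules_Actions)
    if ($ids.Count -ne $actions.Count) {
        throw "Ids ($($ids.Count)) and Actions ($($actions.Count)) arrays differ in length"
    }
    # The two arrays are parallel: element i of Actions belongs to element i of Ids.
    $rows = for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$actions[$i]
        [pscustomobject]@{
            RuleGuid = $ids[$i].ToUpper()
            Action   = $code
            Status   = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] } else { "Unknown ($code)" }
        }
    }
    # A required rule that is absent from the list is as much a gap as one left in Audit.
    foreach ($guid in $RequiredBlock) {
        $row = $rows | Where-Object { $_.RuleGuid -eq $guid.ToUpper() }
        $gap = if (-not $row) { 'NOT CONFIGURED' } elseif ($row.Action -ne 1) { 'NOT BLOCKING' } else { $null }
        if ($gap) { Write-Warning "$guid : $gap" }
    }
    $rows
}

# Constructed sample standing in for a live Get-MpPreference result, so the function runs offline.
$sample = [pscustomobject]@{
    AttackSurfaceReductionRules_Ids     = @('be9ba2d9-53ea-4cdc-84e5-9b1eeee46550',
                                            'D4F940AB-401B-4EFC-AADC-AD5F3C50688A')
    AttackSurfaceReductionRules_Actions = @(1, 2)   # second rule is only auditing
}
Get-AsrRuleStatus -Preference $sample |
    ForEach-Object { "Rule GUID: $($_.RuleGuid) | Status: $($_.Status)" }
```

With the sample input the second rule produces a "NOT BLOCKING" warning, which is the audit-versus-block gap the Inspector is meant to surface.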

References:

Reported By: Roy Klooster – Hackers Feeds