Microsoft Defender XDR has introduced a new Attack Surface Reduction (ASR) rule, "Block execution of files related to Remote Monitoring & Management (RMM) tools", which has not yet been officially documented. The rule is meant to stop RMM software that the organization has not approved from running, reducing the risk of threat actors abusing legitimate remote access tools such as TeamViewer and AnyDesk to keep a foothold and move laterally.
You Should Know:
1. How to Check & Enable the ASR Rule
– Navigate to:
https://security.microsoft.com/asr?viewid=detections
– Set the rule filter to "All" to locate the new rule.
2. PowerShell Command to Enable ASR Rules
Use this PowerShell command (elevated session) to enable the rule, replacing the placeholder with the rule's GUID once it is published. Note that Set-MpPreference overwrites the entire ASR rule list with whatever you pass it; to append a single rule without touching existing ones, use Add-MpPreference with the same parameters. To stage the rule first, pass AuditMode instead of Enabled:
Set-MpPreference -AttackSurfaceReductionRules_Ids <RULE-GUID> -AttackSurfaceReductionRules_Actions Enabled
3. Verify ASR Rule Status
Check the current ASR rule configuration via PowerShell. The two properties are parallel arrays: the n-th action applies to the n-th rule ID (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn):
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
4. Exclude Trusted RMM Tools (If Needed)
If your organization uses an approved RMM tool, exclude its binary path. Be aware that this exclusion applies to every ASR rule, not only the RMM rule; if you need the exclusion scoped to this rule alone, use the per-rule exclusions available through Intune ASR policy instead:
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "<PathToRMMTool>"
5. Monitor ASR Rule Detections
Check the Defender operational log for ASR events. Event ID 1121 is written when a rule fires in block mode and 1122 when it fires in audit mode, so include both while the rule is being staged:
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-Windows Defender/Operational"; Id = 1121, 1122 }
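The steps above (enable in audit mode, verify, then review the events) are easier to repeat as a small set of functions. The following PowerShell is an added example, not code from the original post or from Microsoft; the rule GUID is a placeholder (Microsoft has not published it yet), and the event data field names ("ID", "Path", "Process Name", "User") are taken from the EventData of Defender ASR events as seen in the event XML, so check them against an actual event if a column comes back empty. Run it in an elevated session on a host with Microsoft Defender Antivirus.

```powershell
# Added example: stage the RMM ASR rule in audit mode, confirm how it is configured,
# and pull the ASR events it generates so the audit period can be reviewed before
# switching to enforcement. The GUID below is a placeholder (assumption); replace it
# with the real rule ID once Microsoft publishes it.
$RmmRuleId = '00000000-0000-0000-0000-000000000000'

function Set-AsrRuleAction {
    param(
        [Parameter(Mandatory)] [string] $RuleId,
        [ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')] [string] $Action = 'AuditMode'
    )
    # Add-MpPreference appends to the existing rule list (or updates the action of a
    # rule already in it). Set-MpPreference would replace the whole list with this one rule.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions $Action
}

function Get-AsrRuleStatus {
    # Get-MpPreference returns two parallel arrays; pair them up into one object per rule.
    $pref = Get-MpPreference
    $actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode'; 6 = 'Warn' }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $code = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        [pscustomobject]@{
            RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
            Action = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "Unknown($code)" }
        }
    }
}

function Get-AsrEvent {
    param(
        [string] $RuleId,          # optional: only return events for this rule GUID
        [int]    $MaxEvents = 200
    )
    # 1121 = rule fired in block mode, 1122 = rule fired in audit mode.
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Parse the EventData block of the event XML into a name -> value table.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($RuleId -and $data['ID'] -ne $RuleId) { return }   # skip other rules
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
                RuleId  = $data['ID']
                Path    = $data['Path']            # file the rule matched
                Process = $data['Process Name']    # process that triggered the rule
                User    = $data['User']
            }
        }
}

# Usage: stage the rule, confirm it is in audit mode, then review what it would have blocked.
Set-AsrRuleAction -RuleId $RmmRuleId -Action AuditMode
Get-AsrRuleStatus | Where-Object RuleId -eq $RmmRuleId
Get-AsrEvent -RuleId $RmmRuleId | Group-Object Path | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Once the audit events show only binaries you expect (add approved ones to the
# exclusion list first), switch the rule to enforcement:
# Set-AsrRuleAction -RuleId $RmmRuleId -Action Enabled
```

Grouping the audit events by path gives the list of RMM binaries actually running in the estate, which is what the exclusion list in step 4 should be built from before the rule is enforced.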
6. Linux Equivalent (For Hybrid Environments)
There is no ASR equivalent on Linux, but auditd can at least record executions of known RMM binaries. Adjust the path to where the tool is actually installed; the watch only logs, it does not block, so the key name is just a label:
sudo auditctl -w /usr/bin/teamviewer -p x -k rmm_block
Check the logs with (aureport needs the raw record format, hence --raw):
sudo ausearch -k rmm_block --raw | aureport -f -i
7. Windows Firewall Rule to Block RMM Traffic
Block outbound connections from a specific RMM executable via PowerShell. A program-based rule matches only that exact path, so a renamed or relocated copy of the tool bypasses it; treat this as a complement to the ASR rule, not a substitute:
New-NetFirewallRule -DisplayName "Block RMM Tools" -Direction Outbound -Program "C:\Path\To\RMM-Tool.exe" -Action Block
What Undercode Say:
Microsoft’s move to block unauthorized RMM tools is a strong step toward Zero Trust, preventing attackers from leveraging legitimate tools for lateral movement. However, organizations must:
– Test the rule in Audit Mode first before enforcement.
– Maintain an exclusion list for approved remote management tools.
– Monitor logs for false positives.
For defenders, combining ASR rules with firewall restrictions and endpoint monitoring (via Defender for Endpoint or SIEM) ensures layered protection against RMM abuse.
Prediction:
As attackers increasingly abuse RMM tools, expect more vendors to enforce default-deny policies for remote access software, pushing organizations toward VPN-less, identity-based remote access governed by controls such as Conditional Access in Microsoft Entra ID (formerly Azure AD).
Expected Output:
- ASR rule logs in Defender XDR.
- Blocked RMM tool executions in security logs.
- Reduced attack surface from RMM-based intrusions.
Reported By: Wjpvandenheuvel Microsoftsecurity – Hackers Feeds