ASRGEN: Simplifying Attack Surface Reduction

Michael Haag
6 min readDec 1, 2023

--

I am thrilled to announce the formal release of a tool I’ve developed to assist defenders, researchers, and engineers of various fields. Microsoft’s Attack Surface Reduction (ASR) is a powerful feature that has been around for quite some time. There’s extensive discourse on its potential and the numerous blogs outlining ways to bypass it, highlighting the complexity and often cumbersome process of its deployment. The question that often arises is: Which ID is which? How do I test it?

ASRGEN is designed to streamline this process from start to finish. In this blog, we will cover the following:

  • Learn about ASR, including how to access and review logs, and understand their implications.
  • Enable ASR in one of three modes for enhanced flexibility.
  • Test your ASR policies to generate telemetry traces and ensure they’re functioning as intended.
  • 🔥 Effortlessly generate a Group Policy Object (GPO) with a touch of excitement. 🤩

I created ASRGEN out of necessity while navigating the ASR setup. Juggling the various IDs became a formidable challenge — a real pain in the neck. Which rule name corresponds to which ID? Does setting ‘1’ enable, audit, or warn? These questions became a thing of the past with ASRGEN.

Where to access it: https://asrgen.streamlit.app/

Repo: https://github.com/MHaggis/ASRGEN

ASRGEN

Most the action is on the streamlit.app site.

Let’s break down some of the features.

ASR Essentials

The core of my efforts has been centered on the manipulation of ASR through the Set-MPPreference cmdlet. The essential purpose of this tool is to facilitate a quicker understanding of ASR, offering a speedier reference guide compared to the extensive documentation provided by Microsoft (apologies to the documentarians, but there’s quite a bit to wade through). It’s designed to get users up to speed with ASR, enabling them to grasp its functions and features in a more direct and less time-consuming manner.

ASR Configurator

The Configurator is designed for swift generation of an ASR setup script using Set-MPPreference. What sets it apart is its point-and-click interface, which simplifies the entire process. Setting exclusions is remarkably straightforward—you can select one or many, choose the mode, or even opt to ‘Enable All’ with a single click. I've made a conscious effort to ensure that whenever an element requires copy-pasting, it is accompanied by the rule name alongside the ID. This is crucial because managing these IDs can be complex; keeping track of what each one represents can be an overwhelming task.

ASR Atomic testing

How can you be certain that it’s functioning? In developing ASRGEN, I incorporated tests for each ASR rule — currently featuring around seven. These tests encompass a variety of scenarios, including VBS scripts, macros, C++ programs, and more. They are all designed to give you peace of mind by ensuring that, upon application, the rules are active and effective to some extent. At the very least, you should see an event being generated, which is a clear indicator that the ASR rules are in action.

cpp

This LSASS ‘toucher’ is sufficiently generic to trigger an event when the rule is applied. To streamline the process, I’ve set up a Git workflow that automatically generates the binary when a release occurs. For ease of access, I’ve embedded the URL to the .exe file directly within the interface. Go ahead and give it a try!

Two more things: Group Policy

Initially, my aim was to use this tool in an isolated, lab-like environment to generate specific ASR events, rule by rule. The feedback was incredibly positive — this tool was a game-changer. However, many asked, “What about Group Policy Objects (GPO)?” Taking this into account, I embarked on some experimentation.

At first, I attempted to manipulate a GPO backup by modifying the registry.pol file directly. It quickly became apparent, though—this method was not viable; edited .pol files just wouldn't integrate back into Group Policy as intended.

That’s when I discovered the power of PowerShell. With it, you can conjure a new object, and, like magic, it appears among your Group Policy Objects!

And now, the real treat: No more wrestling with obscure IDs and values within the GP editor, no need to memorize which is which. You can simply select the rules you want to enable, specify the mode, and voilà — you can export a nifty PowerShell script to do the heavy lifting. Take a look:

First, let’s apply two ASR rules and create the Object.

Ok cool — the script:

Run it and voila! A new object awaits!

Yep, tested a lot

Once you apply the GPO to a OU, you’ll see it in the registry as you would expect:

Different policy, same idea though

Now, I have not tested this in production because my focus is on lab and research. Check it out — let me know how it goes for you!

Read a .pol

Finally, during my exploration of GPO backups, I stumbled upon a Python module called RegistryPol, which worked wonders! I decided to keep this feature accessible within the tool for anyone who might be interested in delving into a .pol file just for the sake of curiosity. Essentially, you can perform a GPO backup, probe into the registry.pol file, upload it, and the contents will be neatly unpacked for your review.

Closing Thoughts

This project has been an incredibly enjoyable journey, and I sincerely hope it proves to be a valuable asset for many. ASR represents a formidable line of defense, a key tool in our arsenal to thwart various threats. I’m indebted to all the brilliant minds who have explored ASR from both offensive and defensive perspectives; your insights have been immensely educational. While I’m aware that my ASR generator/tool isn’t the only one out there, I’m honored to contribute to this field. I warmly welcome pull requests or the opening of issues on GitHub — any input that can help improve this tool is greatly appreciated. Thank you all, and here’s to successful threat hunting!

Special thanks to Nasreddine Bencherchali for ideas, metal and reviewing.

--

--

Michael Haag

I write, sometimes, about InfoSec related topics and I love coffee.