Mastering Microsoft Defender ASR with Atomic Techniques
Deep dive into Attack Surface Reduction rules, testing them with Atomic Red Team, and building comprehensive detection coverage in Splunk.
asr defender atomic-red-team detection splunk hardening
Originally published on the Splunk Security Blog
Read the full article: Mastering Microsoft Defender ASR
What is ASR?
Attack Surface Reduction (ASR) rules are a set of controls in Microsoft Defender that block common attack techniques. Think of them as surgical blocks for specific malicious behaviors.
Key ASR Rules
| Rule | What It Blocks |
|---|---|
| Block Office macros from creating child processes | Macro malware spawning PowerShell |
| Block Office from creating executable content | Droppers saving malware |
| Block credential stealing from LSASS | Mimikatz-style attacks |
| Block process creations from WMI | WMI-based lateral movement |
| Block untrusted processes from USB | USB-based attacks |
Testing with Atomic Red Team
Don’t just enable ASR—test it!
```powershell
# Test Office macro child process block
Invoke-AtomicTest T1204.002 -TestNumbers 1
# Test credential access
Invoke-AtomicTest T1003.001 -TestNumbers 1
```
ASR Rule States
- Disabled - Rule not active
- Audit - Logs but doesn’t block
- Block - Active protection
- Warn - User can override
Deployment Strategy
- Enable all rules in Audit mode
- Analyze logs for false positives
- Configure exclusions where needed
- Switch to Block mode
- Monitor continuously
Splunk Detection
ASR Events
```spl
index=windows source="WinEventLog:Microsoft-Windows-Windows Defender/*"
EventCode IN (1121, 1122, 1125, 1126)
| stats count by RuleName, ProcessName, Path
```
ASR Blocks Over Time
```spl
index=windows EventCode=1121
| timechart count by RuleName
```
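The audit-then-block rollout above only works if you actually triage the audit-mode events, and the two Splunk searches are the starting point for that. The following Python script is an added example (not from the original post or the Splunk article) that runs the same two aggregations offline over constructed sample events and flags the audit hits that recur for the same rule, process and path, which are the ones to review for exclusions before flipping the rule to Block. It assumes the flattened field names the searches use (EventCode, RuleName, ProcessName, Path, _time) and only relies on event IDs 1121 (block) and 1122 (audit).

```python
"""Offline triage of Defender ASR events, mirroring the Splunk searches on this page.
Added example; field names are assumed to match the page's searches."""
from collections import Counter

# Defender ASR event IDs: 1121 = rule fired in Block mode, 1122 = rule fired in Audit mode.
BLOCK, AUDIT = 1121, 1122
OFFICE_RULE = "Block Office macros from creating child processes"
LSASS_RULE = "Block credential stealing from LSASS"
LOB_APP = r"C:\Program Files\LOB\report.exe"

# Constructed sample events (not real telemetry), flattened the way Splunk presents them.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T09:05", "EventCode": AUDIT, "RuleName": OFFICE_RULE,
     "ProcessName": "WINWORD.EXE", "Path": r"C:\Windows\System32\cmd.exe"},
    {"_time": "2024-05-01T09:07", "EventCode": AUDIT, "RuleName": OFFICE_RULE,
     "ProcessName": "EXCEL.EXE", "Path": LOB_APP},
    {"_time": "2024-05-01T09:30", "EventCode": AUDIT, "RuleName": OFFICE_RULE,
     "ProcessName": "EXCEL.EXE", "Path": LOB_APP},
    {"_time": "2024-05-01T10:15", "EventCode": AUDIT, "RuleName": LSASS_RULE,
     "ProcessName": "unknown_tool.exe", "Path": r"C:\Windows\System32\lsass.exe"},
    {"_time": "2024-05-01T10:40", "EventCode": BLOCK, "RuleName": LSASS_RULE,
     "ProcessName": "unknown_tool.exe", "Path": r"C:\Windows\System32\lsass.exe"},
    {"_time": "2024-05-01T11:02", "EventCode": BLOCK, "RuleName": OFFICE_RULE,
     "ProcessName": "WINWORD.EXE", "Path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

def stats_by_rule(events):
    """Same as `stats count by RuleName, ProcessName, Path` over block and audit events."""
    return Counter((e["RuleName"], e["ProcessName"], e["Path"])
                   for e in events if e["EventCode"] in (BLOCK, AUDIT))

def audit_review(events, min_hits=2):
    """Audit-mode hits that recur for one (rule, process, path) triple.
    Recurring hits on a known line-of-business binary are the exclusion
    candidates to settle before the rule is switched from Audit to Block."""
    hits = Counter((e["RuleName"], e["ProcessName"], e["Path"])
                   for e in events if e["EventCode"] == AUDIT)
    return sorted(key for key, n in hits.items() if n >= min_hits)

def block_timechart(events):
    """Same as `timechart count by RuleName` on EventCode=1121, bucketed per hour."""
    return Counter((e["_time"][:13], e["RuleName"])
                   for e in events if e["EventCode"] == BLOCK)

if __name__ == "__main__":
    for key, n in stats_by_rule(SAMPLE_EVENTS).most_common():
        print(n, *key)
    print("review before Block mode:", audit_review(SAMPLE_EVENTS))
    print("blocks per hour:", dict(block_timechart(SAMPLE_EVENTS)))
```

In the sample, the repeated Excel hit on the line-of-business binary is the only triple flagged for review; the single LSASS audit hit is not noise to exclude but the kind of event the rule exists to catch.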
ASRGen Tool
I built ASRGen to help configure and test ASR rules.
Read the full guide: Mastering Microsoft Defender ASR