MDE-ASR-Rules-Overview.md

File metadata and controls

27 lines (24 loc) · 5.6 KB
| No | Attack Surface Reduction Rule Name | GUID | Advanced Hunting Action Type (Audited) | Advanced Hunting Action Type (Blocked) |
|---|---|---|---|---|
| 1 | Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | AsrAdobeReaderChildProcessAudited | AsrAdobeReaderChildProcessBlocked |
| 2 | Block JavaScript or VBScript from launching downloaded executable content | d3e037e1-3eb8-44c8-a917-57927947596d | AsrScriptExecutableDownloadAudited | AsrScriptExecutableDownloadBlocked |
| 3 | Block Office applications from creating executable content | 3b576869-a4ec-4529-8536-b80a7769e899 | AsrExecutableOfficeContentAudited | AsrExecutableOfficeContentBlocked |
| 4 | Block Office applications from injecting code into other processes | 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 | AsrOfficeProcessInjectionAudited | AsrOfficeProcessInjectionBlocked |
| 5 | Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 | AsrOfficeCommAppChildProcessAudited | AsrOfficeCommAppChildProcessBlocked |
| 6 | Block Win32 API calls from Office macros | 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b | AsrOfficeMacroWin32ApiCallsAudited | AsrOfficeMacroWin32ApiCallsBlocked |
| 7 | Block abuse of exploited vulnerable signed drivers **ENABLE by default** | 56a863a9-875e-4185-98a7-b882c64b5ce5 | AsrVulnerableSignedDriverAudited | AsrVulnerableSignedDriverBlocked |
| 8 | Block all Office applications from creating child processes | d4f940ab-401b-4efc-aadc-ad5f3c50688a | AsrOfficeChildProcessAudited | AsrOfficeChildProcessBlocked |
| 9 | Block credential stealing from the Windows local security authority subsystem (lsass.exe) **ENABLE by default** | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | AsrLsassCredentialTheftAudited | AsrLsassCredentialTheftBlocked |
| 10 | Block executable content from email client and webmail | be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 | AsrExecutableEmailContentAudited | AsrExecutableEmailContentBlocked |
| 11 | Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25 | AsrUntrustedExecutableAudited | AsrUntrustedExecutableBlocked |
| 12 | Block execution of potentially obfuscated scripts | 5beb7efe-fd9a-4556-801d-275e5ffc04cc | AsrObfuscatedScriptAudited | AsrObfuscatedScriptBlocked |
| 13 | Block persistence through WMI event subscription **ENABLE by default** | e6db77e5-3df2-4cf1-b95a-636979351e5b | AsrPersistenceThroughWmiAudited | AsrPersistenceThroughWmiBlocked |
| 14 | Block process creations originating from PSExec and WMI commands **DO NOT ENABLE IF USING SCCM/Co-Mgmt**, see (1) below | d1e49aac-8f56-4280-b9ba-993a6d77406c | AsrPsexecWmiChildProcessAudited | AsrPsexecWmiChildProcessBlocked |
| 15 | Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | AsrUntrustedUsbProcessAudited | AsrUntrustedUsbProcessBlocked |
| 16 | Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 | AsrRansomwareAudited | AsrRansomwareBlocked |
| 17 | Block Webshell creation for Servers | a8f5898e-1dc8-49a9-9878-85004b8a61e6 | Unknown | Unknown |
| 18 | PREVIEW - Block rebooting machine in Safe Mode | 33ddedf1-c6e0-47cb-833e-de6133960387 | AsrSafeModeRebootedAudited | AsrSafeModeRebootBlocked |
| 19 | PREVIEW - Block use of copied or impersonated system tools | c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb | AsrAbusedSystemToolAudited / AsrCustomRuleAudited | AsrAbusedSystemToolBlocked |

Source: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#per-rule-descriptions

(1) https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands