Securing Your Environment with ASR Rules

ASR Rule for Blocking Attacks

Question

Which selection is an ASR (attack surface reduction) rule that can be implemented and can be blocked?

Answers

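A. Content from mobile devices
B. PowerShell from executing
C. Process creations initiating from WMI and PSExec commands
D. None of the above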

Correct Answer: C.

Option A is incorrect.

This is not an ASR rule, so it cannot be implemented or blocked as one.

Option B is incorrect.

.ps1 execution cannot be blocked with an ASR rule.

Option C is correct.

This is an ASR rule that can be implemented and can be blocked.

The correct answer is C. Process creations initiating from WMI and PSExec commands.

Attack Surface Reduction (ASR) rules are a set of built-in rules in Windows Defender Exploit Guard that can help to prevent attacks by reducing the attack surface available to an attacker. These rules can be implemented to block or audit suspicious behavior on a device.

Option A, "Content from mobile devices," is not an ASR rule. Instead, it is a data protection feature that can be implemented using Microsoft Endpoint Manager to restrict access to content on mobile devices.

Option B, "PowerShell from executing," is also not an ASR rule. However, it is a mitigation technique that can be used to prevent attackers from using PowerShell to carry out malicious activities on a system.

Option C, "Process creations initiating from WMI and PSExec commands," is an ASR rule that can be implemented to block malicious activity. This rule can be used to prevent attackers from using WMI (Windows Management Instrumentation) and PSExec (a tool used to execute commands on remote systems) to create new processes and execute code on a target system. By blocking these commands, organizations can reduce the attack surface available to attackers and prevent them from using these tools to spread malware or carry out other malicious activities.

Option D, "None of the above," is not the correct answer, as option C is a valid ASR rule that can be implemented and can be blocked.
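
The rule in option C can be checked and staged from PowerShell. The script below is an added example, not part of the original question or its reference material. It assumes an elevated session on a host where Microsoft Defender Antivirus is the active antivirus and where ASR settings are not already enforced by Group Policy or Intune; the GUID is Microsoft's documented ID for this rule.

```powershell
# Added example. GUID of the ASR rule
# "Block process creations originating from PSExec and WMI commands".
$RuleId = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'

# Numeric action values reported by Get-MpPreference.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$Id)
    $pref    = Get-MpPreference
    # IDs and actions are parallel arrays; either may be empty.
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) {
            $name = $ActionNames[[int]$actions[$i]]
            if ($name) { return $name }
            return "Unknown($($actions[$i]))"
        }
    }
    return 'NotConfigured'
}

$state = Get-AsrRuleState -Id $RuleId
Write-Output "ASR rule $RuleId is currently: $state"

if ($state -eq 'NotConfigured') {
    # Stage in audit mode first. This rule also stops legitimate WMI-based
    # management (the Configuration Manager client depends on WMI), so
    # review what it would have blocked before enforcing it.
    # Add-MpPreference appends; Set-MpPreference would replace the rule list.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
    Write-Output "Now: $(Get-AsrRuleState -Id $RuleId)"
}

# Event 1121 = rule blocked an action, 1122 = rule fired in audit mode.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId } |
    Select-Object -First 20 TimeCreated, Id, Message

# Once the audit events show only unwanted activity, enforce the rule:
# Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
#                  -AttackSurfaceReductionRules_Actions Enabled
```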