IronSights

Detection & response

Attack Surface ReductionASR

A set of Microsoft Defender for Endpoint rules that block common attack techniques — such as Office macro execution of child processes, credential dumping, and malicious script execution — at the endpoint level.

Also known asASRASR rulesattack surface reduction rules

In plain English

ASR rules are pre-built guardrails in Windows that stop common attack techniques before they can do damage. They include blocking Office applications from spawning executable processes (a key ransomware delivery vector), preventing credential dumping from memory, and stopping scripts from running from suspicious locations.

Full definition

ASR rules ship inside and are toggled through or Group Policy. They target techniques attackers use repeatedly because they work: Office applications spawning child processes (a classic delivery path), credential dumping from LSASS memory, scripts executing from locations Windows considers suspicious. Each rule can run in audit mode first, so your IT team sees what would have been blocked before committing to enforcement.

These controls act before a payload executes. A lands, the user opens the Word attachment, the macro tries to launch PowerShell. With the right ASR rule enabled, that process spawn never happens. The ransomware never gets its foothold.

Most Australian SMEs running Business Premium already have the licensing to enable ASR rules. They rarely have them switched on. An IronSights Fortify deployment configures and monitors these rules as part of the endpoint hardening baseline, mapping directly onto Mitigation Strategy 3 (application control) within the framework.

Keep learning

More terms in the IronSights Glossary.