noid-privacy/Modules/ASR/Config/ASR-Rules.json


[
{
"Name": "Block abuse of exploited vulnerable signed drivers",
"GUID": "56a863a9-875e-4185-98a7-b882c64b5ce5",
"Action": 1,
"BaselineStatus": "Block",
"RequiresCloudProtection": false,
"Warnings": [],
"Description": "Prevents applications from writing vulnerable signed drivers to disk"
},
{
"Name": "Block Adobe Reader from creating child processes",
"GUID": "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c",
"Action": 1,
"BaselineStatus": "Block",
"RequiresCloudProtection": false,
"Warnings": [],
"Description": "Blocks Adobe Reader from creating child processes to prevent malware spread"
},
{
"Name": "Block all Office applications from creating child processes",
"GUID": "d4f940ab-401b-4efc-aadc-ad5f3c50688a",
"Action": 1,
"BaselineStatus": "Block",
"RequiresCloudProtection": false,
"Warnings": [],
"Description": "Blocks Office apps from creating child processes to prevent malware execution"
},
{
"Name": "Block credential stealing from LSASS",
"GUID": "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2",
"Action": 1,
"BaselineStatus": "Block",
"RequiresCloudProtection": false,
"Warnings": ["Produces a high volume of events - most blocks are safe to ignore", "Not required if LSA Protection is enabled"],
"Description": "Locks down LSASS to prevent credential theft (Mimikatz protection)"
},
{
"Name": "Block executable content from email client and webmail",
"GUID": "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550",
"Action": 1,
"BaselineStatus": "Block",
"RequiresCloudProtection": false,
"Warnings": [],
"Description": "Blocks executable files from being launched from Outlook/webmail"
},
{
"Name": "Block executable files unless they meet prevalence, age, or trusted list",
"GUID": "01443614-cd74-433a-b99e-2ecdc07bfc25",
"Action": 1,
"BaselineStatus": "Missing",
"RequiresCloudProtection": true,
"Warnings": ["Requires cloud-delivered protection", "May block legitimate software - test thoroughly"],
"Description": "Blocks untrusted or unknown executable files based on reputation"
},
{
"Name": "Block execution of potentially obfuscated scripts",
"GUID": "5beb7efe-fd9a-4556-801d-275e5ffc04cc",
"Action": 1,
"BaselineStatus": "Block",
"RequiresCloudProtection": true,
"Warnings": ["Requires cloud-delivered protection"],
"Description": "Detects and blocks suspicious properties in obfuscated scripts (JavaScript/VBScript/PowerShell)"
},
{
"Name": "Block JavaScript or VBScript from launching downloaded executable content",
"GUID": "d3e037e1-3eb8-44c8-a917-57927947596d",
"Action": 1,
"BaselineStatus": "Block",
"RequiresCloudProtection": false,
"Warnings": [],
"Description": "Prevents scripts from launching potentially malicious downloaded content"
},
{
"Name": "Block Office applications from creating executable content",
"GUID": "3b576869-a4ec-4529-8536-b80a7769e899",
"Action": 1,
"BaselineStatus": "Block",
"RequiresCloudProtection": false,
"Warnings": [],
"Description": "Prevents Office from saving malicious components to disk for persistence"
},
{
"Name": "Block Office applications from injecting code into other processes",
"GUID": "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84",
"Action": 1,
"BaselineStatus": "Block",
"RequiresCloudProtection": false,
"Warnings": ["Requires restarting Office applications after configuration"],
"Description": "Blocks code injection from Office apps into other processes"
},
{
"Name": "Block Office communication application from creating child processes",
"GUID": "26190899-1602-49e8-8b27-eb1d0a1ce869",
"Action": 1,
"BaselineStatus": "Block",
"RequiresCloudProtection": false,
"Warnings": [],
"Description": "Prevents Outlook from creating child processes (social engineering protection)"
},
{
"Name": "Block persistence through WMI event subscription",
"GUID": "e6db77e5-3df2-4cf1-b95a-636979351e5b",
"Action": 1,
"BaselineStatus": "Block",
"RequiresCloudProtection": false,
"Warnings": ["If using SCCM (CcmExec.exe), audit for 60 days first"],
"Description": "Prevents malware from abusing WMI to attain persistence"
},
{
"Name": "Block process creations from PSExec and WMI commands",
"GUID": "d1e49aac-8f56-4280-b9ba-993a6d77406c",
"Action": 1,
"BaselineStatus": "Audit",
"RequiresCloudProtection": false,
"Warnings": ["INCOMPATIBLE with SCCM/Configuration Manager", "Security Baseline uses Audit mode", "Only enable Block if NOT using SCCM"],
"Description": "Blocks processes created through PsExec and WMI (lateral movement protection)"
},
{
"Name": "Block rebooting machine in Safe Mode",
"GUID": "33ddedf1-c6e0-47cb-833e-de6133960387",
"Action": 1,
"BaselineStatus": "Missing",
"RequiresCloudProtection": false,
"Warnings": ["New rule (2024) - not yet in TVM"],
"Description": "Blocks commands to restart machines in Safe Mode (ransomware protection)"
},
{
"Name": "Block untrusted and unsigned processes that run from USB",
"GUID": "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4",
"Action": 1,
"BaselineStatus": "Block",
"RequiresCloudProtection": false,
"Warnings": [],
"Description": "Prevents unsigned/untrusted executables from running from USB drives"
},
{
"Name": "Block use of copied or impersonated system tools",
"GUID": "c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb",
"Action": 1,
"BaselineStatus": "Missing",
"RequiresCloudProtection": false,
"Warnings": ["New rule (2024) - not yet in TVM"],
"Description": "Blocks executables identified as copies/impostors of Windows system tools"
},
{
"Name": "Block Webshell creation for Servers",
"GUID": "a8f5898e-1dc8-49a9-9878-85004b8a61e6",
"Action": 1,
"BaselineStatus": "Missing",
"RequiresCloudProtection": false,
"Warnings": ["New rule (2024) - not yet in TVM", "Server-focused but safe on clients"],
"Description": "Blocks the creation of web shell scripts on servers"
},
{
"Name": "Block Win32 API calls from Office macros",
"GUID": "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b",
"Action": 1,
"BaselineStatus": "Block",
"RequiresCloudProtection": false,
"Warnings": [],
"Description": "Prevents VBA macros from calling Win32 APIs to launch malicious shellcode"
},
{
"Name": "Use advanced protection against ransomware",
"GUID": "c1db55ab-c21a-4637-bb3f-a12568109d35",
"Action": 1,
"BaselineStatus": "Block",
"RequiresCloudProtection": true,
"Warnings": ["Requires cloud-delivered protection"],
"Description": "Extra layer of protection against ransomware using client and cloud heuristics"
}
]