Would you like to learn how to configure attack surface reduction (ASR) rules using PowerShell? In this tutorial, we will show you how to use the command line to add an ASR rule to block process creations originating from PSExec and WMI commands.

• Windows 2012 R2
• Windows 2016
• Windows 2019
• Windows 2022
• Windows 10
• Windows 11

Tutorial PowerShell ASR - Block process creations originating from PSExec and WMI

Start an elevated PowerShell command line.

Add an ASR rule using PowerShell.

In our example, we add a rule to block process creations originating from PSExec and WMI commands.

There are multiple actions available.

The WARN mode blocks the execution and presents a warning window to the user.

List all configured ASR rules.

Here is the command output.

Restart the computer to enable the ASR rules.

Optionally, restart the Defender real-time protection to enable the ASR rules.

To test the ASR configuration, try to create a process using WMI.

List events related to ASR rules.

Here is the command output.

Disable the ASR rule using PowerShell.

Remove the ASR rule using PowerShell.
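
The steps above as one worked sequence. This is an added example, not the tutorial's original commands: the rule GUID is the one Microsoft documents for this rule, the helper function names are hypothetical, and starting in audit mode before blocking goes beyond the tutorial's single add step. Run the numbered steps one at a time in an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example, not the tutorial's original commands.
# GUID documented by Microsoft for "Block process creations originating from PSExec and WMI commands".
$RuleId = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'

function Set-AsrRuleAction {            # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Id,
        [Parameter(Mandatory)][ValidateSet('Enabled', 'AuditMode', 'Warn', 'Disabled')][string]$Action
    )
    # Add-MpPreference leaves the other configured ASR rules in place.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Id -AttackSurfaceReductionRules_Actions $Action
}

function Get-AsrRuleState {             # hypothetical helper name
    # Pair each rule ID with its action: 0 = Disabled, 1 = Enabled, 2 = AuditMode, 6 = Warn.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        [pscustomobject]@{ RuleId = $ids[$i]; Action = $acts[$i] }
    }
}

function Get-AsrEvent {                 # hypothetical helper name
    # Event 1121 = rule fired in block mode, 1122 = rule fired in audit mode.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id = 1121, 1122 } -MaxEvents 20 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $RuleId } | Select-Object TimeCreated, Id, Message
}

# 1. Start in audit mode so the rule only logs, then confirm the setting.
Set-AsrRuleAction -Id $RuleId -Action AuditMode
Get-AsrRuleState | Where-Object RuleId -eq $RuleId

# 2. After the restart the tutorial calls for, ask WMI to create a process and read the ASR events.
try {
    Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = 'notepad.exe' }
} catch {
    Write-Warning "WMI process creation failed: $($_.Exception.Message)"
}
Get-AsrEvent | Format-List

# 3. Switch to block mode once the audit events look as expected.
Set-AsrRuleAction -Id $RuleId -Action Enabled

# 4. Roll back: disable the rule, then remove it from the configuration.
Set-AsrRuleAction -Id $RuleId -Action Disabled
Remove-MpPreference -AttackSurfaceReductionRules_Ids $RuleId
```

Microsoft documents this rule as incompatible with management through Configuration Manager, whose client relies on WMI commands, so check for that agent before moving from audit to block mode.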

Congratulations! You are able to use PowerShell to configure an ASR rule to block process creations originating from PSExec and WMI commands.