WMI. Another thing I completely despise. I hate how Microsoft hard-wired it into Windows.
It doesn't look like there is an ASR rule for WMI either (unless I am blind) and I really doubt the Win32 API calls rule will cover it... if anyone can confirm if it does/doesn't, would be appreciated.
@Andy Ful by any chance... do you know?
When I tested out the code injection and Win32 API call prevention, I was setting the rules by using the GUIDs in the Group Policy Editor.
I was following this as a guide to do it:
Use attack surface reduction rules to prevent malware infection
- Block Office applications from injecting code into other processes -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
- Block Win32 API calls from Office macro -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Those are the only rules I've tested.
The documentation doesn't actually tell you how to enable those ASR rules through Group Policy AFAIK; you can find the setting under
Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Windows Defender Exploit Guard -> Attack Surface Reduction -> Configure Attack Surface Reduction Rules.
My environment during testing was Windows 10 Professional, but I do not remember the build number; it was a few months ago.
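Added example (not part of the post above, and not Microsoft's documentation): the same two ASR rules the post lists, set from an elevated PowerShell prompt with the Defender cmdlets instead of the Group Policy Editor, then read back and correlated with the Defender event log. It assumes a Windows 10 machine with Microsoft Defender Antivirus and the Defender PowerShell module present. One caveat worth knowing before comparing results with the GPO approach: if a rule is also configured by Group Policy, the GPO value takes precedence and the local `Add-MpPreference` setting is ignored, which is why the read-back matters.

```powershell
# Added example: configure and verify two ASR rules from PowerShell.
# Run elevated. If the same rule is managed by Group Policy, the GPO value wins.

# The two GUIDs listed in the post, mapped to Microsoft's rule names for readability.
$rules = @{
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macro'
}

# Defender action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
# Audit first: the rule logs what it would have blocked without breaking anything.
$action = 2

foreach ($id in $rules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions $action
}

# Read back the effective configuration. Ids and Actions are parallel arrays.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i]
    $state = switch ([int]$pref.AttackSurfaceReductionRules_Actions[$i]) {
        0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown($_)" }
    }
    # Hashtable key lookup is case-insensitive, so GUID casing from Get-MpPreference does not matter.
    $name = if ($rules.ContainsKey($id)) { $rules[$id] } else { '(other rule)' }
    '{0}  {1,-8} {2}' -f $id, $state, $name
}

# Rule hits land in the Defender operational log:
# Event ID 1121 = rule fired in block mode, 1122 = rule fired in audit mode.
Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' -MaxEvents 200 |
    Where-Object { $_.Id -in 1121, 1122 } |
    Select-Object TimeCreated, Id, Message
```

Switching `$action` to `1` after reviewing the 1122 audit events moves the rules to block mode; the read-back loop then shows `Block` for both GUIDs, and subsequent hits appear as event 1121 rather than 1122.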