From 1d526e25f9f6be1a756898a7d0771c7ea045e4db Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Fri, 11 Aug 2017 19:19:25 -0700 Subject: [PATCH] add asr eval --- ...d => evaluate-attack-surface-reduction.md} | 129 +++++++++++++++++- .../evaluate-controlled-folder-access.md | 70 ++++++---- .../images/asr-test-tool.png | Bin 0 -> 16822 bytes .../scripts/asr-events.xml | 21 +++ 4 files changed, 185 insertions(+), 35 deletions(-) rename windows/threat-protection/windows-defender-exploit-guard/{evaluate-asr.md => evaluate-attack-surface-reduction.md} (63%) create mode 100644 windows/threat-protection/windows-defender-exploit-guard/images/asr-test-tool.png create mode 100644 windows/threat-protection/windows-defender-exploit-guard/scripts/asr-events.xml diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-asr.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md similarity index 63% rename from windows/threat-protection/windows-defender-exploit-guard/evaluate-asr.md rename to windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md index 64162a6604..49dc3eb9e9 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/evaluate-asr.md +++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md 
@@ -13,16 +13,131 @@ author: iaanw ms.author: iawilt --- -# Attack Surface Reduction +# Evaluate Attack Surface Reduction rules + + +Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard [that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines](attack-surface-reduction-exploit-guard.md). + +This topic helps you evaluate Attack Surface Reduction. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organisation. + +>[NOTE] +>This topic uses PowerShell cmdlets to make it easy to enable the feature and test it. +>For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md). + + +## Use the demo tool to see how Attack Surface Reduction works + +Use the **ExploitGuard ASR test tool** app to see how Attack Surface Reduction rules are applied in certain key protection and high-risk scenarios. These scenarios are typical infection vectors for malware that use exploits to spread and infect machines. + +The tool is part of the Windows Defender Exploit Guard evaluation package: +- [Download the Exploit Guard Evaluation Package](#) + +This tool has a simple user interface that lets you choose a rule, configure it in blocking, auditing, or disabled mode, and run a pre-created series of actions that would be evaluated by the rule. + +You can also set advanced options, including setting a delay, choosing a specific scenario, and how to view a record of the events. + +When you run a scenario, you will see what the scenario entails, what the rule is set to, and what actions were taken. 
+ +![](images/asr-test-tool.png) + + +### Rule 1 + + + +### Rule 2 + + + +### Rule 3 + + + +### Rule 4 + + + +### Rule 5 + + + +### Rule 6 + + + + + + + + + + +## Review Attack Surface Reduction events in Windows Event Viewer + +You can also review the Windows event log to see the events there were created when using the tool: + +1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. + +2. On the left panel, under **Actions**, click **Import custom view...** + +3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [download the XML directly](scripts/asr-events.xml). + +4. Click **OK**. + +5. This will create a custom view that filters to only show the following events related to Attack Surface Reduction: + + Event ID | Description +-|- +5007 | Event when settings are changed +1122 | Event when rule fires in Audit-mode +1121 | Event when rule fires in Block-mode + + +## Use auditing mode to measure impact + +You can also enable the Attack Surface Reduction feature in auditing mode. This lets you see a record of what apps would have been blocked if you had enabled the feature. + +You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the rules will fire during normal use. + +To enable audit mode, use the following PowerShell cmdlet: + +```PowerShell +Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode +``` + + +>[!TIP] +>If you want to fully audit how Attack Surface Redurction will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md). 
+ + + +## Customize Attack Surface Reduction + +During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature. + +See the following sections in the main [Use Attack Surface Reduction rules](controlled-folders-exploit-guard.md) topic for configuring the feature with MDM policies, PowerShell, the Windows Defender Security Center, Group Policy, Intune, or System Center Configuration Manager: + +- [Exclude files and folders](attack-surface-reduction-exploit-guard.md#exclude-files-and-folders) +- [Configure rules individually](attack-surface-reduction-exploit-guard.md#configure-rules-individually) + + + + + + + + + + + + + + ## Attack Surface Reduction rules -Component | Configuration available with | Event ID | Corresponds to… --|-|-|- -Attack Surface Reduction (ASR) | GP & MDM | Provider: Windows Defender | -| | | Event when settings are changed | -| | | Event when rule fires in Audit-mode | -| | | Event when rule fires in Block-mode | + ### Audit/block modes diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md index d06826fae9..4512197267 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md +++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md 
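Review bot: the "Customize Attack Surface Reduction" section links the text "Use Attack Surface Reduction rules" to controlled-folders-exploit-guard.md, while the two bullets directly under it point at attack-surface-reduction-exploit-guard.md; the link target should be the ASR topic, not the Controlled Folder Access one. In the same hunk: `>[NOTE]` needs to be `>[!NOTE]` to render as a callout (the file already uses `>[!TIP]`), the download link is still the `(#)` placeholder, the six `### Rule 1` … `### Rule 6` headings have no body text, and "Redurction", "individualy" and "organisation" (the rest of the topic uses "organization") need spelling fixes. Also worth confirming that `Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode` works as written: the topic says rules are configured individually (see the "Configure rules individually" link), so the audit-mode example probably needs the matching `-AttackSurfaceReductionRules_Ids` argument alongside `-AttackSurfaceReductionRules_Actions`. Finally, removing the old component/event table leaves `## Attack Surface Reduction rules` as an empty heading directly above `### Audit/block modes`; either give it content or drop it.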
@@ -21,10 +21,14 @@ Controlled Folder Access is a feature that is part of Windows Defender Exploit G This topic helps you evaluate Controlled Folder Access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organisation. +>[NOTE] +>This topic uses PowerShell cmdlets to make it easy to enable the feature and test it. +>For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Controlled Folder Access topic](controlled-folders-exploit-guard.md). -## Use the File Creator tool to demo Controlled Folder Access -Use the File Creator tool to see how Controlled Folder Access can prevent a suspicious app from creating files in protected folders. +## Use the demo tool to see how Controlled Folder Access works + +Use the **ExploitGuard CFA File Creator** tool to see how Controlled Folder Access can prevent a suspicious app from creating files in protected folders. The tool is part of the Windows Defender Exploit Guard evaluation package: - [Download the Exploit Guard Evaluation Package](#) 
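Review bot: `>[NOTE]` needs the exclamation mark (`>[!NOTE]`) to render as a callout, matching the `>[!TIP]` used further down in this file. The context line below the new heading also still carries the `(#)` placeholder for "Download the Exploit Guard Evaluation Package", so the procedure that follows depends on a tool the reader cannot get from this page.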
@@ -33,25 +37,22 @@ This tool can be run locally on an individual machine to see the typical behavio You can enable Controlled Folder Access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders. -1. Open the Exploit Guard Evaluation Package and copy the file *Filecreator* to a location on your PC that is easy to access (such as your desktop). - >[!TIP] - >You may need to change the extension in the filename from *Filecreator.rename* to *Filecreator.exe* -2. Open the **Local Group Policy Editor** by typing **Edit group policy** in the Start menu. +1. Type **powershell** in the Start menu. -3. Under **Local Computer Policy**, expand **Computer configuration** > **Administrative templates** > **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled Folder Access**. +2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt. -4. Double-click the **Configure controlled folder access** setting and set the option to **Enabled**. In the **Options** section select **Enable**. +3. Enter the following in the PowerShell window to enable Controlled Folder Access: + ```PowerShell + Set-MpPreference -EnableControlledFolderAccess Enabled + ``` ->[!IMPORTANT] ->To fully enable the Controlled Folder Access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. - -![](images/cfa-gp-enable.png) +4. Open the Exploit Guard Evaluation Package and copy the file *ExploitGuard CFA File Creator.exe* to a location on your PC that is easy to access (such as your desktop). -4. Run the tool by double-clicking it. If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**. +5. Run the tool by double-clicking it. 
If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**. -5. You'll be asked to specify a name and location for the file. You can choose anything you wish to test. +6. You'll be asked to specify a name and location for the file. You can choose anything you wish to test. ![](images/cfa-filecreator.png) 
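Review bot: the removed TIP about renaming *Filecreator.rename* to *Filecreator.exe* is replaced by a step that copies *ExploitGuard CFA File Creator.exe*; please confirm the evaluation package now ships the tool with an .exe extension, otherwise step 4 sends readers looking for a file that is not in the package. The hunk also drops the `![](images/cfa-gp-enable.png)` reference; if nothing else in the repo references that image it should be deleted in the same patch. Enabling Controlled Folder Access in step 3 before running the tool in step 5 is the right order, since the tool only demonstrates anything once the feature is on, and it would help to say so in one sentence.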
@@ -59,18 +60,26 @@ You can enable Controlled Folder Access, run the tool, and see what the experien ![](images/cfa-notif.png) -8. You can also review the Windows Event log to see the events there were created: - 1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. - 2. On the left panel, under **Actions**, click **Import custom view...** - 3. Navigate to the Exploit Guard Evaluation Package, and select the file *cfa-events.xml*. Alternatively, [download the XML directly](scripts/cfa-events.xml). - 4. Click **OK**. - 5. This will create a custom view that filters to only show the following events related to Controlled Folder Access: +## Review Controlled Folder Access events in Windows Event Viewer + +You can also review the Windows event log to see the events there were created when using the tool: + +1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. + +2. On the left panel, under **Actions**, click **Import custom view...** + +3. Navigate to the Exploit Guard Evaluation Package, and select the file *cfa-events.xml*. Alternatively, [download the XML directly](scripts/cfa-events.xml). + +4. Click **OK**. + +5. This will create a custom view that filters to only show the following events related to Controlled Folder Access: + +Event ID | Description +-|- +5007 | Event when settings are changed +1124 | Audited Controlled Folder Access event +1123 | Blocked Controlled Folder Access event - Event ID | Description - -|- - Event when settings are changed | 5007 - Audited Controlled Folder Access event | 1124 - Blocked Controlled Folder Access event | 1123 ## Use auditing mode to measure impact 
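Review bot: "the events there were created" should read "the events that were created" (the same sentence was copied into the ASR page in this patch). Separately, 5007 is listed as the generic "Event when settings are changed" in both the ASR and CFA tables, so this custom view will also surface settings changes unrelated to Controlled Folder Access, including the `Set-MpPreference` changes made on the ASR page; a short sentence saying so would help readers interpret the view. Moving the event ID into the first column fixes the swapped columns of the old table, which is good.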
@@ -78,18 +87,23 @@ As with other Windows Defender EG features, you can enable the Controlled Folder You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period. -To enable audit mode, see the GP option to **Audit Mode**. +To enable audit mode, use the following PowerShell cmdlet: + +```PowerShell +Set-MpPreference -EnableControlledFolderAccess AuditMode +``` ![](images/cfa-audit-gp.png) >[!TIP] ->You will need to use a GP management tool, such as the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), to deploy this policy change to see how Controlled Folder Access would work in your network. +>If you want to fully audit how Controlled Folder Access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [Controlled Folder Access topic](controlled-folders-exploit-guard.md). ## Customize protected folders and apps During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files. 
-See the following sections in the main [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) topic for configuring the feature with the Windows Defender Security Center, Group Policy, or mobile device management (MDM) policies: +See the following sections in the main [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) topic for configuring the feature with MDM policies, PowerShell, the Windows Defender Security Center, Group Policy, Intune, or System Center Configuration Manager: - [Protect additional folders](controlled-folders-exploit-guard.md#protect-additional-folders) - [Allow specifc apps to make changes to controlled folders](controlled-folders-exploit-guard.md#allow-specifc-apps-to-make-changes-to-controlled-folders) 
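Review bot: `![](images/cfa-audit-gp.png)` is kept directly under the new `Set-MpPreference -EnableControlledFolderAccess AuditMode` example, but the sentence it illustrated ("see the GP option to **Audit Mode**") is gone, so the Group Policy screenshot now appears with no text explaining it; either move it next to the Group Policy mention in the TIP or drop it. In the TIP itself, the continuation line "You can also use Group Policy, Intune, MDM, or System Center Configuration Manager…" lacks the leading `>` and will render outside the callout; the ASR page in this patch has the same problem.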
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/asr-test-tool.png b/windows/threat-protection/windows-defender-exploit-guard/images/asr-test-tool.png new file mode 100644 index 0000000000000000000000000000000000000000..569ee7a256827779434b711c4749f5f598468eae GIT binary patch literal 16822 zcmeIacT`hrw=NzVD2T`wL_k1Ax)7x*RYj#qFQG?NdMDJ-Y`{hYw$u#>NGCuDJ%mt1 zM5Om11PH~@0z^te2_$#1&pE%}xZn8B9ryox7-T@^Dp~Jb@0!mu=QH2L80u@XvGB5h zKp-}4tw+Wn(1{t~wR@HcuyCoWsRDn_d23n1K%fiXj$bEIBros*MrJ>4y~oURXV0HJ zD|$vXZ2KS6V++3r{(jD0z92+JuNGiB?+2J3Ilx}{x_JA!czJ>@ox3gs*jbM48eZPP zzAjGAexP#pUM0YK;UBB7gZ=TY*Zf>O96<8B?B{?j=Z?3Scscq7+WR_yY`q!ByR-gt zau?VOcY9!0Ul96BZ319Edu)c-`+B-~I)T3MEk*-2=Kna}-}i+Bh{AYF`mfzIygWP{ zJpDk_-qcpW#&o=!sf(Yx1E^$USQG@h2GV}?z%=O7`gDXl-_q+1nx_7Tf(Hurz9Db3 zSveEMv1>-tp9`;E#$Wy7U0sm%gZcIu$uqvM_&TsLT_B?v_qwzAlTokT>q@{j-ydi+ zs*y^x#(&27_Hw!jUyk{9v9j;ErEZ&^t%q69i*p_U1Jea;>jm14@kmFVn05gnZ%<1b^Rq@^28e9F&prWVBoQg|1GvVgD=8}q( z@(n4Ek>-I?t2*5!+(yTduh&?dTl_e6z^ii$Z?e#GvQnh4zu)}OI<7xkwM@Nvx7Een z-F@f<@N+N{!pH=y_(6XhR}(POZTiiX1%nC~YEta5=8`-uI$~@s`clTxGL#aXP<94& zGt4$-8>UQLKBYVHj@N@;6s|y%4TIH~Du9Zz$C|C}hBbuOgZ)YG`W36RH*{!3GmkhA zqn_cGlv_QgG?ylS2We-9I|kkWl?P{KWgRT#9F64tmU_3L&REN_Nr*}-t;k)>%=uYp zP~kDyIc~MHS;yA69YN2Rj@Uu$L_=Mu>I{t!~#~ z%gm)n#d~MDTOP4|f?qXf5F>?JuFGdHNhj!mX5ps1EsVpOh{S@T$O_XX4l;9&r{NM~ zJ8*T4=4N{^8otUbXgjthC{mCRj!ZSUwUWS)wxwx7P}0Id#XD=w!W!wQ^}wi*ETPfy z#i%#7(aPNCxd-^gF30;qN9d`{6rpCs&(zB_Enim)aPxixwV`P8tI)4~hPszleZxa+ zFa2n@w9ui|&U&yuB%N};52`@CHGN{8*up7huyxv?iUdwo}GL{o&lF90j^D$gSxol$loH$i$e>>lLO=#S* zcnZVJooy0&UsE?)pLGEbB@bRM{$^t_7NF)k^VeEJws>%VrqcN4i@tt=u~V#*)ECVK zf@42*W6@PFwGPcz(&t%p50=L|Df!ISJAa0+C5PB}eZSBb={FW$ieo}Afzh5IVg*uc zH@XhdGJCYcWE)QNu%&n44`xgGn=%8khq)QFvPR`lD|$AEznWZLf3(bMsB=LSukL_@ zfPa*c;NTFXkl9)w*-q6;ruM*JIDGBh??tawY(gs{CQ|fSaX1ntanILZ64IXuTY@P@ zY&-P__whE@6M}_Q8m>KUt%z<^7^qt(oujB5T66}wp$Lew7qKP=E8MBf5e15|d=|r+ z>}x{{g`|jQ2?FEyj^H{yq~fpj4XP0s|5GLKkHfAl7A{B$)ne<7PhLV}{7sDC35*hk 
z|E6LiFiO|OqxyM58DlfJc`K8lYg{AR|MxIzK)$lE4?2i@C^j~o?Bq{=J6u*%laZy0 z`Zmt@vtnK;iZYyOO^KY}U+T=F+>6j_mS6+n(2?B67+dc#G5<3thA2aKH#^8Og1QS{ zX>HwMPb@G%*^F^B63oM>Mdr5H`7s6^t=r?CDEm!?R=V?S?y&G?Ga@Z2>!qKvD0ZK9 zvUGpxVa~o$Aq;(ny+r+bM}2YyYV@*yX!Ea<^*YF6y!(K`a^Kh6l+j8%_=p2nX6t99 z*LT0=x`!j#2%i$nZ9mf0BW3(vukUxyv?&95m1A$bdf*8GE6RqFSZ3DoXzqlUtc;@s z#!+tgZtjj3S(iZ|SF92uLNM{b-P^2Ro^gVX)a)pjF)@wCRpUKguPdM|SltLw56$G3bjG1)3KDA&`S~ zy^;<00uS3PwH5D15PMF7K-PV2J+@IGkVQ+>)Xm&|fx#im{y$EFa4immn*7$#iUjKT;{{iQG3i$?~qFU((I*KPi-uw*=I?YWQTk#f> zSPwwaupS6h{=#V>8(F5J(FX!usg-!E$hZAtLHw{I*>;8L1ZeP@-r1S*=h?%vFB|O^w(8%IN>bw;3flqRvIDdC32k9b6_HCll6$zmS>O+Pxk)@_D@!tFDVvCHs?x zvlGF-+Zy!~G~$Q(?So*Rxu$1)=A>P;>?V_kS9^K=0GedI{U)%oQ;nC>Id&%*qBivT zXI-L_TuI`!U00{O*IW$S%@P9-<_nbk?Yy4qW`t{Oaj7{=ge`!N2F03Q_lwPh**Luy zoPv3k2MaD1`e((Y*=|_bC5|GbGIh$F%}CU@ynM+%u5KN&rF%e#|RjmFy{8W%d3 z>L>Oq15vG^jM32?`Kyn!VglX5TYerXuUjRAFw&^7xcFSzT zdRjNFZ0-A)O$(iF^Yx?a(uuhKUS~%~Q)ZDIlRBF~!i+CDHrT*)w<+v*C6m({_@k`s zsmbg2!c2lT-hg=>b{BX$&;wySS?TFRU*cKT%W3`_)iZF?y-N`C%iJ8@dbDxtSe4!G z_**>f>yf|lE@@wBlZy8OuT)vd?_VW1Fr6HJW^k$Esq|@Vr%;3nWP2nOi(WqD8v#5s z$tiKmpY~lHxiH;4{48B@@aF^7;`V;#-GXdoH7Py8ag*YJw9rb5lGn2A`(4+Kw@w=) zdG5iqzDir>&hLKSv?)I4&MzMvpRkwIz&7+$D>YKGy0minCporOOz#8>XWcE?Hc%p^ z@ON)eu!0nQyyofY&f>zA*o++yW9ve=%|Wa3C5dn`^S;p_IYXf=`No@qR}cR-$efhm^qHPvA+u^1p0M;OaP0gt)uIeDWe$5A5R5(w63M^B z&MqC^2bly@n))T1!&ebbBbWW-Q$mNb+?@Br%V5o11SoNao9oH_)eu#vpxWVYjpn`i z*zT7yu>w6WW#F3~+?2U!L1{OBJptEjWnR@}_q9T^*ROq+=8>4zj0>fT)5TIt39BUv zE}cbE!~3xt4#k8)asEMibxs;PNqb47(1V~2O!=Y}MSX2785ZR`=||Ym*R%VSTC0&8 zZBT;tr+>_{4yI|jn=&gY`#-ClVzyrYG?fzY?w2y<`;<4#$sRjd+lBttEj&*D#OI2y zc>BVv^yjd+c4LrTqVy!g`vPT}WI4qE-o6lp#}Z~k3_h4mHG57`V`+4Mlkir^=qq}8 zNsu3|tm_m_vZcZXjh?5?zk^$c6t+b|S%6FE{b+}8X`c*p#aaQjua|773p*X!{;3yE zn7I|35=c$Mq~dJ&Bz5IiZ<11LSldvob*q$pvwt(#W|RSMQJaF3kV@XOuc{~3ntu1a zl<9V?IezQeOu;!I^H-LFnuo$EI^7)!cQu>)JIv2a{0(O!A-s#fz8*esb&AMFue3-d zWsJ@%ddsd~`Fp6h*M3DjiTmy+qs2#ar%({l?r>J95-@tTiY0x{sLPuEpKE+oJu*Wx 
znu4Biqg4>115S%kgw=9QW1k;EbB4ck5KgU%rRtIr_mo1m4yhtn=Tyq01p4+OI!Ql`WnQvh$G=u7$qt4{hj8_AN|#7rsxk37l4dlK zyO7^%>$nH}$jx?yN0Pydj{I(y38w#qS~jf{s@1bD*yhpBtQD$#oZedynmL(jKG2pg&0Rej zZdQyBw;ZNdyM00v%IcgZjwY^E;H`;a9K2V?HcaXw57L8BazVzTImvKV1Mi6hkKJ|i zrI?OlDPF2t>D~b%KRZ~#MfduZ=>rdOlE)X4{R(P{q~WrsAmdk9)H`<7^hORO?`4c) zhLM_;)y>?{mfAWT>z*C%ggDj12H#2lEbR z!bD^d)3hZCcdQqBXOu6a1vPV^i&r04&-FFPX)0N%r`1~H*Vk87KA-9^(It|2epYF> zTq-Uw!XlGI3#MtrP{Wk6&c}E)ezig5IuhCcMxXzRDxwj5HV~gsLF@6r0&zq&bu>r1 zN3n~?wH}X(W|ptXH&*q;Td#)!7cR=o<>g_v``RdL%4ys>NRO-AOKHXf`cCeeHqCz) zvko9=X%cOUx}cVIRRx7xM=DvAAdHoZCH>tofaKMjNh=lG2+@pjpX!c5a>P5|2GaEtOx=X-5xy;diCHm7^p08Gyx>z(eIO> zXBXR8|I3J^&GvoQ*_co!)0?kHt~NxI6D_(X$LGxJvz2%^n<$Q|RE>P7WSODD<;2bf zqg&WvDTI;G3`r9CaorWCP=RYH8);;pd3FO8s)h;;*J@rJGo0CHm^K_gvJ8%@qTEu0fR=07dwt%>iAB$*4ZkvstpL>#q;CHTYb0bEZTlJ;n31H-Al$ z9LH~jS0Uag_Ulq)ip>GcXxjH6n9FKcvnfT-^&8LdR?tIgrFoa4q@?ARg>PG+lqAAX ztjJ<+zmV{~J50GI@qHvq`_vt&@`}N1p^k&+R&w3-pX28j%mX|zq6HQK_C(8$hp-+= z&$OEkFIa+AwrPdKaGSI=!lExJ&?~9%<;@BkY3YbugXx1dWGLpyhNLDA5#h_k6U>dT zCyX$m54tG>U&poPD7BUAp0vFFah-jSGLKfSdMVEL;`dO3W#r5Pvrd?>wq?g*zpug5 ziD0rUjWIoG9t4g`v~;p1&akH7Evn*uX?c?$EedxXS72$=UXdFxw}r3p%e#-o63r`~ zLb;%XZVB@ZLItW$1~ueJ+2)0XF?)GFOtKXZSq?7IxD>q@0lFH4Z@1mwtQ48oyd2R$ z6!}Hc5m#6He7}RsQs>F=Rw3XBwL&2WyGNLFT`mJbK@U~8^}Q#&?otxKK~u&u!$Ohk z#Qn{1glOKc$gd;S?;|gCrFDyO?BMEc+uq4UUI$J+0+uFKNl1aweMB4-p=bBlE<2S)FL3E^vf+BA1vlez1J z0{UoixHa~`=aDk^I$s*aJj`>mqxf4xjY^K;U~mOWvM{v8z=UgZk<=rmu6C`1T|11Y zxb=xEzPN65t{!YN)=1_XI(Ab;b8-ZGFU6^}^~I)0P@u%szXy|r#g)q+u({qXn=g43 zl2V@*7N^jZGoDQfDY*3>>&wuQHekq*NU&s~n zE17h~xTPVRx4uV5;EHf}QdNDwdqG^V+)zPs_hmDREA{Y~hEfW}phD6w<6C@@epU>t$6ReG39}lVT0#&U0w(gxZ_-t(iNDnaQQnaqrV?nDCcL6-MLfvYxJFx z0=J!E+|*Lv#?sj9S^pHX-b=>D4<26l=f$f{Gz3KQQ4)AX6iVv(#6irlV^>}2hU^;ceRxh6hqf*lutXDy4XDw=p;l?nn- zHQCyI^;B@R(-m@=)>k;z@=@q;b2QccDogo^tSv} z+6v6pdL0@}{K%R_3Ptc%k<-SWq=gwFn~5`-Y;GemlNJ@~Jt?dK2qA&-M?u9+ETv^a z$e>0I+cpUg)DEx5s6x5XX;j(g1169#g!X+dyc!GW+BA*Uskm zMNtK{gqCO5WDwq^Q{JoZhB;_?CnJ=~H-lRXD^Hn5AF>KS4bhCh(zL^nj(P|@uF+CQ 
z9i=Lj6MOiQ3W=x*Da4-ueQDeU@XO~L06N2FL$}0pRm$-I4t_eR(Rc4Q07B?YiBvYOiXY{ zF{mAYX2*3gjvnsUws^~-njlmR;b_1OLOsV-jW))<8hbWGJN3mMSs^r&p?<#!%ZcN# z{Xw^CJv2^hQt|?$^(B$y73V<`Co3s?C)g6Vzu$vz{T#wVjG)7grpQC+*c5`S;s;xU z%vW4rxHUkm@(v}ITdt73v`I$Tif%;8Uo36do6Wr4%I!mdUw!mw{HQ>P#le2sDAy;n zp?#ROW;IoQ0Jl;bPA`<&O0~8Vix~JEl@nO;anb1s=#_j$@FnM<9K(R2kEIZUt4G;8 zVXZ0x35P3{-!HYzZ$YU)dv+OCRKuDk`26x;$@OU=REE`DK5QuvpgwN@=niWrx?|wj z8*=lmz>>*pC0llKCUB#&$})_GCTg7a?|oc|HOP71tpy?t?)dnl>r4G-py+ugUQ?$) zbUe6N+GZSJP$ZN8NVC81^YQPvY+)8M?2H|pI0@l8Sk0`13uGK(rs0Dl88|^8xbDb8 zFT>AF7E~_nq5N=*;^=2&Y~5^--BQxkKRpQzdX87i`sDJG7vMQm6sZ{>$;eTw*w|=@@5FMm>!GKMrB(&Tv3 zo}ay~H0kaoFpofBsxomQaw{?bT#{)-u8W*KQ>hlmKT1u6HQ{rTvQ?T;TSFT^3;Lrk z;M=>lql)mgF8+a<#r)yWAV@F9)XZ z_&`5HW;sM}hwH!u@<@4dEy8P3hEY||KdI@I48`+Z3;UXFfQ5aFF?_`M&!;akx{s?PzJKM(k z?8ptD8)k6ecVpylq4s+I>#8aNb}6t!d$v@YDS26#F--xJQU{)y+$wNCcpWAXFDge`d?~vvbd-|ARWA;Q?J$pz=vi7%OC&>FUO|P>^0LS%EVMwY95P27`bs zK@D{n)EXLn$RaHDl^s+mBCiq@aWInON}g#>T)SQpq$1r@?MLk9vP>-uQmJrPkkp>U z2BPeOi7AtkyG&eqY+5TEmdDA0SfIp7P`Nl8`wV&pt_!72j^EVQOc0Q=Ui?}0BC!A{ zvaYP72^C&vX8Klt=&e5N;y|UG?_+x`n)PDVz5M0hN(C16hHVA$-#%^S{$0&VLIY`o zN=GN_Sc)|J6fqV;r@GY zH1aFM$^Yg|Zf>aEe-QDt+iW7q;unmf<$Zqer1tA+*@_dlgX5w_M=wdn+39v^S+yi@ zHzgaaXc?#85*G47MA+*D0Rx`o#B-hk1MNbr!uovD9i$ zIkSGkmE2!>as`3e{)YQ=81uKlB{3L7sk9Y=$J}@3_Z2mH*F0~ivG3RnQUf$C&H?Q zo(%h@Y^Z5SozxuYX#J44K9+L^bYF@${2SJ3K%n{eS5}tDhX*z4fRafLA&gYL=-kO9 z96mW7ALZwZ1aVH572wf=?-SD~%lQd7J4}k1%pVZV2s=CBtVqiamFQo517aD@X(Bf= zsvB?mYpqi`O66q`pF#sRrwX3j5?@Uz|5)qGf3)S=9o~yInY(Y(-lcXX-;UP3@@I1Q znyE!Nf7gcTjpe$WV(<2Y^A;pPk;MX)c-)65W-<F<07fU23OXOlo zdRErhTzmBKCZsjmyy7-@8o}hs9$QJEvrWurIYqUrri3q*H~N2jKYM1wgMyf^RNucZ zaT+C(93R9v&_zcWi-=k3|L!hxcGar-6Pn#na395Fd@fk{IE&gp+R|d#VY=eVboJ>6 z&}gx^EF|n;r5H}%Uy7B5_y+`ZFKmkC3=qAdoByj9z|GzLLwcF_bc29n#YsafSS_q{ zQ?n`2Zy`>x6ooQ44pWk-raZyJS?0#j{c2C_y25nW?lgR7NV80EFuNceR0kC0}}3_w#SV#=zm5thSAQ+Gs*Jw&jorb{oi6eOi73)F3S{9E7rK zE)}Hzj_$x@&}cOOPX55t zD+Upz%^|xu(*Pjiz=n*5WxH(2iW#)Y}el)?OR4tI8nFfYd7`qy(WV{9{~gi 
zn^i%G+Hy+D`7Xg8i5zFhah~3pG7z+Wk*b+|l||X0N8<9mn^1{-v2<3sKHwV78_(VE z1E#avOI0>O*OrBNjWon$ zqN?i7@vN$YY)m7(pFK3`QR>3y(nlMZMBtnY8t2Qbj^n|c&r+wmn?G9e*M;m-k|*MUs-Nfo^C!#>3Y;L zdvWkC@L|9MTZ%;LMY9Xy*4Er7WNK<^ltT9^CnqOe|84`k9+|5UVa2aeD5w(fYV|KD za6jmN77H<-YeKbjXjx1AiBZN>L)a$5sE|oyv>hE>Zr%a@%hHk+T3~KoWjLp}alNBD z5}e+JA#R873Yf@TmJlb8CdH*3n$K8nBqwlnbI%B|t}g0IR?6w6-xuPITU|&{$Gu2U zEgC5{AWa7n#!@69I~!Q?>dwjte66Z;2Z*_nym0^m^O+TShb!hl)N(#%l?fBRHX8}c z^e+?=dYjuY#QhIp#H}}8; z!w1Hm3PJ+i%B+@-{3XMSPT0za*#M%9{Pe5RSB`Gop>c{cLHP#<2k&9>j9F&&L1Isu zKi&hq0t^P1pP<%l(|2F02}tLG-^7%-E&CTa$PQ=-q z)qU-~dE-$XZE+PqU;wvn*`#q?@uu_P`aeTD=B_Qh=`dZ1{IDW!$%5PMsM~(^#9+fD zbGvoKX&$}`Q1_WT=<^oj3?-v2AcCK>`23)$O`1YIPkIx|r9*Lbo(p~^iSV1Krgm7j zcA@Z+9+ zDGor#GS~f6fk=Wag_J=*PF=6Vcb4OR6xc*0%m!Rv*itYWagxbco66Hm^b@g@;aore zzyR=GpiSq(bZm4{af0NGM;bYNHTipOP_SE|jguV2Up-s7*2zNKOrsjh_ z`r$LPQ@@q`NJ#YRm)EBNWoP@VVp7*J^#k5EQgGIg0*|RAc8j_u77>~5v`n)xOpy1G zhC`aBJXyCD{fm)*&LJ-rVi?*~Tdr98NTe|+iz24lsT}sCGY77p9y=VbFris$kTo1r zRrTDG){3o*(9Ap{>shZc^jmXHls>ojZ`JErk6L=}0~tf`Y94=i7S*ucQ?x(Kh`>&s{^sN^rlZjFGDcdHEI9J<1<=$ zEGWl9m>EZ7;^-FUhk;`RMG;$eITXlecP0kHarcv6Q5N9ggeLj{X)5ciTQ`u@W`);%3wi)3|M2-3QGhiZ=A8q1A31j$!ft#V>{BF^1L*5AUSa!BX5h2% zWZHk+_86q&`IU)CniIvfF%;>DO8=OzCohD!b(ly|BudqPtk&ch%jW2)JI1N~0_tYctIulx|6s={Y-HlS}-o-G17+9F{}E?;P!^{F0Vr*%P;n zYET!>;7X&|MzP+2sAy57HZUjEdRPzH?vz`PBbzKWu|0#zdxAU_J6@`(-yHjHz& z{3i%U{*n4*_#WG$3h%93EFXUOvd%;*l00|C4K?v6!RH01R?+*mIU+Q+gUeo^& zk<*eNwmGHmzmz*m8a1xC7j#4!&m2q?IZe)14cYn13KrvJacO7THTePD>5(3AYq_Ri z*l67c`NY&vM53@=NJFp=kTbb{OU$$DYP>DpwKP?ZM+r@2>6~t+_BB4%T2SHyvbpPz zkmZRStq)BWx^EF7C%z~d4VY2;K5f*_aYH<&8_hgCJdW|!(aEVN_5bJ5=5y~Ib%k8S zn_zV2$Ur9x9bMZ~m)_Gb`W>JCEG3roOFv) zbS8XLQ~mll(t>}R&jMhE)W?-ns8-b)WqZ}V`!w&6v#DUjVUU4`C=h}x-c8_Iwqz>L}#7QK@NL=Xyc(!EDfY?VZF_XOjGGIJ@ zE1C4;XHV8r5SOW35`e{qmA$;L{d=(g(8a$NZTHFNIxZVL1t33EEQ+&7$6V&7!7Xd! 
zZ~0dUc2!qjpNLb=83V+X{R{hCI#$HiE9FsOR<_aPeO|Ao%_kHJg=@)`-o_sOxhD-w zs>ged0F(d;+=*mB>&u@cvOab0u9oA{?n&#GB&WbU6%kp5PJVCBIc%My5&9Q&BDwx# zm&`mXQBoeo95R+-5wrfK@z;m$0wJmmTY9gKVhJV#9+(G^pj9m4sKO4uB7E!9WZn<>Qpktg^R?od+7nQBOg>K?7FUHV#6i_o*`c$R0XG#u2nB_mEBm+q3 z#hw3z6o=Q+O6RyJUS_c(*J5s*`&GQjRY<~e+v#MMOQ|>=WZ9QVQMZQrdt}m z@}_^HSsGXBHeXU*O+V`<%B_h4r}k+5DQhyD$8k}+t>x>P5Nc%Qsj#+giYf6!cWv4& zmUnfqxq(?++cIk#Yq=(-;V^RU0pq$JH9?Xic}F=Pi4=8L}E=zA^ z6SKt-awQcP#4pZtd4-J^$_QPz+vT`OTgr5avk=lL+v%~uz+EklnvBxBaRJxn0B3!8hR%)K-ooY-MQrLvOm!9(x<(~S5vxr%6L5;FRdAqa|I~Q_ZQrL6Mt}kU#(W( z306_fIJ=9)*sCTRDczXg{Ba38EAxl3%js|Fkn0d7!oxZat~7;Sz7+8nLs!qch3pg( zVIOmP>8oA=5UIVH5b{b*&QbYmkrSj&%3;eseYbVMrcZMAIFR{!C%r3wo@?*#;F^;( z2b9uLA&aGsPkHtMO+bF}Pene-tk(sa}2$(+g_kA5Xw-&@RCa zRE;3v)Oel4hZc9Be{iwY(e=kYKye1scBw#0(7r0sd!G1#46Zi5R4vQVwAMpbmP;NG za~9@evDG|kqch`Lo;}%7gqpQ5%AM?TFS;8$i{ zUpmZ^czvQ2Vr#OK&mUQKC3arc_c8v2`6h0nWV0;eXX*1j*=k%8(~C2%u)X6z%Gh)W zSJnXLVxsh@3}0+YmbJl3!8|Jt`nRgcKRPhE<~^6=E1yZ*wf12DcWW(nKRaU`lM&TN z4)w4qZGQ0$D0ba!>5O!F#GC?_@;LnnS^-W^xbo^;AN$PII}z+B!YelayEWOIFM;xs zJ!8>Lr95WuV@Duc_c3YDV9=_nSJUqlMp06;kcCgNTVXI50VlT*3kcZKl!W8(HAc9u z?TS+3155>)ED7AATo8jt+HT=t3v=fvoWswJ2nGn$?Nhx?e2;rkLOCpu6_Qnb>tR4@ znWjD;tH&-*MpjS1!@u7H7TNN5aVRw2-Hs+Z53)GQP#?W|whVQ9TMO&e_I7>i4Aa=9 z3`4I5C}LA)X@*5M%@iy1J^haG(yo}=?#nofAsO|V3j1br<0>tyxA&IrO5L6vt|*|v z&5AC#J#t|aBkshYr=6ldDVEah5~6C(opBiWEXngX*{_cpTboVPKE#`wd86f4%8+OMhFRO=;|fU`uRMaMnc^$oi37;~(9-e$7WVO7ulq z2if_kMtX>uKsy%?Dkg0QMYs;?t#TlfbRE29X)S%Y9+Ju3Fty!{tg(SMPzuf3;U}J@ zo8Jw3yUMrh?f7_8l3(BK?-5y`HR+tw*7{%Z=fR;(@jND_73eK@sXF91@&YOkaYAqB zCs8O#g69oVj<4qpWshB3L;P`bK$y}?@NRKCZ(tU^a9E+Yt_$Y;^<0;0n4Jqv(!&XH zu23jj#sdXRgl7+vVzVJ`$5()d*SrsY9*Y7Neh5EXEHx{nPgrEMb$|aQxMAF~0rDzf z2^$(EEGPsB{%$#8SZXf|$vt5nBt7N6>7*&J&+g(t-m5YWYYY7bIzRg-xATn|MUYO| z=8B1A7@)L(`T_x}I)3!YQBStZP_{C|LQ$Nv(WUK!yF=>Oc0=Zx)K-wEtx7xIm*kPk zvR+k<7W;*<6&P6Gdgtjw5V08t>LAwJP#_w7u^O7a)_cLr(2FczsEOO_yidKnA5uWy z)a_mZi{~_!*0z4-W^oCJR@8&9#3jddnd~7x)jpeqq~%y!bzu;m8rOv}pIYZ|d&(CY 
z;)56^PZtx|8WTg_7Kv0KBz+$9uf)0C^-~ZFc7DtBUESDcUY;zN!qZr^_c5-{Y-ljt z*0#F+((3xUA-n*m>TV#wDKNlYoS?URg)Tnr@6Bfbpp)d~tA!m8se`U!)jpoSiHSt6 zXd7glPN0pEA%r;ceg5T5B5AtBV&$(||D=c6)@$qw!`JNwko|gwp2lK+v58gIOW;79 zwR_Hzc}F#$1RC$5tcw;3)XU^9a-^A^VN#SJ)fU!nlq-nwU@S3HeOu9fcUngz0Vt$c;@scp&c;d9^m|QXChf#QzKT82 z^EG(lCZXw?_u8x>gZbEvV-d)g`%m_bg*7TT(qMT)d}BlYkB8;g&-d_n29)i-Z-je^ zUC_1`;!7blKaaS=tZpnqF84ZoFLL1?smEjR<+vtwE7z@mi%sW==f|&tcZm!!%2Zwf z5$B1f-n!UON{#Gk8aHi{($w#0>}=;7y@Y)*G%Ct+T5V{rNoabXRMVrR+2??E%8&ns zaw(}?-^_%J-;@N(-2ApIrM7B?W+M;0e9Y11<&Ogc%horXwP{o@hmH8fQIm}d56{3n z7zS@KhV4Q6o(5M=0%r}n-n*5SEXa6CFNflu6jEXi-UM6>#-k<^toc&$Refo^o7IjZ0pLDU$Yf6HS~%ZhgyJ6}r_>3E2iroXw^U|g=b z4p~Aguio0VGrGaZ&GU5$#5JpK|MDD+jO;0Aljv9EZm{yzh?8V_>h66Hjd>PU=+NVl zP|?l(vm|>E`999Z#Pu-Wj6(BryNQgK4tb(T>oL>oIxZ}?bZKlU%i<<5<|`Y{(t%De ztZWuOi*R{5rhnb@h5VGQXNpkJYk%VVu+!#;zzQq5a$sP}Y7*kxubFC%gkp!w-tE5s zI$6TumOtD$e|q9c#~~k)#3(uBen+ei8L}_e#h&E5JWv-t7lp~+D#8>wFD7mw)Vmdf zlMdc*_x-~(Q^2>tQ=8=${gzHE)89pkUUHG8xsBal))+5HDvuD1F9J{U zLUUfFCk_ajgI@N*&+?;yVvJsoEz&K{JvkJjn|ims&t$xN+}cW{+K2@z&Xe6NQU`@~ z6K2C@KMn_QtWe$@2OCesfgJ3LOBzeoU0SJ15LBBxxb=#feG4RPCvBA zP%tSefKG^%d@rIld>;b_Np=9KHqYS;7t&D!(j@Vz)ZB|BUePo+VKX|nAn39?t<8>=| zgNwrEZu%_(JD+&+by;FX_w*a;N+~>A&3H6K513T@>o(W+K7Nn(Gy?X4|5AyVx;Koz zc}Brm#uuw{Z=!uKT{2NYqTKq|?$qbp&4-!m;c<`YkFv89t8seL_?l-lW;H{{6dR70 zaRtKA(w8x+Q&)MilYfPKc>;B@2$}NDcVRwB|4|xK1AvS;{_&T-aGo746vg-}bU{4w zln*;vKMH<*7t#678N)6iDt_^-Sn=;eYVyqK4q(Q`DEqTJ zPay^*kS_qyW*0xnH66h?^4I%N1r!eep_Kx#Qvf|&=QpQXhV{P45VzBSgk0=}{24Gz z{#4mn!O8pE02}ov%)Ex^hXI|H<&XOs=h}?DkJ0Pjw_5(IobpdAj8q0@H3ed484~~k zRW7P-{Sa#OLu`$r9Ev|2rbX@Qz!J$`VJ&?m5Wv)JSR985WG>F+*Rg|u272D&V# zN<&$WSIcv=Y6M_%CI5-wrf2a_-c=ko?;Dy0e7aExd{cnS@%IAc|06_zZomJRb&ZWx zQ(wIzX!wJ5uL!qBDFB{AV&Ck3)D-v!XuNGLIGfU>ZLN+`$J=)HU*N;=pT!73b`5N7 d-ea8bdhsqijBOfdqy&MqAL~D=c=+ti{{mr&+ll}H literal 0 HcmV?d00001 
diff --git a/windows/threat-protection/windows-defender-exploit-guard/scripts/asr-events.xml b/windows/threat-protection/windows-defender-exploit-guard/scripts/asr-events.xml new file mode 100644 index 0000000000..4389422066 --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/scripts/asr-events.xml @@ -0,0 +1,21 @@ + + + + + Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender/WHC + 1121,1122,5007 + 0 + False + + + + Attack Surface Reduction view + + + + + + + + + \ No newline at end of file
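Review bot: the new file has no trailing newline ("No newline at end of file"); please add one. The view filters on 1121,1122,5007 across Microsoft-Windows-Windows Defender/Operational and Microsoft-Windows-Windows Defender/WHC, which matches the event table in evaluate-attack-surface-reduction.md; keep the two in sync if either list changes, since the page's table and this file are the only two places the IDs appear.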