Update attack-surface-reduction.md

Denise Vangel-MSFT 2020-12-08 18:59:48 -08:00
parent 7664f71e2f
commit 1f2925545a

@ -327,6 +327,24 @@ Configuration Manager name: Not yet available
GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869`
### Block persistence through WMI event subscription
This rule prevents malware from abusing WMI to attain persistence on a device.
> [!IMPORTANT]
> File and folder exclusions don't apply to this attack surface reduction rule.
Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.
This rule was introduced in:
- [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903)
- [Windows Server 1903](https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903-1909)
Intune name: Not yet available
Configuration Manager name: Not yet available
GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b`
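Review bot: In the "This rule was introduced in" list of the inserted section, the link text "Windows Server 1903" does not follow the naming used one line above ("Windows 10, version 1903"), and its URL points at a page covering 1903-1909. Suggest "Windows Server, version 1903" for consistency. Separately, both "Intune name" and "Configuration Manager name" read "Not yet available", which leaves the GUID as the only identifier a reader can act on; a short sentence saying so would save readers from searching those consoles for a rule name that is not there. The `[!IMPORTANT]` note about exclusions would also read better after the paragraph that explains what the rule does, rather than directly after the one-line summary.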
@ -405,24 +423,6 @@ Configuration Manager name: Block untrusted and unsigned processes that run from
GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4`
### Block persistence through WMI event subscription
This rule prevents malware from abusing WMI to attain persistence on a device.
> [!IMPORTANT]
> File and folder exclusions don't apply to this attack surface reduction rule.
Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.
This rule was introduced in:
- [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903)
- [Windows Server 1903](https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903-1909)
Intune name: Not yet available
Configuration Manager name: Not yet available
GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b`
## Related topics
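Review bot: The section removed here (heading, `[!IMPORTANT]` note, introduced-in list, GUID `e6db77e5-3df2-4cf1-b95a-636979351e5b`) matches the text inserted by the hunk at line 327, so this is a pure move of 18 lines, but the commit message "Update attack-surface-reduction.md" gives no reason for the reorder. Suggest stating the ordering rule in the commit message (for example, whether rule sections are meant to be alphabetical), so later additions land in the right place. The heading text is unchanged, so links to this heading keep working; if the file lists the rules in order anywhere else, that list should be checked against the new position.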