From 1f2925545a996dee46c4527106688ce68da3f703 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Dec 2020 18:59:48 -0800 Subject: [PATCH] Update attack-surface-reduction.md --- .../attack-surface-reduction.md | 36 +++++++++---------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 7142e05183..0ea54f5923 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -327,6 +327,24 @@ Configuration Manager name: Not yet available GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869` +### Block persistence through WMI event subscription + +This rule prevents malware from abusing WMI to attain persistence on a device. + +> [!IMPORTANT] +> File and folder exclusions don't apply to this attack surface reduction rule. + +Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. + +This rule was introduced in: +- [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) +- [Windows Server 1903](https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903-1909) + +Intune name: Not yet available + +Configuration Manager name: Not yet available + +GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b` 
@@ -405,24 +423,6 @@ Configuration Manager name: Block untrusted and unsigned processes that run from GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` -### Block persistence through WMI event subscription - -This rule prevents malware from abusing WMI to attain persistence on a device. - -> [!IMPORTANT] -> File and folder exclusions don't apply to this attack surface reduction rule. - -Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. - -This rule was introduced in: -- [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) -- [Windows Server 1903](https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903-1909) - -Intune name: Not yet available - -Configuration Manager name: Not yet available - -GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b` ## Related topics
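Review bot: The first hunk (`@@ -327,6 +327,24 @@`) is a pure move with no wording change, yet the commit message "Update attack-surface-reduction.md" does not say why the section is relocated; please state the reason in the commit message or PR description, presumably keeping the rule sections in alphabetical order, since the old position sat after "Block untrusted and unsigned processes that run from…" which sorts later than "Block persistence". While touching this block, confirm that "Intune name: Not yet available" and "Configuration Manager name: Not yet available" are still accurate for GUID `e6db77e5-3df2-4cf1-b95a-636979351e5b` rather than carried over unchanged from the original text; the move is a natural point to refresh those two lines, and leaving the heading text identical means the existing `#block-persistence-through-wmi-event-subscription` anchor continues to resolve.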
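Review bot: In the second hunk (`@@ -405,24 +423,6 @@`) the 18 removed lines should be checked line-for-line against the 18 added in the first hunk so that nothing is dropped or silently altered in the move; the `> [!IMPORTANT]` exclusions callout, the two "This rule was introduced in" links and the GUID line appear identical in both, which is what a reorder should look like. Also verify the result around the deletion boundary: after removing the block, "GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4`" is followed directly by "## Related topics", so make sure exactly one blank line separates them in the rendered file and that no other page links to this rule by position (for example "the last rule in the list") rather than by its heading anchor.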