mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-07 18:17:22 +00:00
Fixed formatting.
This commit is contained in:
parent
1993331377
commit
2d71afa16e
@ -67,81 +67,91 @@ Except where specified, ASR rules do not apply to any other Office apps.
### Rule: Block executable content from email client and webmail
Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)
SCCM name: Block executable content from email client and webmail
GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com):
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
- Script archive files
### Rule: Block all Office applications from creating child processes
Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)
Intune name: Office apps launching child processes
SCCM name: Block Office application from creating child processes
GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
SCCM name: Block executable content from email client and webmail
GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
### Rule: Block all Office applications from creating child processes
Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
### Rule: Block Office applications from creating executable content
Intune name: Office apps launching child processes
Intune name: Office apps/macros creating executable content
SCCM name: Block Office applications from creating executable content
GUID: 3B576869-A4EC-4529-8536-B80A7769E899
SCCM name: Block Office application from creating child processes
GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
### Rule: Block Office applications from creating executable content
This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique.
Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features.
### Rule: Block Office applications from injecting code into other processes
Intune name: Office apps/macros creating executable content
Intune name: Office apps injecting code into other processes (no exceptions)
SCCM name: Block Office applications from injecting code into other processes
GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
SCCM name: Block Office applications from creating executable content
GUID: 3B576869-A4EC-4529-8536-B80A7769E899
### Rule: Block Office applications from injecting code into other processes
Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes.
This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
### Rule: Block JavaScript or VBScript From launching downloaded executable content
Intune name: Office apps injecting code into other processes (no exceptions)
Intune name: js/vbs executing payload downloaded from Internet (no exceptions)
SCCM name: Block JavaScript or VBScript from launching downloaded executable content
GUID: D3E037E1-3EB8-44C8-A917-57927947596D
SCCM name: Block Office applications from injecting code into other processes
GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
### Rule: Block JavaScript or VBScript From launching downloaded executable content
JavaScript and VBScript scripts can be used by malware to launch other malicious apps.
This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
### Rule: Block execution of potentially obfuscated scripts
Intune name: js/vbs executing payload downloaded from Internet (no exceptions)
Intune name: Obfuscated js/vbs/ps/macro code
SCCM name: Block execution of potentially obfuscated scripts.
GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
SCCM name: Block JavaScript or VBScript from launching downloaded executable content
GUID: D3E037E1-3EB8-44C8-A917-57927947596D
### Rule: Block execution of potentially obfuscated scripts
Malware and other threats can attempt to obfuscate or hide their malicious code in some script files.
This rule prevents scripts that appear to be obfuscated from running.
### Rule: Block Win32 API calls from Office macro
Intune name: Obfuscated js/vbs/ps/macro code
Intune name: Win32 imports from Office macro code
SCCM name: Block Win32 API calls from Office macros
GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
SCCM name: Block execution of potentially obfuscated scripts.
GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
### Rule: Block Win32 API calls from Office macro
Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system.
This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs.
### Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
Intune name: Win32 imports from Office macro code
Intune name: Executables that don't meet a prevalence, age, or trusted list criteria
SCCM name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
SCCM name: Block Win32 API calls from Office macros
GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
### Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list:
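Review bot: the `Intune name:`, `SCCM name:` and `GUID:` lines that follow each rule heading in this hunk (for example `Intune name: Office apps launching child processes`, `SCCM name: Block Office application from creating child processes`, `GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A`) are plain paragraph text; wherever the three sit on consecutive lines without a blank line between them, Markdown will fold them into a single run-on paragraph, so separate them with blank lines, make them a three-item bulleted list, or end each with two trailing spaces. While touching these lines, normalise the GUID casing (the first rules use `BE9BA2D9-...`, later ones `01443614-cd74-...`) and drop the stray trailing period on `SCCM name: Block execution of potentially obfuscated scripts.`, so that every rule's identifier block reads the same and copies cleanly into a policy; the heading `Block JavaScript or VBScript From launching downloaded executable content` also capitalises `From` where the SCCM name does not.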
@ -150,33 +160,39 @@ This rule blocks the following file types from being run or launched unless they
>[!NOTE]
>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
### Rule: Use advanced protection against ransomware
Intune name: Executables that don't meet a prevalence, age, or trusted list criteria
Intune name: Advanced ransomware protection
SCCM name: Use advanced protection against ransomware
GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
SCCM name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
### Rule: Use advanced protection against ransomware
This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list.
>[!NOTE]
>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
### Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Intune name: Advanced ransomware protection
Intune name: Flag credential stealing from the Windows local security authority subsystem
SCCM name: Block credential stealing from the Windows local security authority subsystem
GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
SCCM name: Use advanced protection against ransomware
GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
### Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
>[!NOTE]
>Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat.
### Rule: Block process creations originating from PSExec and WMI commands
Intune name: Flag credential stealing from the Windows local security authority subsystem
Intune name: Process creation from PSExec and WMI commands
SCCM name: Not applicable
GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c
SCCM name: Block credential stealing from the Windows local security authority subsystem
GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
### Rule: Block process creations originating from PSExec and WMI commands
This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks.
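Review bot: the two `[!NOTE]` blocks in this hunk link to cloud-delivered protection with an absolute, locale-pinned URL (`https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus`), whereas the rest of the page links to sibling topics with relative paths such as `enable-attack-surface-reduction.md`; use a relative link here too so the note follows the reader's locale and survives a directory move. Two smaller points in the same region: the LSASS rule's heading and SCCM name say `Block credential stealing` while the Intune name says `Flag credential stealing from the Windows local security authority subsystem`, so a one-line remark that the Intune label uses a different verb for the same rule would spare readers a search for a second rule; and the note that an access-denial entry "by itself is not an indication of the presence of a malicious threat" would be more actionable if the text named which log and event the denial is written to, if that detail is known to the author.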
@ -186,35 +202,47 @@ This rule blocks processes through PsExec and WMI commands from running, to prev
>[!WARNING]
>[Only use this rule if you are managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands that the Configuration Manager client uses to function correctly.]
### Rule: Block untrusted and unsigned processes that run from USB
Intune name: Process creation from PSExec and WMI commands
Intune name: Untrusted and unsigned processes that run from USB
SCCM name: Block untrusted and unsigned processes that run from USB
GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
SCCM name: Not applicable
GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c
### Rule: Block untrusted and unsigned processes that run from USB
With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include:
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
### Rule: Block Office communication applications from creating child processes
Intune name: Untrusted and unsigned processes that run from USB
Intune name: Not applicable
SCCM name: Not applicable
GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
SCCM name: Block untrusted and unsigned processes that run from USB
GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
### Rule: Block Office communication applications from creating child processes
Office communication apps will not be allowed to create child processes. This includes Outlook.
This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
Intune name: Not applicable
SCCM name: Not applicable
GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
### Rule: Block Adobe Reader from creating child processes
Intune name: Not applicable
SCCM name: Not applicable
GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
This rule blocks Adobe Reader from creating child processes.
Intune name: Not applicable
SCCM name: Not applicable
GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
## Related topics
- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
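Review bot: the body of the `>[!WARNING]` block for the PSExec/WMI rule is wrapped in a stray pair of square brackets (`>[Only use this rule if you are managing your devices with [Intune](https://docs.microsoft.com/intune) ... uses to function correctly.]`), which a "Fixed formatting" commit should catch: the outer `[` and `]` render literally and nest the `[Intune](...)` and `[System Center Configuration Manager](...)` links inside a bracket pair, so drop them and keep only the inner links. Separately, the last two rules (`Block Office communication applications from creating child processes`, GUID `26190899-1602-49e8-8b27-eb1d0a1ce869`, and `Block Adobe Reader from creating child processes`, GUID `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`) list both management names as `Not applicable`, which leaves the GUID as the only handle an admin has; a short pointer from those two entries to the `Enable attack surface reduction rules` topic in Related topics, for how to set a rule by GUID, would keep readers from assuming the rules cannot be deployed at all.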