From 334ecaa1a2585577452b25490afccd35119ebe4a Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Fri, 16 Feb 2018 15:24:22 -0800 Subject: [PATCH 1/4] Changed date. --- .../attack-surface-reduction-exploit-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 889d969f79..d5e34e50d5 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: iaanw ms.author: iawilt -ms.date: 11/30/2017 +ms.date: 02/16/2018 --- From 44b0e06787e914e1484ec809891d844e54b92028 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Thu, 8 Mar 2018 08:35:57 -0800 Subject: [PATCH 2/4] Test-changed author --- .../attack-surface-reduction-exploit-guard.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index d5e34e50d5..955483ce1f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 02/16/2018 +author: andreabichsel +ms.author: v-anbic +ms.date: 04/01/2018 --- 
From 076a04cfaea0469abcdc5640db700ce503ec1e0a Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Wed, 14 Mar 2018 12:47:01 -0700 Subject: [PATCH 3/4] Redid ASR rule changes. --- .../attack-surface-reduction-exploit-guard.md | 32 +++++++++++++++++++ .../customize-attack-surface-reduction.md | 11 +++++-- .../enable-attack-surface-reduction.md | 11 +++++-- 3 files changed, 48 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 955483ce1f..f9a000c334 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
@@ -76,6 +76,11 @@ Block Office applications from injecting code into other processes | 75668C1F-73 Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B +Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25 +Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 +Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 +Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c +Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 The rules apply to the following Office apps running on Windows 10, version 1709. See the **Applies to** section at the start of this topic for a list of supported Office version. 
@@ -147,7 +152,34 @@ Malware can use macro code in Office files to import and load Win32 DLLs, which This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. +### Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria + +This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list: + +- Executable files (such as .exe, .dll, or .scr) +- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) + +### Rule: Use advanced protection against ransomware + +This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list. + +### Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe) + +Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS. +>[!IMPORTANT] +>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). 
+ +### Rule: Block process creations originating from PSExec and WMI commands + +This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks. + +### Rule: Block untrusted and unsigned processes that run from USB + +With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include: + +- Executable files (such as .exe, .dll, or .scr) +- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) ## Requirements diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index b4f01bbee5..70145d958b 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 11/09/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 04/01/2018 --- # Customize Attack surface reduction 
@@ -69,6 +69,11 @@ Block Office applications from creating executable content | [!include[Check mar Block Office applications from injecting code into other processes | [!include[Check mark no](images/svg/check-no.svg)] | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 Block JavaScript or VBScript from launching downloaded executable content | [!include[Check mark no](images/svg/check-no.svg)] | D3E037E1-3EB8-44C8-A917-57927947596D Block executable content from email client and webmail | [!include[Check mark no](images/svg/check-no.svg)] | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 +Block executable files from running unless they meet a prevalence, age, or trusted list criteria | [!include[Check mark yes](images/svg/check-yes.svg)] | 01443614-cd74-433a-b99e-2ecdc07bfc25 +Use advanced protection against ransomware | [!include[Check mark yes](images/svg/check-yes.svg)] | c1db55ab-c21a-4637-bb3f-a12568109d35 +Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark no](images/svg/check-no.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 +Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c +Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index c7f25e04df..8852d9dc07 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md 
@@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 11/09/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 04/01/2018 --- @@ -59,6 +59,11 @@ Block Office applications from injecting code into other processes | 75668C1F-73 Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B +Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25 +Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 +Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 +Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c +Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. From 569981914b2fbf6d73cfd603a8fe54151d5bce30 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Fri, 6 Apr 2018 08:46:27 -0700 Subject: [PATCH 4/4] Add warning about PSExec rule blocking SCCM compliance rules. --- .../attack-surface-reduction-exploit-guard.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index f9a000c334..02ccecc491 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -173,6 +173,9 @@ Local Security Authority Subsystem Service (LSASS) authenticates users who log i ### Rule: Block process creations originating from PSExec and WMI commands This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks. + +>[!WARNING] +>[Only use this rule if you are managing your devices with Intune or other MDM solution. If you use this rule with SCCM, it will prevent SCCM compliance rules from working, because this rule blocks the PSExec commands in SCCM.] ### Rule: Block untrusted and unsigned processes that run from USB
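Review bot: In PATCH 2/4 (front matter hunk of attack-surface-reduction-exploit-guard.md), the subject "Test-changed author" reads as a scratch commit and should be squashed into PATCH 3/4 before merge; the same hunk sets `+ms.date: 04/01/2018` on a commit dated 8 Mar 2018, so either this is an intended publish date or it needs updating to the real revision date.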
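Review bot: In PATCH 3/4, hunk `@@ -76,6 +76,11 @@` of attack-surface-reduction-exploit-guard.md, the five added GUIDs are lowercase while every existing row in the table (e.g. `D3E037E1-3EB8-44C8-A917-57927947596D`) is uppercase; pick one casing so readers who copy the value into Group Policy or PowerShell get consistent output. The tool name is also written "PSExec" here but "PsExec" in the rule body later in the same patch. While editing this table, the unchanged context line "for a list of supported Office version" should read "versions".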
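Review bot: In PATCH 3/4, hunk `@@ -147,7 +152,34 @@`, both new bulleted lists name the PowerShell script extension as ".ps"; PowerShell scripts use ".ps1", and "VisualBasic .vbs" should be "VBScript .vbs" to match the rule names used elsewhere on the page. The `>[!IMPORTANT]` callout after the LSASS paragraph has no blank line before it, unlike the other callouts in this file; add one so it renders as a separate block. The heading "Block process creations originating from PSExec and WMI commands" and its body "processes through PsExec and WMI commands" disagree on capitalization of the tool name.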
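Review bot: In PATCH 4/4, the added warning text is wrapped in square brackets (`>[Only use this rule ... blocks the PSExec commands in SCCM.]`), which is not the `[!WARNING]` callout syntax and will render the brackets literally or be parsed as a broken link reference; drop the brackets so only the `>[!WARNING]` marker line carries them. "Intune or other MDM solution" should be "Intune or another MDM solution". Since the preceding rule's IMPORTANT note says exclusions do not apply to the LSASS rule, it would help to state here whether exclusions can be used to carve out the SCCM client for this rule instead of disabling it entirely.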