deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 05:47:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merged PR 9491: Added new ASR rule

Browse Source 
Added new ASR rule
This commit is contained in:
Andrea Bichsel (Aquent LLC) 2018-06-29 20:50:02 +00:00
commit 688ba9c457
3 changed files with 24 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium ms.localizationpriority: medium
author: andreabichsel author: andreabichsel
ms.author: v-anbic ms.author: v-anbic
ms.date: 06/13/2018 ms.date: 06/29/2018
--- ---
@ -82,6 +82,10 @@ Windows 10, version 1803 has five new Attack surface reduction rules:
- Block process creations originating from PSExec and WMI commands - Block process creations originating from PSExec and WMI commands
- Block untrusted and unsigned processes that run from USB - Block untrusted and unsigned processes that run from USB
In addition, the following rule is available for beta testing:
- Block Office communication applications from creating child processes
The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table: The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table:
Rule name | GUID Rule name | GUID
@ -98,6 +102,7 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869
The rules apply to the following Office apps running on Windows 10, version 1709. See the **Applies to** section at the start of this topic for a list of supported Office version. The rules apply to the following Office apps running on Windows 10, version 1709. See the **Applies to** section at the start of this topic for a list of supported Office version.
@ -123,7 +128,7 @@ This rule blocks the following file types from being run or launched from an ema
### Rule: Block Office applications from creating child processes ### Rule: Block Office applications from creating child processes
Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, Outlook, and Access. Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
@ -175,10 +180,16 @@ This rule blocks the following file types from being run or launched unless they
- Executable files (such as .exe, .dll, or .scr) - Executable files (such as .exe, .dll, or .scr)
>[!NOTE]
>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
### Rule: Use advanced protection against ransomware ### Rule: Use advanced protection against ransomware
This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list. This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list.
>[!NOTE]
>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
### Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe) ### Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS. Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
@ -203,6 +214,12 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
- Executable files (such as .exe, .dll, or .scr) - Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
### Rule: Block Office communication applications from creating child processes
Office communication apps will not be allowed to create child processes. This includes Outlook.
This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
## Review Attack surface reduction events in Windows Event Viewer ## Review Attack surface reduction events in Windows Event Viewer
You can review the Windows event log to see events that are created when an Attack surface reduction rule is triggered (or audited): You can review the Windows event log to see events that are created when an Attack surface reduction rule is triggered (or audited):

4
windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium ms.localizationpriority: medium
author: andreabichsel author: andreabichsel
ms.author: v-anbic ms.author: v-anbic
ms.date: 06/15/2018 ms.date: 06/29/2018
--- ---
# Customize Attack surface reduction # Customize Attack surface reduction
@ -76,6 +76,8 @@ Use advanced protection against ransomware | [!include[Check mark yes](images/sv
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark no](images/svg/check-no.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark no](images/svg/check-no.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication applications from creating child processes (available for beta testing) | [!include[Check mark no](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.

3
windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium ms.localizationpriority: medium
author: andreabichsel author: andreabichsel
ms.author: v-anbic ms.author: v-anbic
ms.date: 05/30/2018 ms.date: 06/29/2018
--- ---
@ -64,6 +64,7 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869
See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.