Incorp tech review.

This commit is contained in:
Andrea Bichsel
2019-02-06 16:41:10 -08:00
parent 23f1b21c5d
commit 6a59a10670


@ -19,11 +19,9 @@ ms.author: v-anbic
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Attack surface reduction rules help prevent malware from using actions and apps to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. Attack surface reduction rules help prevent malware from using actions and apps to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1803 or later, or Windows Server 2019.
To use attack surface reduction rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). To use attack surface reduction rules, you Windows 10 Enterprise E3 license or higher. An E5 license allows you to take advantage of the advanced monitoring and reporting capabilities available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) and the real-time views and configuration of the M365 dashboard. These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to view attack surface reduction rule events in Event Viewer.
With an E3 license, you won't have these advanced capabilities, but you can develop your own monitoring and reporting tools to use in conjunction with attack surface reduction rules.
Attack surface reduction rules target specific behaviors that malware and malicious apps typically use to infect computers, including: Attack surface reduction rules target specific behaviors that malware and malicious apps typically use to infect computers, including:
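Review bot: the new licensing sentence at line 14 is missing a verb and article: "To use attack surface reduction rules, you Windows 10 Enterprise E3 license or higher" should read "you need a Windows 10 Enterprise E3 license or higher". Also, now that the old second paragraph about E3 is folded into this one, the sentence about developing your own tools should say what to build on (it now refers to Event Viewer without naming the event log or provider), otherwise the reader has no more to go on than before.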
@ -31,7 +29,11 @@ Attack surface reduction rules target specific behaviors that malware and malici
- Obfuscated or otherwise suspicious scripts - Obfuscated or otherwise suspicious scripts
- Behaviors that apps don't usually initiate during normal day-to-day work - Behaviors that apps don't usually initiate during normal day-to-day work
Triggered rules display a notification. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. Because legitimate, line-of-business applications might also use some of these behaviors and apps, you can [exclude them from attack surface reduction rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules).
You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and adding exclusions for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
Triggered rules display a notification on the device. The notification also displays in the Windows Defender ATP Security Center and on the M365 console. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information.
You can set attack surface reduction rules in [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how they'd impact your organization once enabled. You can set attack surface reduction rules in [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how they'd impact your organization once enabled.
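Review bot: the hunk leaves two paragraphs saying the same thing about audit mode: the new one at line 21 ("You can use [audit mode] ... to evaluate how attack surface reduction rules would impact your organization") and the retained one at line 23 ("You can set attack surface reduction rules in [audit mode] ... to evaluate how they'd impact your organization once enabled"). Drop the line 23 paragraph, since the new one carries the same point plus the advice to run all rules in audit mode first and add exclusions. Two smaller points: the exclusions link added at line 20 is an absolute, locale-specific URL ("https://docs.microsoft.com/en-us/windows/...") while every other link in this file is a relative .md link, so use "enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules"; and line 22 says "M365 console" where line 14 says "M365 dashboard", so pick one term.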
@ -39,7 +41,7 @@ For information about configuring attack surface reduction rules, see [Enable at
## Attack surface reduction rules ## Attack surface reduction rules
The following sections describe each attack surface reduction rule. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy: The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy:
Rule name | GUID Rule name | GUID
-|- -|-
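Review bot: hard-coding "each of the 15 attack surface reduction rules" at line 26 means this sentence goes stale the next time a rule is added to the table below it (this very commit adds rows to that table). Either leave the count out, as the original sentence did, or make sure it is part of the review checklist whenever the table changes.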
@ -58,6 +60,8 @@ Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9
Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
Each rule description indicates which apps or file types the rule applies to. In general, the rules for Office apps apply to only Word, Excel, PowerPoint, and OneNote, or they apply to Outlook. They don't apply to any other Office apps like Flow or Teams.
In general, attack surface reduction rules apply to the following Office apps: In general, attack surface reduction rules apply to the following Office apps:
- Microsoft Word - Microsoft Word
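Review bot: the new paragraph at line 32 ("In general, the rules for Office apps apply to only Word, Excel, PowerPoint, and OneNote, or they apply to Outlook. They don't apply to any other Office apps like Flow or Teams.") now duplicates the retained paragraph and bullet list that follow it at line 33 ("In general, attack surface reduction rules apply to the following Office apps:" followed by the list), and the two differ in how they handle Outlook. Keep one form: either the sentence or the list, and state the Outlook exception once.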
@ -69,7 +73,7 @@ Except where specified, attack surface reduction rules don't apply to any other
### Block executable content from email client and webmail ### Block executable content from email client and webmail
This rule blocks the following file types from launching from email in Microsoft Outlook or webmail (such as Gmail.com or Outlook.com): This rule blocks the following file types from launching from email in Microsoft Outlook or Outlook.com:
- Executable files (such as .exe, .dll, or .scr) - Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
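Review bot: line 37 narrows the scope from "webmail (such as Gmail.com or Outlook.com)" to "Outlook.com" only, but the heading above it still says "email client and webmail", and the generic "webmail" wording was what told admins the rule covers third-party mail sites. If the rule really only applies to Outlook.com, the heading and the rest of the section should say so; if it still covers other webmail, this edit is a regression and the original wording should stay.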
@ -85,7 +89,7 @@ GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. Some legitimate line-of-business applications might also use behaviors like this, including spawning a command prompt or using PowerShell to configure registry settings.
Intune name: Office apps launching child processes Intune name: Office apps launching child processes
@ -95,7 +99,9 @@ GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
### Block Office applications from creating executable content ### Block Office applications from creating executable content
This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique. This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content.
This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique, which often embeds an encoded binary file within the script that is then dropped and executed.
Office apps won't be able to use extensions. Typically, these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features. Office apps won't be able to use extensions. Typically, these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features.
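Review bot: the new lead sentence at line 46 names "Word, Excel, and PowerPoint", while the general paragraph earlier in the file says the Office rules apply to Word, Excel, PowerPoint, and OneNote. Confirm whether OneNote is covered by this rule and make the two lists agree. The added clause at line 47 ("which often embeds an encoded binary file within the script that is then dropped and executed") also reads oddly attached to "technique"; "Malware often embeds ... within the script, which is then dropped and executed" would be clearer.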
@ -107,9 +113,11 @@ GUID: 3B576869-A4EC-4529-8536-B80A7769E899
### Block Office applications from injecting code into other processes ### Block Office applications from injecting code into other processes
This rule prevents Office apps, including Word, Excel, or PowerPoint, from injecting code into other processes. A macro can allocate memory inside a suspended process and inject code into it, converting the benign process into a malicious one. Code injection doesn't have any known use for legitimate business purposes. This rule detects DLL and EXE injection, as well as process hollowing and thread hijacking.
This helps prevent attacks where malware runs malicious code in an attempt to hide the activity from antivirus scanning engines. This rule helps prevent attacks where malware runs malicious code in an attempt to hide the activity from antivirus scanning engines.
This rule applies to Word, Excel, and PowerPoint.
Intune name: Office apps injecting code into other processes (no exceptions) Intune name: Office apps injecting code into other processes (no exceptions)
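Review bot: line 51 says "This rule detects DLL and EXE injection, as well as process hollowing and thread hijacking", but the heading and the rewritten line 52 describe a blocking rule. "Detects" suggests audit-only behaviour; say "blocks" (or "blocks, and in audit mode reports") so the reader is not left wondering whether the rule only logs. The removed line 53 ("This rule applies to Word, Excel, and PowerPoint.") was the only place the app scope was stated as its own sentence; it survives inside line 51, so that removal is fine.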
@ -117,11 +125,11 @@ SCCM name: Block Office applications from injecting code into other processes
GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
### Block JavaScript or VBScript From launching downloaded executable content ### Block JavaScript or VBScript from launching downloaded executable content
Malware often uses JavaScript and VBScript scripts to launch other malicious apps. Malware often uses JavaScript and VBScript scripts to launch other malicious apps.
This rule prevents these scripts from launching apps, helping to prevent malicious use of the scripts to spread malware and infect machines. This rule prevents scripts from launching apps, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers.
>[!IMPORTANT] >[!IMPORTANT]
>File and folder exclusions don't apply to this attack surface reduction rule. >File and folder exclusions don't apply to this attack surface reduction rule.
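Review bot: dropping "these" at line 59 ("This rule prevents scripts from launching apps") loses the JavaScript/VBScript scope that line 58 sets up; keep "these scripts". The new sentence about line-of-business applications that "use scripts to download and launch installers" sits directly above the IMPORTANT callout at line 61 saying exclusions don't apply to this rule, so the practical consequence should be spelled out here: such applications cannot be excluded, and the rule has to be tested in audit mode against them before enabling it.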
@ -134,9 +142,9 @@ GUID: D3E037E1-3EB8-44C8-A917-57927947596D
### Block execution of potentially obfuscated scripts ### Block execution of potentially obfuscated scripts
Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. This rule detects suspicious properties within an obfuscated script.
This rule prevents potentially obfuscated scripts from running. This rule prevents obfuscated scripts with suspicious behaviors from running. You can exclude scripts so they're allowed to run.
Intune name: Obfuscated js/vbs/ps/macro code Intune name: Obfuscated js/vbs/ps/macro code
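Review bot: line 65 adds "You can exclude scripts so they're allowed to run" without linking to the exclusions section the way line 20 does; link it, and say whether that is a file/folder exclusion (the other rules in this file distinguish rules where file and folder exclusions do and do not apply). Also, line 64 says the rule "detects suspicious properties" and line 65 says it "prevents obfuscated scripts with suspicious behaviors from running"; properties and behaviors are different things, so use one term.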
@ -148,7 +156,7 @@ GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Malware can use macro code in Office files to import and load Win32 DLLs, which the malware then uses to make API calls to allow further infection throughout the system. Malware can use macro code in Office files to import and load Win32 DLLs, which the malware then uses to make API calls to allow further infection throughout the system.
This rule attempts to block Office files that contain macro code that can import Win32 DLLs. This includes Word, Excel, PowerPoint, and OneNote. This rule blocks Office files containing macro code from importing Win32 DLLs. This includes Word, Excel, PowerPoint, and OneNote.
Intune name: Win32 imports from Office macro code Intune name: Win32 imports from Office macro code
@ -156,7 +164,7 @@ SCCM name: Block Win32 API calls from Office macros
GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
### Block executable files from running unless they meet a prevalence, age, or trusted list criteria ### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
This rule blocks the following file types from launching unless they either meet prevalence or age criteria set by admins, or they're in a trusted list or exclusion list: This rule blocks the following file types from launching unless they either meet prevalence or age criteria set by admins, or they're in a trusted list or exclusion list:
@ -189,7 +197,7 @@ GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS. Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
>[!NOTE] >[!NOTE]
>The coding in some apps enumerate all running processes and attempt opening them with exhaustive permissions. This causes the app to access LSASS even when it's not necessary. This rule denies the app's process open action and logs the details to the security event log. By itself, this event log entry doesn't necessarily indicate a malicious threat. >In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
Intune name: Flag credential stealing from the Windows local security authority subsystem Intune name: Flag credential stealing from the Windows local security authority subsystem
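Review bot: the rewritten NOTE at line 78 dropped the sentence "This causes the app to access LSASS even when it's not necessary", so the new text jumps from "enumerates all running processes and attempts to open them with exhaustive permissions" straight to "This rule denies the app's process open action" without saying that LSASS is one of the processes being opened. Restore that link, and rephrase "an app that overly enumerates LSASS" (an app does not enumerate LSASS; it opens LSASS while enumerating processes) to something like "an app that repeatedly opens LSASS this way".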
@ -198,6 +206,8 @@ SCCM name: Block credential stealing from the Windows local security authority s
GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
### Block process creations originating from PSExec and WMI commands ### Block process creations originating from PSExec and WMI commands
This rule blocks process creations that are invoked externally by PSExec or WMI. You can legitimately use PSExec or WMI for computer management. Because the invoking process is external to the system, this rule can't determine which application invoked the process creation. Exclusions don't apply to this rule, so don't enable this rule if you're using a PSExec-based program or a WMI-based program like SCCM.
This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks. This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks.
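Review bot: the new paragraph at line 83 and the retained paragraph at line 84 both describe what the rule blocks, in different words ("blocks process creations that are invoked externally by PSExec or WMI" versus "blocks processes through PsExec and WMI commands from running"); merge them into one. The spelling also differs between the two ("PSExec" at line 83, "PsExec" at line 84), so pick one form and use it in the heading too. Finally, "Exclusions don't apply to this rule" is the same kind of statement the JavaScript/VBScript section carries in an [!IMPORTANT] callout; give it the same callout here so it is not buried mid-paragraph.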
@ -230,10 +240,10 @@ GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
This rule prevents Outlook from creating child processes, including launching an app when a user double-clicks an attachment. This rule prevents Outlook from creating child processes, including launching an app when a user double-clicks an attachment.
This is a typical malware behavior, especially for macro-based attacks that attempt to use Outlook to launch or download malicious executables. This is a typical malware behavior, especially for macro-based attacks that attempt to use Outlook to launch or download malicious executables. There are legitimate uses of this behavior, such as emails that contain a hyperlink that starts a browser session. Some common usages, like starting a browser session within an email, already have global exclusions.
>[!NOTE] >[!NOTE]
>This rule applies to Outlook only. >This rule applies to Outlook and Outlook.com only.
Intune name: Not applicable Intune name: Not applicable
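Review bot: the added text at line 87 gives the same example twice in consecutive sentences ("emails that contain a hyperlink that starts a browser session" and then "like starting a browser session within an email, already have global exclusions"); collapse it into one sentence that says this legitimate use is already covered by a global exclusion. The NOTE change at line 89 ("applies to Outlook and Outlook.com only") should be reflected in the rule description at line 86, which still says only "prevents Outlook from creating child processes".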