From b706f52e368472036a56eadd66730212af2b2d48 Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Fri, 25 Jan 2019 14:09:19 -0800 Subject: [PATCH 01/28] Rewrote ASR topics. --- .../windows-defender-atp/TOC.md | 1 - .../attack-surface-reduction-exploit-guard.md | 15 ++- .../enable-attack-surface-reduction.md | 124 +++++++++++++++++- 3 files changed, 129 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index 3a7c584172..b8cfb0c4f9 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md @@ -195,7 +195,6 @@ #### [Controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md) ##### [Customize controlled folder access](../windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md) #### [Attack surface reduction controls](../windows-defender-exploit-guard/enable-attack-surface-reduction.md) -##### [Customize attack surface reduction](../windows-defender-exploit-guard/customize-attack-surface-reduction.md) #### [Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index c66852c277..6db53d2fcf 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
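Review bot: The TOC entry `[Customize attack surface reduction](../windows-defender-exploit-guard/customize-attack-surface-reduction.md)` is dropped while the customize topic is still linked from attack-surface-reduction-exploit-guard.md later in this same patch (`You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information.`), so the topic becomes unreachable from navigation but is still referenced from the text. Either leave the TOC entry in place until the notification-customization content has a new home, or update that link in the same change so nothing is orphaned.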
@@ -11,7 +11,6 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 10/17/2018 --- # Reduce attack surfaces with attack surface reduction rules 
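Review bot: `ms.date: 10/17/2018` is deleted from the front matter rather than updated; if the intent is to mark the topic as revised, set it to the revision date instead (the same deletion is made in enable-attack-surface-reduction.md further down in this patch), otherwise confirm that the build does not require the field.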
@@ -20,19 +19,21 @@ ms.date: 10/17/2018 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. +Attack surface reduction rules help prevent actions in apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. -Attack surface reduction rules work best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. +To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjuction with ASR rules. -Attack surface reduction rules each target specific behaviors that are typically used by malware and malicious apps to infect machines, such as: +Attack surface reduction rules work best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). 
+ +Attack surface reduction rules each target specific behaviors that malware and malicious apps typically use to infect computers, including: - Executable files and scripts used in Office apps or web mail that attempt to download or run files - Scripts that are obfuscated or otherwise suspicious - Behaviors that apps undertake that are not usually initiated during normal day-to-day work -When a rule is triggered, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. +When a rule triggers, the Action Center displays a notification. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. -You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. +You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. ## Requirements @@ -66,7 +67,7 @@ The rules apply to the following Office apps: - Microsoft PowerPoint - Microsoft OneNote -The rules do not apply to any other Office apps. +Except where specified, the rules do not apply to any other Office apps. ### Rule: Block executable content from email client and webmail diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 2ba64377c3..2d6e86d1fb 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md 
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md 
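Review bot: In the @@ -20,19 hunk, the new licensing paragraph (`To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license.`) directly follows a sentence saying the rules can be set on Windows Server 2019, but says nothing about what Windows Server requires; either state the Server requirement or scope the licensing sentence to Windows 10 clients. In the same paragraph "conjuction" should be "conjunction". The rewritten opening sentence (`help prevent actions in apps that malware often uses`) also drops the original's "actions and apps"; since the rule list that follows covers executables and scripts as well as in-app behaviours, "actions and apps" is the more accurate wording.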
@@ -11,14 +11,132 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 10/17/2018 --- # Enable attack surface reduction rules -**Applies to:** +Attack surface reduction rules help prevent actions in apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjuction with ASR rules. + +## Exclude files and folders from ASR rules + +You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices. + +>[!WARNING] +>Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded. +> +>If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules). + +You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. Exclusions apply to all rules that are enabled or are set to audit mode. + +Attack surface reduction supports environment variables and wildcards. 
For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). + +The procedures below for enabling ASR rules include instructions for how to exclude files and folders. + +## Enable and audit attack surface reduction rules + +You're most likely to use Intune or System Center Configuration Manager (SCCM) to configure ASR rules, but you can also use Group Policy, PowerShell, or MDM CSPs. + +For a complete list of ASR rules, see [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md). + +Each ASR rule contains three settings: + +* Not configured: Disable the ASR rule +* Block: Enable the ASR rule +* Audit: Evaluate how the ASR rule would impact your organization if enabled + +For further details on how audit mode works and when to use it, see [Audit Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md). + +### Enable ASR rules in Intune + +1. In Intune, select *Device configuration* > *Profiles*. Choose an existing endpoint protection profile or create a new one. To create a new one, select *Create profile* and enter information for this profile. For *Profile type*, select *Endpoint protection*. If you've chosen an existing profile, select *Properties* and then select *Settings*. + +2. In the *Endpoint protection* pane, select *Windows Defender Exploit Guard*, then select *Attack Surface Reduction*. Select the desired setting for each ASR rule. + +3. Under *Attack Surface Reduction exceptions*, you can enter individual files and folders, or you can select *Import* to import a CSV file that contains files and folders to exclude from ASR rules. + +4. 
Select *OK* on the three configuration panes and then select *Create* if you're creating a new endpoint protection file or *Save* if you're editing an existing one. + +### Enable ASR rules in SCCM + +For information about enabling ASR rules and setting exclusions in SCCM, see [Create and deploy an Exploit Guard policy](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-deploy-exploit-guard-policy). + +### Enable ASR rules with group policy + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**. + +4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section: + - Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: + - Block (enable ASR rule) = 1 + - Disable = 0 + - Audit = 2 + +![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png) + +5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. + +### Enable ASR rules with PowerShell + +1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**. + +2. 
Enter the following cmdlet: + + ```PowerShell + Set-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Enabled + ``` + +You can enable the feature in audit mode using the following cmdlet: + +```PowerShell +Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode +``` +Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. + +>[!IMPORTANT> +>You must specify the state individually for each rule, but you can combine rules and states in a comma-separated list. +> +>In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode: +> +>```PowerShell +>Set-MpPreference -AttackSurfaceReductionRules_Ids ,,, -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode +>``` + +You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list. + +>[!WARNING] +>`Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead. +>You can obtain a list of rules and their current state by using `Get-MpPreference` + +3. To exclude files and folders from ASR rules, enter the following cmdlet: + + ```PowerShell + Add-MpPreference -AttackSurfaceReductionOnlyExclusions "" + ``` + +Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more files and folders to the list. + +>[!IMPORTANT] +>Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. + +### Enable ASR rules with MDM CSPs + +Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule. 
+ +Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions. + +## Related topics + +- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) +- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) + + + +**OLD TOPIC FOR COMPARISON** Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. From f8563c8c0789e1bc87cab683f4140b4e8e83a764 Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Mon, 28 Jan 2019 10:39:44 -0800 Subject: [PATCH 02/28] Rewrote ASR topics. --- .../attack-surface-reduction-exploit-guard.md | 35 ++---- .../enable-attack-surface-reduction.md | 116 +++--------------- 2 files changed, 26 insertions(+), 125 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 6db53d2fcf..584ec7aaf4 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
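Review bot: In the @@ -11,14 +11,132 hunk for enable-attack-surface-reduction.md, the exclusions section states `Exclusions apply to all rules that are enabled or are set to audit mode`, while attack-surface-reduction-exploit-guard.md still carries `Exclusions do not apply to this rule` notes on the email/webmail, code-injection, JavaScript/VBScript and LSASS rules (the lines PATCH 02/28 later removes), so the two topics contradict each other at this point in the series; qualify the sentence with the exceptions. Other items in the same hunk: `>[!IMPORTANT>` is a malformed alert tag and should be `>[!IMPORTANT]`; the cmdlet examples have lost their rule-ID placeholders and read `-AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Enabled`, `-AttackSurfaceReductionRules_Ids ,,,` and `-AttackSurfaceReductionOnlyExclusions ""`, so make sure the placeholders render rather than being swallowed as HTML; "insead" should be "instead", "conjuction" should be "conjunction", and `You can also the `Add-MpPreference` PowerShell verb` is missing "use"; Intune step 4 says "endpoint protection file" where "profile" is meant; the numbered step `3.` follows unindented paragraphs and alert blocks, so most Markdown renderers will restart it at 1 (indent the intervening text under step 2 or renumber); the `**Applies to:**` block is removed from this topic but kept in the sibling topic; and the `**OLD TOPIC FOR COMPARISON**` draft text at the end of the file sits inside the published topic and should not be merged.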
@@ -78,9 +78,6 @@ This rule blocks the following file types from being run or launched from an ema - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) - Script archive files ->[!IMPORTANT] ->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). - ### Rule: Block all Office applications from creating child processes Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. @@ -93,28 +90,18 @@ This rule targets typical behaviors used by suspicious and malicious add-ons and Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features. - ### Rule: Block Office applications from injecting code into other processes - Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. - ->[!IMPORTANT] ->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). - ### Rule: Block JavaScript or VBScript From launching downloaded executable content JavaScript and VBScript scripts can be used by malware to launch other malicious apps. This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines. - ->[!IMPORTANT] ->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). - ### Rule: Block execution of potentially obfuscated scripts Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. 
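Review bot: The @@ -78,9 and @@ -93,28 hunks delete the `Exclusions do not apply to this rule` notes from the email/webmail, code-injection and JavaScript/VBScript rules, which is a statement about product behaviour rather than a wording rewrite, and the commit message ("Rewrote ASR topics") does not say these rules now honour file and folder exclusions. Confirm that with the product team before merging; if the behaviour is unchanged, keep the notes and repoint their `customize-attack-surface-reduction.md#exclude-files-and-folders` link at the new `Exclude files and folders from ASR rules` section in enable-attack-surface-reduction.md that this series introduces.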
@@ -147,9 +134,6 @@ This rule provides an extra layer of protection against ransomware. Executable f Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS. ->[!IMPORTANT] ->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). - >[!NOTE] >Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat. @@ -157,6 +141,9 @@ Local Security Authority Subsystem Service (LSASS) authenticates users who log i This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks. +>[!IMPORTANT] +>File and folder exclusions do not apply to this ASR rule. + >[!WARNING] >[Only use this rule if you are managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands that the Configuration Manager client uses to function correctly.] 
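Review bot: Taken together, the @@ -147,9 and @@ -157,6 hunks move the exclusions caveat from the LSASS rule to the PsExec/WMI rule, which had no such note before, so after this patch the only rule documented as ignoring exclusions is PsExec/WMI, whereas before it was the LSASS rule plus the three rules in the earlier hunks. If that is the intended change, say so in the commit message, since an administrator who has LSASS-related exclusions in place would otherwise read this as those exclusions now taking effect. While touching the PsExec/WMI block, the existing WARNING line is wrapped in stray square brackets (`>[Only use this rule if you are managing your devices with [Intune](https://docs.microsoft.com/intune) ... correctly.]`) that render literally; drop them.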
@@ -183,17 +170,17 @@ You can review the Windows event log to see events that are created when an atta 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine. -1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. +2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. -2. On the left panel, under **Actions**, click **Import custom view...** +3. On the left panel, under **Actions**, click **Import custom view...** ![Animation showing the import custom view on the Event viewer window](images/events-import.gif) -3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). +4. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). -4. Click **OK**. +5. Click **OK**. -5. This will create a custom view that filters to only show the following events related to attack surface reduction rules: +6. This will create a custom view that filters to only show the following events related to attack surface reduction rules: Event ID | Description -|- @@ -201,8 +188,6 @@ You can review the Windows event log to see events that are created when an atta 1122 | Event when rule fires in Audit-mode 1121 | Event when rule fires in Block-mode - - ### Event fields - **ID**: matches with the Rule-ID that triggered the block/audit. 
@@ -211,11 +196,9 @@ You can review the Windows event log to see events that are created when an atta - **Description**: Additional details about the event or audit, including the signature, engine, and product version of Windows Defender Antivirus - ## In this section + ## Related topics Topic | Description ---|--- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how attack surface reduction rules work, and what events would typically be created. [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage attack surface reduction rules in your network. -[Customize attack surface reduction rules](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by attack surface reduction rules and customize the notification that appears on a user's machine when a rule blocks an app or file. - diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 2d6e86d1fb..ca38fa84c6 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md 
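Review bot: The Related topics row for customize-attack-surface-reduction.md is removed, but the intro of this same topic (rewritten in PATCH 01/28) still links `customize-attack-surface-reduction.md#customize-the-notification`, and the exclusions half of that topic is now duplicated in enable-attack-surface-reduction.md; either keep the row until the notification content has moved, or update that intro link in this patch so nothing dangles when the customize topic is retired.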
@@ -28,15 +28,21 @@ You can exclude files and folders from being evaluated by most attack surface re > >If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules). -You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. Exclusions apply to all rules that are enabled or are set to audit mode. +>[!IMPORTANT] +>File and folder exclusions do not apply to the **Block process creations originating from PSExec and WMI commands** ASR rule. -Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). +You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. Exclusions apply to all ASR rules that are enabled or are set to audit mode, except for the **Block process creations originating from PSExec and WMI commands**. -The procedures below for enabling ASR rules include instructions for how to exclude files and folders. +ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). 
+ +The following procedures for enabling ASR rules include instructions for how to exclude files and folders. ## Enable and audit attack surface reduction rules -You're most likely to use Intune or System Center Configuration Manager (SCCM) to configure ASR rules, but you can also use Group Policy, PowerShell, or MDM CSPs. +It's best to use an enterprise-level management platform like Intune or System Center Configuration Manager (SCCM) to configure ASR rules, but you can also use Group Policy, PowerShell, or third-party mobile device management (MDM) CSPs. + +>[!WARNING] +>If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy or PowerShell settings on startup. For a complete list of ASR rules, see [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md). @@ -62,7 +68,10 @@ For further details on how audit mode works and when to use it, see [Audit Windo For information about enabling ASR rules and setting exclusions in SCCM, see [Create and deploy an Exploit Guard policy](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-deploy-exploit-guard-policy). -### Enable ASR rules with group policy +### Enable ASR rules with Group Policy + +>[!WARNING] +>If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup. 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 
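Review bot: In the @@ -28,15 hunk, the sentence ending `except for the **Block process creations originating from PSExec and WMI commands**.` is missing the word "rule", and it restates the IMPORTANT box added two lines above it; one of the two is enough. `third-party mobile device management (MDM) CSPs` mislabels the mechanism: the CSPs referenced later in this topic (`./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules` and `.../AttackSurfaceReductionOnlyExclusions`) are Windows-built-in, and it is the MDM solution that may be third-party, so "MDM CSPs" or "a third-party MDM solution" is the accurate wording. The new WARNING about management software overwriting conflicting Group Policy or PowerShell settings on startup is added here and again verbatim in the @@ -62,7 and @@ -82,6 hunks; a single statement under `## Enable and audit attack surface reduction rules` would cover all three places.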
@@ -82,6 +91,9 @@ For information about enabling ASR rules and setting exclusions in SCCM, see [Cr ### Enable ASR rules with PowerShell +>[!WARNING] +>If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup. + 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**. 2. Enter the following cmdlet: 
@@ -133,97 +145,3 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusio - [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) - [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) - - - -**OLD TOPIC FOR COMPARISON** - -Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. - -## Enable and audit attack surface reduction rules - -You can use Group Policy, PowerShell, or MDM CSPs to configure the state or mode for each rule. This can be useful if you only want to enable some rules, or you want to enable rules individually in audit mode. - -For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). - -Attack surface reduction rules are identified by their unique rule ID. 
- -You can manually add the rules by using the GUIDs in the following table: - -Rule description | GUID --|- -Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A -Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 -Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D -Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25 -Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 -Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c -Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 -Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c - -See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. - -### Use Group Policy to enable or audit attack surface reduction rules - -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -2. 
In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. - -3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**. - -4. Double-click the **Configure Attack surface reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section: - - Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: - - Block mode = 1 - - Disabled = 0 - - Audit mode = 2 - -![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png) - -### Use PowerShell to enable or audit attack surface reduction rules - -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** -2. Enter the following cmdlet: - - ```PowerShell - Set-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Enabled - ``` - -You can enable the feature in audit mode using the following cmdlet: - -```PowerShell -Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode -``` -Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. - ->[!IMPORTANT> ->You must specify the state individually for each rule, but you can combine rules and states in a comma seperated list. -> ->In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode: -> ->```PowerShell ->Set-MpPreference -AttackSurfaceReductionRules_Ids ,,, -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode ->``` - - -You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list. - ->[!WARNING] ->`Set-MpPreference` will always overwrite the existing set of rules. 
If you want to add to the existing set, you should use `Add-MpPreference` instead. ->You can obtain a list of rules and their current state by using `Get-MpPreference` - - -### Use MDM CSPs to enable attack surface reduction rules - -Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule. - -## Related topics - -- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) -- [Customize attack surface reduction](customize-attack-surface-reduction.md) -- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) From bb08591be645ff8cf216260c4f63f1b955349580 Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Mon, 28 Jan 2019 10:41:52 -0800 Subject: [PATCH 03/28] Removed mention of EG eval package. --- .../attack-surface-reduction-exploit-guard.md | 35 +------------------ 1 file changed, 1 insertion(+), 34 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 584ec7aaf4..ca19171d66 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
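Review bot: Deleting the `**OLD TOPIC FOR COMPARISON**` block in the @@ -133,97 hunk also deletes the `Rule description | GUID` table, and after this hunk enable-attack-surface-reduction.md no longer lists a single rule ID even though its own Group Policy step (`enter the rule ID in the **Value name** column`) and the `-AttackSurfaceReductionRules_Ids` cmdlets require one; the pointer `For a complete list of ASR rules, see [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md)` only works if that topic carries the GUIDs. Keep the GUID table in this topic (it is the part of the old text that was still correct) or verify that the linked topic lists the ID alongside each rule.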
@@ -67,11 +67,10 @@ The rules apply to the following Office apps: - Microsoft PowerPoint - Microsoft OneNote -Except where specified, the rules do not apply to any other Office apps. +Except where specified, ASR rules do not apply to any other Office apps. ### Rule: Block executable content from email client and webmail - This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com): - Executable files (such as .exe, .dll, or .scr) 
@@ -164,38 +163,6 @@ This is a typical malware behavior, especially for macro-based attacks that atte This rule blocks Adobe Reader from creating child processes. -## Review attack surface reduction rule events in Windows Event Viewer - -You can review the Windows event log to see events that are created when an attack surface reduction rule is triggered (or audited): - -1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine. - -2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. - -3. On the left panel, under **Actions**, click **Import custom view...** - - ![Animation showing the import custom view on the Event viewer window](images/events-import.gif) - -4. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). - -5. Click **OK**. - -6. This will create a custom view that filters to only show the following events related to attack surface reduction rules: - - Event ID | Description --|- -5007 | Event when settings are changed -1122 | Event when rule fires in Audit-mode -1121 | Event when rule fires in Block-mode - -### Event fields - -- **ID**: matches with the Rule-ID that triggered the block/audit. -- **Detection time**: Time of detection -- **Process Name**: The process that performed the "operation" that was blocked/audited -- **Description**: Additional details about the event or audit, including the signature, engine, and product version of Windows Defender Antivirus - - ## Related topics Topic | Description From 6d8c2e2140445008eefa21fb89d7de937e89f00c Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Mon, 28 Jan 2019 11:04:49 -0800 Subject: [PATCH 04/28] Remove requirements section. --- .../attack-surface-reduction-exploit-guard.md | 4 ---- 1 file changed, 4 deletions(-) 
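Review bot: the second hunk deletes the entire 'Review attack surface reduction rule events in Windows Event Viewer' section, including the event ID table (5007 settings changed, 1122 rule fired in audit mode, 1121 rule fired in block mode) and the event-field list, but only step 1 depended on the Exploit Guard Evaluation Package; step 4 already offers the 'copy the XML directly' alternative from event-views-exploit-guard.md. Since the commit message only says it removes the eval-package mention, consider keeping the event IDs and field descriptions (dropping step 1 and the aka.ms link) or saying where they now live: those IDs are what an admin uses to confirm audit mode is producing hits before switching a rule to block.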
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index ca19171d66..00c21827f8 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -35,10 +35,6 @@ When a rule triggers, the Action Center displays a notification. You can [custom You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. -## Requirements - -Attack surface reduction rules require Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md). - ## Attack surface reduction rules The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table: From 69f02bcf28bfccfd175457f6cf526a2007b78d43 Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Mon, 28 Jan 2019 11:06:37 -0800 Subject: [PATCH 05/28] Minor change. --- .../attack-surface-reduction-exploit-guard.md | 2 +- .../enable-attack-surface-reduction.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 00c21827f8..8c21059f08 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
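Review bot: the removed Requirements section stated two requirements, Windows 10 Enterprise E5 and Windows Defender AV real-time protection (the link to configure-real-time-protection-windows-defender-antivirus.md). The next commit in this series re-states licensing as E3 or E5, but nothing restores the real-time protection requirement; keep a one-line note that ASR rules need Windows Defender AV real-time protection enabled, since every rule behavior this topic describes presupposes it and readers will otherwise evaluate rules on machines where they cannot fire.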
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -19,7 +19,7 @@ ms.author: v-anbic - Windows Defender Advanced Threat Protection (Windows Defender ATP) -Attack surface reduction rules help prevent actions in apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. +Attack surface reduction rules help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjuction with ASR rules. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index ca38fa84c6..57f3a3eebf 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md 
@@ -15,7 +15,7 @@ ms.author: v-anbic # Enable attack surface reduction rules -Attack surface reduction rules help prevent actions in apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. +Attack surface reduction rules help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjuction with ASR rules. From 2006c842f344cab00784a04b0de08f14a018d211 Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Mon, 28 Jan 2019 11:27:58 -0800 Subject: [PATCH 06/28] Added PowerShell cmdlet. --- .../enable-attack-surface-reduction.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 57f3a3eebf..94fd50bf15 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md 
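Review bot: both hunks change 'help prevent actions in apps that malware often uses' to 'help prevent actions and apps that malware often uses', which reads as if the rules block applications themselves; the rule descriptions later in this file (child process creation, code injection, executable content from Office, script launches, LSASS access) constrain behaviors of apps, so 'actions in apps' or 'behaviors that malware often uses' is the accurate wording. Also 'conjuction' in the unchanged context line of both hunks should be 'conjunction'; the paragraph is duplicated in attack-surface-reduction-exploit-guard.md and enable-attack-surface-reduction.md, so fix both in the same commit to keep them in sync.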
@@ -85,7 +85,7 @@ For information about enabling ASR rules and setting exclusions in SCCM, see [Cr - Disable = 0 - Audit = 2 -![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png) + ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png) 5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. @@ -102,14 +102,19 @@ For information about enabling ASR rules and setting exclusions in SCCM, see [Cr Set-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Enabled ``` -You can enable the feature in audit mode using the following cmdlet: +To enable ASR rules in audit mode, use the following cmdlet: ```PowerShell Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode ``` -Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. ->[!IMPORTANT> +To turn off ASR rules, use the following cmdlet: + +```PowerShell +Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Disabled +``` + +>[!IMPORTANT] >You must specify the state individually for each rule, but you can combine rules and states in a comma-separated list. > >In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode: 
@@ -124,7 +129,7 @@ You can also the `Add-MpPreference` PowerShell verb to add new rules to the exis >`Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead. >You can obtain a list of rules and their current state by using `Get-MpPreference` -3. To exclude files and folders from ASR rules, enter the following cmdlet: +3. To exclude files and folders from ASR rules, use the following cmdlet: ```PowerShell Add-MpPreference -AttackSurfaceReductionOnlyExclusions "" From d1b978c17192c5e9cf58c124376e7ef9b31cb6d6 Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Mon, 28 Jan 2019 11:55:29 -0800 Subject: [PATCH 07/28] Added examples for MDM CSP paths and values. --- .../enable-attack-surface-reduction.md | 75 +++++++++++++------ 1 file changed, 51 insertions(+), 24 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 94fd50bf15..1420c2c6e7 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -81,8 +81,8 @@ For information about enabling ASR rules and setting exclusions in SCCM, see [Cr 4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section: - Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: - - Block (enable ASR rule) = 1 - Disable = 0 + - Block (enable ASR rule) = 1 - Audit = 2 ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png) 
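Review bot: in the second hunk the three cmdlet examples (Enabled, AuditMode, and the new 'To turn off ASR rules' example with `Add-MpPreference ... -AttackSurfaceReductionRules_Actions Disabled`) pass nothing after `-AttackSurfaceReductionRules_Ids`, so as rendered a reader cannot tell a rule GUID is required there; if the placeholder was lost to markup, write it as a literal placeholder inside the fence, where angle brackets render safely. The same applies to `Add-MpPreference -AttackSurfaceReductionOnlyExclusions ""` in the third hunk, which shows an empty string where a path belongs. The `>[!IMPORTANT>` to `>[!IMPORTANT]` fix is correct.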
@@ -102,32 +102,32 @@ For information about enabling ASR rules and setting exclusions in SCCM, see [Cr Set-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Enabled ``` -To enable ASR rules in audit mode, use the following cmdlet: + To enable ASR rules in audit mode, use the following cmdlet: -```PowerShell -Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode -``` + ```PowerShell + Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode + ``` -To turn off ASR rules, use the following cmdlet: + To turn off ASR rules, use the following cmdlet: -```PowerShell -Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Disabled -``` + ```PowerShell + Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Disabled + ``` ->[!IMPORTANT] ->You must specify the state individually for each rule, but you can combine rules and states in a comma-separated list. -> ->In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode: -> ->```PowerShell ->Set-MpPreference -AttackSurfaceReductionRules_Ids ,,, -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode ->``` + >[!IMPORTANT] + >You must specify the state individually for each rule, but you can combine rules and states in a comma-separated list. + > + >In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode: + > + >```PowerShell + >Set-MpPreference -AttackSurfaceReductionRules_Ids ,,, -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode + >``` -You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list. + You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list. 
->[!WARNING] ->`Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead. ->You can obtain a list of rules and their current state by using `Get-MpPreference` + >[!WARNING] + >`Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead. + >You can obtain a list of rules and their current state by using `Get-MpPreference` 3. To exclude files and folders from ASR rules, use the following cmdlet: 
@@ -135,17 +135,44 @@ You can also the `Add-MpPreference` PowerShell verb to add new rules to the exis Add-MpPreference -AttackSurfaceReductionOnlyExclusions "" ``` -Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more files and folders to the list. + Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more files and folders to the list. ->[!IMPORTANT] ->Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. + >[!IMPORTANT] + >Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. ### Enable ASR rules with MDM CSPs Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule. +The following is a sample for reference, using the [GUID value for the ASR rule](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). 
The values to enable, disable, or enable in audit mode are: + +- Disable = 0 +- Block (enable ASR rule) = 1 +- Audit = 2 + +```OMA-URI path +./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules +``` + +```OMA-URI value +{75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1 +``` + Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions. +Example: + +```OMA-URI path +./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions +``` + +```OMA-URI value +c:\path|e:\path|c:\Whitelisted.exe +``` + +>[!NOTE] +>Be sure to enter OMA-URI values without spaces. + ## Related topics - [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) From 7487c99ab466a797752599c28cca81474a35f5b4 Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Mon, 28 Jan 2019 12:28:13 -0800 Subject: [PATCH 08/28] Added Intune and SCCM ASR rule names. --- .../attack-surface-reduction-exploit-guard.md | 56 +++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 8c21059f08..3ad8731515 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
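Review bot: the hunk that re-indents step 2 of the PowerShell procedure carries the sentence 'You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list' forward unchanged (it also appears in the next hunk's header); it is missing 'use', and `Add-MpPreference` is a cmdlet, not a verb (`Add` is the verb). Suggest: 'You can also use the `Add-MpPreference` cmdlet to add new rules to the existing list.' The WARNING line 'You can obtain a list of rules and their current state by using `Get-MpPreference`' also lacks a closing period.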
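Review bot: in the MDM CSP hunk the sample value writes one GUID as `{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}` with a lower-case 'f' while the rest of the sample uses upper-case and the rule list added later in this PR has `D4F940AB-401B-4EFC-AADC-AD5F3C50688A`; use one casing so a reader comparing the two copies does not take them for different rules. The fence info strings ` ```OMA-URI path ` and ` ```OMA-URI value ` are not language identifiers and will not render consistently; put the label above a plain fence. For the exclusions sample `c:\path|e:\path|c:\Whitelisted.exe`, the CSP path `AttackSurfaceReductionOnlyExclusions` scopes the exclusion to ASR rules as a whole rather than to one rule, so add a sentence advising readers to exclude specific files rather than whole folders or drives.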
@@ -67,6 +67,10 @@ Except where specified, ASR rules do not apply to any other Office apps. ### Rule: Block executable content from email client and webmail +Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions) +SCCM name: Block executable content from email client and webmail +GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 + This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com): - Executable files (such as .exe, .dll, or .scr) 
@@ -75,41 +79,69 @@ This rule blocks the following file types from being run or launched from an ema ### Rule: Block all Office applications from creating child processes +Intune name: Office apps launching child processes +SCCM name: Block Office application from creating child processes +GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A + Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. ### Rule: Block Office applications from creating executable content +Intune name: Office apps/macros creating executable content +SCCM name: Block Office applications from creating executable content +GUID: 3B576869-A4EC-4529-8536-B80A7769E899 + This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique. Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features. ### Rule: Block Office applications from injecting code into other processes +Intune name: Office apps injecting code into other processes (no exceptions) +SCCM name: Block Office applications from injecting code into other processes +GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 + Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. 
### Rule: Block JavaScript or VBScript From launching downloaded executable content +Intune name: js/vbs executing payload downloaded from Internet (no exceptions) +SCCM name: Block JavaScript or VBScript from launching downloaded executable content +GUID: D3E037E1-3EB8-44C8-A917-57927947596D + JavaScript and VBScript scripts can be used by malware to launch other malicious apps. This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines. ### Rule: Block execution of potentially obfuscated scripts +Intune name: Obfuscated js/vbs/ps/macro code +SCCM name: Block execution of potentially obfuscated scripts. +GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC + Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. This rule prevents scripts that appear to be obfuscated from running. ### Rule: Block Win32 API calls from Office macro +Intune name: Win32 imports from Office macro code +SCCM name: Block Win32 API calls from Office macros +GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B + Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system. This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. ### Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria + +Intune name: Executables that don't meet a prevalence, age, or trusted list criteria +SCCM name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria +GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25 This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list: 
@@ -119,6 +151,10 @@ This rule blocks the following file types from being run or launched unless they >You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. ### Rule: Use advanced protection against ransomware + +Intune name: Advanced ransomware protection +SCCM name: Use advanced protection against ransomware +GUID: c1db55ab-c21a-4637-bb3f-a12568109d35 This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list. 
@@ -126,6 +162,10 @@ This rule provides an extra layer of protection against ransomware. Executable f >You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. ### Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe) + +Intune name: Flag credential stealing from the Windows local security authority subsystem +SCCM name: Block credential stealing from the Windows local security authority subsystem +GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS. 
@@ -133,6 +173,10 @@ Local Security Authority Subsystem Service (LSASS) authenticates users who log i >Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat. ### Rule: Block process creations originating from PSExec and WMI commands + +Intune name: Process creation from PSExec and WMI commands +SCCM name: Not applicable +GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks. @@ -143,6 +187,10 @@ This rule blocks processes through PsExec and WMI commands from running, to prev >[Only use this rule if you are managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands that the Configuration Manager client uses to function correctly.] ### Rule: Block untrusted and unsigned processes that run from USB + +Intune name: Untrusted and unsigned processes that run from USB +SCCM name: Block untrusted and unsigned processes that run from USB +GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include: 
@@ -151,12 +199,20 @@ With this rule, admins can prevent unsigned or untrusted executable files from r ### Rule: Block Office communication applications from creating child processes +Intune name: Not applicable +SCCM name: Not applicable +GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869 + Office communication apps will not be allowed to create child processes. This includes Outlook. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. ### Rule: Block Adobe Reader from creating child processes +Intune name: Not applicable +SCCM name: Not applicable +GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c + This rule blocks Adobe Reader from creating child processes. ## Related topics From 4a6e4c38deb7ee03f6fdd811badb78152ff57aec Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Mon, 28 Jan 2019 12:31:22 -0800 Subject: [PATCH 09/28] Changed related topics. --- .../attack-surface-reduction-exploit-guard.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 3ad8731515..f9f1209414 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
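Review bot: in the hunks for 'Block executable files from running unless they meet a prevalence, age, or trusted list criteria', 'Use advanced protection against ransomware', 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)', 'Block process creations originating from PSExec and WMI commands' and 'Block untrusted and unsigned processes that run from USB', the three metadata lines are added with a blank line before them but none after, so 'GUID: ...' runs straight into the description paragraph; and in every hunk 'Intune name:', 'SCCM name:' and 'GUID:' sit on consecutive lines with no blank line between them, so markdown folds them into one paragraph. Either separate them with blank lines or render them as a bulleted list.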
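Review bot: GUID casing is mixed across the added lines: the first seven rules use upper-case (`BE9BA2D9-...`, `D4F940AB-...`, `3B576869-...`, `75668C1F-...`, `D3E037E1-...`, `5BEB7EFE-...`, `92E97FA1-...`) and the remaining seven lower-case (`01443614-cd74-...`, `c1db55ab-...`, `9e6c4e1f-...`, `d1e49aac-...`, `b2b3f03d-...`, `26190899-...`, `7674ba52-...`); normalize to one case so the values paste uniformly into the Group Policy value name column or the OMA-URI string. 'SCCM name: Block execution of potentially obfuscated scripts.' has a trailing period the other entries lack. In the PsExec/WMI hunk, the unchanged context note `>[Only use this rule if you are managing your devices with ... function correctly.]` is wrapped in stray square brackets that render literally; worth fixing while touching this section.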
@@ -215,9 +215,7 @@ GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c This rule blocks Adobe Reader from creating child processes. - ## Related topics +## Related topics -Topic | Description ----|--- -[Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how attack surface reduction rules work, and what events would typically be created. -[Enable attack surface reduction rules](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage attack surface reduction rules in your network. +- [Enable attack surface reduction rules](enable-attack-surface-reduction.md) +- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) \ No newline at end of file From 1993331377e6e5c927a1213b8647fdf59ae029a6 Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Mon, 28 Jan 2019 12:36:00 -0800 Subject: [PATCH 10/28] Fixed formatting --- .../enable-attack-surface-reduction.md | 24 +++++++------------ 1 file changed, 8 insertions(+), 16 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 1420c2c6e7..8b5b458d09 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md 
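Review bot: the new Related topics list ends without a trailing newline ('\ No newline at end of file'); add one. The link text is also changed from 'Evaluate attack surface reduction rules' in the removed table to 'Evaluate attack surface reduction' in the bullet; match the target page's title so the two topics cross-reference each other consistently.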
@@ -144,31 +144,23 @@ For information about enabling ASR rules and setting exclusions in SCCM, see [Cr Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule. -The following is a sample for reference, using the [GUID value for the ASR rule](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). The values to enable, disable, or enable in audit mode are: +The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). + +OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules +Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1 + +The values to enable, disable, or enable in audit mode are: - Disable = 0 - Block (enable ASR rule) = 1 - Audit = 2 -```OMA-URI path -./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules -``` - -```OMA-URI value -{75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1 -``` - Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service 
provider (CSP) to add exclusions. Example: -```OMA-URI path -./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions -``` - -```OMA-URI value -c:\path|e:\path|c:\Whitelisted.exe -``` +OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions +Value: c:\path|e:\path|c:\Whitelisted.exe >[!NOTE] >Be sure to enter OMA-URI values without spaces. From 2d71afa16ef03d6293d21eed125bcf61cd2f8ba3 Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Mon, 28 Jan 2019 12:50:54 -0800 Subject: [PATCH 11/28] Fixed formatting. --- .../attack-surface-reduction-exploit-guard.md | 140 +++++++++++------- 1 file changed, 84 insertions(+), 56 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index f9f1209414..7488e30a21 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
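Review bot: replacing the fenced samples with plain-paragraph lines 'OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules' and 'Value: {75668C1F-...}=2|{3B576869-...}=1|...' exposes the `|`, `\` and `{}` characters to markdown processing and makes the values harder to copy exactly, which matters given the NOTE directly below that OMA-URI values must contain no spaces; wrap each path and value in inline code (backticks) or keep a plain fence. The lower-case 'f' in `{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}` survives this rewrite. In the second hunk 'Example:' is left as a one-word paragraph; fold it into the preceding sentence.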
@@ -67,81 +67,91 @@ Except where specified, ASR rules do not apply to any other Office apps. ### Rule: Block executable content from email client and webmail -Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions) -SCCM name: Block executable content from email client and webmail -GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 - This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com): - Executable files (such as .exe, .dll, or .scr) - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) - Script archive files -### Rule: Block all Office applications from creating child processes +Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions) -Intune name: Office apps launching child processes -SCCM name: Block Office application from creating child processes -GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A +SCCM name: Block executable content from email client and webmail + +GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 + +### Rule: Block all Office applications from creating child processes Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. 
-### Rule: Block Office applications from creating executable content +Intune name: Office apps launching child processes -Intune name: Office apps/macros creating executable content -SCCM name: Block Office applications from creating executable content -GUID: 3B576869-A4EC-4529-8536-B80A7769E899 +SCCM name: Block Office application from creating child processes + +GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A + +### Rule: Block Office applications from creating executable content This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique. Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features. -### Rule: Block Office applications from injecting code into other processes +Intune name: Office apps/macros creating executable content -Intune name: Office apps injecting code into other processes (no exceptions) -SCCM name: Block Office applications from injecting code into other processes -GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 +SCCM name: Block Office applications from creating executable content + +GUID: 3B576869-A4EC-4529-8536-B80A7769E899 + +### Rule: Block Office applications from injecting code into other processes Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. 
-### Rule: Block JavaScript or VBScript From launching downloaded executable content +Intune name: Office apps injecting code into other processes (no exceptions) -Intune name: js/vbs executing payload downloaded from Internet (no exceptions) -SCCM name: Block JavaScript or VBScript from launching downloaded executable content -GUID: D3E037E1-3EB8-44C8-A917-57927947596D +SCCM name: Block Office applications from injecting code into other processes + +GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 + +### Rule: Block JavaScript or VBScript From launching downloaded executable content JavaScript and VBScript scripts can be used by malware to launch other malicious apps. This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines. -### Rule: Block execution of potentially obfuscated scripts +Intune name: js/vbs executing payload downloaded from Internet (no exceptions) -Intune name: Obfuscated js/vbs/ps/macro code -SCCM name: Block execution of potentially obfuscated scripts. -GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC +SCCM name: Block JavaScript or VBScript from launching downloaded executable content + +GUID: D3E037E1-3EB8-44C8-A917-57927947596D + +### Rule: Block execution of potentially obfuscated scripts Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. This rule prevents scripts that appear to be obfuscated from running. -### Rule: Block Win32 API calls from Office macro +Intune name: Obfuscated js/vbs/ps/macro code -Intune name: Win32 imports from Office macro code -SCCM name: Block Win32 API calls from Office macros -GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B +SCCM name: Block execution of potentially obfuscated scripts. 
+ +GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC + +### Rule: Block Win32 API calls from Office macro Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system. This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. -### Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria +Intune name: Win32 imports from Office macro code -Intune name: Executables that don't meet a prevalence, age, or trusted list criteria -SCCM name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria -GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25 +SCCM name: Block Win32 API calls from Office macros + +GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B + +### Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list: 
@@ -149,34 +159,40 @@ This rule blocks the following file types from being run or launched unless they >[!NOTE] >You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. + +Intune name: Executables that don't meet a prevalence, age, or trusted list criteria + +SCCM name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria + +GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25 ### Rule: Use advanced protection against ransomware - -Intune name: Advanced ransomware protection -SCCM name: Use advanced protection against ransomware -GUID: c1db55ab-c21a-4637-bb3f-a12568109d35 This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list. >[!NOTE] >You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. + +Intune name: Advanced ransomware protection + +SCCM name: Use advanced protection against ransomware + +GUID: c1db55ab-c21a-4637-bb3f-a12568109d35 ### Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe) - -Intune name: Flag credential stealing from the Windows local security authority subsystem -SCCM name: Block credential stealing from the Windows local security authority subsystem -GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. 
Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS. >[!NOTE] >Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat. -### Rule: Block process creations originating from PSExec and WMI commands +Intune name: Flag credential stealing from the Windows local security authority subsystem -Intune name: Process creation from PSExec and WMI commands -SCCM name: Not applicable -GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c +SCCM name: Block credential stealing from the Windows local security authority subsystem + +GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 + +### Rule: Block process creations originating from PSExec and WMI commands This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks. 
@@ -185,36 +201,48 @@ This rule blocks processes through PsExec and WMI commands from running, to prev >[!WARNING] >[Only use this rule if you are managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands that the Configuration Manager client uses to function correctly.] + +Intune name: Process creation from PSExec and WMI commands + +SCCM name: Not applicable + +GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c ### Rule: Block untrusted and unsigned processes that run from USB - -Intune name: Untrusted and unsigned processes that run from USB -SCCM name: Block untrusted and unsigned processes that run from USB -GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include: - Executable files (such as .exe, .dll, or .scr) - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) -### Rule: Block Office communication applications from creating child processes +Intune name: Untrusted and unsigned processes that run from USB -Intune name: Not applicable -SCCM name: Not applicable -GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869 +SCCM name: Block untrusted and unsigned processes that run from USB + +GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 + +### Rule: Block Office communication applications from creating child processes Office communication apps will not be allowed to create child processes. This includes Outlook. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. 
+Intune name: Not applicable + +SCCM name: Not applicable + +GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869 + ### Rule: Block Adobe Reader from creating child processes -Intune name: Not applicable -SCCM name: Not applicable -GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c - This rule blocks Adobe Reader from creating child processes. +Intune name: Not applicable + +SCCM name: Not applicable + +GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c + ## Related topics - [Enable attack surface reduction rules](enable-attack-surface-reduction.md) From ad1d83f77ceae417acd3d5728d86b8955947fe6f Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Mon, 28 Jan 2019 13:05:35 -0800 Subject: [PATCH 12/28] Fixed formatting. --- .../enable-attack-surface-reduction.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 8b5b458d09..333831181a 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md 
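Review bot: On the patch 11/28 reflow of the Intune name/SCCM name/GUID blocks, a few inconsistencies survive the move: the SCCM name under the obfuscated-scripts rule keeps a trailing period (`SCCM name: Block execution of potentially obfuscated scripts.`) while no other SCCM name has one; the heading `### Rule: Block JavaScript or VBScript From launching downloaded executable content` capitalizes "From"; and the PSExec/WMI section spells the tool `PSExec` in the heading and Intune name but `PsExec` in the body. The WARNING under that rule is also wrapped in stray square brackets (`>[Only use this rule ... correctly.]`), which will render literally; worth fixing while these lines are being touched.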
@@ -87,7 +87,7 @@ For information about enabling ASR rules and setting exclusions in SCCM, see [Cr ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png) -5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. +5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. ### Enable ASR rules with PowerShell @@ -147,6 +147,7 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules + Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1 The values to enable, disable, or enable in audit mode are: @@ -160,6 +161,7 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusio Example: OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions + Value: c:\path|e:\path|c:\Whitelisted.exe >[!NOTE] From 20351153537274d59be2ae076d22cf1d24be0b37 Mon Sep 17 00:00:00 2001 
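Review bot: In the patch 12/28 hunk for the AttackSurfaceReductionRules sample, the value contains `{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}` with a lowercase "f", while the same rule's GUID is given as `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` in attack-surface-reduction-exploit-guard.md; the casing should match so a value copied from this sample is consistent with the rule table. The blank line added between `OMA-URI path:` and `Value:` in both examples is the right fix for the paragraph-merging issue.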
From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Mon, 28 Jan 2019 15:03:58 -0800 Subject: [PATCH 13/28] Incorp tech review. --- .../attack-surface-reduction-exploit-guard.md | 3 +++ .../enable-attack-surface-reduction.md | 11 ++++++++--- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 7488e30a21..0c63e58ce9 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -121,6 +121,9 @@ JavaScript and VBScript scripts can be used by malware to launch other malicious This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines. +>[!IMPORTANT] +>File and folder exclusions do not apply to this ASR rule. + Intune name: js/vbs executing payload downloaded from Internet (no exceptions) SCCM name: Block JavaScript or VBScript from launching downloaded executable content diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 333831181a..697c863a5c 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md 
@@ -29,9 +29,12 @@ You can exclude files and folders from being evaluated by most attack surface re >If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules). >[!IMPORTANT] ->File and folder exclusions do not apply to the **Block process creations originating from PSExec and WMI commands** ASR rule. +>File and folder exclusions do not apply to the following ASR rules: +> +>- Block process creations originating from PSExec and WMI commands +>- Block JavaScript or VBScript from launching downloaded executable content -You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. Exclusions apply to all ASR rules that are enabled or are set to audit mode, except for the **Block process creations originating from PSExec and WMI commands**. +You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). 
@@ -60,7 +63,9 @@ For further details on how audit mode works and when to use it, see [Audit Windo 2. In the *Endpoint protection* pane, select *Windows Defender Exploit Guard*, then select *Attack Surface Reduction*. Select the desired setting for each ASR rule. -3. Under *Attack Surface Reduction exceptions*, you can enter individual files and folders, or you can select *Import* to import a CSV file that contains files and folders to exclude from ASR rules. +3. Under *Attack Surface Reduction exceptions*, you can enter individual files and folders, or you can select *Import* to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format: + + 4. Select *OK* on the three configuration panes and then select *Create* if you're creating a new endpoint protection file or *Save* if you're editing an existing one. From e078156b9d96439f90c15a429b4a91d94796eb63 Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Wed, 6 Feb 2019 12:29:42 -0800 Subject: [PATCH 14/28] Added more description to Outlook and Adobe asr rules. --- .../attack-surface-reduction-exploit-guard.md | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 0c63e58ce9..69fa1dad4e 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
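Review bot: In the patch 13/28 Intune steps hunk, the added sentence `Each line in the CSV file should be in the following format:` is followed only by blank lines, so the format itself is missing; either add the line format or drop the sentence until it is available. In the exclusions hunk, the IMPORTANT note now correctly lists both rules that ignore exclusions, but the removed sentence `Exclusions apply to all ASR rules that are enabled or are set to audit mode, except for ...` was the only place the body said that exclusions also apply to rules in audit mode; consider keeping that statement in the rewritten sentence.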
@@ -17,7 +17,7 @@ ms.author: v-anbic **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Attack surface reduction rules help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. @@ -53,7 +53,7 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c The rules apply to the following Office apps: @@ -105,7 +105,7 @@ GUID: 3B576869-A4EC-4529-8536-B80A7769E899 ### Rule: Block Office applications from injecting code into other processes -Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. +Office apps, including Word, Excel, or PowerPoint, will not be able to inject code into other processes. This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. 
@@ -146,7 +146,7 @@ GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system. -This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. +This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. This includes Word, Excel, PowerPoint, and OneNote. Intune name: Win32 imports from Office macro code @@ -224,11 +224,14 @@ SCCM name: Block untrusted and unsigned processes that run from USB GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -### Rule: Block Office communication applications from creating child processes +### Rule: Block Office communication application from creating child processes -Office communication apps will not be allowed to create child processes. This includes Outlook. +This rule prevents Outlook from creating child processes, including launching an app when a user double-clicks an attachment. -This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. +This is a typical malware behavior, especially for macro-based attacks that attempt to use Outlook to launch or download malicious executables. + +>[!NOTE] +>This rule applies to Outlook only. Intune name: Not applicable @@ -240,6 +243,8 @@ GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869 This rule blocks Adobe Reader from creating child processes. +This helps protect against heap-based buffer overflow vulnerabilities in PDF files, which attackers could use to launch malicious code. It also mitigates against potential JavaScript and Adobe Flash engine vulnerabilities that could allow attackers to insert and execute malicious code in PDF documents. + Intune name: Not applicable SCCM name: Not applicable From f93df55c574053bb6271eb1f158ce78449dfd48a Mon Sep 17 00:00:00 2001 
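Review bot: In the patch 14/28 "Applies to" hunk, the Windows Defender ATP bullet now links to `https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf`, a licensing comparison PDF on a blob host, rather than the product topic the same file already links elsewhere (`../windows-defender-atp/windows-defender-advanced-threat-protection.md`); a product link is what readers expect from that line. Smaller points in the later hunks: `Office apps, including Word, Excel, or PowerPoint` should read "and" after "including"; in the Win32 API rule the appended `This includes Word, Excel, PowerPoint, and OneNote.` follows a sentence about Office files, so state explicitly that it is the set of apps the rule covers; and in the Adobe Reader paragraph "mitigates against" is redundant ("mitigates").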
From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Wed, 6 Feb 2019 12:40:38 -0800 Subject: [PATCH 15/28] Edited headings for clarity. --- .../attack-surface-reduction-exploit-guard.md | 40 +++++++++---------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 69fa1dad4e..26f9a8fbc2 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -1,6 +1,6 @@ --- title: Use attack surface reduction rules to prevent malware infection -description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware +description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect machines with malware keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention search.product: eADQiWindows 10XVcnh ms.pagetype: security 
@@ -21,7 +21,7 @@ ms.author: v-anbic Attack surface reduction rules help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. -To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjuction with ASR rules. +To use attack surface reduction rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjuction with attack surface reduction rules. Attack surface reduction rules work best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). 
@@ -63,9 +63,9 @@ The rules apply to the following Office apps: - Microsoft PowerPoint - Microsoft OneNote -Except where specified, ASR rules do not apply to any other Office apps. +Except where specified, attack surface reduction rules do not apply to any other Office apps. -### Rule: Block executable content from email client and webmail +### Block executable content from email client and webmail This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com): @@ -79,7 +79,7 @@ SCCM name: Block executable content from email client and webmail GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -### Rule: Block all Office applications from creating child processes +### Block all Office applications from creating child processes Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. @@ -91,7 +91,7 @@ SCCM name: Block Office application from creating child processes GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A -### Rule: Block Office applications from creating executable content +### Block Office applications from creating executable content This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique. @@ -103,7 +103,7 @@ SCCM name: Block Office applications from creating executable content GUID: 3B576869-A4EC-4529-8536-B80A7769E899 -### Rule: Block Office applications from injecting code into other processes +### Block Office applications from injecting code into other processes Office apps, including Word, Excel, or PowerPoint, will not be able to inject code into other processes. 
@@ -115,14 +115,14 @@ SCCM name: Block Office applications from injecting code into other processes GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -### Rule: Block JavaScript or VBScript From launching downloaded executable content +### Block JavaScript or VBScript From launching downloaded executable content JavaScript and VBScript scripts can be used by malware to launch other malicious apps. This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines. >[!IMPORTANT] ->File and folder exclusions do not apply to this ASR rule. +>File and folder exclusions do not apply to this attack surface reduction rule. Intune name: js/vbs executing payload downloaded from Internet (no exceptions) @@ -130,7 +130,7 @@ SCCM name: Block JavaScript or VBScript from launching downloaded executable con GUID: D3E037E1-3EB8-44C8-A917-57927947596D -### Rule: Block execution of potentially obfuscated scripts +### Block execution of potentially obfuscated scripts Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. @@ -142,7 +142,7 @@ SCCM name: Block execution of potentially obfuscated scripts. GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -### Rule: Block Win32 API calls from Office macro +### Block Win32 API calls from Office macro Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system. 
@@ -154,7 +154,7 @@ SCCM name: Block Win32 API calls from Office macros GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -### Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria +### Block executable files from running unless they meet a prevalence, age, or trusted list criteria This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list: @@ -169,7 +169,7 @@ SCCM name: Block executable files from running unless they meet a prevalence, ag GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25 -### Rule: Use advanced protection against ransomware +### Use advanced protection against ransomware This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list. 
@@ -182,12 +182,12 @@ SCCM name: Use advanced protection against ransomware GUID: c1db55ab-c21a-4637-bb3f-a12568109d35 -### Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe) +### Block credential stealing from the Windows local security authority subsystem (lsass.exe) Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS. >[!NOTE] - >Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat. + >Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. This rule will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat. Intune name: Flag credential stealing from the Windows local security authority subsystem 
@@ -195,12 +195,12 @@ SCCM name: Block credential stealing from the Windows local security authority s GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -### Rule: Block process creations originating from PSExec and WMI commands +### Block process creations originating from PSExec and WMI commands This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks. >[!IMPORTANT] ->File and folder exclusions do not apply to this ASR rule. +>File and folder exclusions do not apply to this attack surface reduction rule. >[!WARNING] >[Only use this rule if you are managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands that the Configuration Manager client uses to function correctly.] @@ -211,7 +211,7 @@ SCCM name: Not applicable GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c -### Rule: Block untrusted and unsigned processes that run from USB +### Block untrusted and unsigned processes that run from USB With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include: @@ -224,7 +224,7 @@ SCCM name: Block untrusted and unsigned processes that run from USB GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -### Rule: Block Office communication application from creating child processes +### Block Office communication application from creating child processes This rule prevents Outlook from creating child processes, including launching an app when a user double-clicks an attachment. 
@@ -239,7 +239,7 @@ SCCM name: Not applicable GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869 -### Rule: Block Adobe Reader from creating child processes +### Block Adobe Reader from creating child processes This rule blocks Adobe Reader from creating child processes. From 9fc36326289a28e84ebdc471b9cbe2ab0a42c0a9 Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Wed, 6 Feb 2019 13:02:16 -0800 Subject: [PATCH 16/28] Fixed broken links. --- .../windows-defender-exploit-guard/troubleshoot-asr.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md index 5711270ae7..46df2bf21d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md @@ -11,7 +11,6 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/18/2018 --- # Troubleshoot attack surface reduction rules 
@@ -40,7 +39,7 @@ Attack surface reduction rules will only work on devices with the following cond > - Endpoints are running Windows 10 Enterprise E5, version 1709 (also known as the Fall Creators Update). > - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). > - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. -> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable ASR topic](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules). +> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode. 
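Review bot: The last bullet in the @@ -40 hunk contradicts itself: it requires that audit mode is not enabled, then tells the reader to set the rule to **Disabled** (value: **0**). A disabled rule blocks nothing, so this step reproduces the symptom being troubleshot instead of ruling it out. The @@ -61 hunk below distinguishes audit mode from the rule being "set to **Enabled**", so this bullet should name the Enabled setting and its value. Changing the link from the Group Policy anchor to the topic root is fine only if that anchor really no longer exists in `enable-attack-surface-reduction.md`.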
@@ -61,7 +60,7 @@ Follow the instructions in [Use the demo tool to see how attack surface reductio Audit mode allows the rule to report as if it actually blocked the file or process, but will still allow the file to run. -1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules). +1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). 2. Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed). 3. [Review the attack surface reductio rule event logs](attack-surface-reduction-exploit-guard.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**. From 15e8b7f17592ff9d83c57227d61780a207090f48 Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Wed, 6 Feb 2019 13:25:04 -0800 Subject: [PATCH 17/28] Fixed formatting. --- .../attack-surface-reduction-exploit-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 26f9a8fbc2..9d38e65a82 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
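Review bot: Step 3 in the @@ -61 hunk is an unchanged context line with the typo `attack surface reductio rule event logs`; since step 1 next to it is being edited in this commit, fix "reduction" here as well. The same step links event-log review to `attack-surface-reduction-exploit-guard.md`, the rule overview topic, whereas step 1 now points to `enable-attack-surface-reduction.md`; confirm the event-log instructions actually live in the overview topic, otherwise this is a further broken link that a commit titled "Fixed broken links" should catch.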
@@ -203,7 +203,7 @@ This rule blocks processes through PsExec and WMI commands from running, to prev >File and folder exclusions do not apply to this attack surface reduction rule. >[!WARNING] ->[Only use this rule if you are managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands that the Configuration Manager client uses to function correctly.] +>Only use this rule if you are managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands that the Configuration Manager client uses to function correctly. Intune name: Process creation from PSExec and WMI commands From 7e4849b99efb893ca0bc1bbb08357bf16171da48 Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Wed, 6 Feb 2019 14:07:30 -0800 Subject: [PATCH 18/28] Edited for voice and tone. --- .../attack-surface-reduction-exploit-guard.md | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 9d38e65a82..2f93a09df1 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
@@ -21,7 +21,7 @@ ms.author: v-anbic Attack surface reduction rules help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. -To use attack surface reduction rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjuction with attack surface reduction rules. +To use attack surface reduction rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). With an E3 license, you won't have these advanced capabilities, but you can develop your own monitoring and reporting tools to use in conjunction with attack surface reduction rules. Attack surface reduction rules work best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). 
@@ -63,11 +63,11 @@ The rules apply to the following Office apps: - Microsoft PowerPoint - Microsoft OneNote -Except where specified, attack surface reduction rules do not apply to any other Office apps. +Except where specified, attack surface reduction rules don't apply to any other Office apps. ### Block executable content from email client and webmail -This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com): +This rule blocks the following file types from launching from email in Microsoft Outlook or webmail (such as Gmail.com or Outlook.com): - Executable files (such as .exe, .dll, or .scr) - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) @@ -81,7 +81,7 @@ GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 ### Block all Office applications from creating child processes -Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. +This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. 
@@ -95,7 +95,7 @@ GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique. -Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features. +Office apps won't be able to use extensions. Typically, these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features. Intune name: Office apps/macros creating executable content @@ -105,9 +105,9 @@ GUID: 3B576869-A4EC-4529-8536-B80A7769E899 ### Block Office applications from injecting code into other processes -Office apps, including Word, Excel, or PowerPoint, will not be able to inject code into other processes. +This rule prevents Office apps, including Word, Excel, or PowerPoint, from injecting code into other processes. -This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. +This helps prevent attacks where malware runs malicious code in an attempt to hide the activity from antivirus scanning engines. Intune name: Office apps injecting code into other processes (no exceptions) 
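Review bot: In the @@ -95 hunk, `Office apps won't be able to use extensions.` over-states the rule: the heading and the preceding sentence scope it to add-ons and scripts that create or launch executable files, but this sentence reads as if every Office extension stops working. Suggest `Office apps won't be able to use extensions that create or launch executable content.` and keep the Windows Scripting Host sentence as the explanation of which extensions are meant.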
@@ -117,12 +117,12 @@ GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 ### Block JavaScript or VBScript From launching downloaded executable content -JavaScript and VBScript scripts can be used by malware to launch other malicious apps. +Malware often uses JavaScript and VBScript scripts to launch other malicious apps. -This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines. +This rule prevents these scripts from launching apps, helping to prevent malicious use of the scripts to spread malware and infect machines. >[!IMPORTANT] ->File and folder exclusions do not apply to this attack surface reduction rule. +>File and folder exclusions don't apply to this attack surface reduction rule. Intune name: js/vbs executing payload downloaded from Internet (no exceptions) @@ -134,7 +134,7 @@ GUID: D3E037E1-3EB8-44C8-A917-57927947596D Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. -This rule prevents scripts that appear to be obfuscated from running. +This rule prevents potentially obfuscated scripts from running. Intune name: Obfuscated js/vbs/ps/macro code 
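Review bot: The heading on the context line of the @@ -117 hunk still reads `Block JavaScript or VBScript From launching downloaded executable content` with a capitalized mid-sentence "From"; lowercase it to match the other rule headings in this file, since the body of this hunk is already being edited.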
@@ -144,9 +144,9 @@ GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC ### Block Win32 API calls from Office macro -Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system. +Malware can use macro code in Office files to import and load Win32 DLLs, which the malware then uses to make API calls to allow further infection throughout the system. -This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. This includes Word, Excel, PowerPoint, and OneNote. +This rule attempts to block Office files that contain macro code that can import Win32 DLLs. This includes Word, Excel, PowerPoint, and OneNote. Intune name: Win32 imports from Office macro code @@ -156,7 +156,7 @@ GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B ### Block executable files from running unless they meet a prevalence, age, or trusted list criteria -This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list: +This rule blocks the following file types from launching unless they either meet prevalence or age criteria set by admins, or they're in a trusted list or exclusion list: - Executable files (such as .exe, .dll, or .scr) 
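Review bot: The heading in the @@ -156 hunk context, `unless they meet a prevalence, age, or trusted list criteria`, pairs a singular article with the plural "criteria"; use `criterion` or drop the article. The body rewrite in this hunk is fine.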
@@ -171,7 +171,7 @@ GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25 ### Use advanced protection against ransomware -This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list. +This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or exclusion list. >[!NOTE] >You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. 
@@ -187,7 +187,7 @@ GUID: c1db55ab-c21a-4637-bb3f-a12568109d35 Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS. >[!NOTE] - >Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. This rule will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat. + >The coding in some apps enumerate all running processes and attempt opening them with exhaustive permissions. This causes the app to access LSASS even when it's not necessary. This rule denies the app's process open action and logs the details to the security event log. By itself, this event log entry doesn't necessarily indicate a malicious threat. Intune name: Flag credential stealing from the Windows local security authority subsystem 
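Review bot: The rewritten NOTE in the @@ -187 hunk has a subject-verb disagreement: `The coding in some apps enumerate all running processes and attempt opening them` needs `enumerates` and `attempts`. The simpler fix is to keep the apps as the subject: `Some apps enumerate all running processes and attempt to open them with exhaustive permissions.` The rewritten final sentence ("doesn't necessarily indicate a malicious threat") is an improvement and should stay.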
@@ -203,7 +203,7 @@ This rule blocks processes through PsExec and WMI commands from running, to prev >File and folder exclusions do not apply to this attack surface reduction rule. >[!WARNING] ->Only use this rule if you are managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands that the Configuration Manager client uses to function correctly. +>Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands the SCCM client uses to function correctly. Intune name: Process creation from PSExec and WMI commands From d579eaa2aee94c6219cd8bdf992d2921a5dc467f Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Wed, 6 Feb 2019 14:16:30 -0800 Subject: [PATCH 19/28] More voice and tone edits. --- .../attack-surface-reduction-exploit-guard.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 2f93a09df1..cc148ac3ab 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
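Review bot: In the @@ -203 hunk, the new wording `WMI commands the SCCM client uses` introduces the abbreviation SCCM in a sentence whose link text still spells out System Center Configuration Manager, and the removed line used `Configuration Manager client`; either keep `Configuration Manager client` or put the abbreviation in parentheses after the link text the first time it appears.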
@@ -28,16 +28,16 @@ Attack surface reduction rules work best with [Windows Defender Advanced Threat Attack surface reduction rules each target specific behaviors that malware and malicious apps typically use to infect computers, including: - Executable files and scripts used in Office apps or web mail that attempt to download or run files -- Scripts that are obfuscated or otherwise suspicious -- Behaviors that apps undertake that are not usually initiated during normal day-to-day work +- Obfuscated or otherwise suspicious scripts +- Behaviors that apps don't usually initiate during normal day-to-day work -When a rule triggers, the Action Center displays a notification. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. +Triggered rules display a notification. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. -You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. +You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization once enabled. ## Attack surface reduction rules -The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table: +The following sections describe each attack surface reduction rule. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy: Rule name | GUID -|- 
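Review bot: Two wording changes in the @@ -28 hunk lose precision. `Triggered rules display a notification` drops where the notification appears (the removed line named the Action Center), which a reader customizing the notification needs to know. And `evaluate how attack surface reduction rules would impact your organization once enabled` inverts the logic of audit mode, which runs before the rules are enabled; the removed `if they were enabled` was the correct conditional. Suggest restoring both.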
@@ -56,7 +56,7 @@ Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9 Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -The rules apply to the following Office apps: +In general, attack surface reduction rules apply to the following Office apps: - Microsoft Word - Microsoft Excel From 35bd5f5aac4663dfaeccafb42ffe25e4148a4961 Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Wed, 6 Feb 2019 14:21:04 -0800 Subject: [PATCH 20/28] More voice and tone edits. --- .../attack-surface-reduction-exploit-guard.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index cc148ac3ab..1325f5652d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
@@ -21,11 +21,11 @@ ms.author: v-anbic Attack surface reduction rules help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. -To use attack surface reduction rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). With an E3 license, you won't have these advanced capabilities, but you can develop your own monitoring and reporting tools to use in conjunction with attack surface reduction rules. +To use attack surface reduction rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). -Attack surface reduction rules work best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +With an E3 license, you won't have these advanced capabilities, but you can develop your own monitoring and reporting tools to use in conjunction with attack surface reduction rules. 
-Attack surface reduction rules each target specific behaviors that malware and malicious apps typically use to infect computers, including: +Attack surface reduction rules target specific behaviors that malware and malicious apps typically use to infect computers, including: - Executable files and scripts used in Office apps or web mail that attempt to download or run files - Obfuscated or otherwise suspicious scripts From 765be674a9ca1e1e9739594394d9d6c9a8325dff Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Wed, 6 Feb 2019 14:26:24 -0800 Subject: [PATCH 21/28] Added link. --- .../attack-surface-reduction-exploit-guard.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 1325f5652d..f66d586623 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
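Review bot: Splitting the E3/E5 text into two paragraphs is fine, but the removed sentence in the @@ -21 hunk was the only link to `investigate-alerts-windows-defender-advanced-threat-protection.md` and the only statement that Windows Defender ATP reports on blocks as part of alert investigation; the replacement keeps the product link and drops the investigation link entirely. If that cross-reference is still wanted, move the sentence rather than delete it.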
@@ -19,7 +19,7 @@ ms.author: v-anbic - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -Attack surface reduction rules help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. +Attack surface reduction rules help prevent malware from using actions and apps to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. To use attack surface reduction rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). @@ -33,7 +33,9 @@ Attack surface reduction rules target specific behaviors that malware and malici Triggered rules display a notification. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. -You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization once enabled. +You can set attack surface reduction rules in [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how they would impact your organization once enabled. + +For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md). ## Attack surface reduction rules From 23f1b21c5dbe893af2f84c955f7f639cd9fdfc1b Mon Sep 17 00:00:00 2001 
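Review bot: The rewritten first sentence in the @@ -19 hunk, `help prevent malware from using actions and apps to infect computers with malicious code`, is circular (malware infecting with malicious code) and vaguer than the line it replaces; `help prevent actions and apps that malware often uses to infect computers` said the same thing more directly.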
From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Wed, 6 Feb 2019 14:27:27 -0800 Subject: [PATCH 22/28] Fixed typo. --- .../attack-surface-reduction-exploit-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index f66d586623..c2447c32d1 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -33,7 +33,7 @@ Attack surface reduction rules target specific behaviors that malware and malici Triggered rules display a notification. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. -You can set attack surface reduction rules in [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how they would impact your organization once enabled. +You can set attack surface reduction rules in [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how they'd impact your organization once enabled. For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md). From 6a59a10670fa5221b0df05998d4ef4f07bf570dc Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Wed, 6 Feb 2019 16:41:10 -0800 Subject: [PATCH 23/28] Incorp tech review. --- .../attack-surface-reduction-exploit-guard.md | 50 +++++++++++-------- 1 file changed, 30 insertions(+), 20 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index c2447c32d1..dee97f80a8 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
@@ -19,11 +19,9 @@ ms.author: v-anbic - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -Attack surface reduction rules help prevent malware from using actions and apps to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. +Attack surface reduction rules help prevent malware from using actions and apps to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1803 or later, or Windows Server 2019. -To use attack surface reduction rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). - -With an E3 license, you won't have these advanced capabilities, but you can develop your own monitoring and reporting tools to use in conjunction with attack surface reduction rules. +To use attack surface reduction rules, you Windows 10 Enterprise E3 license or higher. An E5 license allows you to take advantage of the advanced monitoring and reporting capabilities available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) and the real-time views and configuration of the M365 dashboard. These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to view attack surface reduction rule events in Event Viewer. Attack surface reduction rules target specific behaviors that malware and malicious apps typically use to infect computers, including: 
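Review bot: The license sentence in the @@ -19 hunk is missing its verb: `To use attack surface reduction rules, you Windows 10 Enterprise E3 license or higher.` should read `you need a Windows 10 Enterprise E3 license or higher`. The same line introduces `the M365 dashboard` with no expansion or link, and the new requirement `Windows 10, version 1803 or later` disagrees with the troubleshooting topic in [PATCH 16/28], which still lists `Windows 10 Enterprise E5, version 1709` as the minimum; settle on one version and license level across both topics.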
@@ -31,7 +29,11 @@ Attack surface reduction rules target specific behaviors that malware and malici - Obfuscated or otherwise suspicious scripts - Behaviors that apps don't usually initiate during normal day-to-day work -Triggered rules display a notification. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. +Because legitimate, line-of-business applications might also use some of these behaviors and apps, you can [exclude them from attack surface reduction rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules). + +You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and adding exclusions for necessary applications, you can deploy attack surface reduction rules without impacting productivity. + +Triggered rules display a notification on the device. The notification also displays in the Windows Defender ATP Security Center and on the M365 console. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can set attack surface reduction rules in [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how they'd impact your organization once enabled. 
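Review bot: The @@ -31 hunk adds a paragraph starting `You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled.` while the unchanged context line two lines below still says `You can set attack surface reduction rules in [audit mode](...) to evaluate how they'd impact your organization once enabled.`, so the topic now says this twice; keep the new, fuller paragraph and delete the old line. The exclusions link also uses an absolute `https://docs.microsoft.com/en-us/...` URL where every other cross-reference in this file is relative; use `enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules`. Finally, `M365 console` here and `M365 dashboard` in the @@ -19 hunk should use one name.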
@@ -39,7 +41,7 @@ For information about configuring attack surface reduction rules, see [Enable at ## Attack surface reduction rules -The following sections describe each attack surface reduction rule. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy: +The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy: Rule name | GUID -|- @@ -58,6 +60,8 @@ Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9 Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c +Each rule description indicates which apps or file types the rule applies to. In general, the rules for Office apps apply to only Word, Excel, PowerPoint, and OneNote, or they apply to Outlook. They don't apply to any other Office apps like Flow or Teams. + In general, attack surface reduction rules apply to the following Office apps: - Microsoft Word @@ -69,7 +73,7 @@ Except where specified, attack surface reduction rules don't apply to any other ### Block executable content from email client and webmail -This rule blocks the following file types from launching from email in Microsoft Outlook or webmail (such as Gmail.com or Outlook.com): +This rule blocks the following file types from launching from email in Microsoft Outlook or Outlook.com: - Executable files (such as .exe, .dll, or .scr) - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) 
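Review bot: The @@ -39 hunk hard-codes `each of the 15 attack surface reduction rules`; a literal count in prose goes stale whenever a rule is added or retired. Either drop the number or make the table that follows the single place that defines the set.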
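Review bot: The paragraph added in the @@ -58 hunk (`In general, the rules for Office apps apply to only Word, Excel, PowerPoint, and OneNote, or they apply to Outlook...`) says the same thing as the unchanged list that immediately follows it (`In general, attack surface reduction rules apply to the following Office apps:` plus the bullets and the `Except where specified...` line). Merge them: keep the new sentence about Flow and Teams and the per-rule pointer, and either fold the bullet list into it or remove the list.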
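Review bot: The @@ -69 hunk narrows the body to `Microsoft Outlook or Outlook.com` but leaves the heading `Block executable content from email client and webmail` untouched and removes the Gmail.com example. If the rule covers only Outlook.com among webmail providers, say so explicitly (for example `webmail (currently Outlook.com)`) so heading and body agree; otherwise readers will assume "webmail" still means any provider.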
@@ -85,7 +89,7 @@ GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. -This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. +This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. Some legitimate line-of-business applications might also use behaviors like this, including spawning a command prompt or using PowerShell to configure registry settings. Intune name: Office apps launching child processes @@ -95,7 +99,9 @@ GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A ### Block Office applications from creating executable content -This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique. +This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content. + +This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique, which often embeds an encoded binary file within the script that is then dropped and executed. Office apps won't be able to use extensions. Typically, these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features. 
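Review bot: in the "Block Office applications from creating executable content" hunk, the retained sentence "Office apps won't be able to use extensions" now stands alone as an absolute claim that the rule disables all extensions, which nothing in the rule description supports; scope it to extensions that create or launch executable files, or remove it. The following sentence "Typically, these extensions use the Windows Scripting Host (.wsh files)..." dangles after the rewrite for the same reason. Minor: "Windows Scripting Host" is normally written "Windows Script Host".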
@@ -107,9 +113,11 @@ GUID: 3B576869-A4EC-4529-8536-B80A7769E899 ### Block Office applications from injecting code into other processes -This rule prevents Office apps, including Word, Excel, or PowerPoint, from injecting code into other processes. +A macro can allocate memory inside a suspended process and inject code into it, converting the benign process into a malicious one. Code injection doesn't have any known use for legitimate business purposes. This rule detects DLL and EXE injection, as well as process hollowing and thread hijacking. -This helps prevent attacks where malware runs malicious code in an attempt to hide the activity from antivirus scanning engines. +This rule helps prevent attacks where malware runs malicious code in an attempt to hide the activity from antivirus scanning engines. + +This rule applies to Word, Excel, and PowerPoint. Intune name: Office apps injecting code into other processes (no exceptions) @@ -117,11 +125,11 @@ SCCM name: Block Office applications from injecting code into other processes GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -### Block JavaScript or VBScript From launching downloaded executable content +### Block JavaScript or VBScript from launching downloaded executable content Malware often uses JavaScript and VBScript scripts to launch other malicious apps. -This rule prevents these scripts from launching apps, helping to prevent malicious use of the scripts to spread malware and infect machines. +This rule prevents scripts from launching apps, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers. >[!IMPORTANT] >File and folder exclusions don't apply to this attack surface reduction rule. 
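Review bot: in the JavaScript/VBScript hunk, changing "prevents these scripts from launching apps" to "prevents scripts from launching apps" widens the description beyond the heading "Block JavaScript or VBScript from launching downloaded executable content"; keep the qualifier, e.g. "prevents JavaScript and VBScript from launching downloaded executable content". In the injection hunk, "Code injection doesn't have any known use for legitimate business purposes" is an absolute claim that will draw pushback; the Intune name already says "(no exceptions)", so the actionable statement for an admin is that exclusions don't apply to this rule, stated the same way the JavaScript/VBScript section does with its [!IMPORTANT] callout.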
@@ -134,9 +142,9 @@ GUID: D3E037E1-3EB8-44C8-A917-57927947596D ### Block execution of potentially obfuscated scripts -Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. +Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. This rule detects suspicious properties within an obfuscated script. -This rule prevents potentially obfuscated scripts from running. +This rule prevents obfuscated scripts with suspicious behaviors from running. You can exclude scripts so they're allowed to run. Intune name: Obfuscated js/vbs/ps/macro code @@ -148,7 +156,7 @@ GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Malware can use macro code in Office files to import and load Win32 DLLs, which the malware then uses to make API calls to allow further infection throughout the system. -This rule attempts to block Office files that contain macro code that can import Win32 DLLs. This includes Word, Excel, PowerPoint, and OneNote. +This rule blocks Office files containing macro code from importing Win32 DLLs. This includes Word, Excel, PowerPoint, and OneNote. Intune name: Win32 imports from Office macro code @@ -156,7 +164,7 @@ SCCM name: Block Win32 API calls from Office macros GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -### Block executable files from running unless they meet a prevalence, age, or trusted list criteria +### Block executable files from running unless they meet a prevalence, age, or trusted list criterion This rule blocks the following file types from launching unless they either meet prevalence or age criteria set by admins, or they're in a trusted list or exclusion list: 
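Review bot: the heading is renamed to "...trusted list criterion", but the table row near the top of the file still reads "...trusted list criteria" in this commit (it is only corrected in PATCH 24/28); a heading rename should land together with the table row so no intermediate revision has the two disagreeing. In the Win32 hunk, "attempts to block" becomes "blocks", a stronger behavioural claim; keep it only if the product team confirmed it during review.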
@@ -189,7 +197,7 @@ GUID: c1db55ab-c21a-4637-bb3f-a12568109d35 Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS. >[!NOTE] - >The coding in some apps enumerate all running processes and attempt opening them with exhaustive permissions. This causes the app to access LSASS even when it's not necessary. This rule denies the app's process open action and logs the details to the security event log. By itself, this event log entry doesn't necessarily indicate a malicious threat. + >In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat. Intune name: Flag credential stealing from the Windows local security authority subsystem 
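Review bot: in the rewritten [!NOTE], "attempts to open them with exhaustive permissions" is not standard terminology; say "open them with full access rights". "If you have an app that overly enumerates LSASS" is also imprecise, since the preceding sentence says the app enumerates all running processes; "an app that opens LSASS with more access than it needs" matches the behaviour being described. Keeping "By itself, this event log entry doesn't necessarily indicate a malicious threat" as the closing sentence is good; it is the line an analyst triaging the event needs.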
@@ -198,6 +206,8 @@ SCCM name: Block credential stealing from the Windows local security authority s GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 ### Block process creations originating from PSExec and WMI commands + +This rule blocks process creations that are invoked externally by PSExec or WMI. You can legitimately use PSExec or WMI for computer management. Because the invoking process is external to the system, this rule can't determine which application invoked the process creation. Exclusions don't apply to this rule, so don't enable this rule if you're using a PSExec-based program or a WMI-based program like SCCM. This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks. @@ -230,10 +240,10 @@ GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 This rule prevents Outlook from creating child processes, including launching an app when a user double-clicks an attachment. -This is a typical malware behavior, especially for macro-based attacks that attempt to use Outlook to launch or download malicious executables. +This is a typical malware behavior, especially for macro-based attacks that attempt to use Outlook to launch or download malicious executables. There are legitimate uses of this behavior, such as emails that contain a hyperlink that starts a browser session. Some common usages, like starting a browser session within an email, already have global exclusions. >[!NOTE] ->This rule applies to Outlook only. +>This rule applies to Outlook and Outlook.com only. Intune name: Not applicable From f260c7a18f878c662b66b703c26e3bdd3ecf6d4f Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Wed, 6 Feb 2019 16:42:26 -0800 Subject: [PATCH 24/28] Incorp tech review. --- .../attack-surface-reduction-exploit-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
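Review bot: in the PSExec/WMI hunk, the new paragraph restates the existing sentence "This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution..." that immediately follows it; merge them. The spelling also alternates between "PSExec" (heading, new text) and "PsExec" (existing text); the tool is PsExec. The warning "don't enable this rule if you're using a PSExec-based program or a WMI-based program like SCCM" is the most consequential sentence in the section and belongs in the [!IMPORTANT] callout rather than body text. In the Outlook hunk, changing the NOTE to "Outlook and Outlook.com only" extends the rule's scope to a web service in a section about a local application creating child processes; confirm that is what the product does before documenting it.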
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index dee97f80a8..227759bebc 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -52,7 +52,7 @@ Block Office applications from injecting code into other processes | 75668C1F-73 Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25 +Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25 Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c From 6f9717c93b7f8004d14233e62a14d84c2e855909 Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Fri, 8 Feb 2019 10:44:15 -0800 Subject: [PATCH 25/28] Incorp tech review. --- .../attack-surface-reduction-exploit-guard.md | 31 ++++++------------- 1 file changed, 10 insertions(+), 21 deletions(-) 
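Review bot: this one-line table fix completes the heading rename from PATCH 01/28; squash it into that commit so the heading and the table row never disagree in the history.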
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 227759bebc..5c257448b9 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
@@ -19,9 +19,9 @@ ms.author: v-anbic - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -Attack surface reduction rules help prevent malware from using actions and apps to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1803 or later, or Windows Server 2019. +Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1803 or later, or Windows Server 2019. -To use attack surface reduction rules, you Windows 10 Enterprise E3 license or higher. An E5 license allows you to take advantage of the advanced monitoring and reporting capabilities available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) and the real-time views and configuration of the M365 dashboard. These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to view attack surface reduction rule events in Event Viewer. +To use attack surface reduction rules, you need a Windows 10 Enterprise E3 license or higher. An E5 license lets you take advantage of the advanced monitoring and reporting capabilities available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) and the real-time views and configuration of the M365 dashboard. These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to view attack surface reduction rule events in Event Viewer. Attack surface reduction rules target specific behaviors that malware and malicious apps typically use to infect computers, including: 
@@ -73,11 +73,10 @@ Except where specified, attack surface reduction rules don't apply to any other ### Block executable content from email client and webmail -This rule blocks the following file types from launching from email in Microsoft Outlook or Outlook.com: +This rule blocks the following file types from launching from email in Microsoft Outlook or Outlook.com and other popular webmail providers: - Executable files (such as .exe, .dll, or .scr) - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) -- Script archive files Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions) @@ -113,9 +112,7 @@ GUID: 3B576869-A4EC-4529-8536-B80A7769E899 ### Block Office applications from injecting code into other processes -A macro can allocate memory inside a suspended process and inject code into it, converting the benign process into a malicious one. Code injection doesn't have any known use for legitimate business purposes. This rule detects DLL and EXE injection, as well as process hollowing and thread hijacking. - -This rule helps prevent attacks where malware runs malicious code in an attempt to hide the activity from antivirus scanning engines. +Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process. This rule blocks code injection attempts from Office apps into other processes. There are no known legitimate business purposes for using code injection. This rule applies to Word, Excel, and PowerPoint. 
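Review bot: the email hunk silently drops the "- Script archive files" bullet from the blocked file types, with no mention in the commit message ("Incorp tech review."); if the rule still blocks them, restore the bullet, otherwise call out the behaviour change. "Outlook.com and other popular webmail providers" is too vague for a rule description; either name the covered providers or say "webmail" as the heading does. In the injection hunk, "There are no known legitimate business purposes for using code injection" repeats the absolute claim from PATCH 01; since the Intune name says "(no exceptions)", stating that exclusions don't apply to this rule is the sentence an admin can act on.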
@@ -144,7 +141,7 @@ GUID: D3E037E1-3EB8-44C8-A917-57927947596D Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. This rule detects suspicious properties within an obfuscated script. -This rule prevents obfuscated scripts with suspicious behaviors from running. You can exclude scripts so they're allowed to run. +This rule blocks scripts from running downloaded content, preventing malicious use of the scripts to spread malware and infect computers. You can exclude scripts so they're allowed to run. Intune name: Obfuscated js/vbs/ps/macro code @@ -152,11 +149,9 @@ SCCM name: Block execution of potentially obfuscated scripts. GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -### Block Win32 API calls from Office macro +### Block Win32 API calls from Office macros -Malware can use macro code in Office files to import and load Win32 DLLs, which the malware then uses to make API calls to allow further infection throughout the system. - -This rule blocks Office files containing macro code from importing Win32 DLLs. This includes Word, Excel, PowerPoint, and OneNote. +Office VBA provides the ability to use Win32 API calls, which malicious code can abuse. Most organizations don't use this functionality, but might still rely on using other macro capabilities. This rule allows you to prevent using Win32 APIs in VBA macros, which reduces the attack surface. Intune name: Win32 imports from Office macro code 
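Review bot: in the obfuscated-scripts hunk, the replacement sentence "This rule blocks scripts from running downloaded content, preventing malicious use of the scripts to spread malware and infect computers" is the description of the JavaScript/VBScript rule pasted into the wrong section; it no longer describes obfuscation detection at all, while the sentence before it says the rule "detects suspicious properties within an obfuscated script". Revert or rewrite it. In the Win32 hunk, the heading becomes "Block Win32 API calls from Office macros" but the table row still reads "Block Win32 API calls from Office macro"; change both in the same commit.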
@@ -166,7 +161,7 @@ GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B ### Block executable files from running unless they meet a prevalence, age, or trusted list criterion -This rule blocks the following file types from launching unless they either meet prevalence or age criteria set by admins, or they're in a trusted list or exclusion list: +This rule blocks the following file types from launching unless they either meet prevalence or age criteria, or they're in a trusted list or exclusion list: - Executable files (such as .exe, .dll, or .scr) @@ -207,8 +202,6 @@ GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 ### Block process creations originating from PSExec and WMI commands -This rule blocks process creations that are invoked externally by PSExec or WMI. You can legitimately use PSExec or WMI for computer management. Because the invoking process is external to the system, this rule can't determine which application invoked the process creation. Exclusions don't apply to this rule, so don't enable this rule if you're using a PSExec-based program or a WMI-based program like SCCM. - This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks. >[!IMPORTANT] 
@@ -238,9 +231,7 @@ GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 ### Block Office communication application from creating child processes -This rule prevents Outlook from creating child processes, including launching an app when a user double-clicks an attachment. - -This is a typical malware behavior, especially for macro-based attacks that attempt to use Outlook to launch or download malicious executables. There are legitimate uses of this behavior, such as emails that contain a hyperlink that starts a browser session. Some common usages, like starting a browser session within an email, already have global exclusions. +This rule prevents Outlook from creating child processes. It prevents apps from launching when a user double-clicks an attachment or clicks a link embedded in an email. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised. >[!NOTE] >This rule applies to Outlook and Outlook.com only. @@ -253,9 +244,7 @@ GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869 ### Block Adobe Reader from creating child processes -This rule blocks Adobe Reader from creating child processes. - -This helps protect against heap-based buffer overflow vulnerabilities in PDF files, which attackers could use to launch malicious code. It also mitigates against potential JavaScript and Adobe Flash engine vulnerabilities that could allow attackers to insert and execute malicious code in PDF documents. +Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes. Intune name: Not applicable From ceef8e78ba064bec29014f332665a090d2973e85 Mon Sep 17 00:00:00 2001 
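Review bot: the Outlook hunk removes the PATCH 01 statement that "starting a browser session within an email" already has global exclusions and replaces it with "It prevents apps from launching when a user double-clicks an attachment or clicks a link embedded in an email"; the two describe opposite behaviour for link clicks, so confirm with the product team which is correct before shipping, since the new wording tells admins that every email hyperlink will be blocked. In the Adobe Reader hunk, "break out of Adobe Reader" is colloquial; "launch a child process from Adobe Reader" states the blocked behaviour precisely.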
From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Fri, 8 Feb 2019 12:37:17 -0800 Subject: [PATCH 26/28] Incorp tech review. --- .../attack-surface-reduction-exploit-guard.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 5c257448b9..2b0b0fd861 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
@@ -21,7 +21,7 @@ ms.author: v-anbic Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1803 or later, or Windows Server 2019. -To use attack surface reduction rules, you need a Windows 10 Enterprise E3 license or higher. An E5 license lets you take advantage of the advanced monitoring and reporting capabilities available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) and the real-time views and configuration of the M365 dashboard. These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to view attack surface reduction rule events in Event Viewer. +To use attack surface reduction rules, you need a Windows 10 Enterprise E3 license or higher. A Windows E5 license gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. Attack surface reduction rules target specific behaviors that malware and malicious apps typically use to infect computers, including: 
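Review bot: the new sentence "A Windows E5 license gives you the advanced management capabilities to power them" reads as marketing copy and does not say what the admin gets; fold it into the list that follows. The portal is now called "M365 Security Center" here, "M365 console" in the notification paragraph added in PATCH 01, and "M365 dashboard" in the line being removed; pick one name and use it throughout the file.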
@@ -33,7 +33,7 @@ Because legitimate, line-of-business applications might also use some of these b You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and adding exclusions for necessary applications, you can deploy attack surface reduction rules without impacting productivity. -Triggered rules display a notification on the device. The notification also displays in the Windows Defender ATP Security Center and on the M365 console. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. +Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Windows Defender ATP Security Center and on the M365 console. You can set attack surface reduction rules in [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how they'd impact your organization once enabled. From fa4fe0ec7e757decd0f683f2f4e9e7ea0d6054b3 Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Mon, 11 Feb 2019 12:46:37 -0800 Subject: [PATCH 27/28] Incorp tech review --- .../attack-surface-reduction-exploit-guard.md | 35 +++++-------------- 1 file changed, 9 insertions(+), 26 deletions(-) 
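Review bot: reordering the notification paragraph leaves the trailing sentence "You can set attack surface reduction rules in [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how they'd impact your organization once enabled" duplicating the audit-mode paragraph two lines above it; delete it here rather than in PATCH 27/28.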
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 2b0b0fd861..194b5143e5 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
@@ -23,20 +23,16 @@ Attack surface reduction rules help prevent behaviors malware often uses to infe To use attack surface reduction rules, you need a Windows 10 Enterprise E3 license or higher. A Windows E5 license gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. -Attack surface reduction rules target specific behaviors that malware and malicious apps typically use to infect computers, including: +Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including: - Executable files and scripts used in Office apps or web mail that attempt to download or run files - Obfuscated or otherwise suspicious scripts - Behaviors that apps don't usually initiate during normal day-to-day work -Because legitimate, line-of-business applications might also use some of these behaviors and apps, you can [exclude them from attack surface reduction rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules). - -You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. 
By monitoring audit data and adding exclusions for necessary applications, you can deploy attack surface reduction rules without impacting productivity. +You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Windows Defender ATP Security Center and on the M365 console. -You can set attack surface reduction rules in [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how they'd impact your organization once enabled. - For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md). ## Attack surface reduction rules 
@@ -60,16 +56,7 @@ Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9 Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -Each rule description indicates which apps or file types the rule applies to. In general, the rules for Office apps apply to only Word, Excel, PowerPoint, and OneNote, or they apply to Outlook. They don't apply to any other Office apps like Flow or Teams. - -In general, attack surface reduction rules apply to the following Office apps: - -- Microsoft Word -- Microsoft Excel -- Microsoft PowerPoint -- Microsoft OneNote - -Except where specified, attack surface reduction rules don't apply to any other Office apps. +Each rule description indicates which apps or file types the rule applies to. In general, the rules for Office apps apply to only Word, Excel, PowerPoint, and OneNote, or they apply to Outlook. Except where specified, attack surface reduction rules don't apply to any other Office apps. ### Block executable content from email client and webmail 
@@ -88,7 +75,7 @@ GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. -This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. Some legitimate line-of-business applications might also use behaviors like this, including spawning a command prompt or using PowerShell to configure registry settings. +This is a typical malware behavior, especially malware that abuses Office as a vector, using VBA macros and exploit code to download and attempt to run additional payload. Some legitimate line-of-business applications might also use behaviors like this, including spawning a command prompt or using PowerShell to configure registry settings. Intune name: Office apps launching child processes @@ -100,9 +87,7 @@ GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content. -This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique, which often embeds an encoded binary file within the script that is then dropped and executed. - -Office apps won't be able to use extensions. Typically, these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features. +This rule targets a typical behavior where malware uses Office as a vector to break out of Office and save malicious components to disk, where they persist and survive a computer reboot. This rule prevents malicious code from being written to disk. Intune name: Office apps/macros creating executable content 
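Review bot: in the "creating executable content" hunk, "This rule prevents malicious code from being written to disk" overstates the rule; the preceding sentence correctly says it prevents Office apps from creating executable content, and a macro can still write non-executable payloads. Say "prevents Office apps from writing executable content to disk". In the child-processes hunk, "download and attempt to run additional payload" should read "additional payloads".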
@@ -126,7 +111,7 @@ GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 Malware often uses JavaScript and VBScript scripts to launch other malicious apps. -This rule prevents scripts from launching apps, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers. +Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers. You can exclude scripts so they're allowed to run. >[!IMPORTANT] >File and folder exclusions don't apply to this attack surface reduction rule. @@ -141,8 +126,6 @@ GUID: D3E037E1-3EB8-44C8-A917-57927947596D Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. This rule detects suspicious properties within an obfuscated script. -This rule blocks scripts from running downloaded content, preventing malicious use of the scripts to spread malware and infect computers. You can exclude scripts so they're allowed to run. - Intune name: Obfuscated js/vbs/ps/macro code SCCM name: Block execution of potentially obfuscated scripts. 
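Review bot: the JavaScript/VBScript hunk appends "You can exclude scripts so they're allowed to run" directly above the unchanged "[!IMPORTANT] File and folder exclusions don't apply to this attack surface reduction rule" callout; the two statements contradict each other. Remove the new sentence, or correct the callout if the behaviour changed. Note that the second hunk in the same commit deletes the only other occurrence of that exclusion sentence from the obfuscated-scripts section, so if exclusions are supported for that rule, the sentence should be restored there instead. Also "additional native payload" should read "additional native payloads".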
@@ -231,14 +214,14 @@ GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 ### Block Office communication application from creating child processes -This rule prevents Outlook from creating child processes. It prevents apps from launching when a user double-clicks an attachment or clicks a link embedded in an email. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised. +This rule prevents Outlook from creating child processes. It protects against social engineering attacks and prevents exploit code from abusing a vulnerability in Outlook. To achieve this, the rule prevents the launch of additional payload while still allowing legitimate Outlook functions. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised. >[!NOTE] >This rule applies to Outlook and Outlook.com only. -Intune name: Not applicable +Intune name: Not yet available -SCCM name: Not applicable +SCCM name: Not yet available GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869 From f1304b514e077da2803cdef17a6a676eb964c62f Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Thu, 14 Feb 2019 09:26:46 -0800 Subject: [PATCH 28/28] Incorp tech review --- .../attack-surface-reduction-exploit-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 194b5143e5..f010ab338b 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
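Review bot: "prevents exploit code from abusing a vulnerability in Outlook" overstates what a child-process block does; the rule blocks the payload launch that follows exploitation, not the exploit itself, which the next sentence ("prevents the launch of additional payload") already says correctly. Changing "Not applicable" to "Not yet available" for the Intune and SCCM names introduces a time-dependent statement that will go stale without anyone noticing; either attach a date or a tracking reference, or keep "Not applicable" until the names exist.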
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -238,4 +238,4 @@ GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c ## Related topics - [Enable attack surface reduction rules](enable-attack-surface-reduction.md) -- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) \ No newline at end of file +- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) \ No newline at end of file
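Review bot: both sides of this hunk carry "\ No newline at end of file"; add the trailing newline while touching the last line so later diffs of the Related topics list stay clean.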