From 4e0090298b022cf2d17edecd36dc21b98c71eed7 Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Fri, 5 Oct 2018 10:04:07 -0700 Subject: [PATCH 1/7] Added notes on ASR rules available in E3. --- .../attack-surface-reduction-exploit-guard.md | 20 +++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 18134f19d0..650bcc60ba 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 10/02/2018 +ms.date: 10/05/2018 --- # Reduce attack surfaces with attack surface reduction rules 
@@ -36,11 +36,19 @@ You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evalua ## Requirements -Attack surface reduction rules require Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md). +Attack surface reduction rules are a feature of Windows Defender ATP and require Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md). + +This feature includes: + +* Rules for enabling or disabling select behaviors that apps and scripts can use +* Centralized monitoring and reporting +* Analytics to enable ease of deployment + +A subset of attack surface reduction rules are also available on Windows 10 Enterprise E3 without the benefit of centralized monitoring, reporting, and analytics. ## Attack surface reduction rules -The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table: +The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table. Rules that are only supported on Windows 10 Enterprise E5 are marked with an asterisk (\*). Rule name | GUID -|- 
@@ -51,13 +59,13 @@ Block Office applications from injecting code into other processes | 75668C1F-73 Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25 +\* Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25 Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block only Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 -Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c +\* Block only Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 +\* Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c The rules apply to the following Office apps: From e8ed8baa432ba7c5815d6b24ff786ba18fe29d9f Mon Sep 17 00:00:00 2001 
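Review bot: the added Requirements paragraph now contradicts itself within a few lines: it opens with "Attack surface reduction rules ... require Windows 10 Enterprise E5" and then says "A subset of attack surface reduction rules are also available on Windows 10 Enterprise E3". Reword the first sentence so E5 is the requirement for the full feature (rules plus centralized monitoring, reporting and analytics) rather than for the rules as such, and fix the agreement in the second sentence: "A subset of attack surface reduction rules is also available on Windows 10 Enterprise E3". Minor style point in the same hunk: the new "This feature includes:" list uses `*` bullets, while the rest of this article uses `-` bullets (see the "- Executable files and scripts used in Office apps..." list in the hunks below), so switch to `-` for consistency.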
From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Mon, 15 Oct 2018 09:45:34 -0700 Subject: [PATCH 2/7] Separated E3 and E5 --- .../attack-surface-reduction-exploit-guard.md | 14 +- ...ction-rules-in-windows-10-enterprise-e3.md | 199 ++++++++++++++++++ 2 files changed, 207 insertions(+), 6 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 650bcc60ba..67c8095b0a 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
@@ -20,15 +20,17 @@ ms.date: 10/05/2018 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. +Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature is part of Windows Defender Advanced Threat Protection and provides: + +- Rules you can set to enable or disable specific behaviors that are typically used by malware and malicious apps to infect machines, such as: + - Executable files and scripts used in Office apps or web mail that attempt to download or run files + - Scripts that are obfuscated or otherwise suspicious + - Behaviors that apps undertake that are not usually initiated during normal day-to-day work +- Centralized monitoring and reporting +- Analytics to enable ease of deployment -Attack surface reduction rules work best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. -Attack surface reduction rules each target specific behaviors that are typically used by malware and malicious apps to infect machines, such as: -- Executable files and scripts used in Office apps or web mail that attempt to download or run files -- Scripts that are obfuscated or otherwise suspicious -- Behaviors that apps undertake that are not usually initiated during normal day-to-day work When a rule is triggered, a notification will be displayed from the Action Center. 
You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md new file mode 100644 index 0000000000..ea55082c13 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md 
@@ -0,0 +1,199 @@ +--- +title: Use attack surface reduction rules in Windows 10 Enterprise E3 +description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware +keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: andreabichsel +ms.author: v-anbic +ms.date: 10/11/2018 +--- + +# Use attack surface reduction rules in Windows 10 Enterprise E3 + +**Applies to:** + +- Windows 10 Enterprise E3 + +Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. + +Attack surface reduction rules work best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which requires a Windows 10 Enterprise E5 license. Windows Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). However, you can use a limited subset of attack surface reduction rules in Windows 10 Enterprise E3 if you are able to either develop your own reporting, monitoring, and analytics or hook into an existing solution in your environment. + +Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. + +## Attack surface reduction rules + +The following attack surface reduction rules are available with a Windows 10 Enterprise E3 license. Each rule is identified by a rule GUID, as in the following table. 
+ +Rule name | GUID +-|- +Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 +Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A +Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 +Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 +Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D +Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC +Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B +Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 +Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 +Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c +Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 + +The rules apply to the following Office apps: + +- Microsoft Word +- Microsoft Excel +- Microsoft PowerPoint +- Microsoft OneNote + +The rules do not apply to any other Office apps. + +### Rule: Block executable content from email client and webmail + +This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com): + +- Executable files (such as .exe, .dll, or .scr) +- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) +- Script archive files + +>[!IMPORTANT] +>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). + +### Rule: Block all Office applications from creating child processes + +Office apps will not be allowed to create child processes. 
This includes Word, Excel, PowerPoint, OneNote, and Access. + +This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. + +### Rule: Block Office applications from creating executable content + +This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique. + +Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features. + +### Rule: Block Office applications from injecting code into other processes + +Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. + +This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. + + +>[!IMPORTANT] +>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). + +### Rule: Block JavaScript or VBScript From launching downloaded executable content + +JavaScript and VBScript scripts can be used by malware to launch other malicious apps. + +This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines. + +>[!IMPORTANT] +>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). + +### Rule: Block execution of potentially obfuscated scripts + +Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. + +This rule prevents scripts that appear to be obfuscated from running. 
+ +It uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script, or blocks scripts when an attempt is made to access them. + +### Rule: Block Win32 API calls from Office macro + +Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system. + +This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. + +### Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria + +This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list: + +- Executable files (such as .exe, .dll, or .scr) + +>[!NOTE] +>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. + +### Rule: Use advanced protection against ransomware + +This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list. + +>[!NOTE] +>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. 
+ +### Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe) + +Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS. + +>[!IMPORTANT] +>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). + + >[!NOTE] + >Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat. + +### Rule: Block process creations originating from PSExec and WMI commands + +This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks. + +>[!WARNING] +>[Only use this rule if you are managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands that the Configuration Manager client uses to function correctly.] 
+ +### Rule: Block untrusted and unsigned processes that run from USB + +With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include: + +- Executable files (such as .exe, .dll, or .scr) +- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) + +### Rule: Block only Office communication applications from creating child processes + +Office communication apps will not be allowed to create child processes. This includes Outlook. + +This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. + +### Rule: Block Adobe Reader from creating child processes + +This rule blocks Adobe Reader from creating child processes. + +## Review attack surface reduction rule events in Windows Event Viewer + +You can review the Windows event log to see events that are created when an attack surface reduction rule is triggered (or audited): + +1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine. + +2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. + +3. On the left panel, under **Actions**, click **Import custom view...** + + ![Animation showing the import custom view on the Event viewer window](images/events-import.gif) + +4. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). + +5. Click **OK**. + +6. 
This will create a custom view that filters to only show the following events related to attack surface reduction rules: + + Event ID | Description +-|- +5007 | Event when settings are changed +1122 | Event when rule fires in Audit-mode +1121 | Event when rule fires in Block-mode + +### Event fields + +- **ID**: matches with the Rule-ID that triggered the block/audit. +- **Detection time**: Time of detection +- **Process Name**: The process that performed the "operation" that was blocked/audited +- **Description**: Additional details about the event or audit, including the signature, engine, and product version of Windows Defender Antivirus + + ## In this section + +Topic | Description +---|--- +[Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how attack surface reduction rules work, and what events would typically be created. +[Enable attack surface reduction rules](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage attack surface reduction rules in your network. +[Customize attack surface reduction rules](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by attack surface reduction rules and customize the notification that appears on a user's machine when a rule blocks an app or file. \ No newline at end of file From 83d06de81c0b8eb49d36cb76f34e7b42da15fee1 Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Mon, 15 Oct 2018 11:29:36 -0700 Subject: [PATCH 3/7] Changed toc, added more ASR details --- windows/security/threat-protection/TOC.md | 2 + .../attack-surface-reduction-exploit-guard.md | 50 +++++++------------ ...ction-rules-in-windows-10-enterprise-e3.md | 11 ---- 3 files changed, 21 insertions(+), 42 deletions(-) 
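Review bot: in the attack-surface-reduction-exploit-guard.md hunk (@@ -20,15 +20,17 @@), removing "Attack surface reduction rules work best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/...)" drops the only links from this article to the ATP overview and to the alert investigation scenarios, while the replacement sentence "This feature is part of Windows Defender Advanced Threat Protection and provides:" mentions ATP without linking it. Keep the link on that first mention. The deletion also leaves several consecutive blank lines before "When a rule is triggered, a notification will be displayed from the Action Center." (the @@ -26 hunk in PATCH 3/7 has to remove them); collapse them here.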
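Review bot: the new attack-surface-reduction-rules-in-windows-10-enterprise-e3.md is meant to document only the E3 subset, but it carries full sections for "Block executable files from running unless they meet a prevalence, age, or trusted list criteria", "Block only Office communication applications from creating child processes" and "Block Adobe Reader from creating child processes", none of which appear in the rule table on the same page and all three of which PATCH 1/7 marks with an asterisk as E5-only; drop those sections so the table and the sections agree. In the same hunk, "The rules do not apply to any other Office apps." (after a list of Word, Excel, PowerPoint and OneNote) is immediately contradicted by "This includes Word, Excel, PowerPoint, OneNote, and Access." under the child-process rule; reconcile the two. Smaller points: the front matter lists `ms.pagetype: security` twice; the `>[!WARNING]` text is wrapped in stray square brackets (`>[Only use this rule if ... correctly.]`), which will render as broken link syntax; the PowerShell script extension is `.ps1`, not `.ps` (both occurrences of "such as a PowerShell .ps, VisualBasic .vbs"); the `Event ID | Description` header line under step 6 is indented by one space while the `-|-` separator is not, so the table may not render inside the list item; "Block JavaScript or VBScript From launching" capitalizes "From" unlike the table; and the file is missing a trailing newline.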
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 5e910c8c03..48576cb65a 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -422,6 +422,8 @@ ### [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) +### [Use attack surface reduction rules in Windows 10 Enterprise E3](windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md) + ### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 67c8095b0a..7e20a73fec 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
@@ -26,31 +26,20 @@ Attack surface reduction rules help prevent actions and apps that are typically - Executable files and scripts used in Office apps or web mail that attempt to download or run files - Scripts that are obfuscated or otherwise suspicious - Behaviors that apps undertake that are not usually initiated during normal day-to-day work -- Centralized monitoring and reporting -- Analytics to enable ease of deployment +- Centralized monitoring and reporting with deep optics that help you connect the dots across events, computers and devices, and networks +- Analytics to enable ease of deployment, by using [audit mode](audit-windows-defender-exploit-guard.md) to show how attack surface reduction rules would impact your organization if they were enabled - - - -When a rule is triggered, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. - -You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. +When an attack surface reduction rule is triggered, a notification displays from the Action Center on the user's computer. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. ## Requirements Attack surface reduction rules are a feature of Windows Defender ATP and require Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md). 
-This feature includes: - -* Rules for enabling or disabling select behaviors that apps and scripts can use -* Centralized monitoring and reporting -* Analytics to enable ease of deployment - -A subset of attack surface reduction rules are also available on Windows 10 Enterprise E3 without the benefit of centralized monitoring, reporting, and analytics. +A subset of attack surface reduction rules are also available on Windows 10 Enterprise E3 without the benefit of centralized monitoring, reporting, and analytics. For more information, see [Use attack surface reduction rules in Windows 10 Enterprise E3](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3). ## Attack surface reduction rules -The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table. Rules that are only supported on Windows 10 Enterprise E5 are marked with an asterisk (\*). +The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table. Rule name | GUID -|- 
@@ -61,13 +50,13 @@ Block Office applications from injecting code into other processes | 75668C1F-73 Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -\* Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25 +Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25 Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -\* Block only Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 -\* Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c +Block only Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c The rules apply to the following Office apps: @@ -80,7 +69,6 @@ The rules do not apply to any other Office apps. ### Rule: Block executable content from email client and webmail - This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com): - Executable files (such as .exe, .dll, or .scr) 
@@ -102,15 +90,12 @@ This rule targets typical behaviors used by suspicious and malicious add-ons and Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features. - ### Rule: Block Office applications from injecting code into other processes - Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. - >[!IMPORTANT] >[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). @@ -120,7 +105,6 @@ JavaScript and VBScript scripts can be used by malware to launch other malicious This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines. - >[!IMPORTANT] >[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). 
@@ -188,23 +172,29 @@ This is a typical malware behavior, especially for macro-based attacks that atte This rule blocks Adobe Reader from creating child processes. +## Review attack surface reduction rule events in the Windows Defender ATP Security Center + +Windows Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). + +You can query Windows Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how attack surface reduction rules would affect your environment if they were enabled. + ## Review attack surface reduction rule events in Windows Event Viewer You can review the Windows event log to see events that are created when an attack surface reduction rule is triggered (or audited): 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine. -1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. +2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. -2. On the left panel, under **Actions**, click **Import custom view...** +3. On the left panel, under **Actions**, click **Import custom view...** ![Animation showing the import custom view on the Event viewer window](images/events-import.gif) -3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). +4. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). -4. Click **OK**. 
+5. Click **OK**. -5. This will create a custom view that filters to only show the following events related to attack surface reduction rules: +6. This will create a custom view that filters to only show the following events related to attack surface reduction rules: Event ID | Description -|- @@ -212,8 +202,6 @@ You can review the Windows event log to see events that are created when an atta 1122 | Event when rule fires in Audit-mode 1121 | Event when rule fires in Block-mode - - ### Event fields - **ID**: matches with the Rule-ID that triggered the block/audit. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md index ea55082c13..d1984f870d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md @@ -82,7 +82,6 @@ Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. - >[!IMPORTANT] >[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). 
@@ -149,16 +148,6 @@ With this rule, admins can prevent unsigned or untrusted executable files from r - Executable files (such as .exe, .dll, or .scr) - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) -### Rule: Block only Office communication applications from creating child processes - -Office communication apps will not be allowed to create child processes. This includes Outlook. - -This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. - -### Rule: Block Adobe Reader from creating child processes - -This rule blocks Adobe Reader from creating child processes. - ## Review attack surface reduction rule events in Windows Event Viewer You can review the Windows event log to see events that are created when an attack surface reduction rule is triggered (or audited): From 6bcbff0e4e6b227ff2cb1d3015588a77f092eae8 Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Mon, 15 Oct 2018 12:14:29 -0700 Subject: [PATCH 4/7] Corrected E3 rules list --- ...urface-reduction-rules-in-windows-10-enterprise-e3.md | 9 --------- 1 file changed, 9 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md index d1984f870d..656a55447f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md 
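Review bot: in the @@ -26,31 +26,20 @@ hunk of attack-surface-reduction-exploit-guard.md, the added cross-reference "For more information, see [Use attack surface reduction rules in Windows 10 Enterprise E3](https://docs.microsoft.com/en-us/windows/security/...)" is an absolute live-site URL with a pinned `en-us` locale, while every other cross-reference in this file is a relative path (`audit-windows-defender-exploit-guard.md`, `customize-attack-surface-reduction.md`). The target file is created in the same directory in PATCH 2/7, so link to `attack-surface-reduction-rules-in-windows-10-enterprise-e3.md` instead; the build then validates the link and localized sites resolve it. The sentence it is appended to still reads "A subset of attack surface reduction rules are also available"; it should be "is".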
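Review bot: in the @@ -188,23 +172,29 @@ hunk, the new "Review attack surface reduction rule events in the Windows Defender ATP Security Center" section links Advanced hunting with an absolute `https://docs.microsoft.com/en-us/.../windows-defender-atp/...` URL, whereas the alert investigation link in the sentence just before it uses the relative `../windows-defender-atp/` path. Use the relative path for both so the two ATP links in the same section are handled the same way by the build and by localization.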
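Review bot: the @@ -149,16 +148,6 @@ hunk removes the two Office-communication and Adobe Reader sections from the E3 page, but the "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" section, which the same page's table omits and which PATCH 1/7 also marked as E5-only, is still left in place after this change; remove it in the same hunk so the page is consistent in one commit rather than in a follow-up.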
@@ -108,15 +108,6 @@ Malware can use macro code in Office files to import and load Win32 DLLs, which This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. -### Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria - -This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list: - -- Executable files (such as .exe, .dll, or .scr) - ->[!NOTE] ->You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. - ### Rule: Use advanced protection against ransomware This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list. From b11f36c5c01eebf8620db8398e6ba13c03748f21 Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Mon, 15 Oct 2018 12:16:50 -0700 Subject: [PATCH 5/7] Fixed spacing --- ...ack-surface-reduction-rules-in-windows-10-enterprise-e3.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md index 656a55447f..9f5770799b 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md 
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md @@ -22,7 +22,9 @@ ms.date: 10/11/2018 Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. -Attack surface reduction rules work best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which requires a Windows 10 Enterprise E5 license. Windows Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). However, you can use a limited subset of attack surface reduction rules in Windows 10 Enterprise E3 if you are able to either develop your own reporting, monitoring, and analytics or hook into an existing solution in your environment. +Attack surface reduction rules work best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which requires a Windows 10 Enterprise E5 license. Windows Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). + +However, you can use a limited subset of attack surface reduction rules in Windows 10 Enterprise E3 if you are able to either develop your own reporting, monitoring, and analytics or hook into an existing solution in your environment. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. From b8d7f63d46e55a2cd690c761057b17b82bc5cb87 Mon Sep 17 00:00:00 2001 
From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Mon, 15 Oct 2018 14:36:59 -0700 Subject: [PATCH 6/7] Incorporated tech review --- .../attack-surface-reduction-exploit-guard.md | 7 +- ...ction-rules-in-windows-10-enterprise-e3.md | 156 ++---------------- 2 files changed, 19 insertions(+), 144 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 7e20a73fec..b3f2bb7cac 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 10/05/2018 +ms.date: 10/15/2018 --- # Reduce attack surfaces with attack surface reduction rules @@ -35,8 +35,6 @@ When an attack surface reduction rule is triggered, a notification displays from Attack surface reduction rules are a feature of Windows Defender ATP and require Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md). -A subset of attack surface reduction rules are also available on Windows 10 Enterprise E3 without the benefit of centralized monitoring, reporting, and analytics. For more information, see [Use attack surface reduction rules in Windows 10 Enterprise E3](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3). - ## Attack surface reduction rules The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table. 
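Review bot: with the E3 sentence removed from the Requirements section in the `@@ -35,8 +35,6 @@` hunk, that section now says only that the rules "require Windows 10 Enterprise E5", while the E3 subset is mentioned solely in the new section added near the end of the same file (the `@@ -209,6 +207,9 @@` hunk); a reader checking licensing will stop at Requirements, so keep a one-line pointer there, for example "A subset of rules is also available on Windows 10 Enterprise E3; see the section later in this topic", with an in-page link to the new heading.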
@@ -209,6 +207,9 @@ You can review the Windows event log to see events that are created when an atta - **Process Name**: The process that performed the "operation" that was blocked/audited - **Description**: Additional details about the event or audit, including the signature, engine, and product version of Windows Defender Antivirus +## Attack surface reduction rules in Windows 10 Enterprise E3 + +A subset of attack surface reduction rules are also available on Windows 10 Enterprise E3 without the benefit of centralized monitoring, reporting, and analytics. For more information, see [Use attack surface reduction rules in Windows 10 Enterprise E3](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3). ## In this section diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md index 9f5770799b..fa933afc36 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 10/11/2018 +ms.date: 10/15/2018 --- # Use attack surface reduction rules in Windows 10 Enterprise E3 
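Review bot: the paragraph added in the `@@ -209,6 +207,9 @@` hunk links to the E3 topic with an absolute `https://docs.microsoft.com/...` URL, while every other link in these files is relative to the docs tree (for example `../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md` and `customize-attack-surface-reduction.md`); both files live in the same `windows-defender-exploit-guard` directory, so use `[Use attack surface reduction rules in Windows 10 Enterprise E3](attack-surface-reduction-rules-in-windows-10-enterprise-e3.md)` so the link follows branch and locale builds. Also confirm there is a blank line between the added paragraph and the `## In this section` heading that follows it, since the flattened hunk suggests the heading may now sit directly under the new text.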
@@ -30,149 +30,23 @@ Attack surface reduction rules are supported on Windows Server 2019 as well as W ## Attack surface reduction rules -The following attack surface reduction rules are available with a Windows 10 Enterprise E3 license. Each rule is identified by a rule GUID, as in the following table. +The following attack surface reduction rules are available with a Windows 10 Enterprise E3 license: -Rule name | GUID --|- -Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A -Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 -Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D -Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 -Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c -Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 +- Block executable content from email client and webmail +- Block all Office applications from creating child processes +- Block Office applications from creating executable content +- Block Office applications from injecting code into other processes +- Block JavaScript or VBScript from launching downloaded executable content +- Block execution of potentially obfuscated scripts +- Block Win32 API calls from Office macro +- Use advanced protection against ransomware 
+- Block credential stealing from the Windows local security authority subsystem (lsass.exe) +- Block process creations originating from PSExec and WMI commands +- Block untrusted and unsigned processes that run from USB -The rules apply to the following Office apps: +For more information about these rules, see [Reduce attack surfaces with attack surface reduction rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard). -- Microsoft Word -- Microsoft Excel -- Microsoft PowerPoint -- Microsoft OneNote - -The rules do not apply to any other Office apps. - -### Rule: Block executable content from email client and webmail - -This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com): - -- Executable files (such as .exe, .dll, or .scr) -- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) -- Script archive files - ->[!IMPORTANT] ->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). - -### Rule: Block all Office applications from creating child processes - -Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. - -This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. - -### Rule: Block Office applications from creating executable content - -This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique. - -Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features. 
- -### Rule: Block Office applications from injecting code into other processes - -Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. - -This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. - ->[!IMPORTANT] ->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). - -### Rule: Block JavaScript or VBScript From launching downloaded executable content - -JavaScript and VBScript scripts can be used by malware to launch other malicious apps. - -This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines. - ->[!IMPORTANT] ->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). - -### Rule: Block execution of potentially obfuscated scripts - -Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. - -This rule prevents scripts that appear to be obfuscated from running. - -It uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script, or blocks scripts when an attempt is made to access them. - -### Rule: Block Win32 API calls from Office macro - -Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system. - -This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. - -### Rule: Use advanced protection against ransomware - -This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. 
If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list. - ->[!NOTE] ->You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. - -### Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe) - -Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS. - ->[!IMPORTANT] ->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). - - >[!NOTE] - >Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat. - -### Rule: Block process creations originating from PSExec and WMI commands - -This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks. 
- ->[!WARNING] ->[Only use this rule if you are managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands that the Configuration Manager client uses to function correctly.] - -### Rule: Block untrusted and unsigned processes that run from USB - -With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include: - -- Executable files (such as .exe, .dll, or .scr) -- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) - -## Review attack surface reduction rule events in Windows Event Viewer - -You can review the Windows event log to see events that are created when an attack surface reduction rule is triggered (or audited): - -1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine. - -2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. - -3. On the left panel, under **Actions**, click **Import custom view...** - - ![Animation showing the import custom view on the Event viewer window](images/events-import.gif) - -4. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). - -5. Click **OK**. - -6. This will create a custom view that filters to only show the following events related to attack surface reduction rules: - - Event ID | Description --|- -5007 | Event when settings are changed -1122 | Event when rule fires in Audit-mode -1121 | Event when rule fires in Block-mode - -### Event fields - -- **ID**: matches with the Rule-ID that triggered the block/audit. 
-- **Detection time**: Time of detection -- **Process Name**: The process that performed the "operation" that was blocked/audited -- **Description**: Additional details about the event or audit, including the signature, engine, and product version of Windows Defender Antivirus - - ## In this section + ## Related topics Topic | Description ---|--- From 4e1e3b3e89f1f49b52b676b8527006f09dac0616 Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Mon, 15 Oct 2018 14:56:06 -0700 Subject: [PATCH 7/7] Incorp tech review --- ...face-reduction-rules-in-windows-10-enterprise-e3.md | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md index fa933afc36..4cc8fbd9f5 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md 
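Review bot: the `@@ -30,149 +30,23 @@` hunk deletes the whole "Review attack surface reduction rule events in Windows Event Viewer" section (event IDs 5007, 1122 and 1121, the asr-events.xml custom view, and the event fields) from the E3 page, yet this same page tells E3 customers they must "develop your own reporting, monitoring, and analytics"; the Windows event log is the only telemetry those customers have, so keep at least a pointer to the event-review section of the main topic next to the new "For more information about these rules" sentence. The removed per-rule text also carried operational caveats an E3 admin still needs before enabling a rule (exclusions do not apply to several rules, the ransomware rule requires cloud-delivered protection, the PsExec/WMI rule is incompatible with the Configuration Manager client); a line such as "Read the notes for each rule on the main page before enabling it" would cover that. Minor: the new link uses an absolute docs.microsoft.com URL where the rest of the file uses relative paths, so `attack-surface-reduction-exploit-guard.md` would be consistent with the links kept elsewhere in the file.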
@@ -20,17 +20,13 @@ ms.date: 10/15/2018 - Windows 10 Enterprise E3 -Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. +Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature area includes the rules, monitoring, reporting, and analytics necessary for deployment that are included in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), and require the Windows 10 Enterprise E5 license. -Attack surface reduction rules work best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which requires a Windows 10 Enterprise E5 license. Windows Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). - -However, you can use a limited subset of attack surface reduction rules in Windows 10 Enterprise E3 if you are able to either develop your own reporting, monitoring, and analytics or hook into an existing solution in your environment. +A limited subset of basic attack surface reduction rules can technically be used with Windows 10 Enterprise E3. They can be used without the benefits of reporting, monitoring, and analytics, which provide the ease of deployment and management capabilities necessary for enterprises. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. 
-## Attack surface reduction rules - -The following attack surface reduction rules are available with a Windows 10 Enterprise E3 license: +The limited subset of rules that can be used in Windows 10 Enterprise E3 include: - Block executable content from email client and webmail - Block all Office applications from creating child processes
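Review bot: the intro sentence added in the `@@ -20,17 +20,13 @@` hunk has a subject agreement error and blurs the licensing split it is meant to explain: "This feature area includes the rules, monitoring, reporting, and analytics ... that are included in [Windows Defender Advanced Threat Protection], and require the Windows 10 Enterprise E5 license" should read "and requires", and as written it reads as if all of the rules are E5-only, which the next paragraph then walks back. The replacement "can technically be used with Windows 10 Enterprise E3" is vaguer than the text it deletes; the removed sentence stated the actual condition ("if you are able to either develop your own reporting, monitoring, and analytics or hook into an existing solution in your environment"), so keep that clause. Removing the "## Attack surface reduction rules" heading also leaves the rule list with no heading of its own, and "The limited subset of rules that can be used in Windows 10 Enterprise E3 include:" should be "includes:".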