mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-15 10:23:37 +00:00
Update attack-surface-reduction.md
@ -48,7 +48,7 @@ You can set attack surface reduction rules for computers running the following v
- Windows 10 version [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- Windows 10, version [1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) or later
- Windows Server version [1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) (Semi-Annual Channel) or later
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [[Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
To use the entire feature-set of attack surface reduction rules, you need a [Windows 10 Enterprise license](https://www.microsoft.com/licensing/product-licensing/windows10). With a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events.
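Review bot: the Windows Server 2019 bullet added in this hunk is a malformed nested link, `[[Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)`, which renders as a link wrapped in a second link; it should read `- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)` exactly as the removed line did. Separately, changing the first bullet from Windows 10 version 1709 to "Windows 10, version 1803 or later" contradicts the rule table later in this commit, which gives Windows 10, version 1709 (build 16299) as the minimum OS for most rules, and the per-rule sections that say those rules were introduced in Windows 10, version 1709; either keep 1709 here or revise the table and sections to match.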
@ -95,21 +95,21 @@ The following sections describe each of the 15 attack surface reduction rules. T
| Rule name | GUID | File & folder exclusions | Minimum OS supported |
|-----|----|---|---|
|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported | Windows 10 [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported | Windows 10 [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported | Windows 10 [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported | Windows 10 [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | D3E037E1-3EB8-44C8-A917-57927947596D | Not supported | Windows 10 [1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater |
|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported | Windows 10 [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported | Windows 10 [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported | Windows 10 [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported | Windows 10 [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported | Windows 10 [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | d1e49aac-8f56-4280-b9ba-993a6d77406c | Supported | Windows 10 [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported | Windows 10 [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported | Windows 10 [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported | Windows 10 [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | e6db77e5-3df2-4cf1-b95a-636979351e5b | Not supported | Windows 10 [1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater |
|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported | Windows 10, version [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported | Windows 10, version [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported | Windows 10, version [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported | Windows 10, version [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | D3E037E1-3EB8-44C8-A917-57927947596D | Not supported | Windows 10, version [1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater |
|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported | Windows 10, version [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported | Windows 10, version [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported | Windows 10, version [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported | Windows 10, version [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported | Windows 10, version [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | d1e49aac-8f56-4280-b9ba-993a6d77406c | Supported | Windows 10, version [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported | Windows 10, version [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported | Windows 10, version [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported | Windows 10, version [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | e6db77e5-3df2-4cf1-b95a-636979351e5b | Not supported | Windows 10, version [1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater |
### Block executable content from email client and webmail
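Review bot: the only change to the table is inserting ", version" into the Minimum OS supported column, yet the values in that column disagree with the per-rule sections rewritten further down in this same commit: the table gives Windows 10, version 1709 for the prevalence/age, ransomware, LSASS, PsExec/WMI, USB, Office communication and Adobe Reader rules, while their sections say they were introduced in Windows 10 1803 or 1809, and the Block JavaScript or VBScript row says version 1903 while its section says version 1709. Since every row of the column is being touched, reconcile the numbers with the sections here rather than only changing the wording.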
@ -119,9 +119,9 @@ This rule blocks the following file types from launching from email opened withi
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
This rule was introduced in:
- Windows 10, version 1709
- Windows Server, version 1809
- Windows Server 2019
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- Microsoft Endpoint Configuration Manager CB 1710
Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)
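Review bot: the list's last bullet, `- Microsoft Endpoint Configuration Manager CB 1710`, is left as unchanged context while the same product appears as `- Configuration Manager CB 1710` in the next sections and as `- System Center Configuration Manager (SCCM) CB 1710 (SCCM is now Microsoft Endpoint Configuration Manager)` in the executable-content section; since this commit rewrites every one of these lists, pick one form, explain the rename once at this first occurrence, and use the short form everywhere else.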
@ -137,9 +137,9 @@ This rule blocks Office apps from creating child processes. This includes Word,
Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings.
This rule was introduced in:
- Windows 10, version 1709
- Windows Server, version 1809
- Windows Server 2019
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- Configuration Manager CB 1710
Intune name: Office apps launching child processes
@ -155,9 +155,9 @@ This rule prevents Office apps, including Word, Excel, and PowerPoint, from crea
Malware that abuse Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique.
This rule was introduced in:
- Windows 10, version 1709
- Windows Server, version 1809
- Windows Server 2019
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- System Center Configuration Manager (SCCM) CB 1710 (SCCM is now Microsoft Endpoint Configuration Manager)
Intune name: Office apps/macros creating executable content
@ -176,7 +176,11 @@ There are no known legitimate business purposes for using code injection.
This rule applies to Word, Excel, and PowerPoint.
This rule was introduced in: Windows 10, version 1709, Windows Server, version 1809, Windows Server 2019, Configuration Manager CB 1710
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- Configuration Manager CB 1710
Intune name: Office apps injecting code into other processes (no exceptions)
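Review bot: the `Intune name:` context line closing this hunk ends in `(no exceptions)`, but the table row for Block Office applications from injecting code into other processes marks File & folder exclusions as Supported; the email/webmail rule has the same conflict between its `(no exceptions)` Intune name and its Supported table cell. Confirm which is right and align the exclusions column with the Intune names while the table is being edited.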
@ -193,7 +197,11 @@ Although not common, line-of-business applications sometimes use scripts to down
> [!IMPORTANT]
> File and folder exclusions don't apply to this attack surface reduction rule.
This rule was introduced in: Windows 10, version 1709, Windows Server, version 1809, Windows Server 2019, Configuration Manager CB 1710
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- Configuration Manager CB 1710
Intune name: js/vbs executing payload downloaded from Internet (no exceptions)
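Review bot: the new list's first bullet says this rule was introduced in Windows 10, version 1709, but the table row for Block JavaScript or VBScript from launching downloaded executable content gives Windows 10, version 1903 (build 18362) as the minimum OS; one of the two is wrong, and converting the old single line into a linked list preserves the mismatch. Resolve the version before merging rather than linking the 1709 entry as-is.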
@ -207,7 +215,11 @@ This rule detects suspicious properties within an obfuscated script.
Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software.
This rule was introduced in: Windows 10, version 1709, Windows Server, version 1809, Windows Server 2019, Configuration Manager CB 1710
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- Configuration Manager CB 1710
Intune name: Obfuscated js/vbs/ps/macro code
@ -221,7 +233,11 @@ This rule prevents VBA macros from calling Win32 APIs.
Office VBA provides the ability to make Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.
This rule was introduced in: Windows 10, version 1709, Windows Server, version 1809, Windows Server 2019, Configuration Manager CB 1710
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- Configuration Manager CB 1710
Intune name: Win32 imports from Office macro code
@ -245,7 +261,11 @@ Launching untrusted or unknown executable files can be risky, as it may not not
>
>You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
This rule was introduced in: Windows 10 1803, Windows Server, version 1809, Windows Server 2019, Configuration Manager CB 1802
This rule was introduced in:
- Windows 10 1803
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- Configuration Manager CB 1802
Intune name: Executables that don't meet a prevalence, age, or trusted list criteria.
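Review bot: the new list leaves `- Windows 10 1803` as plain text while the other bullets are linked and use the ", version" form; for consistency with the lists rewritten above it should be `- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)`, the same URL pattern the first hunk already uses. The same unlinked `Windows 10 1803` and `Windows 10 1809` bullets recur in the ransomware, LSASS, PsExec/WMI, USB, Office communication and Adobe Reader sections that follow.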
@ -260,7 +280,11 @@ This rule provides an extra layer of protection against ransomware. It scans exe
> [!NOTE]
> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule.
This rule was introduced in: Windows 10 1803, Windows Server, version 1809, Windows Server 2019, Configuration Manager CB 1802
This rule was introduced in:
- Windows 10 1803
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- Configuration Manager CB 1802
Intune name: Advanced ransomware protection
@ -277,7 +301,11 @@ LSASS authenticates users who log in to a Windows computer. Microsoft Defender C
> [!NOTE]
> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
This rule was introduced in: Windows 10 1803, Windows Server, version 1809, Windows Server 2019, Configuration Manager CB 1802
This rule was introduced in:
- Windows 10 1803
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- Configuration Manager CB 1802
Intune name: Flag credential stealing from the Windows local security authority subsystem
@ -292,7 +320,10 @@ This rule blocks processes created through [PsExec](https://docs.microsoft.com/s
> [!WARNING]
> Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr) because this rule blocks WMI commands the Configuration Manager client uses to function correctly.
This rule was introduced in: Windows 10 1803, Windows Server, version 1809, Windows Server 2019
This rule was introduced in:
- Windows 10 1803
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
Intune name: Process creation from PSExec and WMI commands
@ -307,7 +338,11 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
* Executable files (such as .exe, .dll, or .scr)
* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
This rule was introduced in: Windows 10 1803, Windows Server, version 1809, Windows Server 2019, Configuration Manager CB 1802
This rule was introduced in:
- Windows 10 1803
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- Configuration Manager CB 1802
Intune name: Untrusted and unsigned processes that run from USB
@ -324,7 +359,10 @@ This protects against social engineering attacks and prevents exploit code from
> [!NOTE]
> This rule applies to Outlook and Outlook.com only.
This rule was introduced in: Windows 10 1809, Windows Server, version 1809, Windows Server 2019
This rule was introduced in:
- Windows 10 1809
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
Intune name: Process creation from Office communication products (beta)
@ -338,7 +376,10 @@ This rule prevents attacks by blocking Adobe Reader from creating additional pro
Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading.
This rule was introduced in: Windows 10 1809, Windows Server, version 1809, Windows Server 2019
This rule was introduced in:
- Windows 10 1809
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
Intune name: Process creation from Adobe Reader (beta)
@ -352,7 +393,9 @@ This rule prevents malware from abusing WMI to attain persistence on a device.
Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.
This rule was introduced in: Windows 10 1903, Windows Server 1903
This rule was introduced in:
- Windows 10 1903
- Windows Server 1903
Intune name: Block persistence through WMI event subscription
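Review bot: the rewritten list uses `- Windows 10 1903` and `- Windows Server 1903` without the links or the ", version" wording applied elsewhere in this commit (compare `- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)` in the preceding sections); write them as `- Windows 10, version 1903` and `- Windows Server, version 1903`, linking the Windows 10 entry to the 1903 what's-new page the table already uses.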