Merge pull request #678 from MicrosoftDocs/public

Public to master 7/12
This commit is contained in:
Dani Halfin
2019-07-12 12:25:26 -07:00
committed by GitHub
22 changed files with 130 additions and 39 deletions

View File

@ -1,8 +1,8 @@
---
title: Fileless threats
ms.reviewer:
description: Learn about fileless threats, its categories, and how it runs
keywords: fileless, amsi, behavior monitoring, memory scanning, boot sector protection, security, malware, Windows Defender ATP, antivirus, AV, Microsoft Defender ATP
description: Learn about the categories of fileless threats and malware that "live off the land"
keywords: fileless, fileless malware, living off the land, lolbins, amsi, behavior monitoring, memory scanning, boot sector protection, security, malware, Windows Defender ATP, antivirus, AV, Microsoft Defender ATP, next generation protection
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
@ -18,9 +18,9 @@ search.appverid: met150
# Fileless threats
What exactly is a fileless threat? The term "fileless" suggests that a threat that does not come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no generally accepted definition. The term is used broadly; it's also used to describe malware families that do rely on files to operate.
What exactly are fileless threats? The term "fileless" suggests that a threat does not come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no generally accepted definition for fileless malware. The term is used broadly; it's also used to describe malware families that do rely on files to operate.
Given that attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) for functionalities like execution, persistence, or information theft, some parts of the attack chain may be fileless, while others may involve the filesystem in some form or another.
Given that attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) for functionalities like execution, persistence, or information theft, some parts of the attack chain may be fileless, while others may involve the filesystem in some form.
For clarity, fileless threats are grouped into different categories.

View File

@ -57,7 +57,7 @@ The following steps are required to enable this integration:
### Before you begin
Review the following details to verify minimum system requirements:
- Install the [February monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
- Install the [February 2018 monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
>[!NOTE]
>Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
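Review bot: the link text now carries the year, which resolves the ambiguity, but the KB number that appears in the URL (KB4074598) is what readers will actually check against the installed-updates list; consider putting it in the link text as well, e.g. "February 2018 monthly update rollup (KB4074598)". The NOTE below it, restricting this to Windows 7 SP1 Enterprise and Pro, could also move above the bullet so readers see the scope before the install step.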

View File

@ -305,7 +305,7 @@ At the level of each organizational unit in the Active Directory hierarchy, one,
This order means that the local Group Policy Object is processed first, and Group Policy Objects that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites the earlier Group Policy Objects.
This is the default processing order and administrators can specify exceptions to this order. A Group Policy Object that is linked to a site, domain, or organizational unit (not a local Group Policy Object) can be set to **Enforced** with respect to that site, domain, or organizational unit, so that none of its policy settings can be overridden. At any site, domain, or organizational unit, you can mark Group Policy inheritance selectively as **Block Inheritance**. Group Policy Object links that are set to **Enforced** are always applied, however, and they cannot be blocked.
This is the default processing order and administrators can specify exceptions to this order. A Group Policy Object that is linked to a site, domain, or organizational unit (not a local Group Policy Object) can be set to **Enforced** with respect to that site, domain, or organizational unit, so that none of its policy settings can be overridden. At any site, domain, or organizational unit, you can mark Group Policy inheritance selectively as **Block Inheritance**. Group Policy Object links that are set to **Enforced** are always applied, however, and they cannot be blocked. For more information see [Group Policy Basics Part 2: Understanding Which GPOs to Apply](https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/15/group-policy-basics-part-2-understanding-which-gpos-to-apply/).
### <a href="" id="bkmk-secpolprocessing"></a>Security settings policy processing
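Review bot: the added reference points at a 2012 personal TechNet blog post (blogs.technet.microsoft.com/musings_of_a_technical_tam/...), which is the kind of target that goes stale; the paragraph already states the rule completely (Enforced links always apply and cannot be blocked), so if a pointer is wanted, a product documentation page on GPO processing and precedence would be a more durable choice. Nit: "For more information see" wants a comma after "information".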

View File

@ -48,7 +48,7 @@ Download the installation and onboarding packages from Windows Defender Security
Extract the contents of the .zip files:
```bash
mavel-macmini:Downloads test$ ls -l
ls -l
total 721152
-rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip
-rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
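Review bot: dropping the `mavel-macmini:Downloads test$` prompt is the right call for copy-and-paste, but the fenced block still mixes the command with its output (`total 721152` and the two file entries), so pasting the whole block fails in the same way. Consider putting the command alone in its `bash` fence and the output in a separate plain fence; the same applies to the other blocks in this file.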
@ -92,7 +92,7 @@ If you did not enable Microsoft's driver during installation, then the applicati
You can also run ```mdatp --health```. It reports if Real-Time Protection is enabled but not available:
```bash
mavel-mojave:~ testuser$ mdatp --health
mdatp --health
...
realTimeProtectionAvailable : false
realTimeProtectionEnabled : true
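Review bot: the introductory sentence uses triple backticks inline (```mdatp --health```); inline code should use single backticks, since triple backticks are only for fenced blocks and render inconsistently mid-sentence.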
@ -112,7 +112,7 @@ In this case, you need to perform the following steps to enable Real-Time Protec
1. In Terminal, attempt to install the driver. (The operation will fail)
```bash
mavel-mojave:~ testuser$ sudo kextutil /Library/Extensions/wdavkext.kext
sudo kextutil /Library/Extensions/wdavkext.kext
Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
Diagnostics for /Library/Extensions/wdavkext.kext:
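Review bot: the command targets `/Library/Extensions/wdavkext.kext` but the rejection diagnostic cites `file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/`; a short sentence explaining that the system stages the extension before evaluating it would stop readers from concluding they ran the wrong path. Nit: "(The operation will fail)" should be a lowercase parenthetical ending with the sentence's period.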
@ -125,13 +125,13 @@ In this case, you need to perform the following steps to enable Real-Time Protec
4. In Terminal, install the driver again. This time the operation will succeed:
```bash
mavel-mojave:~ testuser$ sudo kextutil /Library/Extensions/wdavkext.kext
sudo kextutil /Library/Extensions/wdavkext.kext
```
The banner should disappear from the Defender application, and ```mdatp --health``` should now report that Real-Time Protection is both enabled and available:
```bash
mavel-mojave:~ testuser$ mdatp --health
mdatp --health
...
realTimeProtectionAvailable : true
realTimeProtectionEnabled : true
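Review bot: same inline-code issue here: "and ```mdatp --health``` should now report" uses triple backticks mid-sentence; use single backticks.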
@ -145,20 +145,20 @@ realTimeProtectionEnabled : true
The client machine is not associated with orgId. Note that the *orgId* attribute is blank.
```bash
mavel-mojave:wdavconfig testuser$ mdatp --health orgId
mdatp --health orgId
```
2. Install the configuration file on a client machine:
```bash
mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py
python WindowsDefenderATPOnboarding.py
Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password)
```
3. Verify that the machine is now associated with your organization and reports a valid *orgId*:
```bash
mavel-mojave:wdavconfig testuser$ mdatp --health orgId
mdatp --health orgId
E6875323-A6C0-4C60-87AD-114BBE7439B8
```
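Review bot: the context line "(You may be required to enter sudos password)" has a typo; it should read "sudo password" (or "your sudo password"). Step 2 runs `python WindowsDefenderATPOnboarding.py` without sudo while the message says elevation may be requested, so a sentence stating that the script prompts for elevation itself would remove the doubt about whether to prefix the command with sudo.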

View File

@ -31,7 +31,7 @@ If you can reproduce a problem, please increase the logging level, run the syste
1. Increase logging level:
```bash
mavel-mojave:~ testuser$ mdatp --log-level verbose
mdatp --log-level verbose
Creating connection to daemon
Connection established
Operation succeeded
@ -39,19 +39,18 @@ If you can reproduce a problem, please increase the logging level, run the syste
2. Reproduce the problem
3. Run `mdatp --diagnostic --create` to backup Microsoft Defender ATP's logs. The command will print out location with generated zip file.
3. Run `mdatp --diagnostic --create` to backup Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive. This command will also print out the file path to the backup after the operation succeeds.
```bash
mavel-mojave:~ testuser$ mdatp --diagnostic --create
mdatp --diagnostic --create
Creating connection to daemon
Connection established
"/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip"
```
4. Restore logging level:
```bash
mavel-mojave:~ testuser$ mdatp --log-level info
mdatp --log-level info
Creating connection to daemon
Connection established
Operation succeeded
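Review bot: "to backup Microsoft Defender ATP's logs" uses the noun; as a verb it is "to back up". Step 4 restores the level to `info` without ever having recorded what it was before step 1 raised it to `verbose`; either state that `info` is the default or tell readers to note the current level first. Since the archive stays on disk under `/Library/Application Support/Microsoft/Defender/wdavdiag/`, consider also advising readers to remove it after they have shared it.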

View File

@ -64,7 +64,7 @@ Microsoft Defender ATP can discover a proxy server by using the following discov
If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs.
To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report) and [https://cdn.x.cp.wd.microsoft.com/ping]([https://cdn.x.cp.wd.microsoft.com/ping) in a browser.
To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report) and [https://cdn.x.cp.wd.microsoft.com/ping](https://cdn.x.cp.wd.microsoft.com/ping) in a browser.
If you prefer the command line, you can also check the connection by running the following command in Terminal:
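Review bot: the link fix is correct (the stray `[` inside the target was breaking the second link). One clarification worth adding: a browser test exercises the user's proxy settings, which can differ from the proxy the product discovers through the mechanisms listed above this hunk, so a successful browser load does not by itself prove the daemon's path is open; the command-line check that follows is the better confirmation.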

View File

@ -14,6 +14,9 @@ author: dansimp
ms.date: 05/17/2018
---
> [!NOTE]
> For WDAC enhancements see [Delivering major enhancements in Windows Defender Application Control with the Windows 10 May 2019 Update](https://www.microsoft.com/security/blog/2019/07/01/).
# Deploy Windows Defender Application Control policies by using Microsoft Intune
**Applies to:**
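Review bot: the note's link target `https://www.microsoft.com/security/blog/2019/07/01/` ends at a date path with no post slug and looks truncated; please verify it resolves to the named post. The NOTE is also inserted above the `# Deploy Windows Defender Application Control policies by using Microsoft Intune` H1, which puts it before the page title in the rendered output; placing it after the title and the "Applies to" block matches the layout used elsewhere in this set.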

View File

@ -45,6 +45,19 @@ Triggered rules display a notification on the device. You can [customize the not
For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
## Review attack surface reduction events in the Microsoft Security Center
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings could affect your environment.
Here is an example query:
```
MiscEvents
| where ActionType startswith 'Asr'
```
## Review attack surface reduction events in Windows Event Viewer
You can review the Windows event log to view events that are created when attack surface reduction rules fire:
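Review bot: the audit-mode sentence says Advanced hunting shows "how controlled folder access settings could affect your environment", but this page is about attack surface reduction rules and the query filters on `ActionType startswith 'Asr'`; this reads like a copy from the controlled folder access page and should say "attack surface reduction rules". The prefix match covers every ASR action type, audited and blocked alike, which suits the audit-mode use described. The code fence has no language tag; `kusto` would give the query highlighting.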
@ -147,7 +160,7 @@ GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Malware often uses JavaScript and VBScript scripts to launch other malicious apps.
Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers. You can exclude scripts so they're allowed to run.
Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers.
>[!IMPORTANT]
>File and folder exclusions don't apply to this attack surface reduction rule.
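Review bot: removing "You can exclude scripts so they're allowed to run." is right, since it directly contradicted the IMPORTANT note that file and folder exclusions do not apply to this rule. Nit in the kept text: "additional native payload" should be "payloads".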

View File

@ -227,7 +227,7 @@ Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThun
Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available
Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available
Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available
Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available
Validate heap integrity | System and app-level | TerminateOnError | Audit not available
Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode
Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad
Block remote images | App-level only | BlockRemoteImages | Audit not available
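Review bot: the rename to `TerminateOnError` is consistent with the mitigation keyword that the Set-ProcessMitigation cmdlet accepts for heap integrity; since the old `TerminateOnHeapError` name would have been rejected by the cmdlet, please check whether any other page or sample script in this docset still uses it.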

View File

@ -45,6 +45,19 @@ Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](http
>[!WARNING]
>Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network.
## Review exploit protection events in the Microsoft Security Center
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how exploit protection settings could affect your environment.
Here is an example query:
```
MiscEvents
| where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection'
```
## Review exploit protection events in Windows Event Viewer
You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app:
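Review bot: the query relies on a prefix plus a negative filter (`startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection'`), so it will also pick up any future action type that happens to start with `ExploitGuard`; the network protection page in this same PR lists its action types explicitly with `in (...)`, and the same style here would be more predictable. The fence is untagged; `kusto` would match the other query blocks once they are tagged too.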

View File

@ -51,6 +51,13 @@ Microsoft Defender ATP provides detailed reporting into events and blocks as par
You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled.
Here is an example query
```
MiscEvents
| where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked')
```
## Review network protection events in Windows Event Viewer
You can review the Windows event log to see events that are created when network protection blocks (or audits) access to a malicious IP or domain:
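Review bot: "Here is an example query" is missing the trailing colon that the two sibling pages use, and the fence has no language tag (`kusto`). Otherwise the explicit `in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked')` filter is the clearest of the three queries in this PR.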