From 2d26392f0ac86aec91def4ccf5d274972721b5fc Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Dec 2020 14:24:06 -0800 Subject: [PATCH 01/53] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index f5e542e2f6..ecaa7bcca5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -14,7 +14,7 @@ ms.author: deniseb ms.reviewer: sugamar, jcedola manager: dansimp ms.custom: asr -ms.date: 11/30/2020 +ms.date: 12/08/2020 --- # Reduce attack surfaces with attack surface reduction rules 
@@ -26,17 +26,17 @@ ms.date: 11/30/2020 * [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -## Overview +## Why attack surface reduction is important -Your attack surface includes all the places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means protecting your organization's devices and network, which leaves attackers with fewer ways to perform attacks. +Your organization's attack surface includes all the places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means protecting your organization's devices and network, which leaves attackers with fewer ways to perform attacks. Configuring attack surface reduction rules in Microsoft Defender for Endpoint can help! -Attack surface reduction rules target certain software behaviors that are often abused by attackers. Such behaviors include: +Attack surface reduction rules target certain software behaviors, such as: - Launching executable files and scripts that attempt to download or run files; - Running obfuscated or otherwise suspicious scripts; and - Performing behaviors that apps don't usually initiate during normal day-to-day work. -Such software behaviors are sometimes seen in legitimate applications; however, these behaviors are often considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain risky behaviors and help keep your organization safe. +Such software behaviors are sometimes seen in legitimate applications; however, these behaviors are often considered risky because they are commonly abused by attackers through malware. Attack surface reduction rules can constrain risky behaviors and help keep your organization safe. For more information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md). 
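Review bot: renaming the H2 from "Overview" to "Why attack surface reduction is important" in the second hunk of patch 01/53 changes the heading's auto-generated anchor, so any existing link to `#overview` in this or another doc will break; check for inbound references before merging, or keep the old heading text. Two wording points in the same hunk: the new first sentence, "Your organization's attack surface includes all the places where an attacker could compromise your organization's devices or networks", repeats "your organization's" twice in one clause (the original "Your attack surface" avoided that), and the added "Configuring attack surface reduction rules in Microsoft Defender for Endpoint can help!" would read better as a plain statement without the exclamation mark, matching the register of the rest of the page.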
From d3ae0137c435263d5e85e9d4a028c7acfd085748 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Dec 2020 14:33:41 -0800 Subject: [PATCH 02/53] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index ecaa7bcca5..46951dd11c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
@@ -109,14 +109,14 @@ The following sections describe each of the 15 attack surface reduction rules. T | Rule name | GUID | File & folder exclusions | Minimum OS supported | |-----|----|---|---| -|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | `01443614-cd74-433a-b99e-2ecdc07bfc25` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | 
`D3E037E1-3EB8-44C8-A917-57927947596D` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | `3B576869-A4EC-4529-8536-B80A7769E899` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | 
`01443614-cd74-433a-b99e-2ecdc07bfc25` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | `d1e49aac-8f56-4280-b9ba-993a6d77406c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | From bf1dd1f078d9209b452fc11ae5b7f13b851e2d8c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Dec 2020 14:35:43 -0800 Subject: [PATCH 03/53] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 46951dd11c..e0b1a68177 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
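Review bot: for patch 02/53 (the table hunk ending just above), the commit message "Update attack-surface-reduction.md" says nothing about what changed; the hunk starts sorting the rules table by rule name, so a message such as "Sort attack surface reduction rules table alphabetically" would make the history searchable. Also, because the hunk only moves the "Block executable files from running ...", "Block execution of potentially obfuscated scripts" and "Block JavaScript or VBScript ..." rows while "Block credential stealing ..." and "Block process creations ..." remain below "Use advanced protection against ransomware", this commit leaves the table half-sorted; consider squashing it with the following reorder commits so no intermediate revision publishes a partially ordered table. The moved rows keep their GUIDs and OS columns byte for byte, which is correct.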
@@ -105,11 +105,12 @@ The "engine version" listed for attack surface reduction events in the event log ## Attack surface reduction rules -The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs: +The following sections describe each of the 15 attack surface reduction rules (in alphabetical order of rule name). This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs: | Rule name | GUID | File & folder exclusions | Minimum OS supported | |-----|----|---|---| |[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block executable files from running unless they meet a prevalence, age, or trusted list 
criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | `01443614-cd74-433a-b99e-2ecdc07bfc25` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | 
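Review bot: the new parenthetical "(in alphabetical order of rule name)" in the intro sentence of this hunk is asserted before the table is actually in that order: in the same commit the rows for "Use advanced protection against ransomware", "Block process creations originating from PSExec and WMI commands", "Block untrusted and unsigned processes that run from USB" and "Block Office communication application from creating child processes" are still grouped at the bottom (see the context lines of the next hunk). Either add this sentence in the commit that completes the ordering or squash the series, so that no intermediate revision makes a claim the table does not satisfy. The relocated "Block credential stealing ..." row keeps its GUID `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` and its other columns unchanged, which is correct.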
@@ -118,7 +119,6 @@ The following sections describe each of the 15 attack surface reduction rules. T |[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | `d1e49aac-8f56-4280-b9ba-993a6d77406c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or 
greater | |[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | `26190899-1602-49e8-8b27-eb1d0a1ce869` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | From e66d6381b38f28f20b88652ffe5d178230ca6520 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Dec 2020 14:37:02 -0800 Subject: [PATCH 04/53] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index e0b1a68177..8acd90b68f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
@@ -117,13 +117,14 @@ The following sections describe each of the 15 attack surface reduction rules (i |[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | `3B576869-A4EC-4529-8536-B80A7769E899` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater | |[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block process creations 
originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | `d1e49aac-8f56-4280-b9ba-993a6d77406c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | `26190899-1602-49e8-8b27-eb1d0a1ce869` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater | + ### Block executable content from email client and webmail From 03600bc363aa8c36917be87c4dd185eb3af0a20f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Dec 2020 14:38:05 -0800 Subject: [PATCH 05/53] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
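Review bot: the content-free "+" line at the end of this hunk (patch 04/53) appends an empty line after the last table row, just before the "### Block executable content from email client and webmail" heading, and the hunk removes no blank line in exchange; check the result for two consecutive blank lines between the table and the heading, which markdownlint reports as MD012, and keep exactly one. The relocated "Block persistence through WMI event subscription" row is otherwise unchanged (GUID `e6db77e5-3df2-4cf1-b95a-636979351e5b`, exclusions "Not supported", minimum OS Windows 10, version 1903), and its new position after "Block Office applications from injecting code into other processes" is the right one once the "Block Office communication application ..." row is moved up as well.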
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 8acd90b68f..0a1b17df14 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
@@ -117,12 +117,13 @@ The following sections describe each of the 15 attack surface reduction rules (i |[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | `3B576869-A4EC-4529-8536-B80A7769E899` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | `26190899-1602-49e8-8b27-eb1d0a1ce869` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | + |[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater | |[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 
16299) or greater | |[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | `d1e49aac-8f56-4280-b9ba-993a6d77406c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | `26190899-1602-49e8-8b27-eb1d0a1ce869` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | From 146f9a79bf75a88dad2af071012c3112c0b7d370 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Dec 2020 14:39:16 -0800 Subject: [PATCH 06/53] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) 
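Review bot: the empty "+" line in this hunk (patch 05/53) lands inside the table, between the relocated "Block Office communication application from creating child processes" row and the "Block persistence through WMI event subscription" context row. A blank line terminates a Markdown table, so when rendered, the rows from "Block persistence ..." through "Block Adobe Reader ..." are no longer part of the table that carries the header; they become a second pipe-delimited block with no header row, which most renderers show as plain text. Remove that line so the table stays contiguous. The moved row itself is unchanged (GUID `26190899-1602-49e8-8b27-eb1d0a1ce869`) and its placement after "Block Office applications from injecting code into other processes" is alphabetically correct.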
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 0a1b17df14..946f52908f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
@@ -108,7 +108,8 @@ The "engine version" listed for attack surface reduction events in the event log The following sections describe each of the 15 attack surface reduction rules (in alphabetical order of rule name). This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs: | Rule name | GUID | File & folder exclusions | Minimum OS supported | -|-----|----|---|---| +|-----|-----|-----|-----| +|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | 
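Review bot: the separator-row change from `|-----|----|---|---|` to `|-----|-----|-----|-----|` in this hunk (first hunk of patch 06/53) is purely cosmetic, since dash counts do not affect rendering, and it is bundled with the row moves; harmless, but either mention it in the commit message or leave it out so the diff of this series shows only the reorder. The "Block Adobe Reader from creating child processes" row added at the top is the correct first entry alphabetically ("Adobe" sorts before "all Office"), and it matches the row removed further down in the second hunk (`7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`).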
@@ -117,14 +118,12 @@ The following sections describe each of the 15 attack surface reduction rules (i |[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | `3B576869-A4EC-4529-8536-B80A7769E899` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | `26190899-1602-49e8-8b27-eb1d0a1ce869` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | - |[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater | |[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 
16299) or greater | |[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | `d1e49aac-8f56-4280-b9ba-993a6d77406c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | + ### Block executable content from email client and webmail From c1cdaa7c498d5384b3ff48e91c77b68467549992 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Dec 2020 14:40:26 -0800 Subject: [PATCH 07/53] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 946f52908f..eb9e2bead0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
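Review bot: the second hunk of patch 06/53 (the last hunk above, before the patch 07/53 headers) deletes the stray blank line that 05/53 inserted between the "Block Office communication ..." and "Block persistence ..." rows, which is what restores the table; 05/53 and 06/53 should be squashed before merge so that no published revision has a split table. The same hunk also adds another content-free "+" line after the "Block untrusted and unsigned processes that run from USB" row, at the same spot where 04/53 already appended one; check the rendered file for consecutive blank lines before the "### Block executable content from email client and webmail" heading (markdownlint MD012) and keep a single one. The "Block Adobe Reader ..." row removed here is identical to the one added at the top of the table in the first hunk, so the move itself is consistent.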
@@ -119,9 +119,9 @@ The following sections describe each of the 15 attack surface reduction rules (i |[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | `3B576869-A4EC-4529-8536-B80A7769E899` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater | +|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | `d1e49aac-8f56-4280-b9ba-993a6d77406c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block process creations originating from PSExec and 
WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | `d1e49aac-8f56-4280-b9ba-993a6d77406c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | From fa2360cd600701b4866e3f6e7aa39e507118d779 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Dec 2020 14:40:59 -0800 Subject: [PATCH 08/53] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index eb9e2bead0..a50eca6244 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
@@ -120,9 +120,10 @@ The following sections describe each of the 15 attack surface reduction rules (i |[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater | |[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | `d1e49aac-8f56-4280-b9ba-993a6d77406c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block untrusted and unsigned processes that run from 
USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | + From b7061104398b40c1c4c0601fb67cdf568ea87e0e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Dec 2020 14:48:28 -0800 Subject: [PATCH 09/53] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index a50eca6244..ae43672ba2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
@@ -105,11 +105,12 @@ The "engine version" listed for attack surface reduction events in the event log ## Attack surface reduction rules -The following sections describe each of the 15 attack surface reduction rules (in alphabetical order of rule name). This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs: +The following sections describe each of the 16 attack surface reduction rules (in alphabetical order of rule name). This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs: | Rule name | GUID | File & folder exclusions | Minimum OS supported | |-----|-----|-----|-----| |[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|Block abuse of in-the-wild exploited vulnerable signed drivers (NEW!) 
| | | | |[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | 
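Review bot: In PATCH 09's first hunk (`@@ -105,11 +105,12 @@`), the added row `|Block abuse of in-the-wild exploited vulnerable signed drivers (NEW!) | | | |` is the only row whose rule name is not linked to a section, and it leaves the GUID, exclusion-support and minimum-OS cells empty; it is also placed after `Block Adobe Reader from creating child processes` although the intro sentence promises alphabetical order and "abuse" sorts before "Adobe". Suggest moving the row to the top of the table, filling the three cells (or writing "Not yet available" rather than leaving them blank, so readers do not read the gap as "exclusions not supported"), and linking the name once its section exists.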
@@ -118,6 +119,7 @@ The following sections describe each of the 15 attack surface reduction rules (i |[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | `3B576869-A4EC-4529-8536-B80A7769E899` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) |`26190899-1602-49e8-8b27-eb1d0a1ce869` |Supported |[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater | |[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | `d1e49aac-8f56-4280-b9ba-993a6d77406c` | Supported | [Windows 10, version 
1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | @@ -125,8 +127,6 @@ The following sections describe each of the 15 attack surface reduction rules (i |[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | - - ### Block executable content from email client and webmail This rule blocks the following file types from launching from email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers: From d73ceb1d037b841ac58a4c029e427d6ae07c40d9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Dec 2020 14:59:41 -0800 Subject: [PATCH 10/53] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index ae43672ba2..79f641e58b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
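Review bot: Style nit on the `Block Office communication application from creating child processes` row added in PATCH 09's `@@ -118,6 +119,7 @@` hunk: its cells are written as `|`26190899-1602-49e8-8b27-eb1d0a1ce869` |Supported |[Windows 10, ...` without the ` | ` padding every other row uses; align it with the rest of the table so future diffs of the row stay readable.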
@@ -110,7 +110,7 @@ The following sections describe each of the 16 attack surface reduction rules (i | Rule name | GUID | File & folder exclusions | Minimum OS supported | |-----|-----|-----|-----| |[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|Block abuse of in-the-wild exploited vulnerable signed drivers (NEW!) | | | | +|Block abuse of in-the-wild exploited vulnerable signed drivers (NEW!) |`56a863a9-875e-4185-98a7-b882c64b5ce5` | | | |[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | 
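Review bot: PATCH 10's first hunk (`@@ -110,7 +110,7 @@`) fills in the GUID `56a863a9-875e-4185-98a7-b882c64b5ce5` for the vulnerable-signed-drivers row but still leaves the exclusion-support and minimum-OS cells empty and the rule name unlinked; since the same patch adds a `### Block abuse of in-the-wild exploited vulnerable signed drivers` section, link the name to `#block-abuse-of-in-the-wild-exploited-vulnerable-signed-drivers` as the other rows do, and state the two remaining values (or "Not yet available").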
@@ -126,6 +126,10 @@ The following sections describe each of the 16 attack surface reduction rules (i |[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +### Block abuse of in-the-wild exploited vulnerable signed drivers + +This rule prevents an application from writing a vulnerable signed driver to disk. Vulnerable signed drivers can be exploited by local applications with sufficient privileges, to gain access to the kernel. It allows attackers to disable or circumvent security solutions, eventually leading to system compromise. + ### Block executable content from email client and webmail From bdd276ef6bf647dd8cc781a979284a29b144734a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Dec 2020 15:29:55 -0800 Subject: [PATCH 11/53] Update attack-surface-reduction.md --- .../attack-surface-reduction.md | 38 ++++++++++--------- 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 79f641e58b..96c3a4434d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
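Review bot: The new `### Block abuse of in-the-wild exploited vulnerable signed drivers` section in PATCH 10's `@@ -126,6 +126,10 @@` hunk lacks the metadata block every other rule section carries (`This rule was introduced in:`, `Intune name:`, `Configuration Manager name:`, `GUID:`); at minimum the GUID added to the table in the previous hunk should be repeated here. In the description, "It allows attackers to disable or circumvent security solutions" has no clear antecedent (suggest "Kernel access lets attackers disable or circumvent security solutions"), and the comma in "with sufficient privileges, to gain access to the kernel" should go.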
@@ -26,7 +26,7 @@ ms.date: 12/08/2020 * [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -## Why attack surface reduction is important +## Why attack surface reduction rules are important Your organization's attack surface includes all the places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means protecting your organization's devices and network, which leaves attackers with fewer ways to perform attacks. Configuring attack surface reduction rules in Microsoft Defender for Endpoint can help! 
@@ -126,6 +126,25 @@ The following sections describe each of the 16 attack surface reduction rules (i |[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | + +### Block Adobe Reader from creating child processes + +This rule prevents attacks by blocking Adobe Reader from creating additional processes. + +Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading. + +This rule was introduced in: +- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) + +Intune name: Process creation from Adobe Reader (beta) + +Configuration Manager name: Not yet available + +GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` + + ### Block abuse of in-the-wild exploited vulnerable signed drivers This rule prevents an application from writing a vulnerable signed driver to disk. Vulnerable signed drivers can be exploited by local applications with sufficient privileges, to gain access to the kernel. It allows attackers to disable or circumvent security solutions, eventually leading to system compromise. 
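Review bot: PATCH 11's `@@ -126,6 +126,25 @@` hunk places the Adobe Reader section ahead of `### Block abuse of in-the-wild exploited vulnerable signed drivers`, but alphabetically "abuse" precedes "Adobe", so the sections end up in the opposite order to what the table intro promises; swap them. The hunk also adds two blank lines before the heading and two after the GUID, giving triple blank lines where a single one is the file's convention. While the text is being moved, fix the agreement in "malware attempting to use it as a vector are prevented from spreading" ("is prevented").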
@@ -381,23 +400,6 @@ Configuration Manager name: Not yet available GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869` -### Block Adobe Reader from creating child processes - -This rule prevents attacks by blocking Adobe Reader from creating additional processes. - -Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading. - -This rule was introduced in: -- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - -Intune name: Process creation from Adobe Reader (beta) - -Configuration Manager name: Not yet available - -GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` - ### Block persistence through WMI event subscription This rule prevents malware from abusing WMI to attain persistence on a device. From e3a8eb5cc0bfe9e7fd82cc237cb1bb411653bfec Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Dec 2020 15:33:16 -0800 Subject: [PATCH 12/53] Update attack-surface-reduction.md --- .../attack-surface-reduction.md | 74 ++++++++++--------- 1 file changed, 38 insertions(+), 36 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 96c3a4434d..a1f9ff2328 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
@@ -144,11 +144,48 @@ Configuration Manager name: Not yet available GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` - ### Block abuse of in-the-wild exploited vulnerable signed drivers This rule prevents an application from writing a vulnerable signed driver to disk. Vulnerable signed drivers can be exploited by local applications with sufficient privileges, to gain access to the kernel. It allows attackers to disable or circumvent security solutions, eventually leading to system compromise. +### Block all Office applications from creating child processes + +This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. + +Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings. + +This rule was introduced in: +- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: Office apps launching child processes + +Configuration Manager name: Block Office application from creating child processes + +GUID: `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` + +### Block credential stealing from the Windows local security authority subsystem + +This rule helps prevent credential stealing, by locking down Local Security Authority Subsystem Service (LSASS). + +LSASS authenticates users who log in to a Windows computer. 
Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. + +> [!NOTE] +> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is NO need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat. + +This rule was introduced in: +- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: Flag credential stealing from the Windows local security authority subsystem + +Configuration Manager name: Block credential stealing from the Windows local security authority subsystem + +GUID: `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` ### Block executable content from email client and webmail 
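Review bot: Two grammar points in the text moved by PATCH 12's `@@ -144,11 +144,48 @@` hunk: "Malware that abuse Office as a vector often run VBA macros" should read "abuses ... runs", and the comma in "helps prevent credential stealing, by locking down" should go. In the LSASS `[!NOTE]`, "there is NO need to add it to the exclusion list" reads better without the capitals; the sentence already makes the point that an app which merely enumerates LSASS, with no functional impact, needs no exclusion.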
@@ -169,23 +206,8 @@ Microsoft Endpoint Configuration Manager name: Block executable content from ema GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` -### Block all Office applications from creating child processes -This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. -Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings. - -This rule was introduced in: -- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - -Intune name: Office apps launching child processes - -Configuration Manager name: Block Office application from creating child processes - -GUID: `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` ### Block Office applications from creating executable content 
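Review bot: PATCH 12's `@@ -169,23 +206,8 @@` hunk deletes the Office child-process section but keeps the unchanged blank lines that separated its paragraphs, so most of the 8 lines left by the hunk between `GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550`` and `### Block Office applications from creating executable content` are empty; remove the extras so sections stay one blank line apart.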
@@ -325,26 +347,6 @@ Configuration Manager name: Use advanced protection against ransomware GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35` -### Block credential stealing from the Windows local security authority subsystem - -This rule helps prevent credential stealing, by locking down Local Security Authority Subsystem Service (LSASS). - -LSASS authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. - -> [!NOTE] -> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is NO need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat. 
- -This rule was introduced in: -- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - -Intune name: Flag credential stealing from the Windows local security authority subsystem - -Configuration Manager name: Block credential stealing from the Windows local security authority subsystem - -GUID: `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` ### Block process creations originating from PSExec and WMI commands From bc44d9d509c5a8f2e84552e9573a7ed6d224c5af Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Dec 2020 15:34:16 -0800 Subject: [PATCH 13/53] Update attack-surface-reduction.md --- .../attack-surface-reduction.md | 50 +++++++++---------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index a1f9ff2328..260513eca3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
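Review bot: PATCH 12's `@@ -325,26 +347,6 @@` hunk deletes the LSASS section's text but not the blank context lines between its paragraphs, leaving a run of empty lines between `GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35`` and `### Block process creations originating from PSExec and WMI commands`; trim to a single blank line.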
@@ -206,6 +206,31 @@ Microsoft Endpoint Configuration Manager name: Block executable content from ema GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` +### Block executable files from running unless they meet a prevalence, age, or trusted list criterion + +This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list: + +- Executable files (such as .exe, .dll, or .scr) + +Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious. + +> [!IMPORTANT] +> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule.

The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly. +> +>You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to. + +This rule was introduced in: +- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: Executables that don't meet a prevalence, age, or trusted list criteria. + +Configuration Manager name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria + +GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25` + @@ -303,31 +328,6 @@ Configuration Manager name: Block Win32 API calls from Office macros GUID: `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` -### Block executable files from running unless they meet a prevalence, age, or trusted list criterion - -This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list: - -- Executable files (such as .exe, .dll, or .scr) - -Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious. - -> [!IMPORTANT] -> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule.

The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly. -> ->You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to. - -This rule was introduced in: -- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - -Intune name: Executables that don't meet a prevalence, age, or trusted list criteria. - -Configuration Manager name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria - -GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25` - ### Use advanced protection against ransomware This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or an exclusion list. From 485dddd1c66c9cd61a59118e75676a7ed86ec05a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Dec 2020 18:56:42 -0800 Subject: [PATCH 14/53] Update attack-surface-reduction.md --- .../attack-surface-reduction.md | 36 ++++++++++--------- 1 file changed, 19 insertions(+), 17 deletions(-) 
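Review bot: In the callout moved by PATCH 13's `@@ -206,6 +206,31 @@` hunk, "you can't specify which rules or exclusions apply to" is missing its object and should read something like "but you can't specify which rules the exclusions apply to". As rendered in the hunk, the sentence beginning "The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25" appears outside the `>` callout lines, so confirm it still carries the `>` prefix in the source, and put that GUID in backticks as the `GUID:` line does. Finally, `Intune name: Executables that don't meet a prevalence, age, or trusted list criteria.` ends with a period and says "criteria" where the heading says "criterion"; drop the period and pick one form.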
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 260513eca3..93847cb984 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -231,6 +231,25 @@ Configuration Manager name: Block executable files from running unless they meet GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25` +### Block execution of potentially obfuscated scripts + +This rule detects suspicious properties within an obfuscated script. + +Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software. + +This rule was introduced in: +- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: Obfuscated js/vbs/ps/macro code + +Configuration Manager name: Block execution of potentially obfuscated scripts. + +GUID: `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` + + 
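Review bot: PATCH 14's `@@ -231,6 +231,25 @@` hunk ends with two added empty lines (`+`, `+`) on top of the blank line already following, so three blank lines precede the next section; one is enough. Also `Configuration Manager name: Block execution of potentially obfuscated scripts.` is the only Configuration Manager name in the file that ends with a period; drop it for consistency with the other sections.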
@@ -292,23 +311,6 @@ Configuration Manager name: Block JavaScript or VBScript from launching download GUID: `D3E037E1-3EB8-44C8-A917-57927947596D` -### Block execution of potentially obfuscated scripts - -This rule detects suspicious properties within an obfuscated script. - -Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software. - -This rule was introduced in: -- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - -Intune name: Obfuscated js/vbs/ps/macro code - -Configuration Manager name: Block execution of potentially obfuscated scripts. - -GUID: `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` ### Block Win32 API calls from Office macros From 2b89caa6029ad823779b0565950d37d6bf06f995 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Dec 2020 18:57:37 -0800 Subject: [PATCH 15/53] Update attack-surface-reduction.md --- .../attack-surface-reduction.md | 38 ++++++++++--------- 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 93847cb984..cbe1e8f611 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
@@ -249,6 +249,26 @@ Configuration Manager name: Block execution of potentially obfuscated scripts. GUID: `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` +### Block JavaScript or VBScript from launching downloaded executable content + +This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet. + +Although not common, line-of-business applications sometimes use scripts to download and launch installers. + +This rule was introduced in: +- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: js/vbs executing payload downloaded from Internet (no exceptions) + +Configuration Manager name: Block JavaScript or VBScript from launching downloaded executable content + +GUID: `D3E037E1-3EB8-44C8-A917-57927947596D` + + + 
@@ -293,24 +313,6 @@ Configuration Manager name: Block Office applications from injecting code into o GUID: `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` -### Block JavaScript or VBScript from launching downloaded executable content - -This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet. - -Although not common, line-of-business applications sometimes use scripts to download and launch installers. - -This rule was introduced in: -- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - -Intune name: js/vbs executing payload downloaded from Internet (no exceptions) - -Configuration Manager name: Block JavaScript or VBScript from launching downloaded executable content - -GUID: `D3E037E1-3EB8-44C8-A917-57927947596D` - ### Block Win32 API calls from Office macros From 54caf7a6057c09e89b23686073aea776d1423f4f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Dec 2020 18:58:13 -0800 Subject: [PATCH 16/53] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index cbe1e8f611..1c6113b283 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -267,12 +267,6 @@ Configuration Manager name: Block JavaScript or VBScript from launching download GUID: `D3E037E1-3EB8-44C8-A917-57927947596D` - - - - - - ### Block Office applications from creating executable content This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk. @@ -314,6 +308,9 @@ Configuration Manager name: Block Office applications from injecting code into o GUID: `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` + + + ### Block Win32 API calls from Office macros This rule prevents VBA macros from calling Win32 APIs. From 7664f71e2fc5125b730cd5469ddc0b7c812b7344 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Dec 2020 18:59:04 -0800 Subject: [PATCH 17/53] Update attack-surface-reduction.md --- .../attack-surface-reduction.md | 40 ++++++++++--------- 1 file changed, 21 insertions(+), 19 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 1c6113b283..7142e05183 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
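Review bot: whitespace churn: this commit deletes the six empty lines the previous two moves left after `GUID: \`D3E037E1-3EB8-44C8-A917-57927947596D\`` and then adds three new empty lines before `### Block Win32 API calls from Office macros`, which a later commit in this same series deletes again. Squash the reordering commits (14 through 21) into one so the final diff shows only the section moves and no blank-line add/remove pairs.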
@@ -307,6 +307,27 @@ Configuration Manager name: Block Office applications from injecting code into o GUID: `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` +### Block Office communication application from creating child processes + +This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions. + +This protects against social engineering attacks and prevents exploit code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised. + +> [!NOTE] +> This rule applies to Outlook and Outlook.com only. + +This rule was introduced in: +- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) + +Intune name: Process creation from Office communication products (beta) + +Configuration Manager name: Not yet available + +GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869` + + 
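Review bot: the `Outlook rules and forms exploits` link points at `blogs.technet.microsoft.com`, a blog platform Microsoft has been retiring; verify that the URL still resolves (or redirects) before the section is republished under a new position, and prefer a docs.microsoft.com or Tech Community target if one exists. The hunk also ends with two added empty `+` lines; the same trailing-blank-line point from the earlier moves applies here.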
@@ -383,25 +404,6 @@ Configuration Manager name: Block untrusted and unsigned processes that run from GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` -### Block Office communication application from creating child processes - -This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions. - -This protects against social engineering attacks and prevents exploit code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised. - -> [!NOTE] -> This rule applies to Outlook and Outlook.com only. - -This rule was introduced in: -- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - -Intune name: Process creation from Office communication products (beta) - -Configuration Manager name: Not yet available - -GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869` ### Block persistence through WMI event subscription From 1f2925545a996dee46c4527106688ce68da3f703 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Dec 2020 18:59:48 -0800 Subject: [PATCH 18/53] Update attack-surface-reduction.md --- .../attack-surface-reduction.md | 36 +++++++++---------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 7142e05183..0ea54f5923 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -327,6 +327,24 @@ Configuration Manager name: Not yet available GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869` +### Block persistence through WMI event subscription + +This rule prevents malware from abusing WMI to attain persistence on a device. + +> [!IMPORTANT] +> File and folder exclusions don't apply to this attack surface reduction rule. + +Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. + +This rule was introduced in: +- [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) +- [Windows Server 1903](https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903-1909) + +Intune name: Not yet available + +Configuration Manager name: Not yet available + +GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b` 
@@ -405,24 +423,6 @@ Configuration Manager name: Block untrusted and unsigned processes that run from GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` -### Block persistence through WMI event subscription - -This rule prevents malware from abusing WMI to attain persistence on a device. - -> [!IMPORTANT] -> File and folder exclusions don't apply to this attack surface reduction rule. - -Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. - -This rule was introduced in: -- [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) -- [Windows Server 1903](https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903-1909) - -Intune name: Not yet available - -Configuration Manager name: Not yet available - -GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b` ## Related topics From d089263968e2480e06633e890c1dd73185924b7d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Dec 2020 19:00:29 -0800 Subject: [PATCH 19/53] Update attack-surface-reduction.md --- .../attack-surface-reduction.md | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 0ea54f5923..8d6ba4c1f2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
@@ -346,6 +346,23 @@ Configuration Manager name: Not yet available GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b` +### Block process creations originating from PSExec and WMI commands + +This rule blocks processes created through [PsExec](https://docs.microsoft.com/sysinternals/downloads/psexec) and [WMI](https://docs.microsoft.com/windows/win32/wmisdk/about-wmi) from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization's network. + +> [!WARNING] +> Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr) because this rule blocks WMI commands the Configuration Manager client uses to function correctly. + +This rule was introduced in: +- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) + +Intune name: Process creation from PSExec and WMI commands + +Configuration Manager name: Not applicable + +GUID: `d1e49aac-8f56-4280-b9ba-993a6d77406c` 
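Review bot: the WARNING is the key operational fact about this rule and sits below the description where it is easy to skim past; state it in the first sentence as well, e.g. that enabling `d1e49aac-8f56-4280-b9ba-993a6d77406c` on Configuration Manager-managed devices breaks the ConfigMgr client because the rule blocks the WMI process creations the client relies on. Minor: the heading spells the tool `PSExec` while the body and its link say `PsExec`; use the product's casing in the heading (the Intune string should stay exactly as Intune shows it).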
@@ -388,23 +405,6 @@ Configuration Manager name: Use advanced protection against ransomware GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35` -### Block process creations originating from PSExec and WMI commands - -This rule blocks processes created through [PsExec](https://docs.microsoft.com/sysinternals/downloads/psexec) and [WMI](https://docs.microsoft.com/windows/win32/wmisdk/about-wmi) from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization's network. - -> [!WARNING] -> Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr) because this rule blocks WMI commands the Configuration Manager client uses to function correctly. - -This rule was introduced in: -- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - -Intune name: Process creation from PSExec and WMI commands - -Configuration Manager name: Not applicable - -GUID: `d1e49aac-8f56-4280-b9ba-993a6d77406c` ### Block untrusted and unsigned processes that run from USB From 100a71a76311e5582389479daf7c1e542a149ac1 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Dec 2020 19:01:10 -0800 Subject: [PATCH 20/53] Update attack-surface-reduction.md --- .../attack-surface-reduction.md | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 8d6ba4c1f2..7ec2e7d5af 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -364,6 +364,22 @@ Configuration Manager name: Not applicable GUID: `d1e49aac-8f56-4280-b9ba-993a6d77406c` +### Block untrusted and unsigned processes that run from USB + +With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include executable files (such as .exe, .dll, or .scr) + +This rule was introduced in: +- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: Untrusted and unsigned processes that run from USB + +Configuration Manager name: Block untrusted and unsigned processes that run from USB + +GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` + 
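Review bot: `Blocked file types include executable files (such as .exe, .dll, or .scr)` is missing its closing period, and because it says "include" a reader cannot tell whether only PE files are covered; since the rule name says "processes", add one sentence stating the scope (for example whether scripts launched from removable media are in or out) so the FAQ does not have to answer it later.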
@@ -406,22 +422,6 @@ GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35` -### Block untrusted and unsigned processes that run from USB - -With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include executable files (such as .exe, .dll, or .scr) - -This rule was introduced in: -- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - -Intune name: Untrusted and unsigned processes that run from USB - -Configuration Manager name: Block untrusted and unsigned processes that run from USB - -GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` - ## Related topics From aee396ee5b7dcc4c63afc32bae55e88f3b66f726 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Dec 2020 19:01:53 -0800 Subject: [PATCH 21/53] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 7ec2e7d5af..022ded468b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -380,9 +380,6 @@ Configuration Manager name: Block untrusted and unsigned processes that run from GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` - - - ### Block Win32 API calls from Office macros This rule prevents VBA macros from calling Win32 APIs. 
@@ -420,11 +417,7 @@ Configuration Manager name: Use advanced protection against ransomware GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35` - - - - -## Related topics +## See also - [Attack surface reduction FAQ](attack-surface-reduction-faq.md) From 32870ff648a54e7013e66ebe0c345c619f27fce1 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Dec 2020 19:03:11 -0800 Subject: [PATCH 22/53] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 022ded468b..a4b6de8412 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
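Review bot: renaming `## Related topics` to `## See also` changes the heading anchor from `#related-topics` to `#see-also`; search the docs set for links into the old anchor and update them, or keep the old heading text. Removing the four stray blank lines above the heading is fine.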
@@ -110,7 +110,7 @@ The following sections describe each of the 16 attack surface reduction rules (i | Rule name | GUID | File & folder exclusions | Minimum OS supported | |-----|-----|-----|-----| |[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|Block abuse of in-the-wild exploited vulnerable signed drivers (NEW!) |`56a863a9-875e-4185-98a7-b882c64b5ce5` | | | +|[Block abuse of in-the-wild exploited vulnerable signed drivers](#block-abuse-of-in-the-wild-exploited-vulnerable-signed-drivers) (NEW!) |`56a863a9-875e-4185-98a7-b882c64b5ce5` | | | |[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | From b5963c80a5e67dc11f907fbb98b6b92fb515dae7 Mon Sep 17 00:00:00 2001 
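Review bot: the new table row links to the driver-rule section but still leaves the `File & folder exclusions` and `Minimum OS supported` cells empty, so a reader of the summary table cannot tell whether exclusions apply to `56a863a9-875e-4185-98a7-b882c64b5ce5` or which builds support it; fill both cells here, matching the format of the other rows (`Supported` and `... (RS3, build 16299) or greater`).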
From: Denise Vangel-MSFT Date: Tue, 8 Dec 2020 19:05:07 -0800 Subject: [PATCH 23/53] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index a4b6de8412..c5af8a7084 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -126,7 +126,6 @@ The following sections describe each of the 16 attack surface reduction rules (i |[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | - ### Block Adobe Reader from creating child processes This rule prevents attacks by blocking Adobe Reader from creating additional processes. From 808a5d8aa56125f51f92e4caf42c4c96cbf64961 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Dec 2020 19:32:52 -0800 Subject: [PATCH 24/53] Update attack-surface-reduction.md --- .../attack-surface-reduction.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index c5af8a7084..5c8ba4c01b 100644 
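Review bot: this deletes a blank line between the last table row (`[Use advanced protection against ransomware] ...`) and `### Block Adobe Reader from creating child processes`; make sure one blank line remains so the table terminates cleanly and markdownlint's blank-lines-around-headings check still passes. If the file had two blank lines there, removing one is fine.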
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
@@ -52,6 +52,15 @@ In the recommendation details pane, check the user impact to determine what perc Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. +## Warn mode for users + +(NEW!) Prior to warn mode capabilities, attack surface reduction rules that are enabled could be set to either audit mode or block mode. With the new warn mode, whenever content is blocked by an attack surface reduction rule, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. WHen a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes. + +Warn mode helps your organization have attack surface reduction rules in place without preventing users from accessing the content they need to perform their tasks. + +> [!IMPORTANT] +> Warn mode is supported on devices running Windows 10, version 1809 or later and [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later. + ## Notifications when a rule is triggered Whenever a rule is triggered, a notification will be displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. 
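Review bot: the warn-mode paragraph says a user can unblock content for 24 hours but not whether that bypass is recorded anywhere an admin can see it (event log, Security Center) or whether it is scoped to that user on that device; a defender choosing warn mode needs both facts, so add them or link to where they are documented. Also `WHen` is a typo for `When`, and `(NEW!)` inside body text will go stale; date it or drop it once the feature has shipped.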
The notification also displays within the Microsoft Defender Security Center and the Microsoft 365 security center. @@ -214,7 +223,7 @@ This rule blocks the following file types from launching unless they meet preval Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious. > [!IMPORTANT] -> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule.

The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly. +> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule.

The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID `01443614-cd74-433a-b99e-2ecdc07bfc25` is owned by Microsoft and is not specified by admins. This rule uses cloud-delivered protection to update its trusted list regularly. > >You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to. From 00a45c74efca525a2ece151d6abc9e10c9abd6a2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Dec 2020 19:34:09 -0800 Subject: [PATCH 25/53] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 5c8ba4c01b..21528e4f76 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -59,7 +59,7 @@ Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduc Warn mode helps your organization have attack surface reduction rules in place without preventing users from accessing the content they need to perform their tasks. > [!IMPORTANT] -> Warn mode is supported on devices running Windows 10, version 1809 or later and [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later. +> Warn mode is supported on devices running [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later and [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later. ## Notifications when a rule is triggered 
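Review bot: the trailing context line `You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.` is ungrammatical; while this IMPORTANT block is being edited, reword it, e.g. `... but you can't specify which rules the exclusions apply to.` The change itself (backticks around `01443614-cd74-433a-b99e-2ecdc07bfc25`, `It uses` to `This rule uses`) is fine, though `is owned by Microsoft and is not specified by admins` would read more clearly as `its trusted list is maintained by Microsoft and can't be edited by admins`.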
From 4b09543e092a79668803673823cc84928df9d32f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Dec 2020 19:37:01 -0800 Subject: [PATCH 26/53] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 21528e4f76..c626505f1c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -59,7 +59,11 @@ Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduc Warn mode helps your organization have attack surface reduction rules in place without preventing users from accessing the content they need to perform their tasks. > [!IMPORTANT] -> Warn mode is supported on devices running [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later and [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later. +> Warn mode is supported on devices running the following versions of Windows: +> - [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later +> - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later +> +> Attack surface reduction rules that are configured in warn mode will run in block mode on devices that are running older versions of Windows. ## Notifications when a rule is triggered From 91b2f9dcd4daa90b372909a08a6b819c914903a8 Mon Sep 17 00:00:00 2001 
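Review bot: the new sentence that warn-mode rules run in block mode on older Windows versions is the most important line in this section for a rollout and belongs where admins plan the deployment: repeat it (or link to it) in the audit-mode paragraph above, and state it as per-device behavior, i.e. one policy set to warn will block on Windows 10 1803-and-earlier devices in the same tenant.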
From: Denise Vangel-MSFT Date: Tue, 8 Dec 2020 19:37:33 -0800 Subject: [PATCH 27/53] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index c626505f1c..2864b35d75 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -54,7 +54,7 @@ Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduc ## Warn mode for users -(NEW!) Prior to warn mode capabilities, attack surface reduction rules that are enabled could be set to either audit mode or block mode. With the new warn mode, whenever content is blocked by an attack surface reduction rule, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. WHen a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes. +(**NEW**!) Prior to warn mode capabilities, attack surface reduction rules that are enabled could be set to either audit mode or block mode. With the new warn mode, whenever content is blocked by an attack surface reduction rule, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. WHen a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes. Warn mode helps your organization have attack surface reduction rules in place without preventing users from accessing the content they need to perform their tasks. 
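Review bot: this touches the sentence containing `WHen a user unblocks content` but only bolds `NEW`; fix the `WHen` capitalization in the same edit rather than leaving the typo for a later commit.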
From d5f7ee335630bb348d0c04ba54e08d4a3073b658 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Dec 2020 19:47:49 -0800 Subject: [PATCH 28/53] Update attack-surface-reduction.md --- .../attack-surface-reduction.md | 20 ++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 2864b35d75..1d817cfb03 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -123,7 +123,7 @@ The following sections describe each of the 16 attack surface reduction rules (i | Rule name | GUID | File & folder exclusions | Minimum OS supported | |-----|-----|-----|-----| |[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block abuse of in-the-wild exploited vulnerable signed drivers](#block-abuse-of-in-the-wild-exploited-vulnerable-signed-drivers) (NEW!) |`56a863a9-875e-4185-98a7-b882c64b5ce5` | | | +|[Block abuse of in-the-wild exploited vulnerable signed drivers](#block-abuse-of-in-the-wild-exploited-vulnerable-signed-drivers) (NEW!) |`56a863a9-875e-4185-98a7-b882c64b5ce5` | |- Windows 10 Pro, version [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
- Windows 10 Enterprise, version [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
- Windows Server, version [1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) (Semi-Annual Channel) or later
- Windows Server 2019 | |[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | 
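Review bot: the replacement "Minimum OS supported" cell for the vulnerable-signed-drivers row is a four-item bullet list with real line breaks, which a Markdown table cannot hold; the first newline ends the row, so the items beginning "- Windows 10 Enterprise, version 1709 or later" render as loose text and every row after it loses its structure. Use a single phrase matching the other rows (`[Windows 10, version 1709](...) (RS3, build 16299) or greater`) or join the items with `<br>`. The "File & folder exclusions" cell is also left blank while every other row says "Supported"; write "Not supported" so readers do not mistake the blank for an omission.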
@@ -160,6 +160,24 @@ GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` This rule prevents an application from writing a vulnerable signed driver to disk. Vulnerable signed drivers can be exploited by local applications with sufficient privileges, to gain access to the kernel. It allows attackers to disable or circumvent security solutions, eventually leading to system compromise. +This rule does not block a driver already existing on the system from being loaded. + +> [!TIP] +> You can submit a driver for analysis at the [Microsoft Security Intelligence site](https://www.microsoft.com/wdsi/driversubmission). + +This rule is supported on all versions of Windows where attack surface reduction rules are currently supported: +- Windows 10 Pro, version 1709 or later +- Windows 10 Enterprise, version 1709 or later +- Windows Server, version 1803 (Semi-Annual Channel) or later +- Windows Server 2019 + +Intune Name: Block abuse of exploited vulnerable signed drivers + +Configuration Manager name: Not Applicable + +Rule guid: `56a863a9-875e-4185-98a7-b882c64b5ce5` + + ### Block all Office applications from creating child processes This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. From 92779ec0840a7b397e3f1abc7e37964ccaf05f17 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 9 Dec 2020 06:41:34 -0800 Subject: [PATCH 29/53] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 1d817cfb03..3b653eb7af 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
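Review bot: the new rule section's metadata labels do not match the sections around it: it uses "Rule guid:" and "Intune Name:" where the other rules use "GUID:" and "Intune name:", and "Configuration Manager name: Not Applicable" where the Adobe Reader section says "Not yet available" for the same situation. Pick one label set and one wording. The added caveat "This rule does not block a driver already existing on the system from being loaded" is the most important operational sentence in the hunk and deserves one more line spelling out the consequence: the rule is a write-time control, so drivers already present must be reviewed by other means (the TIP about the driver submission site partly covers that). Finally, the section is inserted after the Adobe Reader GUID line, which breaks the alphabetical ordering the page promises, since "abuse" sorts before "Adobe".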
@@ -123,7 +123,7 @@ The following sections describe each of the 16 attack surface reduction rules (i | Rule name | GUID | File & folder exclusions | Minimum OS supported | |-----|-----|-----|-----| |[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block abuse of in-the-wild exploited vulnerable signed drivers](#block-abuse-of-in-the-wild-exploited-vulnerable-signed-drivers) (NEW!) |`56a863a9-875e-4185-98a7-b882c64b5ce5` | |- Windows 10 Pro, version [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
- Windows 10 Enterprise, version [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
- Windows Server, version [1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) (Semi-Annual Channel) or later
- Windows Server 2019 | +|[Block abuse of in-the-wild exploited vulnerable signed drivers](#block-abuse-of-in-the-wild-exploited-vulnerable-signed-drivers) (NEW!) |`56a863a9-875e-4185-98a7-b882c64b5ce5` | |[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | From b6d3059c29c6d2aad1df0a842034642b1c10e6da Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 9 Dec 2020 07:50:07 -0800 Subject: [PATCH 30/53] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 3b653eb7af..1143c590b6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
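Review bot: collapsing the OS list back to a single cell repairs the table row broken by the previous commit, but the "File & folder exclusions" cell is still empty. Every other row carries a value ("Supported"), so an empty cell reads as unknown rather than as "not supported"; state the status explicitly. The cell now reads "Windows 10, version 1709 (RS3, build 16299) or greater" while the rule's own section lists Windows 10 Pro and Enterprise 1709, Windows Server 1803 and Windows Server 2019; make sure the two places agree on the server minimum.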
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -17,7 +17,7 @@ ms.custom: asr ms.date: 12/08/2020 --- -# Reduce attack surfaces with attack surface reduction rules +# Protect your devices and network from malware with attack surface reduction rules [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] From d71aad7c7d42f1800fac43fe95fcfd290c1d342d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 9 Dec 2020 08:25:13 -0800 Subject: [PATCH 31/53] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 1143c590b6..45872223b0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -17,7 +17,7 @@ ms.custom: asr ms.date: 12/08/2020 --- -# Protect your devices and network from malware with attack surface reduction rules +# Use attack surface reduction rules to prevent malware infection [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] From 262b0e754031dbf1c98974f59a292dbfbb529354 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 9 Dec 2020 09:26:05 -0800 Subject: [PATCH 32/53] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 45872223b0..9d66ce2298 100644 
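Review bot: the H1 is renamed twice in consecutive commits ("Protect your devices and network from malware with attack surface reduction rules", then "Use attack surface reduction rules to prevent malware infection"); squash these into one change. On substance, "prevent malware infection" narrows the page's scope: several of the rules described on this page address post-compromise behaviour rather than initial infection, for example blocking credential stealing from lsass.exe, blocking persistence through WMI event subscription, and blocking vulnerable signed drivers from being written to disk. Either keep the original "Reduce attack surfaces with attack surface reduction rules" or choose wording that covers blocking risky behaviours in general.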
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -14,7 +14,7 @@ ms.author: deniseb ms.reviewer: sugamar, jcedola manager: dansimp ms.custom: asr -ms.date: 12/08/2020 +ms.date: 12/09/2020 --- # Use attack surface reduction rules to prevent malware infection From 11f0faae52716f09f6ec1f828a9101ab5fd73bf0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 9 Dec 2020 09:44:42 -0800 Subject: [PATCH 33/53] Update attack-surface-reduction.md --- .../attack-surface-reduction.md | 35 +++++++++---------- 1 file changed, 17 insertions(+), 18 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 9d66ce2298..d577b90969 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
@@ -122,8 +122,8 @@ The following sections describe each of the 16 attack surface reduction rules (i | Rule name | GUID | File & folder exclusions | Minimum OS supported | |-----|-----|-----|-----| -|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block abuse of in-the-wild exploited vulnerable signed drivers](#block-abuse-of-in-the-wild-exploited-vulnerable-signed-drivers) (NEW!) |`56a863a9-875e-4185-98a7-b882c64b5ce5` | |[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 
1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | 
@@ -139,23 +139,6 @@ The following sections describe each of the 16 attack surface reduction rules (i |[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -### Block Adobe Reader from creating child processes - -This rule prevents attacks by blocking Adobe Reader from creating additional processes. - -Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading. - -This rule was introduced in: -- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - -Intune name: Process creation from Adobe Reader (beta) - -Configuration Manager name: Not yet available - -GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` - ### Block abuse of in-the-wild exploited vulnerable signed drivers This rule prevents an application from writing a vulnerable signed driver to disk. Vulnerable signed drivers can be exploited by local applications with sufficient privileges, to gain access to the kernel. It allows attackers to disable or circumvent security solutions, eventually leading to system compromise. 
@@ -177,6 +160,22 @@ Configuration Manager name: Not Applicable Rule guid: `56a863a9-875e-4185-98a7-b882c64b5ce5` +### Block Adobe Reader from creating child processes + +This rule prevents attacks by blocking Adobe Reader from creating additional processes. + +Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading. + +This rule was introduced in: +- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) + +Intune name: Process creation from Adobe Reader (beta) + +Configuration Manager name: Not yet available + +GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` ### Block all Office applications from creating child processes From f4f563de441c1322b9cd38e07d53f3c78d5f703f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 9 Dec 2020 16:34:00 -0800 Subject: [PATCH 34/53] Update attack-surface-reduction.md --- .../attack-surface-reduction.md | 35 ++++++++++++++----- 1 file changed, 26 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index d577b90969..a36f13ab7b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
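Review bot: moving the Adobe Reader section below the vulnerable-signed-drivers section restores the alphabetical order, but the move puts two conflicting statements next to each other: the table row in the first hunk gives the Adobe Reader rule's minimum OS as "Windows 10, version 1709 (RS3, build 16299) or greater", while the moved section says "This rule was introduced in: Windows 10, version 1809 / Windows Server, version 1809 / Windows Server 2019". One of them is wrong; if the rule shipped in 1809 the table cell should say so. Also check the blank lines around the moved block: the hunk's line counts (six context lines around sixteen added lines, with the deleted block's trailing blank line removed in the previous hunk) indicate the re-added "GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`" line is immediately followed by "### Block all Office applications from creating child processes" while two blank lines sit above the section; move one of them below the GUID line.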
@@ -58,12 +58,26 @@ Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduc Warn mode helps your organization have attack surface reduction rules in place without preventing users from accessing the content they need to perform their tasks. -> [!IMPORTANT] -> Warn mode is supported on devices running the following versions of Windows: -> - [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later -> - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later -> -> Attack surface reduction rules that are configured in warn mode will run in block mode on devices that are running older versions of Windows. +### Requirements for warn mode to work + +Warn mode is supported on devices running the following versions of Windows: +- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later + +Minimum CAMP release requirement: 4.18.2008.9 +Minimum Engine release requirement: 17400 + +### Warn mode is not supported for some attack surface reduction rules + +Warn mode is not supported for the following attack surface reduction rules: +- [Block abuse of in-the-wild exploited vulnerable signed drivers](#block-abuse-of-in-the-wild-exploited-vulnerable-signed-drivers) (GUID `56a863a9-875e-4185-98a7-b882c64b5ce5`) +- [Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) (GUID `d3e037e1-3eb8-44c8-a917-57927947596d`) +- [Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) (GUID `e6db77e5-3df2-4cf1-b95a-636979351e5b`) +- [Use advanced protection against 
ransomware](#use-advanced-protection-against-ransomware) (GUID `c1db55ab-c21a-4637-bb3f-a12568109d35`) + +Attack surface reduction rules that are configured in warn mode will run in block mode on devices that are running older versions of Windows. + + ## Notifications when a rule is triggered 
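Review bot: the two lines "Minimum CAMP release requirement: 4.18.2008.9" and "Minimum Engine release requirement: 17400" have no list markers and no blank line between them, so Markdown renders them as one run-on paragraph; make them list items. "CAMP" is an internal codename that readers of this page will not recognize, and "17400" on its own does not say what it is a build of; use the public term (platform version) and the full engine version string. Separately, the new "Warn mode is not supported for some attack surface reduction rules" section lists the four rules but never says what happens when one of them is configured in warn mode; the only fallback statement ("will run in block mode") is scoped to "older versions of Windows". State the rule-level fallback explicitly, because an admin who expects a warn dialog and instead gets a hard block will misdiagnose the result as a policy error.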
@@ -118,10 +132,13 @@ The "engine version" listed for attack surface reduction events in the event log ## Attack surface reduction rules -The following sections describe each of the 16 attack surface reduction rules (in alphabetical order of rule name). This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs: +The following table and subsections describe each of the 16 attack surface reduction rules. The attack surface reduction rules are listed in alphabetical order, by rule name. + +If you are configuring attack surface reduction rules by using Group Policy or PowerShell, you'll need the GUIDs. On the other hand, if you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs. + | Rule name | GUID | File & folder exclusions | Minimum OS supported | -|-----|-----|-----|-----| +|:-----|:-----:|:-----|:-----| |[Block abuse of in-the-wild exploited vulnerable signed drivers](#block-abuse-of-in-the-wild-exploited-vulnerable-signed-drivers) (NEW!) |`56a863a9-875e-4185-98a7-b882c64b5ce5` | |[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | 
@@ -141,7 +158,7 @@ The following sections describe each of the 16 attack surface reduction rules (i ### Block abuse of in-the-wild exploited vulnerable signed drivers -This rule prevents an application from writing a vulnerable signed driver to disk. Vulnerable signed drivers can be exploited by local applications with sufficient privileges, to gain access to the kernel. It allows attackers to disable or circumvent security solutions, eventually leading to system compromise. +(**NEW**!) This rule prevents an application from writing a vulnerable signed driver to disk. Vulnerable signed drivers can be exploited by local applications with sufficient privileges, to gain access to the kernel. It allows attackers to disable or circumvent security solutions, eventually leading to system compromise. This rule does not block a driver already existing on the system from being loaded. From dceb30e4c68e788afa800c1ddfe3a13ca61374ce Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 9 Dec 2020 16:38:09 -0800 Subject: [PATCH 35/53] Update TOC.md --- windows/security/threat-protection/TOC.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index f9ae070935..79487e7cc2 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
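Review bot: the sentence this hunk touches still has a dangling pronoun: "Vulnerable signed drivers can be exploited by local applications with sufficient privileges, to gain access to the kernel. It allows attackers to disable..." has no clear referent for "It"; rewrite as "Exploiting such a driver allows attackers to disable or circumvent security solutions, eventually leading to system compromise." Since the line is being edited to add the marker anyway, fix the prose at the same time. Note also that "(**NEW**!)" inside body text dates quickly; a month-based wording or a changelog entry ages better than an in-line marker that someone has to remember to remove.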
@@ -185,9 +185,7 @@ ###### [Report on antivirus protection]() ###### [Review protection status and alerts](microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md) ###### [Troubleshoot antivirus reporting in Update Compliance](microsoft-defender-antivirus/troubleshoot-reporting.md) - -###### [Manage updates and apply baselines]() -###### [Learn about the different kinds of updates](microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md) +###### [Learn about the recent updates](microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md) ###### [Manage protection and security intelligence updates](microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md) ###### [Manage when protection updates should be downloaded and applied](microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md) ###### [Manage updates for endpoints that are out of date](microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md) From 2f324dedd1f35b63694716c8f260717aab8bd94b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 9 Dec 2020 16:52:59 -0800 Subject: [PATCH 36/53] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index a36f13ab7b..e10bf2816b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
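Review bot: the renamed TOC entry "Learn about the recent updates" no longer describes its target, manage-updates-baselines-microsoft-defender-antivirus.md, which by its own name covers update types and baselines rather than only recent changes; "Learn about the different kinds of updates" or "Manage updates and baselines" matches the file. The hunk also removes the unlinked grouping entry "[Manage updates and apply baselines]()" without re-homing the update entries beneath it, so "Manage protection and security intelligence updates" and the following items now sit directly after the reporting entries with nothing introducing them; confirm that flattening is intended rather than a side effect of deleting the empty link.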
@@ -64,8 +64,11 @@ Warn mode is supported on devices running the following versions of Windows: - [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later -Minimum CAMP release requirement: 4.18.2008.9 -Minimum Engine release requirement: 17400 +In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed +- Minimum platform release requirement: `4.18.2008.9` +- Minimum engine release requirement: `1.1.17400.5` + +For more information, see [Update for Microsoft Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform). ### Warn mode is not supported for some attack surface reduction rules From d9d0388a5901654d0278d9f800aa2dd44fb46ded Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 9 Dec 2020 17:01:26 -0800 Subject: [PATCH 37/53] Update attack-surface-reduction.md --- .../attack-surface-reduction.md | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index e10bf2816b..6319fcee8b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
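Review bot: the sentence "In addition, make sure [Microsoft Defender Antivirus and antimalware updates](...) are installed" runs straight into the list without punctuation; end it with a colon. Replacing "CAMP" with "platform" and giving the engine version in full as `1.1.17400.5` resolves the ambiguity from the earlier commit, and the link to the antimalware platform update article gives readers a place to get the versions; consider adding one sentence on how to confirm the installed platform and engine versions so the requirement is checkable rather than just stated.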
@@ -68,23 +68,21 @@ In addition, make sure [Microsoft Defender Antivirus and antimalware updates](ht - Minimum platform release requirement: `4.18.2008.9` - Minimum engine release requirement: `1.1.17400.5` -For more information, see [Update for Microsoft Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform). +For more information and to get your updates, see [Update for Microsoft Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform). -### Warn mode is not supported for some attack surface reduction rules +### Cases where warn mode is not supported -Warn mode is not supported for the following attack surface reduction rules: -- [Block abuse of in-the-wild exploited vulnerable signed drivers](#block-abuse-of-in-the-wild-exploited-vulnerable-signed-drivers) (GUID `56a863a9-875e-4185-98a7-b882c64b5ce5`) +Warn mode is not supported for the following four attack surface reduction rules: +- (NEW!) [Block abuse of in-the-wild exploited vulnerable signed drivers](#block-abuse-of-in-the-wild-exploited-vulnerable-signed-drivers) (GUID `56a863a9-875e-4185-98a7-b882c64b5ce5`) - [Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) (GUID `d3e037e1-3eb8-44c8-a917-57927947596d`) - [Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) (GUID `e6db77e5-3df2-4cf1-b95a-636979351e5b`) - [Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) (GUID `c1db55ab-c21a-4637-bb3f-a12568109d35`) -Attack surface reduction rules that are configured in warn mode will run in block mode on devices that are running older versions of Windows. - - +In addition, warn mode is not supported on devices running older versions of Windows. 
In those cases, attack surface reduction rules that are configured to run in warn mode will run in block mode. ## Notifications when a rule is triggered -Whenever a rule is triggered, a notification will be displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays within the Microsoft Defender Security Center and the Microsoft 365 security center. +Whenever a rule is triggered, a notification will be displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays within the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)). ## Attack surface reduction features across Windows versions From 6085c05391a266f9106c57e06c2a417248bbf80c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 9 Dec 2020 17:21:39 -0800 Subject: [PATCH 38/53] Update attack-surface-reduction.md --- .../attack-surface-reduction.md | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 6319fcee8b..6e9d5e5bfe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
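Review bot: the rewritten fallback text "In addition, warn mode is not supported on devices running older versions of Windows. In those cases, attack surface reduction rules that are configured to run in warn mode will run in block mode" now sits directly under the list of four unsupported rules, so "In those cases" reads as covering both the old-OS case and the four rules, yet the sentence only names the OS case. Say explicitly whether those four rules also fall back to block mode when configured for warn. "Older versions of Windows" is also vague when the requirements section just above names the cutoff; write "versions earlier than Windows 10, version 1809 and Windows Server, version 1809". Adding the two portal URLs to the notifications paragraph is a good change.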
@@ -52,6 +52,21 @@ In the recommendation details pane, check the user impact to determine what perc Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. +## Silent auditing + +(**NEW**!) To add security value, a sample of attack surface reduction audit events are now collected on devices that do not have attack surface reduction rules enabled in either audit mode or block mode. + +By default, attack surface reduction rules are not enabled in audit mode. Silent auditing is a new capability that collects events for the following four attack surface reduction rules: +- [Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) +- [Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) +- [Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) +- [Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) + +The other attack surface reduction rules that are not configured will not have any auditing events collected. And, you can disable silent auditing by disabling the rules. + +> [!NOTE] +> Currently, auditing events are not viewable in advanced hunting. + ## Warn mode for users (**NEW**!) 
Prior to warn mode capabilities, attack surface reduction rules that are enabled could be set to either audit mode or block mode. With the new warn mode, whenever content is blocked by an attack surface reduction rule, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. WHen a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes. 
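Review bot: "a sample of attack surface reduction audit events are now collected" should read "is now collected", and the new Silent auditing section should say where the collected events go and who can view them, since the NOTE only says they are not viewable in advanced hunting; an admin assessing the telemetry and privacy impact of data "collected on devices that do not have attack surface reduction rules enabled" needs that. The opt-out sentence "you can disable silent auditing by disabling the rules" is ambiguous because the section has just said the rules are not enabled by default: spell out that each of the four rules must be explicitly set to the disabled state rather than left not configured. Also drop the leading "And," from "And, you can disable silent auditing".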
@@ -140,7 +155,7 @@ If you are configuring attack surface reduction rules by using Group Policy or P | Rule name | GUID | File & folder exclusions | Minimum OS supported | |:-----|:-----:|:-----|:-----| -|[Block abuse of in-the-wild exploited vulnerable signed drivers](#block-abuse-of-in-the-wild-exploited-vulnerable-signed-drivers) (NEW!) |`56a863a9-875e-4185-98a7-b882c64b5ce5` | |[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block abuse of in-the-wild exploited vulnerable signed drivers](#block-abuse-of-in-the-wild-exploited-vulnerable-signed-drivers) (**NEW**!) |`56a863a9-875e-4185-98a7-b882c64b5ce5` | |[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | From ccbddd6847d80b675c6d40bfc3e606ef73174122 Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Wed, 9 Dec 2020 17:26:39 -0800 Subject: [PATCH 39/53] Update attack-surface-reduction.md --- .../attack-surface-reduction.md | 48 +++++++++---------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 6e9d5e5bfe..6a73600f8d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -174,7 +174,7 @@ If you are configuring attack surface reduction rules by using Group Policy or P ### Block abuse of in-the-wild exploited vulnerable signed drivers -(**NEW**!) This rule prevents an application from writing a vulnerable signed driver to disk. Vulnerable signed drivers can be exploited by local applications with sufficient privileges, to gain access to the kernel. It allows attackers to disable or circumvent security solutions, eventually leading to system compromise. +(**NEW**!) This new rule prevents an application from writing a vulnerable signed driver to disk. Vulnerable signed drivers can be exploited by local applications with sufficient privileges, to gain access to the kernel. It allows attackers to disable or circumvent security solutions, eventually leading to system compromise. This rule does not block a driver already existing on the system from being loaded. @@ -187,7 +187,7 @@ This rule is supported on all versions of Windows where attack surface reduction - Windows Server, version 1803 (Semi-Annual Channel) or later - Windows Server 2019 -Intune Name: Block abuse of exploited vulnerable signed drivers +Intune Name: `Block abuse of exploited vulnerable signed drivers` Configuration Manager name: Not Applicable 
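Review bot: In the @@ -187 hunk, the labels "Intune Name:" (capital N) and "Configuration Manager name: Not Applicable" (capital A) do not match the "Intune name:" and "Not applicable" casing used in the other rule sections of this same patch; lowercase both so the per-rule blocks are uniform. In the @@ -174 hunk, "(**NEW**!) This new rule prevents" says "new" twice; "(**NEW**!) This rule prevents" is enough.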
@@ -204,7 +204,7 @@ This rule was introduced in: - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -Intune name: Process creation from Adobe Reader (beta) +Intune name: `Process creation from Adobe Reader (beta)` Configuration Manager name: Not yet available @@ -222,9 +222,9 @@ This rule was introduced in: - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) -Intune name: Office apps launching child processes +Intune name: `Office apps launching child processes` -Configuration Manager name: Block Office application from creating child processes +Configuration Manager name: `Block Office application from creating child processes` GUID: `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` @@ -243,9 +243,9 @@ This rule was introduced in: - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) -Intune name: Flag credential stealing from the Windows local security authority subsystem +Intune name: `Flag credential stealing from the Windows local security authority subsystem` -Configuration Manager name: Block credential stealing from the Windows local security authority subsystem +Configuration Manager name: `Block credential stealing from the Windows local security authority subsystem` GUID: `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` 
@@ -262,9 +262,9 @@ This rule was introduced in: - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - [Microsoft Endpoint Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) -Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions) +Intune name: `Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)` -Microsoft Endpoint Configuration Manager name: Block executable content from email client and webmail +Microsoft Endpoint Configuration Manager name: `Block executable content from email client and webmail` GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` @@ -287,9 +287,9 @@ This rule was introduced in: - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) -Intune name: Executables that don't meet a prevalence, age, or trusted list criteria. +Intune name: `Executables that don't meet a prevalence, age, or trusted list criteria` -Configuration Manager name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria +Configuration Manager name: `Block executable files from running unless they meet a prevalence, age, or trusted list criteria` GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25` 
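Review bot: In the @@ -262 hunk the label reads "Microsoft Endpoint Configuration Manager name:" while the adjacent rule sections use "Configuration Manager name:"; since the value on that line is being wrapped in backticks anyway, normalize the label in the same change so every rule block carries the same two labels. The trailing-period removal in the @@ -287 Intune name is correct and matches the other names.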
@@ -305,9 +305,9 @@ This rule was introduced in: - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) -Intune name: Obfuscated js/vbs/ps/macro code +Intune name: `Obfuscated js/vbs/ps/macro code` -Configuration Manager name: Block execution of potentially obfuscated scripts. +Configuration Manager name: `Block execution of potentially obfuscated scripts` GUID: `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` @@ -323,9 +323,9 @@ This rule was introduced in: - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) -Intune name: js/vbs executing payload downloaded from Internet (no exceptions) +Intune name: `js/vbs executing payload downloaded from Internet (no exceptions)` -Configuration Manager name: Block JavaScript or VBScript from launching downloaded executable content +Configuration Manager name: `Block JavaScript or VBScript from launching downloaded executable content` GUID: `D3E037E1-3EB8-44C8-A917-57927947596D` 
@@ -333,7 +333,7 @@ GUID: `D3E037E1-3EB8-44C8-A917-57927947596D` This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk. - Malware that abuses Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique. +Malware that abuses Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique. This rule was introduced in: - [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) @@ -341,9 +341,9 @@ This rule was introduced in: - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - [System Center Configuration Manager](https://docs.microsoft.com/configmgr/core/servers/manage/updates) (SCCM) CB 1710 (SCCM is now Microsoft Endpoint Configuration Manager) -Intune name: Office apps/macros creating executable content +Intune name: `Office apps/macros creating executable content` -SCCM name: Block Office applications from creating executable content +SCCM name: `Block Office applications from creating executable content` GUID: `3B576869-A4EC-4529-8536-B80A7769E899` 
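Review bot: In the @@ -341 hunk, the label "SCCM name:" differs from the "Configuration Manager name:" label used in every other rule section, and the context line just above already states that SCCM is now Microsoft Endpoint Configuration Manager; rename the label to "Configuration Manager name:" while the value is being backticked. The @@ -333 hunk correctly drops the stray leading space that was turning the "Malware that abuses Office as a vector" paragraph into an indented line.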
@@ -363,9 +363,9 @@ This rule was introduced in: - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) -Intune name: Office apps injecting code into other processes (no exceptions) +Intune name: `Office apps injecting code into other processes (no exceptions)` -Configuration Manager name: Block Office applications from injecting code into other processes +Configuration Manager name: `Block Office applications from injecting code into other processes` GUID: `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` @@ -383,9 +383,9 @@ This rule was introduced in: - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -Intune name: Process creation from Office communication products (beta) +Intune name: `Process creation from Office communication products (beta)` -Configuration Manager name: Not yet available +Configuration Manager name: Not available GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869` @@ -402,9 +402,9 @@ This rule was introduced in: - [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) - [Windows Server 1903](https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903-1909) -Intune name: Not yet available +Intune name: Not available -Configuration Manager name: Not yet available +Configuration Manager name: Not available GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b` From 3fa1f0577656d6f052b3d9e2e44448a3999d2fef Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 9 Dec 2020 17:27:58 -0800 Subject: [PATCH 40/53] Update attack-surface-reduction.md --- .../attack-surface-reduction.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
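Review bot: The @@ -383 and @@ -402 hunks change "Not yet available" to "Not available", but the @@ -204 hunk earlier in this same patch (the Adobe Reader rule) leaves "Configuration Manager name: Not yet available" unchanged; pick one wording ("Not available" reads as a final state, "Not yet available" as a pending one) and apply it to all three places.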
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 6a73600f8d..8a4e322ae0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -420,7 +420,7 @@ This rule was introduced in: - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -Intune name: Process creation from PSExec and WMI commands +Intune name: `Process creation from PSExec and WMI commands` Configuration Manager name: Not applicable @@ -436,9 +436,9 @@ This rule was introduced in: - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) -Intune name: Untrusted and unsigned processes that run from USB +Intune name: `Untrusted and unsigned processes that run from USB` -Configuration Manager name: Block untrusted and unsigned processes that run from USB +Configuration Manager name: `Block untrusted and unsigned processes that run from USB` GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` @@ -454,9 +454,9 @@ This rule was introduced in: - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) -Intune name: Win32 imports from Office macro code +Intune name: `Win32 imports from Office macro code` -Configuration Manager name: Block Win32 API calls from Office macros +Configuration Manager name: `Block Win32 API calls from Office macros` GUID: `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` 
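Review bot: In the @@ -420 hunk, the context line "Configuration Manager name: Not applicable" uses lowercase "applicable", whereas the signed-driver section touched in PATCH 39 (@@ -187) has "Not Applicable"; settle on one casing across the rule sections. The backticked Intune and Configuration Manager names in @@ -436 and @@ -454 look correct.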
@@ -473,9 +473,9 @@ This rule was introduced in: - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) -Intune name: Advanced ransomware protection +Intune name: `Advanced ransomware protection` -Configuration Manager name: Use advanced protection against ransomware +Configuration Manager name: `Use advanced protection against ransomware` GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35` From 9ad86a573616ec14810c9b9b576ee5ce9e815a16 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 9 Dec 2020 17:34:22 -0800 Subject: [PATCH 41/53] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 8a4e322ae0..b67df3ca92 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
@@ -44,7 +44,7 @@ For more information about configuring attack surface reduction rules, see [Enab You can assess how an attack surface reduction rule might impact your network by opening the security recommendation for that rule in [threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/#tvm). -:::image type="content" source="images/asrrecommendation.png" alt-text="Security recommendation for ASR rule"::: +:::image type="content" source="images/asrrecommendation.png" alt-text="Security reco for attack surface reduction rule"::: In the recommendation details pane, check the user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adverse impact to user productivity. @@ -54,7 +54,7 @@ Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduc ## Silent auditing -(**NEW**!) To add security value, a sample of attack surface reduction audit events are now collected on devices that do not have attack surface reduction rules enabled in either audit mode or block mode. +(**NEW**!) To add security value, a sample of attack surface reduction audit events is now collected on devices that do not have attack surface reduction rules enabled in either audit mode or block mode. The collected events are throttled to 100 events per device By default, attack surface reduction rules are not enabled in audit mode. Silent auditing is a new capability that collects events for the following four attack surface reduction rules: - [Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) 
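Review bot: In the @@ -44 hunk, the new alt text "Security reco for attack surface reduction rule" abbreviates "recommendation" to "reco"; alt text is read aloud by screen readers, so spell it out: `alt-text="Security recommendation for attack surface reduction rule"`. In the @@ -54 hunk, the subject-verb fix ("a sample ... is now collected") is right, but the sentence "The collected events are throttled to 100 events per device" still lacks a terminating period.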
@@ -69,7 +69,7 @@ The other attack surface reduction rules that are not configured will not have a ## Warn mode for users -(**NEW**!) Prior to warn mode capabilities, attack surface reduction rules that are enabled could be set to either audit mode or block mode. With the new warn mode, whenever content is blocked by an attack surface reduction rule, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. WHen a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes. +(**NEW**!) Prior to warn mode capabilities, attack surface reduction rules that are enabled could be set to either audit mode or block mode. With the new warn mode, whenever content is blocked by an attack surface reduction rule, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. When a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes. Warn mode helps your organization have attack surface reduction rules in place without preventing users from accessing the content they need to perform their tasks. @@ -136,7 +136,7 @@ You can review the Windows event log to view events generated by attack surface 5. Select **OK**. -This will create a custom view that filters events to only show the following, all of which are related to controlled folder access: +You can create a custom view that filters events to only show the following events, all of which are related to controlled folder access: |Event ID | Description | |---|---| 
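Review bot: In the @@ -136 hunk, the rewritten sentence "You can create a custom view that filters events to only show the following events" changes the meaning: the numbered steps above it (ending with "5. Select **OK**") are what produce the view, so "This creates a custom view that filters events to show only the following" keeps the cause-and-effect that "You can create" loses, and avoids repeating "events". Separately, the sentence says the events are "related to controlled folder access" although this file is attack-surface-reduction.md; check whether that should read "attack surface reduction". The "WHen" to "When" fix in @@ -69 is good.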
@@ -212,7 +212,7 @@ GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` ### Block all Office applications from creating child processes -This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. +This rule blocks Office apps from creating child processes. Office apps include Word, Excel, PowerPoint, OneNote, and Access. Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings. From ecfec7b56dc664418fc3cf0e4c0af9cb105b87f5 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 9 Dec 2020 17:36:16 -0800 Subject: [PATCH 42/53] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index b67df3ca92..9cbb770158 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
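Review bot: In the @@ -212 hunk, the unchanged context line "Malware that abuse Office as a vector often run VBA macros" has two agreement errors ("Malware that abuses ... often runs"); since this paragraph is being edited, fix them in the same hunk. The split into "Office apps include Word, Excel, PowerPoint, OneNote, and Access" reads better than the dangling "This includes".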
@@ -232,7 +232,7 @@ GUID: `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` This rule helps prevent credential stealing, by locking down Local Security Authority Subsystem Service (LSASS). -LSASS authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. +LSASS authenticates users who sign in on a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. > [!NOTE] > In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is NO need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat. 
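Review bot: In the @@ -232 hunk, "users who sign in on a Windows computer" pairs "sign in" with an odd preposition; "users who sign in to a Windows computer" is the usual form if "log in" is being retired. The rest of the paragraph and the NOTE block are unchanged context.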
@@ -373,7 +373,7 @@ GUID: `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions. -This protects against social engineering attacks and prevents exploit code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised. +This rule protects against social engineering attacks and prevents exploit code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised. > [!NOTE] > This rule applies to Outlook and Outlook.com only. From eeac52a8eb5b05446a61c9b4e4727dccd7f892bd Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 10 Dec 2020 14:47:58 -0800 Subject: [PATCH 43/53] Update attack-surface-reduction.md --- .../attack-surface-reduction.md | 43 ++----------------- 1 file changed, 3 insertions(+), 40 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 9cbb770158..fc88435234 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
@@ -52,21 +52,6 @@ In the recommendation details pane, check the user impact to determine what perc Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. -## Silent auditing - -(**NEW**!) To add security value, a sample of attack surface reduction audit events is now collected on devices that do not have attack surface reduction rules enabled in either audit mode or block mode. The collected events are throttled to 100 events per device - -By default, attack surface reduction rules are not enabled in audit mode. Silent auditing is a new capability that collects events for the following four attack surface reduction rules: -- [Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) -- [Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) -- [Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) -- [Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) - -The other attack surface reduction rules that are not configured will not have any auditing events collected. And, you can disable silent auditing by disabling the rules. - -> [!NOTE] -> Currently, auditing events are not viewable in advanced hunting. 
- ## Warn mode for users (**NEW**!) Prior to warn mode capabilities, attack surface reduction rules that are enabled could be set to either audit mode or block mode. With the new warn mode, whenever content is blocked by an attack surface reduction rule, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. When a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes. @@ -87,8 +72,8 @@ For more information and to get your updates, see [Update for Microsoft Defender ### Cases where warn mode is not supported -Warn mode is not supported for the following four attack surface reduction rules: -- (NEW!) [Block abuse of in-the-wild exploited vulnerable signed drivers](#block-abuse-of-in-the-wild-exploited-vulnerable-signed-drivers) (GUID `56a863a9-875e-4185-98a7-b882c64b5ce5`) +Warn mode is not supported for the following attack surface reduction rules: + - [Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) (GUID `d3e037e1-3eb8-44c8-a917-57927947596d`) - [Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) (GUID `e6db77e5-3df2-4cf1-b95a-636979351e5b`) - [Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) (GUID `c1db55ab-c21a-4637-bb3f-a12568109d35`) 
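Review bot: In the @@ -87 hunk, the removed signed-driver bullet is replaced by a line containing only a space (`+ `), which leaves a whitespace-only line between "Warn mode is not supported for the following attack surface reduction rules:" and the first bullet; delete the line entirely rather than leaving trailing whitespace. In the @@ -52 hunk the whole "## Silent auditing" section is removed; confirm no other page links to that anchor, since the section also carried the only NOTE that auditing events are not viewable in advanced hunting.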
@@ -148,14 +133,13 @@ The "engine version" listed for attack surface reduction events in the event log ## Attack surface reduction rules -The following table and subsections describe each of the 16 attack surface reduction rules. The attack surface reduction rules are listed in alphabetical order, by rule name. +The following table and subsections describe each of the 15 attack surface reduction rules. The attack surface reduction rules are listed in alphabetical order, by rule name. If you are configuring attack surface reduction rules by using Group Policy or PowerShell, you'll need the GUIDs. On the other hand, if you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs. | Rule name | GUID | File & folder exclusions | Minimum OS supported | |:-----|:-----:|:-----|:-----| -|[Block abuse of in-the-wild exploited vulnerable signed drivers](#block-abuse-of-in-the-wild-exploited-vulnerable-signed-drivers) (**NEW**!) |`56a863a9-875e-4185-98a7-b882c64b5ce5` | |[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | 
[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | 
@@ -172,27 +156,6 @@ If you are configuring attack surface reduction rules by using Group Policy or P |[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -### Block abuse of in-the-wild exploited vulnerable signed drivers - -(**NEW**!) This new rule prevents an application from writing a vulnerable signed driver to disk. Vulnerable signed drivers can be exploited by local applications with sufficient privileges, to gain access to the kernel. It allows attackers to disable or circumvent security solutions, eventually leading to system compromise. - -This rule does not block a driver already existing on the system from being loaded. - -> [!TIP] -> You can submit a driver for analysis at the [Microsoft Security Intelligence site](https://www.microsoft.com/wdsi/driversubmission). - -This rule is supported on all versions of Windows where attack surface reduction rules are currently supported: -- Windows 10 Pro, version 1709 or later -- Windows 10 Enterprise, version 1709 or later -- Windows Server, version 1803 (Semi-Annual Channel) or later -- Windows Server 2019 - -Intune Name: `Block abuse of exploited vulnerable signed drivers` - -Configuration Manager name: Not Applicable - -Rule guid: `56a863a9-875e-4185-98a7-b882c64b5ce5` - ### Block Adobe Reader from creating child processes This rule prevents attacks by blocking Adobe Reader from creating additional processes. From 423558a767557cf82ff659b6de501ab668f43e83 Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Thu, 10 Dec 2020 14:49:49 -0800 Subject: [PATCH 44/53] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index fc88435234..3456c7128e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -14,7 +14,7 @@ ms.author: deniseb ms.reviewer: sugamar, jcedola manager: dansimp ms.custom: asr -ms.date: 12/09/2020 +ms.date: 12/10/2020 --- # Use attack surface reduction rules to prevent malware infection From 792cee0b921da14f53d254ec41f7b0ddd50e4001 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 10 Dec 2020 15:05:43 -0800 Subject: [PATCH 45/53] Update controlled-folders.md --- .../microsoft-defender-atp/controlled-folders.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index 272d1480ec..ae6fe0d261 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb audience: ITPro -ms.date: 11/05/2020 +ms.date: 12/10/2020 ms.reviewer: v-maave manager: dansimp ms.custom: asr 
@@ -44,6 +44,19 @@ Controlled folder access is especially useful in helping to protect your documen The protected folders include common system folders (including boot sectors), and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. +By default, the following Windows system folders are protected: +- `c:\Users\\Documents` +- `c:\Users\Public\Documents` +- `c:\Users\\Pictures` +- `c:\Users\Public\Pictures` +- `c:\Users\Public\Videos` +- `c:\Users\\Music` +- `c:\Users\Public\Music` +- `c:\Users\\Favorites` + +> [!NOTE] +> You cannot remove the Windows system folders that are protected by default. + You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. Controlled folder access is supported on Windows 10, version 1709 and later and Windows Server 2019. From e5ce0046d22ffd7543e4c6d582387ef1f820d3cc Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 10 Dec 2020 15:27:07 -0800 Subject: [PATCH 46/53] Update controlled-folders.md --- .../controlled-folders.md | 69 +++++++------------ 1 file changed, 24 insertions(+), 45 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index ae6fe0d261..b6163d243c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md 
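Review bot: In the @@ -44 hunk of controlled-folders.md, the added paths `c:\Users\\Documents`, `c:\Users\\Pictures`, `c:\Users\\Music` and `c:\Users\\Favorites` contain a double backslash where the per-user folder name belongs, which suggests a placeholder such as `<username>` was lost in editing; restore a placeholder (for example `c:\Users\<username>\Documents`) so the paths are valid, and make the Public-folder entries consistent with whatever form is chosen. The list is also labelled "Windows system folders" while every entry is a user-profile or Public folder; the intro sentence should say so.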
@@ -40,11 +40,20 @@ Controlled folder access works with a list of trusted software. If an app is inc Apps can also be manually added to the trusted list via Configuration Manager and Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for the app, can be performed from the Security Center Console. +## Why controlled folder access is important + Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware). In a ransomware attack, your files can get encrypted and held hostage. With controlled folder access in place, a notification appears on the computer where an app attempted to make changes to a file in a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. -The protected folders include common system folders (including boot sectors), and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. +The [protected folders](#review-controlled-folder-access-events-in-windows-event-viewer) include common system folders (including boot sectors), and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. + +You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. 
You can also visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. + +Controlled folder access is supported on Windows 10, version 1709 and later and Windows Server 2019. + +## Windows system folders are protected by default + +Your Windows system folders are protected by default, along with several other folders. These folders include: -By default, the following Windows system folders are protected: - `c:\Users\\Documents` - `c:\Users\Public\Documents` - `c:\Users\\Pictures` @@ -55,13 +64,9 @@ By default, the following Windows system folders are protected: - `c:\Users\\Favorites` > [!NOTE] -> You cannot remove the Windows system folders that are protected by default. +> You can configure additional folders as protected, but you cannot remove the Windows system folders that are protected by default. -You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. - -Controlled folder access is supported on Windows 10, version 1709 and later and Windows Server 2019. - -## Requirements +## Requirements for controlled folder access Controlled folder access requires enabling [Microsoft Defender Antivirus real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md). 
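Review bot: In hunk `@@ -40,11 +40,20 @@`, the new link `[protected folders](#review-controlled-folder-access-events-in-windows-event-viewer)` points at the Event Viewer section, which does not list any folders; it should point at the section this same patch adds, `#windows-system-folders-are-protected-by-default` (the anchor the `@@ -118,39 +125,11 @@` hunk of this patch already uses). While this paragraph is being restructured, confirm that the kept sentence "You can also enable the rules individually to customize what techniques the feature monitors" belongs here: nothing else on this page describes individual rules for controlled folder access, and the wording matches the attack surface reduction rules page.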
@@ -90,19 +95,21 @@ You can review the Windows event log to see events that are created when control 4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views.md). -5. Click **OK**. +5. Select **OK**. After following the procedure, you have created a custom view that shows events related to controlled folder access, as listed in the following table: |Event ID | Description | -|---|---| +|:---|:---| |5007 | Event when settings are changed | |1124 | Audited controlled folder access event | |1123 | Blocked controlled folder access event | ## View or change the list of protected folders -### Windows 10 security app +You can use the Windows Security app to view the list of folders that are protected by controlled folder access. + +### View or change the list of protected folders using the Windows Security app 1. On your Windows 10 device, open the Windows Security app. 
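Review bot: In hunk `@@ -90,19 +95,21 @@`, the added H3 "View or change the list of protected folders using the Windows Security app" repeats the H2 "View or change the list of protected folders" immediately above it, with only one sentence in between; drop the H3 and let the numbered steps sit under the H2, or give it a distinct title if a second procedure (Intune, Configuration Manager) is planned for this section. The added intro sentence also says only that you can "view" the list, while the heading and the steps below cover removing folders too; "view or change" keeps the three consistent.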
@@ -118,39 +125,11 @@ After following the procedure, you have created a custom view that shows events - To remove a folder, select it, and then select **Remove**. +> [!NOTE] +> [Windows system folders](#windows-system-folders-are-protected-by-default) are protected by default, and you cannot remove them from the list. + ## See also -- [Evaluate controlled folder access](evaluate-controlled-folder-access.md). Use a dedicated demo tool to see how controlled folder access works, and what events would typically be created. - - -## Default folders protected by controlled folder access -Windows system folders are protected by default. In addition, there are several folders that are protected by controlled folder access by default. You can configure additional folders as protected, but cannot remove the default folders from the controlled folder access protection. See [Protect additional folders](customize-controlled-folders.md#protect-additional-folders) for more information. - -Here's the list of default protected folders: -- %USERPROFILE%\Documents -- %USERPROFILE%\Favorites -- %USERPROFILE%\Music -- %USERPROFILE%\Pictures -- %USERPROFILE%\Videos -- %PUBLIC%\Documents -- %PUBLIC%\Music -- %PUBLIC%\Pictures -- %PUBLIC%\Videos - -You can use the Windows Security app to view the list of default folders protected by controlled folder access: - -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then scroll down to the **Ransomware protection** section. - -3. Click the **Manage ransomware protection** link to open the **Ransomware protection** pane. - -4. Under the **Controlled folder access** section, click the **Protected folders** link. - -5. Click **Yes** on the **User Access Control** prompt. - - The **Protected folders** pane displays the folders that are protected by default. 
- -## In this section - - [Customize controlled folder access](customize-controlled-folders.md). Add additional protected folders, and allow specified apps to access protected folders. +- [Evaluate controlled folder access](evaluate-controlled-folder-access.md) +- [Customize controlled folder access](customize-controlled-folders.md) +- [Protect additional folders](customize-controlled-folders.md#protect-additional-folders) From 3ca7c1e48fea27de53a415d1eeea584992d1b7a3 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 10 Dec 2020 15:31:10 -0800 Subject: [PATCH 47/53] Update controlled-folders.md --- .../microsoft-defender-atp/controlled-folders.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index b6163d243c..e034c4b032 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md 
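Review bot: In hunk `@@ -118,39 +125,11 @@`, the removed default-folder list includes `%USERPROFILE%\Videos`, but the list that replaces it earlier in this file has only `c:\Users\Public\Videos`, so the per-user Videos folder silently disappears from the documented defaults; confirm against the product before deleting, and add the per-user Videos entry to the new list (in whatever placeholder form that list settles on) if it is protected. The removed "In this section" entry also carried a one-line description of the customize page, whereas the new "See also" entries are bare links; keeping a short description helps readers tell "Customize controlled folder access" and "Protect additional folders" apart, since both point at the same page.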
@@ -74,7 +74,7 @@ Controlled folder access requires enabling [Microsoft Defender Antivirus real-ti Defender for Endpoint provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -You can query Microsoft Defender for Endpoint data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. +You can query Microsoft Defender for Endpoint data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use [advanced hunting](advanced-hunting-overview.md) to see how controlled folder access settings would affect your environment if they were enabled. Example query: From 5372f7c669a3b4de919b62e387111d50b8242ff1 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 10 Dec 2020 15:46:11 -0800 Subject: [PATCH 48/53] Update controlled-folders.md --- .../microsoft-defender-atp/controlled-folders.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index e034c4b032..7919059f93 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md 
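Review bot: In hunk `@@ -74,7 +74,7 @@`, the sentence now links "advanced hunting" to `advanced-hunting-overview.md` one sentence after "Advanced hunting" is already linked to the absolute `docs.microsoft.com/.../advanced-hunting-windows-defender-advanced-threat-protection` URL; two links for the same term to different targets in one paragraph is confusing. Keep one, preferably the relative `advanced-hunting-overview.md` link that matches how the rest of this file links sibling topics, and drop the other.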
@@ -36,9 +36,11 @@ Controlled folder access works best with [Microsoft Defender for Endpoint](../mi Controlled folder access works by only allowing trusted apps to access protected folders. Protected folders are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, and so on, are included in the list of controlled folders. -Controlled folder access works with a list of trusted software. If an app is included in the list of trusted software, the app works as expected. If not, the app is blocked from making any changes to files that are inside protected folders. Apps are added to the trusted list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization, and that have never displayed any malicious behavior, are deemed trustworthy and automatically added to the list. +Controlled folder access works with a list of trusted apps. If an app is included in the list of trusted software, it works as expected. If not, the app is prevented from making any changes to files that are inside protected folders. -Apps can also be manually added to the trusted list via Configuration Manager and Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for the app, can be performed from the Security Center Console. +Apps are added to the list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization and that have never displayed any behavior deemed malicious are considered trustworthy. Those apps are added to the list automatically. + +Apps can also be added manually to the trusted list by using Configuration Manager or Intune. 
Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for an app, can be performed from the Security Center Console. ## Why controlled folder access is important @@ -48,7 +50,9 @@ The [protected folders](#review-controlled-folder-access-events-in-windows-event You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -Controlled folder access is supported on Windows 10, version 1709 and later and Windows Server 2019. +Controlled folder access is supported on the following versions of Windows: +- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) and later +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) ## Windows system folders are protected by default From ec1510a6960ac6c68a40bd44553e72b61bb50a69 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 10 Dec 2020 15:47:04 -0800 Subject: [PATCH 49/53] Update controlled-folders.md --- .../microsoft-defender-atp/controlled-folders.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index 7919059f93..27801e48ad 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md 
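Review bot: In hunk `@@ -36,9 +36,11 @@`, the rewritten first sentence says "a list of trusted apps" and the very next sentence says "the list of trusted software"; pick one term and use it in both, and again in the following paragraph ("Apps are added to the list ..."), so readers do not wonder whether two lists exist. The split into three shorter paragraphs reads well; "never displayed any behavior deemed malicious" could be tightened to "never displayed malicious behavior".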
@@ -56,7 +56,7 @@ Controlled folder access is supported on the following versions of Windows: ## Windows system folders are protected by default -Your Windows system folders are protected by default, along with several other folders. These folders include: +Windows system folders are protected by default, along with several other folders: - `c:\Users\\Documents` - `c:\Users\Public\Documents` @@ -113,8 +113,6 @@ After following the procedure, you have created a custom view that shows events You can use the Windows Security app to view the list of folders that are protected by controlled folder access. -### View or change the list of protected folders using the Windows Security app - 1. On your Windows 10 device, open the Windows Security app. 2. Select **Virus & threat protection**. From 4d545467ba94a4463f74498184a84d778a7a184f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 10 Dec 2020 15:50:20 -0800 Subject: [PATCH 50/53] Update controlled-folders.md --- .../microsoft-defender-atp/controlled-folders.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index 27801e48ad..80ec62a312 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md 
@@ -28,7 +28,7 @@ ms.custom: asr ## What is controlled folder access? -Controlled folder access helps you protect your valuable data from malicious apps and threats, like ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Supported on Windows Server 2019 and Windows 10 clients, controlled folder access can be turned on using the Windows Security App or in Microsoft Endpoint Configuration Manager and Intune (for managed devices). +Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Supported on Windows Server 2019 and Windows 10 clients, controlled folder access can be turned on using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices). Controlled folder access works best with [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). @@ -101,7 +101,7 @@ You can review the Windows event log to see events that are created when control 5. Select **OK**. -After following the procedure, you have created a custom view that shows events related to controlled folder access, as listed in the following table: +The following table shows events related to controlled folder access: |Event ID | Description | |:---|:---| From 3b7c523096c9671083fd656ddcfc6da580cdb9ed Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 10 Dec 2020 16:02:47 -0800 Subject: [PATCH 51/53] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 3456c7128e..a512161c89 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -80,9 +80,13 @@ Warn mode is not supported for the following attack surface reduction rules: In addition, warn mode is not supported on devices running older versions of Windows. In those cases, attack surface reduction rules that are configured to run in warn mode will run in block mode. -## Notifications when a rule is triggered +## Notifications and alerts -Whenever a rule is triggered, a notification will be displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays within the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)). +Whenever an attack surface reduction rule is triggered, a notification will be displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. + +In addition, when certain attack surface reduction rules are triggered, alerts are generated. + +Notifications and any alerts that are generated can be viewed in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and in the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)). ## Attack surface reduction features across Windows versions 
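Review bot: In hunk `@@ -80,9 +80,13 @@`, "when certain attack surface reduction rules are triggered, alerts are generated" leaves out the one fact a detection engineer needs from this section: which rules raise an alert in the portal and which produce only the device notification. Name those rules here or link to the page that lists them; as written, someone tuning alert coverage cannot tell whether a rule running in block mode will surface in the Security Center as an alert or only as an event.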
From e005e8860f8dbefc1b992e0861b6ccd5ddb9ea78 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 10 Dec 2020 16:09:10 -0800 Subject: [PATCH 52/53] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index a512161c89..b1e863e72f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -82,7 +82,7 @@ In addition, warn mode is not supported on devices running older versions of Win ## Notifications and alerts -Whenever an attack surface reduction rule is triggered, a notification will be displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. +Whenever an attack surface reduction rule is triggered, a notification is displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. In addition, when certain attack surface reduction rules are triggered, alerts are generated. From 3ddc1b52199709a15a64aa29c69dad5fd96138e7 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 10 Dec 2020 16:25:01 -0800 Subject: [PATCH 53/53] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index b1e863e72f..a0586d3024 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -88,6 +88,14 @@ In addition, when certain attack surface reduction rules are triggered, alerts a Notifications and any alerts that are generated can be viewed in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and in the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)). +## Advanced hunting and attack surface reduction events + +You can use advanced hunting to view attack surface reduction events. To streamline the volume of incoming data, only unique processes for each hour are viewable with advanced hunting. The time of an attack surface reduction event is the first time that event is seen within the hour. + +For example, suppose that an attack surface reduction event occurs on ten devices during the 2:00 PM hour. Suppose that the first event occurred at 2:15, and the last at 2:45. With advanced hunting, you'll see one instance of that event (even though it actually occurred on ten devices), and its timestamp will be 2:15 PM. + +For more information about advanced hunting, see [Proactively hunt for threats with advanced hunting](advanced-hunting-overview.md). + ## Attack surface reduction features across Windows versions You can set attack surface reduction rules for devices running any of the following editions and versions of Windows:
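Review bot: In hunk `@@ -88,6 +88,14 @@`, the stated rule ("only unique processes for each hour are viewable") and the worked example do not line up: the example collapses an event seen on ten devices into a single row, which would mean deduplication across the fleet rather than per device, and a hunter querying for affected devices would then see one of ten. State explicitly whether the hourly deduplication is per device (one row per device, per process, per hour) or fleet-wide, and which device the surviving row is attributed to; also write the times consistently ("2:15 PM" and "2:45 PM" rather than "2:15" and "2:45").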