From f8563c8c0789e1bc87cab683f4140b4e8e83a764 Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Mon, 28 Jan 2019 10:39:44 -0800 Subject: [PATCH] Rewrote ASR topics. --- .../attack-surface-reduction-exploit-guard.md | 35 ++---- .../enable-attack-surface-reduction.md | 116 +++--------------- 2 files changed, 26 insertions(+), 125 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 6db53d2fcf..584ec7aaf4 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -78,9 +78,6 @@ This rule blocks the following file types from being run or launched from an ema - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) - Script archive files ->[!IMPORTANT] ->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). - ### Rule: Block all Office applications from creating child processes Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. 
@@ -93,28 +90,18 @@ This rule targets typical behaviors used by suspicious and malicious add-ons and Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features. - ### Rule: Block Office applications from injecting code into other processes - Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. - ->[!IMPORTANT] ->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). - ### Rule: Block JavaScript or VBScript From launching downloaded executable content JavaScript and VBScript scripts can be used by malware to launch other malicious apps. This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines. - ->[!IMPORTANT] ->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). - ### Rule: Block execution of potentially obfuscated scripts Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. 
@@ -147,9 +134,6 @@ This rule provides an extra layer of protection against ransomware. Executable f Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS. ->[!IMPORTANT] ->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). - >[!NOTE] >Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat. @@ -157,6 +141,9 @@ Local Security Authority Subsystem Service (LSASS) authenticates users who log i This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks. +>[!IMPORTANT] +>File and folder exclusions do not apply to this ASR rule. + >[!WARNING] >[Only use this rule if you are managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands that the Configuration Manager client uses to function correctly.] 
@@ -183,17 +170,17 @@ You can review the Windows event log to see events that are created when an atta 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine. -1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. +2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. -2. On the left panel, under **Actions**, click **Import custom view...** +3. On the left panel, under **Actions**, click **Import custom view...** ![Animation showing the import custom view on the Event viewer window](images/events-import.gif) -3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). +4. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). -4. Click **OK**. +5. Click **OK**. -5. This will create a custom view that filters to only show the following events related to attack surface reduction rules: +6. This will create a custom view that filters to only show the following events related to attack surface reduction rules: Event ID | Description -|- @@ -201,8 +188,6 @@ You can review the Windows event log to see events that are created when an atta 1122 | Event when rule fires in Audit-mode 1121 | Event when rule fires in Block-mode - - ### Event fields - **ID**: matches with the Rule-ID that triggered the block/audit. 
@@ -211,11 +196,9 @@ You can review the Windows event log to see events that are created when an atta - **Description**: Additional details about the event or audit, including the signature, engine, and product version of Windows Defender Antivirus - ## In this section + ## Related topics Topic | Description ---|--- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how attack surface reduction rules work, and what events would typically be created. [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage attack surface reduction rules in your network. -[Customize attack surface reduction rules](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by attack surface reduction rules and customize the notification that appears on a user's machine when a rule blocks an app or file. - diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 2d6e86d1fb..ca38fa84c6 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md 
@@ -28,15 +28,21 @@ You can exclude files and folders from being evaluated by most attack surface re > >If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules). -You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. Exclusions apply to all rules that are enabled or are set to audit mode. +>[!IMPORTANT] +>File and folder exclusions do not apply to the **Block process creations originating from PSExec and WMI commands** ASR rule. -Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). +You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. Exclusions apply to all ASR rules that are enabled or are set to audit mode, except for the **Block process creations originating from PSExec and WMI commands**. -The procedures below for enabling ASR rules include instructions for how to exclude files and folders. +ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). 
+ +The following procedures for enabling ASR rules include instructions for how to exclude files and folders. ## Enable and audit attack surface reduction rules -You're most likely to use Intune or System Center Configuration Manager (SCCM) to configure ASR rules, but you can also use Group Policy, PowerShell, or MDM CSPs. +It's best to use an enterprise-level management platform like Intune or System Center Configuration Manager (SCCM) to configure ASR rules, but you can also use Group Policy, PowerShell, or third-party mobile device management (MDM) CSPs. + +>[!WARNING] +>If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy or PowerShell settings on startup. For a complete list of ASR rules, see [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md). @@ -62,7 +68,10 @@ For further details on how audit mode works and when to use it, see [Audit Windo For information about enabling ASR rules and setting exclusions in SCCM, see [Create and deploy an Exploit Guard policy](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-deploy-exploit-guard-policy). -### Enable ASR rules with group policy +### Enable ASR rules with Group Policy + +>[!WARNING] +>If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup. 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 
@@ -82,6 +91,9 @@ For information about enabling ASR rules and setting exclusions in SCCM, see [Cr ### Enable ASR rules with PowerShell +>[!WARNING] +>If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup. + 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**. 2. Enter the following cmdlet: 
@@ -133,97 +145,3 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusio - [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) - [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) - - - -**OLD TOPIC FOR COMPARISON** - -Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. - -## Enable and audit attack surface reduction rules - -You can use Group Policy, PowerShell, or MDM CSPs to configure the state or mode for each rule. This can be useful if you only want to enable some rules, or you want to enable rules individually in audit mode. - -For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). - -Attack surface reduction rules are identified by their unique rule ID. 
- -You can manually add the rules by using the GUIDs in the following table: - -Rule description | GUID --|- -Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A -Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 -Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D -Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25 -Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 -Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c -Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 -Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c - -See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. - -### Use Group Policy to enable or audit attack surface reduction rules - -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -2. 
In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. - -3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**. - -4. Double-click the **Configure Attack surface reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section: - - Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: - - Block mode = 1 - - Disabled = 0 - - Audit mode = 2 - -![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png) - -### Use PowerShell to enable or audit attack surface reduction rules - -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** -2. Enter the following cmdlet: - - ```PowerShell - Set-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Enabled - ``` - -You can enable the feature in audit mode using the following cmdlet: - -```PowerShell -Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode -``` -Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. - ->[!IMPORTANT> ->You must specify the state individually for each rule, but you can combine rules and states in a comma seperated list. -> ->In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode: -> ->```PowerShell ->Set-MpPreference -AttackSurfaceReductionRules_Ids ,,, -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode ->``` - - -You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list. - ->[!WARNING] ->`Set-MpPreference` will always overwrite the existing set of rules. 
If you want to add to the existing set, you should use `Add-MpPreference` instead. ->You can obtain a list of rules and their current state by using `Get-MpPreference` - - -### Use MDM CSPs to enable attack surface reduction rules - -Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule. - -## Related topics - -- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) -- [Customize attack surface reduction](customize-attack-surface-reduction.md) -- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
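Review bot: in hunk @@ -78,9 +78,6 @@ of attack-surface-reduction-exploit-guard.md (and in the two hunks that follow for the code-injection, JavaScript/VBScript and LSASS rules) the "Exclusions do not apply to this rule" note is removed while only the PSExec/WMI rule gains it, so the topic now tells readers that four rules which previously ignored exclusions honor them. Please confirm with the product owner that the exclusion behaviour of those four rules actually changed and not just the wording; customers size their exclusion lists on this statement, and a silent change here can leave them believing a path is excluded when the rule still fires.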
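Review bot: in hunk @@ -93,28 +90,18 @@ the unchanged heading "### Rule: Block JavaScript or VBScript From launching downloaded executable content" has a stray capital "From"; since the surrounding lines are being edited anyway, lower-case it to match the other rule headings such as "Block Office applications from injecting code into other processes".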
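Review bot: in hunk @@ -157,6 +141,9 @@ the new IMPORTANT note ("File and folder exclusions do not apply to this ASR rule.") drops the link that the removed notes carried to the exclusion instructions, and the same patch removes the Customize topic from Related topics, so a reader has no path from this rule to the exclusion guidance; link the note to the exclusion section of enable-attack-surface-reduction.md instead. The context WARNING directly below is also wrapped in literal square brackets (">[Only use this rule if ... correctly.]"), which render as text rather than as a link; remove the outer brackets while you are in this block.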
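Review bot: in hunk @@ -211,11 +196,9 @@ the row for "Enable attack surface reduction rules" still reads "Use Group Policy, PowerShell, or MDM CSPs to enable and manage attack surface reduction rules", but the rewritten enable topic in this same patch now recommends Intune or SCCM first and warns that they override Group Policy and PowerShell; update the description so the table does not contradict the topic it points to. Dropping the Customize row also leaves customize-attack-surface-reduction.md unreferenced from this table; if that topic is being retired, the redirect and TOC change are not part of this patch.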
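Review bot: in hunk @@ -28,15 +28,21 @@ of enable-attack-surface-reduction.md the new IMPORTANT note and the sentence three lines later state the same PSExec/WMI exception; keep one of them. That sentence also ends on the bold rule name with no noun ("except for the **Block process creations originating from PSExec and WMI commands**.") and should read "... commands** rule." The tool is spelled "PSExec" here and "PsExec" in the other topic; pick one. Two points in the added "It's best to use ..." paragraph and WARNING: "third-party mobile device management (MDM) CSPs" is inaccurate, because CSPs are the Windows-side policy interfaces and it is the MDM product driving them that may be third-party, so write "third-party MDM solutions" or keep the original "MDM CSPs"; and "Intune, SCCM, or other enterprise-level management platform" needs "another".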
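Review bot: in hunk @@ -82,6 +91,9 @@ (and hunk @@ -62,7 +68,10 @@ before it) this is the third copy of the same WARNING within one topic, after the one already added to the section intro; one copy at the top of "Enable and audit attack surface reduction rules" is enough, and the per-section copies can be a one-line pointer to it. The WARNING also says the management software overwrites conflicting settings "on startup"; please confirm that wording with the product team, because if the override actually happens at each policy refresh rather than at boot, an admin testing a Set-MpPreference change would otherwise expect it to persist until the next restart.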
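Review bot: in hunk @@ -133,97 +145,3 @@ deleting the "**OLD TOPIC FOR COMPARISON**" remnant is the right call, since draft material like this should never reach the published file, but two pieces of content exist only in the removed block as far as this patch shows: the rule-description-to-GUID table and the note that `Set-MpPreference` replaces the whole rule list while `Add-MpPreference` appends to it and `Get-MpPreference` shows the current state. Confirm both survive in the retained part of the topic (above line 133, which is not visible in this diff); the PowerShell section shown in hunk @@ -82 only reaches "Enter the following cmdlet:", and without the GUID table a reader cannot address a rule at all.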