Mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git, synced 2025-05-22 18:27:23 +00:00
---
title: Use Attack surface reduction rules to prevent malware infection
description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware
keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
---

# Reduce attack surfaces with Windows Defender Exploit Guard

**Applies to:**

- Windows 10, version 1709 and later
- Microsoft Office 365
- Microsoft Office 2016
- Microsoft Office 2013
- Microsoft Office 2010

**Audience**

- Enterprise security administrators

**Manageability available with**

- Group Policy
- PowerShell
- Configuration service providers for mobile device management

Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.

It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).

>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.

Attack surface reduction works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting on Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).

The feature consists of a number of rules, each of which targets a specific behavior that malware and malicious apps typically use to infect machines, such as:

- Executable files and scripts used in Office apps or web mail that attempt to download or run files
- Scripts that are obfuscated or otherwise suspicious
- Behaviors that apps undertake that are not usually initiated during normal day-to-day work

See the [Attack surface reduction rules](#attack-surface-reduction-rules) section in this topic for more information on each rule.

When a rule is triggered, a notification is displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.

You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Attack surface reduction would impact your organization if it were enabled.

## Requirements

Attack surface reduction requires Windows 10 Enterprise E5 and Windows Defender AV real-time protection.

Windows 10 version | Windows Defender Antivirus
---|---
Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled

## Attack surface reduction rules

Windows 10, version 1803 has five new Attack surface reduction rules:

- Block executable files from running unless they meet a prevalence, age, or trusted list criteria
- Use advanced protection against ransomware
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- Block process creations originating from PSExec and WMI commands
- Block untrusted and unsigned processes that run from USB

The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table:

Rule name | GUID
---|---
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
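
The GUIDs in this table are what the PowerShell management path works with. The following script is an added example, not code from this topic: it puts every rule listed above into audit mode and then reads the resulting configuration back with the rule names attached. The Defender module's `Add-MpPreference` and `Get-MpPreference` cmdlets, their `AttackSurfaceReductionRules_Ids` and `AttackSurfaceReductionRules_Actions` parameters, and the numeric action codes that `Get-MpPreference` reports (0 = Disabled, 1 = Block, 2 = Audit) are assumptions this topic does not state; the rule GUIDs are taken from the table.

```powershell
# Added example, not from this topic: configure every rule in the table above in
# audit mode and read the resulting configuration back. Assumptions not stated on
# this page: the Defender module's Add-MpPreference / Get-MpPreference cmdlets with
# the AttackSurfaceReductionRules_Ids and AttackSurfaceReductionRules_Actions
# parameters, and the action codes 0 = Disabled, 1 = Block, 2 = Audit that
# Get-MpPreference reports. Run from an elevated PowerShell prompt.

# Rule names and GUIDs exactly as listed in the table on this page.
$AsrRules = [ordered]@{
    'Block executable content from email client and webmail'                                           = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Block Office applications from creating child processes'                                          = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block Office applications from creating executable content'                                       = '3B576869-A4EC-4529-8536-B80A7769E899'
    'Block Office applications from injecting code into other processes'                               = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
    'Block JavaScript or VBScript from launching downloaded executable content'                        = 'D3E037E1-3EB8-44C8-A917-57927947596D'
    'Block execution of potentially obfuscated scripts'                                                = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'Block Win32 API calls from Office macro'                                                          = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
    'Block executable files from running unless they meet a prevalence, age, or trusted list criteria' = '01443614-cd74-433a-b99e-2ecdc07bfc25'
    'Use advanced protection against ransomware'                                                       = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
    'Block credential stealing from the Windows local security authority subsystem (lsass.exe)'        = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block process creations originating from PSExec and WMI commands'                                 = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
    'Block untrusted and unsigned processes that run from USB'                                         = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'
}

# Start in AuditMode: the rule logs event 1122 instead of blocking, so impact can
# be measured before switching to 'Enabled' (event 1121). Read the warning in
# this topic about the PsExec/WMI rule on SCCM-managed devices before enabling it.
$Action = 'AuditMode'

foreach ($rule in $AsrRules.GetEnumerator()) {
    # Add-MpPreference appends to the configured rule list rather than replacing
    # it, so rules managed elsewhere (for example by Group Policy) are left alone.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Value `
                     -AttackSurfaceReductionRules_Actions $Action
}

# Read back. Get-MpPreference returns the rule IDs and their actions as two
# parallel arrays; join them so the report shows the rule name from the table.
$pref       = Get-MpPreference
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }
$nameByGuid = @{}
foreach ($rule in $AsrRules.GetEnumerator()) { $nameByGuid[$rule.Value] = $rule.Key }

$report = for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id   = $pref.AttackSurfaceReductionRules_Ids[$i]
    $code = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    # Hashtable string keys compare case-insensitively, which matters because the
    # table mixes upper- and lower-case GUIDs.
    $name = if ($nameByGuid.ContainsKey($id)) { $nameByGuid[$id] } else { '(not in this table)' }
    $act  = if ($actionName.ContainsKey($code)) { $actionName[$code] } else { "Unknown ($code)" }
    [pscustomobject]@{ Rule = $name; Guid = $id; Action = $act }
}
$report | Format-Table -AutoSize
```

Running this on a machine that already has rules configured will report those too, marked as not in the table when their GUID is not one of the twelve above; that is the quickest way to spot a rule set by another management channel before you change it.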

The rules apply to the following Office apps running on Windows 10, version 1709. See the **Applies to** section at the start of this topic for a list of supported Office versions.

Supported Office apps:

- Microsoft Word
- Microsoft Excel
- Microsoft PowerPoint
- Microsoft OneNote

The rules do not apply to any other Office apps.

### Rule: Block executable content from email client and webmail

This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com):

- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
- Script archive files

>[!IMPORTANT]
>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).

### Rule: Block Office applications from creating child processes

Office apps, such as Word or Excel, will not be allowed to create child processes.

This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.

### Rule: Block Office applications from creating executable content

This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique.

Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Script Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features.

### Rule: Block Office applications from injecting code into other processes

Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes.

Malware typically uses code injection to run malicious code inside another process in an attempt to hide the activity from antivirus scanning engines.

>[!IMPORTANT]
>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).

### Rule: Block JavaScript or VBScript from launching downloaded executable content

JavaScript and VBScript scripts can be used by malware to launch other malicious apps.

This rule prevents these scripts from launching apps, which stops malicious use of the scripts to spread malware and infect machines.

>[!IMPORTANT]
>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).

### Rule: Block execution of potentially obfuscated scripts

Malware and other threats can attempt to obfuscate or hide their malicious code in some script files.

This rule prevents scripts that appear to be obfuscated from running.

It uses the [Antimalware Scan Interface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine whether a script is potentially obfuscated, and then blocks such a script, or blocks scripts when an attempt is made to access them.

### Rule: Block Win32 API calls from Office macro

Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system.

This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs.

### Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria

This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list:

- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)

### Rule: Use advanced protection against ransomware

This rule provides an extra layer of protection against ransomware. Executable files that enter the system are scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list.

### Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe)

Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.

>[!IMPORTANT]
>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).

### Rule: Block process creations originating from PSExec and WMI commands

This rule blocks processes created through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks.

>[!WARNING]
>Only use this rule if you are managing your devices with Intune or another MDM solution. If you use this rule with SCCM, it will prevent SCCM compliance rules from working, because this rule blocks the PSExec commands in SCCM.

### Rule: Block untrusted and unsigned processes that run from USB

With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include:

- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)

## Review Attack surface reduction events in Windows Event Viewer

You can review the Windows event log to see events that are created when an Attack surface reduction rule is triggered (or audited):

1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine.

2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.

3. On the left panel, under **Actions**, click **Import custom view...**

    

4. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).

5. Click **OK**.

6. This will create a custom view that filters to only show the following events related to Attack surface reduction:

Event ID | Description
---|---
5007 | Event when settings are changed
1122 | Event when rule fires in Audit-mode
1121 | Event when rule fires in Block-mode

### Event fields

- **ID**: the rule GUID (see the rule table in this topic) of the rule that triggered the block/audit
- **Detection time**: Time of detection
- **Process Name**: The process that performed the "operation" that was blocked/audited
- **Description**: Additional details about the event or audit, including the signature, engine, and product version of Windows Defender Antivirus
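
The same three event IDs can be pulled from the event log with PowerShell instead of the imported custom view, which is what you want when reviewing audit-mode results across a fleet. The following script is an added example, not code from this topic: it applies the same `EventID` filter the custom view uses through `Get-WinEvent -FilterXml` and extracts the event fields listed above from each record. Two things it assumes that this topic does not state: the Defender operational log name `Microsoft-Windows-Windows Defender/Operational`, and that the event message carries the fields as `Label: value` lines, as Event Viewer displays them.

```powershell
# Added example, not from this topic: query the Attack surface reduction events
# (1121, 1122, 5007) and extract the event fields described above. Assumptions
# not stated on the page: the log name below, and that the message text carries
# the fields as "Label: value" lines (as Event Viewer displays them).
$LogName = 'Microsoft-Windows-Windows Defender/Operational'

# The same filter the imported custom view applies, as an XPath query.
$FilterXml = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">*[System[(EventID=1121 or EventID=1122 or EventID=5007)]]</Select>
  </Query>
</QueryList>
"@

# What each event ID means, from the table on this page.
$Outcome = @{
    5007 = 'Settings changed'
    1122 = 'Rule fired (audit mode)'
    1121 = 'Rule fired (block mode)'
}

# Return one "Label: value" field from the message text, or $null when the label
# is absent (a 5007 settings-change event has no rule ID or process, for example).
function Get-MessageField {
    param([string]$Message, [string]$Label)
    $pattern = '(?m)^\s*' + [regex]::Escape($Label) + ':\s*(.+?)\s*$'
    if ($Message -match $pattern) { return $Matches[1] }
    return $null
}

# Get-WinEvent raises an error rather than returning nothing when no events match;
# treat that as an empty result so the script is safe to run on a quiet machine.
$events = Get-WinEvent -FilterXml ([xml]$FilterXml) -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No Attack surface reduction events found in '$LogName'."
    return
}

$events | ForEach-Object {
    [pscustomobject]@{
        Time     = $_.TimeCreated
        EventId  = $_.Id
        Outcome  = $Outcome[$_.Id]
        # The ID field is the rule GUID; match it against the rule table in this topic.
        RuleGuid = Get-MessageField -Message $_.Message -Label 'ID'
        Process  = Get-MessageField -Message $_.Message -Label 'Process Name'
        Detected = Get-MessageField -Message $_.Message -Label 'Detection time'
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

Because the `EventId` column separates 1122 from 1121, a run of this during an audit-mode pilot shows exactly which processes each rule would have blocked, per rule GUID, before any rule is switched to block mode; a 5007 row marks the moment a setting changed, which is useful when correlating a sudden burst of 1121 events with a configuration push.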

## In this section

Topic | Description
---|---
[Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how the feature works, and what events would typically be created.
[Enable Attack surface reduction](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Attack surface reduction in your network.
[Customize Attack surface reduction](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by Attack surface reduction and customize the notification that appears on a user's machine when a rule blocks an app or file.