AttackSurfaceReductionRules.json
[
{
"Name": "Block abuse of exploited vulnerable signed drivers",
"GUID": "56a863a9-875e-4185-98a7-b882c64b5ce5",
"Status": "Enabled"
},
{
"Name": "Block Adobe Reader from creating child processes",
"GUID": "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c",
"Status": "Enabled"
},
{
"Name": "Block all Office applications from creating child processes",
"GUID": "D4F940AB-401B-4EFC-AADC-AD5F3C50688A",
"Status": "Enabled"
},
{
"Name": "Block credential stealing from the Windows local security authority subsystem (lsass.exe)",
"GUID": "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2",
"Status": "Enabled"
},
{
"Name": "Block executable content from email client and webmail",
"GUID": "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550",
"Status": "Enabled"
},
{
"Name": "Block executable files from running unless they meet a prevalence, age, or trusted list criterion",
"GUID": "01443614-cd74-433a-b99e-2ecdc07bfc25",
"Status": "Enabled"
},
{
"Name": "Block execution of potentially obfuscated scripts",
"GUID": "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC",
"Status": "Enabled"
},
{
"Name": "Block JavaScript or VBScript from launching downloaded executable content",
"GUID": "D3E037E1-3EB8-44C8-A917-57927947596D",
"Status": "Enabled"
},
{
"Name": "Block Office applications from creating executable content",
"GUID": "3B576869-A4EC-4529-8536-B80A7769E899",
"Status": "Enabled"
},
{
"Name": "Block Office applications from injecting code into other processes",
"GUID": "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84",
"Status": "Enabled"
},
{
"Name": "Block Office communication application from creating child processes",
"GUID": "26190899-1602-49e8-8b27-eb1d0a1ce869",
"Status": "Enabled"
},
{
"Name": "Block persistence through WMI event subscription",
"GUID": "e6db77e5-3df2-4cf1-b95a-636979351e5b",
"Status": "Enabled"
},
{
"Name": "Block process creations originating from PSExec and WMI commands",
"GUID": "d1e49aac-8f56-4280-b9ba-993a6d77406c",
"Status": "Enabled"
},
{
"Name": "Block untrusted and unsigned processes that run from USB",
"GUID": "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4",
"Status": "Enabled"
},
{
"Name": "Block Win32 API calls from Office macros",
"GUID": "92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B",
"Status": "Enabled"
},
{
"Name": "Use advanced protection against ransomware",
"GUID": "c1db55ab-c21a-4637-bb3f-a12568109d35",
"Status": "Enabled"
}
]