
Commit 947bd68

Merge pull request #5189 from ericlaw1979/docs-editor/attack-surface-reduction-rules-1759355452
Update attack-surface-reduction-rules-reference.md
2 parents c090dc2 + 461f7a5 commit 947bd68

File tree

1 file changed

+10
-10
lines changed


defender-endpoint/attack-surface-reduction-rules-reference.md

Lines changed: 10 additions & 10 deletions
@@ -7,7 +7,7 @@ ms.localizationpriority: medium
77
audience: ITPro
88
author: paulinbar
99
ms.author: painbar
10-
ms.reviewer: sugamar, yongrhee
10+
ms.reviewer: sugamar, ericlaw
1111
manager: bagol
1212
ms.custom: asr
1313
ms.topic: reference
@@ -462,7 +462,7 @@ Dependencies: Microsoft Defender Antivirus, AMSI
462462

463463
### Block Office applications from creating executable content
464464

465-
This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk. Malware that abuses Office as a vector might attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique. This rule also blocks execution of untrusted files that might have been saved by Office macros that are allowed to run in Office files.
465+
This rule prevents Office apps, including Word, Excel, and PowerPoint, from being used as a vector to persist malicious code on disk. Malware that abuses Office as a vector might attempt to save malicious components to disk that would survive a computer reboot and persist on the system. This rule defends against this persistence technique by blocking access (open/execute) to the code written to disk. This rule also blocks execution of untrusted files that might have been saved by Office macros that are allowed to run in Office files.
466466

467467
Intune name: `Office apps/macros creating executable content`
468468

@@ -579,10 +579,7 @@ Dependencies: Microsoft Defender Antivirus
579579

580580
### Block rebooting machine in Safe Mode
581581

582-
> [!NOTE]
583-
> This feature isn't supported in Threat and Vulnerability Management, so the Attack Surface Reduction rule report will show as "Not applicable" for Windows and Windows Servers.
584-
585-
This rule prevents the execution of commands to restart machines in Safe Mode. Safe Mode is a diagnostic mode that only loads the essential files and drivers needed for Windows to run. However, in Safe Mode, many security products are either disabled or operate in a limited capacity, which allows attackers to further launch tampering commands, or execute and encrypt all files on the machine. This rule blocks such attacks by preventing processes from restarting machines in Safe Mode.
582+
This rule prevents the execution of certain commands to restart machines in Safe Mode. In Windows' Safe Mode, many security products are either disabled or operate in a limited capacity, which allows attackers to further launch tampering commands, or execute and encrypt all files on the machine. This rule blocks such abuse of Safe Mode by preventing commonly abused commands like `bcdedit` and `bootcfg` from restarting machines in Safe Mode. Safe Mode is still accessible manually from the Windows Recovery Environment.
586583

587584
Intune Name: ` Block rebooting machine in Safe Mode`
588585

@@ -598,6 +595,9 @@ Advanced hunting action type:
598595

599596
Dependencies: Microsoft Defender Antivirus
600597

598+
> [!NOTE]
599+
> This rule is not yet recognized by Threat and Vulnerability Management, so the Attack Surface Reduction rule report will show it as "Not applicable".
600+
601601
### Block untrusted and unsigned processes that run from USB
602602

603603
With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include executable files (such as .exe, .dll, or .scr)
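Review bot: The relocated note at 598+ reads "not yet recognized", which is forward-looking and will go stale silently once the report catches up; the previous wording ("isn't supported") described the current state without promising a change. Suggest "isn't currently recognized by Threat and Vulnerability Management" and, if a fix is actually planned, saying so explicitly. Placement after the Dependencies line, just before the next H3, does put it in the same block as the rest of this rule's metadata, which is an improvement over the old position between the heading and the description.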
@@ -620,9 +620,6 @@ Dependencies: Microsoft Defender Antivirus
620620

621621
### Block use of copied or impersonated system tools
622622

623-
> [!NOTE]
624-
> This feature isn't supported in Threat and Vulnerability Management, so the Attack Surface Reduction rule report will show as "Not applicable" for Windows and Windows Servers.
625-
626623
This rule blocks the use of executable files that are identified as copies of Windows system tools. These files are either duplicates or impostors of the original system tools. Some malicious programs might try to copy or impersonate Windows system tools to avoid detection or gain privileges. Allowing such executable files can lead to potential attacks. This rule prevents propagation and execution of such duplicates and impostors of the system tools on Windows machines.
627624

628625
Intune Name: `Block use of copied or impersonated system tools`
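Review bot: The removed note at 623-/624- carried the qualifier "for Windows and Windows Servers", and the replacement added later in the patch drops it, stating only that the report shows "Not applicable". Confirm the platform qualifier is intentionally dropped (for example because the rule applies to all supported platforms anyway) rather than lost in the move; if the reporting gap differs by platform, the qualifier should travel with the note.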
@@ -641,6 +638,9 @@ Advanced hunting action type:
641638

642639
Dependencies: Microsoft Defender Antivirus
643640

641+
> [!NOTE]
642+
> This rule is not yet recognized by Threat and Vulnerability Management, so the Attack Surface Reduction rule report will show it as "Not applicable".
643+
644644
### Block Webshell creation for Servers
645645

646646
This rule blocks web shell script creation on Microsoft Server, Exchange Role. A web shell script is a crafted script that allows an attacker to control the compromised server.
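Review bot: The note at 641+/642+ is a verbatim copy of the one added earlier for the Safe Mode rule, and the Webshell note further down carries a third near-copy. Three hand-maintained copies of the same sentence are how the "isn't supported" vs "is not yet recognized" drift happened in the first place; if the docs toolchain supports includes or shared snippets, keep the sentence in one place, otherwise at least make the three occurrences word-for-word identical in this PR.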
@@ -654,7 +654,7 @@ GUID: `a8f5898e-1dc8-49a9-9878-85004b8a61e6`
654654
Dependencies: Microsoft Defender Antivirus
655655

656656
> [!NOTE]
657-
> When managing ASR rules using Microsoft Defender for Endpoint security settings management, the setting for **Block Webshell creation for Servers** must be configured as `Not Configured` in Group Policy or other local settings. If this rule is set to any other value (such as `Enabled` or `Disabled`), it could cause conflicts and prevent the policy from applying correctly through security settings management. This feature isn't supported in Threat and Vulnerability Management, so the Attack Surface Reduction rule report will show as "Not applicable" for Exchange servers.
657+
> When managing ASR rules using Microsoft Defender for Endpoint security settings management, the setting for **Block Webshell creation for Servers** must be configured as `Not Configured` in Group Policy or other local settings. If this rule is set to any other value (such as `Enabled` or `Disabled`), it could cause conflicts and prevent the policy from applying correctly through security settings management. This rule is not yet recognized by Threat and Vulnerability Management, so the Attack Surface Reduction rule report will show it as "Not applicable".
658658
659659
### Block Win32 API calls from Office macros
660660
