Windows_Security
Exploit Guard Attack Surface Reduction Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware
Exploit Guard per application mitigation Enable or disable specific mitigations used by Exploit protection
Not a discussion on how un-user-friendly Microsoft has implemented these mitigations, but a question on what attack vectors remain after applying the following tweaks for poisoned OFFICE documents.
Exploit Guard per application mitigation (for Winword, Powerpnt, Excel)
a) Block remote images (Prevents loading of images from remote devices)
b) Code integrity guard (Restricts loading of images signed by Microsoft, WHQL, and higher. Can optionally allow Microsoft Store signed images.)
c) Disable extension points (Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers.)
d) Do not allow child processes - prefer this one through GUI instead of clunky ps1 script (Prevents an app from creating child processes.)
ASR rules through PS-1 script (run powershell as admin and copy these lines)
# Block Office applications from injecting code into other processes
Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Enabled
# Block Office applications from creating executable content
Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled
# Block JavaScript or VBScript from launching downloaded executable content
Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled
# Block execution of potentially obfuscated scripts
Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Enabled
# Block executable content from email client and webmail
Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled
# Block Win32 API calls from Office macro
Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enabled
Anyone is of course free to give his opinion, but I hope the techies (like @cruelsister, @Opcode, @Lockdown, @Andy Ful etc.) find some time to post their comments also.
Thanks
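One way to apply the four per-application mitigations and then verify both them and the six ASR rules from the post is shown below. This is an added example, not part of the original post or any Microsoft documentation; it assumes Windows 10 1709 or later with the ProcessMitigations and Defender PowerShell modules, an elevated session, and that Get-ProcessMitigation exposes the nested property names used at the end (ImageLoad, BinarySignature, ExtensionPoint, ChildProcess), which is an assumption about the module's output layout.

```powershell
# Added example (not from the original post): apply the four per-app
# Exploit Protection mitigations to the three Office binaries named in the
# post, then report the state of those mitigations and of the six ASR rules.
# Assumes Windows 10 1709+, ProcessMitigations + Defender modules, run as admin.

$officeApps = 'winword.exe', 'excel.exe', 'powerpnt.exe'

# Switch values of Set-ProcessMitigation that correspond to the GUI labels:
#   BlockRemoteImageLoads        -> "Block remote images"
#   MicrosoftSignedOnly          -> "Code integrity guard"
#   DisableExtensionPoints       -> "Disable extension points"
#   DisallowChildProcessCreation -> "Do not allow child processes"
$mitigations = 'BlockRemoteImageLoads', 'MicrosoftSignedOnly',
               'DisableExtensionPoints', 'DisallowChildProcessCreation'

foreach ($app in $officeApps) {
    Set-ProcessMitigation -Name $app -Enable $mitigations
}

# The six ASR rule GUIDs from the post, keyed by their documented purpose.
$asrRules = [ordered]@{
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Office apps injecting code into other processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Office apps creating executable content'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'JS/VBScript launching downloaded executables'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Potentially obfuscated scripts'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Executable content from email client/webmail'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Win32 API calls from Office macros'
}

# Defender stores ASR state as two parallel arrays (Ids / Actions).
# Action codes: 0 = Disabled, 1 = Block (what "Enabled" sets), 2 = Audit, 6 = Warn.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$pref  = Get-MpPreference
$state = @{}
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
    $state[$id] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
}

'--- ASR rules ---'
foreach ($id in $asrRules.Keys) {
    $action = if ($state.ContainsKey($id)) { $actionNames[$state[$id]] } else { 'Not configured' }
    '{0,-16} {1}' -f $action, $asrRules[$id]
}

'--- Per-app Exploit Protection mitigations ---'
foreach ($app in $officeApps) {
    # Assumption: Get-ProcessMitigation returns these nested property groups.
    $m = Get-ProcessMitigation -Name $app
    [pscustomobject]@{
        App          = $app
        RemoteImages = $m.ImageLoad.BlockRemoteImageLoads
        CIG          = $m.BinarySignature.MicrosoftSignedOnly
        ExtensionPts = $m.ExtensionPoint.DisableExtensionPoints
        ChildProcess = $m.ChildProcess.DisallowChildProcessCreation
    }
}
```

Before committing to Block on a production machine, the same ASR rules can be set with -AttackSurfaceReductionRules_Actions AuditMode so that Defender logs what would have been blocked without stopping it; Code integrity guard in particular is worth auditing first, since Office add-ins and printer or input-method DLLs that are not Microsoft-signed will fail to load under it.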