Attack Mac OS
Although Mac OS attacks occur less often than Windows OS attacks, the implications of an attack happening on either OS can be lethal. If you work in cybersecurity, you know that attack trends are a thing. There’s always some new hotness in attacker Tactics, Techniques, and Procedures (TTPs), which often parallels the TTPs of security red teamers. STILL NEED HELP? Want to ask other users with the same product a question? Join the conversation. Below are the tactics and techniques representing the MITRE ATT&CK ® Matrix for Enterprise. The Matrix contains information for the macOS platform. Step 1: Activate recovery mode when the Mac computer is turned on. (This can be done by holding down the command and R keys) Step 2: Click on Utilities Menu from the menu bar and select Firmware Password Utility. Step 3: Click on Turn on Firmware Password and follow the wizard. When done, restart your Mac.
A kernel panic (sometimes abbreviated as KP[1]) is a safety measure taken by an operating system's kernel upon detecting an internal fatal error in which either it is unable to safely recover or continuing to run the system would have a higher risk of major data loss. The term is largely specific to Unix and Unix-like systems. For Microsoft Windows operating systems the equivalent term is 'Stop error', resulting in a bug check[2] screen that presents the bug check code on a blue background in early versions of Windows (colloquially known as a 'Blue Screen of Death' or BSoD), or on a green background on the Xbox One platform as well as in Windows 10 preview builds.[3]
The kernel routines that handle panics, known as panic()
in AT&T-derived and BSD Unix source code, are generally designed to output an error message to the console, dump an image of kernel memory to disk for post-mortem debugging, and then either wait for the system to be manually rebooted, or initiate an automatic reboot.[4] The information provided is of a highly technical nature and aims to assist a system administrator or software developer in diagnosing the problem. Kernel panics can also be caused by errors originating outside kernel space. For example, many Unix operating systems panic if the init process, which runs in user space, terminates.[5][6]
History[edit]
The Unix kernel maintains internal consistency and runtime correctness with assertions as the fault detection mechanism. The basic assumption is that the hardware and the software should perform correctly and a failure of an assertion results in a panic, i.e. a voluntary halt to all system activity.[7] The kernel panic was introduced in an early version of Unix and demonstrated a major difference between the design philosophies of Unix and its predecessor Multics. Multics developer Tom van Vleck recalls a discussion of this change with Unix developer Dennis Ritchie:
I remarked to Dennis that easily half the code I was writing in Multics was error recovery code. He said, 'We left all that stuff out. If there's an error, we have this routine called panic, and when it is called, the machine crashes, and you holler down the hall, 'Hey, reboot it.'[8]
The original panic()
function was essentially unchanged from Fifth Edition UNIX to the VAX-based UNIX 32V and output only an error message with no other information, then dropped the system into an endless idle loop.
Source code of panic()
function in V6 UNIX:[9]
As the Unix codebase was enhanced, the panic()
function was also enhanced to dump various forms of debugging information to the console.
Causes[edit]
A panic may occur as a result of a hardware failure or a software bug in the operating system. In many cases, the operating system is capable of continued operation after an error has occurred. However, the system is in an unstable state and rather than risking security breaches and data corruption, the operating system stops to prevent further damage and facilitate diagnosis of the error and, in usual cases, restart.[10]
After recompiling a kernel binary image from source code, a kernel panic while booting the resulting kernel is a common problem if the kernel was not correctly configured, compiled or installed.[11] Add-on hardware or malfunctioning RAM could also be sources of fatal kernel errors during start up, due to incompatibility with the OS or a missing device driver.[12] A kernel may also go into panic()
if it is unable to locate a root file system.[13] During the final stages of kernel userspace initialization, a panic is typically triggered if the spawning of init fails. A panic might also be triggered if the init process terminates, as the system would then be unusable.[14]
The following is an implementation of the Linux kernel final initialization in kernel_init()
:[15]
Operating system specifics[edit]
Linux[edit]
Kernel panics appear in Linux like in other Unix-like systems, but they can also generate another kind of error condition, known as a kernel oops.[16] In this case, the kernel normally continues to run after killing the offending process. As an oops could cause some subsystems or resources to become unavailable, they can later lead to a full kernel panic.
On Linux, a kernel panic causes keyboard LEDs to blink as a visual indication of a critical condition.[17]
macOS[edit]
When a kernel panic occurs in Mac OS X 10.2 through 10.7, the computer displays a multilingual message informing the user that they need to reboot the system.[18] Prior to 10.2, a more traditional Unix-style panic message was displayed; in 10.8 and later, the computer automatically reboots and displays a message after the restart. The format of the message varies from version to version:[19]
- 10.0–10.1: The system displays text on the screen, giving details about the error, and becomes unresponsive.
- 10.2: Rolls down a black transparent curtain then displays a message on a white background informing the user that they should restart the computer. The message is shown in English, French, German and Japanese.
- 10.3–10.5: The kernel panic is almost the same as version 10.2 but the background of the error screen is black.
- 10.6–10.7-10.8: The text has been revised and now includes a Spanish translation.
- 10.9 and later: The computer becomes unresponsive before it immediately reboots. When the computer starts back up, it shows a warning message for a few seconds about the computer restarting because of a kernel panic, and then the computer restarts back up. The message now includes a Chinese translation.
Sometimes when there are five or more kernel panics within three minutes of the first one, the Mac will display a prohibitory sign for 30 seconds, and then shut down (this is known as a 'recurring kernel panic').
In all versions above 10.2, the text is superimposed on a standby symbol and is not full screen. Debugging information is saved in NVRAM and written to a log file on reboot. In 10.7 there is a feature to automatically restart after a kernel panic. In some cases, on 10.2 and later, white text detailing the error may appear in addition to the standby symbol.
Mac OS X 10.0–10.1 kernel panic
Mac OS X 10.2 kernel panic
Mac OS X 10.3–10.5 kernel panic
Mac OS X 10.6 and 10.7 kernel panic
Message shown after the computer restarts because of a kernel panic in OS X 10.8 and later versions
See also[edit]
Wikimedia Commons has media related to Kernel panic. |
References[edit]
- ^'KP - Kernel Panic (Linux) AcronymFinder'. www.acronymfinder.com. Retrieved January 6, 2016.
- ^'Bug Checks (Blue Screens)'. Hardware Dev Center - Microsoft.
- ^Hoffman, Chris. 'Did You Know Windows 10 Has a Green Screen of Death?'. How-To Geek. Retrieved June 4, 2020.
- ^'FreeBSD 11.0 - man page for panic (freebsd section 9) - Unix & Linux Commands'. www.unix.com.
- ^'boot failure-init died - Unix Linux Forums - HP-UX'. www.unix.com.
- ^Randolph J. Herber (September 1, 1999). 'Re: PANIC: init died'. Newsgroup: comp.sys.sgi.admin.
- ^Daniel P. Siewiorek; Robert S. Swarz (1998). Reliable computer systems: design and evaluation. A K Peters, Ltd. p. 622. ISBN978-1-56881-092-8. Retrieved May 6, 2011.
- ^'Unix and Multics'. www.multicians.org.
- ^Source code /usr/sys/ken/prf.c from V6 UNIX
- ^Steven M. Hancock (November 22, 2002). Tru64 UNIX troubleshooting: diagnosing and correcting system problemsHP Technologies SeriesITPro collection. Digital Press. pp. 119–126. ISBN978-1-55558-274-6. Retrieved May 3, 2011.
- ^Michael Jang (2006). Linux annoyances for geeks. O'Reilly Media, Inc. pp. 267–274. ISBN978-0-596-00801-7. Retrieved April 29, 2011.
- ^David Pogue (December 17, 2009). Switching to the Mac: The Missing Manual, Snow Leopard Edition. O'Reilly Media, Inc. p. 589. ISBN978-0-596-80425-1. Retrieved May 4, 2011.
- ^Greg Kroah-Hartman (2007). Linux kernel in a nutshell. O'Reilly Media, Inc. p. 59. ISBN978-0-596-10079-7. Retrieved May 3, 2011.
- ^Wolfgang Mauerer (September 26, 2008). Professional Linux Kernel Architecture. John Wiley and Sons. pp. 1238–1239. ISBN978-0-470-34343-2. Retrieved May 3, 2011.
- ^linux/init/main.c, LXR Cross Referencer
- ^'Linux Device Drivers, Chapter 4'(PDF).
- ^James Kirkland; David Carmichael; Christopher L. Tinker; Gregory L. Tinker (May 2006). Linux Troubleshooting for System Administrators and Power Users. Prentice Hall. p. 62. ISBN9780132797399. Retrieved February 5, 2016.
- ^'OS X: About kernel panics - Apple Support'. support.apple.com.
- ^'A New Screen of Death for Mac OS X'. OSXBook.com.
Applies to:
Why attack surface reduction rules are important
Your organization's attack surface includes all the places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means protecting your organization's devices and network, which leaves attackers with fewer ways to perform attacks. Configuring attack surface reduction rules in Microsoft Defender for Endpoint can help!
Attack surface reduction rules target certain software behaviors, such as:
- Launching executable files and scripts that attempt to download or run files;
- Running obfuscated or otherwise suspicious scripts; and
- Performing behaviors that apps don't usually initiate during normal day-to-day work.
Such software behaviors are sometimes seen in legitimate applications; however, these behaviors are often considered risky because they are commonly abused by attackers through malware. Attack surface reduction rules can constrain risky behaviors and help keep your organization safe.
For more information about configuring attack surface reduction rules, see Enable attack surface reduction rules.
Assess rule impact before deployment
You can assess how an attack surface reduction rule might affect your network by opening the security recommendation for that rule in threat and vulnerability management.
In the recommendation details pane, check for user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adversely affecting productivity.
Audit mode for evaluation
Use audit mode to evaluate how attack surface reduction rules would affect your organization if they were enabled. Run all rules in audit mode first so you can understand how they affect your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they might perform tasks in ways that seem similar to malware. By monitoring audit data and adding exclusions for necessary applications, you can deploy attack surface reduction rules without reducing productivity.
Warn mode for users
(NEW!) Prior to warn mode capabilities, attack surface reduction rules that are enabled could be set to either audit mode or block mode. With the new warn mode, whenever content is blocked by an attack surface reduction rule, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. When a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes.
Warn mode helps your organization have attack surface reduction rules in place without preventing users from accessing the content they need to perform their tasks.
Requirements for warn mode to work
Warn mode is supported on devices running the following versions of Windows:
- Windows 10, version 1809 or later
- Windows Server, version 1809 or later
Microsoft Defender Antivirus must be running with real-time protection in Active mode.
In addition, make sure Microsoft Defender Antivirus and antimalware updates are installed.
- Minimum platform release requirement:
4.18.2008.9
- Minimum engine release requirement:
1.1.17400.5
For more information and to get your updates, see Update for Microsoft Defender antimalware platform.
Cases where warn mode is not supported
Warn mode is not supported for three attack surface reduction rules when you configure them in Microsoft Endpoint Manager. (If you use Group Policy to configure your attack surface reduction rules, warn mode is supported.) The three rules that do not support warn mode when you configure them in Microsoft Endpoint Manager are as follows:
- Block JavaScript or VBScript from launching downloaded executable content (GUID
d3e037e1-3eb8-44c8-a917-57927947596d
) - Block persistence through WMI event subscription (GUID
e6db77e5-3df2-4cf1-b95a-636979351e5b
) - Use advanced protection against ransomware (GUID
c1db55ab-c21a-4637-bb3f-a12568109d35
)
In addition, warn mode is not supported on devices running older versions of Windows. In those cases, attack surface reduction rules that are configured to run in warn mode will run in block mode.
Notifications and alerts
Attack Mac Os X
Whenever an attack surface reduction rule is triggered, a notification is displayed on the device. You can customize the notification with your company details and contact information.
In addition, when certain attack surface reduction rules are triggered, alerts are generated.
Notifications and any alerts that are generated can be viewed in the Microsoft Defender Security Center (https://securitycenter.windows.com) and in the Microsoft 365 security center (https://security.microsoft.com).
Advanced hunting and attack surface reduction events
You can use advanced hunting to view attack surface reduction events. To streamline the volume of incoming data, only unique processes for each hour are viewable with advanced hunting. The time of an attack surface reduction event is the first time that event is seen within the hour.
For example, suppose that an attack surface reduction event occurs on 10 devices during the 2:00 PM hour. Suppose that the first event occurred at 2:15, and the last at 2:45. With advanced hunting, you'll see one instance of that event (even though it actually occurred on 10 devices), and its timestamp will be 2:15 PM.
For more information about advanced hunting, see Proactively hunt for threats with advanced hunting.
Attack surface reduction features across Windows versions
You can set attack surface reduction rules for devices that are running any of the following editions and versions of Windows:
- Windows 10 Pro, version 1709 or later
- Windows 10 Enterprise, version 1709 or later
- Windows Server, version 1803 (Semi-Annual Channel) or later
Although attack surface reduction rules don't require a Windows E5 license, if you have Windows E5, you get advanced management capabilities. These capabilities available only in Windows E5 include monitoring, analytics, and workflows available in Defender for Endpoint, as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with a Windows Professional or Windows E3 license; however, if you do have those licenses, you can use Event Viewer and Microsoft Defender Antivirus logs to review your attack surface reduction rule events.
Review attack surface reduction events in the Microsoft Defender Security Center
Defender for Endpoint provides detailed reporting for events and blocks as part of alert investigation scenarios.
You can query Defender for Endpoint data by using advanced hunting. If you're running audit mode, you can use advanced hunting to understand how attack surface reduction rules could affect your environment.
Here is an example query:
Review attack surface reduction events in Windows Event Viewer
You can review the Windows event log to view events generated by attack surface reduction rules:
- Download the Evaluation Package and extract the file cfa-events.xml to an easily accessible location on the device.
- Enter the words, Event Viewer, into the Start menu to open the Windows Event Viewer.
- Under Actions, select Import custom view....
- Select the file cfa-events.xml from where it was extracted. Alternatively, copy the XML directly.
- Select OK.
You can create a custom view that filters events to only show the following events, all of which are related to controlled folder access:
Event ID | Description |
---|---|
5007 | Event when settings are changed |
1121 | Event when rule fires in Block-mode |
1122 | Event when rule fires in Audit-mode |
The 'engine version' listed for attack surface reduction events in the event log, is generated by Defender for Endpoint, not by the operating system. Defender for Endpoint is integrated with Windows 10, so this feature works on all devices with Windows 10 installed.
Attack surface reduction rules
The following table and subsections describe each of the 15 attack surface reduction rules. The attack surface reduction rules are listed in alphabetical order, by rule name.
If you are configuring attack surface reduction rules by using Group Policy or PowerShell, you'll need the GUIDs. On the other hand, if you use Microsoft Endpoint Manager or Microsoft Intune, you do not need the GUIDs.
Rule name | GUID | File & folder exclusions | Minimum OS supported |
---|---|---|---|
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b | Not supported | Windows 10, version 1903 (build 18362) or greater |
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
Block Win32 API calls from Office macros | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
Block Adobe Reader from creating child processes
This rule prevents attacks by blocking Adobe Reader from creating processes.
Through social engineering or exploits, malware can download and launch payloads, and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading.
This rule was introduced in:
Intune name: Process creation from Adobe Reader (beta)
Configuration Manager name: Not yet available
GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
Block all Office applications from creating child processes
This rule blocks Office apps from creating child processes. Office apps include Word, Excel, PowerPoint, OneNote, and Access.
Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run more payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings.
This rule was introduced in:
Intune name: Office apps launching child processes
Configuration Manager name: Block Office application from creating child processes
GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block credential stealing from the Windows local security authority subsystem
This rule helps prevent credential stealing, by locking down Local Security Authority Subsystem Service (LSASS).
LSASS authenticates users who sign in on a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.
Note
In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is NO need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
This rule was introduced in:
Intune name: Flag credential stealing from the Windows local security authority subsystem
Configuration Manager name: Block credential stealing from the Windows local security authority subsystem
GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block executable content from email client and webmail
This rule blocks the following file types from launching from email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers:
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, Visual Basic .vbs, or JavaScript .js file)
This rule was introduced in:
Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)
Microsoft Endpoint Manager name: Block executable content from email client and webmail
GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Note
The rule Block executable content from email client and webmail has the following alternative descriptions, depending on which application you use:
- Intune (Configuration Profiles): Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions).
- Endpoint Manager: Block executable content download from email and webmail clients.
- Group Policy: Block executable content from email client and webmail.
Block executable files from running unless they meet a prevalence, age, or trusted list criterion
This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list:
- Executable files (such as .exe, .dll, or .scr)
Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious.
Important
You must enable cloud-delivered protection to use this rule.
The rule Block executable files from running unless they meet a prevalence, age, or trusted list criterion with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25
is owned by Microsoft and is not specified by admins. This rule uses cloud-delivered protection to update its trusted list regularly.
You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
This rule was introduced in:
Intune name: Executables that don't meet a prevalence, age, or trusted list criteria
Configuration Manager name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
Block execution of potentially obfuscated scripts
This rule detects suspicious properties within an obfuscated script.
Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software.
This rule was introduced in:
Intune name: Obfuscated js/vbs/ps/macro code
Configuration Manager name: Block execution of potentially obfuscated scripts
GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block JavaScript or VBScript from launching downloaded executable content
This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet.
Although not common, line-of-business applications sometimes use scripts to download and launch installers.
This rule was introduced in:
Intune name: js/vbs executing payload downloaded from Internet (no exceptions)
Configuration Manager name: Block JavaScript or VBScript from launching downloaded executable content
GUID: D3E037E1-3EB8-44C8-A917-57927947596D
Block Office applications from creating executable content
This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk.
Malware that abuses Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique.
This rule was introduced in:
- System Center Configuration Manager (SCCM) CB 1710 (SCCM is now Microsoft Endpoint Configuration Manager)
Intune name: Office apps/macros creating executable content
SCCM name: Block Office applications from creating executable content
GUID: 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting code into other processes
This rule blocks code injection attempts from Office apps into other processes.
Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process.
There are no known legitimate business purposes for using code injection.
This rule applies to Word, Excel, and PowerPoint.
This rule was introduced in:
Intune name: Office apps injecting code into other processes (no exceptions)
Configuration Manager name: Block Office applications from injecting code into other processes
GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Block Office communication application from creating child processes
This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions.
Attack Mac Os Download
This rule protects against social engineering attacks and prevents exploiting code from abusing vulnerabilities in Outlook. It also protects against Outlook rules and forms exploits that attackers can use when a user's credentials are compromised.
Note
This rule applies to Outlook and Outlook.com only.
This rule was introduced in:
Intune name: Process creation from Office communication products (beta)
Configuration Manager name: Not available
GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
Block persistence through WMI event subscription
This rule prevents malware from abusing WMI to attain persistence on a device.
Important
File and folder exclusions don't apply to this attack surface reduction rule.
Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.
This rule was introduced in:
Intune name: Not available
Configuration Manager name: Not available
GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b
Block process creations originating from PSExec and WMI commands
This rule blocks processes created through PsExec and WMI from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization's network.
Warning
Only use this rule if you're managing your devices with Intune or another MDM solution. This rule is incompatible with management through Microsoft Endpoint Configuration Manager because this rule blocks WMI commands the Configuration Manager client uses to function correctly.
This rule was introduced in:
Intune name: Process creation from PSExec and WMI commands
Configuration Manager name: Not applicable
GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB
With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include executable files (such as .exe, .dll, or .scr)
This rule was introduced in:
Intune name: Untrusted and unsigned processes that run from USB
Configuration Manager name: Block untrusted and unsigned processes that run from USB
GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Win32 API calls from Office macros
This rule prevents VBA macros from calling Win32 APIs.
Office VBA enables Win32 API calls. Malware can abuse this capability, such as calling Win32 APIs to launch malicious shellcode without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.
This rule was introduced in:
Intune name: Win32 imports from Office macro code
Configuration Manager name: Block Win32 API calls from Office macros
GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Use advanced protection against ransomware
This rule provides an extra layer of protection against ransomware. It uses both client and cloud heuristics to determine whether a file resembles ransomware. This rule does not block files that have one or more of the following characteristics:
- The file has already been found to be unharmful in the Microsoft cloud.
- The file is a valid signed file.
- The file is prevalent enough to not be considered as ransomware.
The rule tends to err on the side of caution to prevent ransomware.
Note
You must enable cloud-delivered protection to use this rule.
This rule was introduced in:
Intune name: Advanced ransomware protection
Configuration Manager name: Use advanced protection against ransomware
GUID: c1db55ab-c21a-4637-bb3f-a12568109d35