Attack Mac OS

Although Mac OS attacks occur less often than Windows OS attacks, the implications of an attack happening on either OS can be lethal. If you work in cybersecurity, you know that attack trends are a thing. There's always some new hotness in attacker Tactics, Techniques, and Procedures (TTPs), which often parallels the TTPs of security red teamers.

Below are the tactics and techniques representing the MITRE ATT&CK® Matrix for Enterprise. The Matrix contains information for the macOS platform.

To set a firmware password on a Mac:

  1. Activate recovery mode when the Mac computer is turned on (hold down the Command and R keys).
  2. Click the Utilities menu in the menu bar and select Firmware Password Utility.
  3. Click Turn on Firmware Password and follow the wizard. When done, restart your Mac.

A kernel panic message from a Linux system
Kernel panic in Ubuntu 13.04 (Linux 3.8) in Oracle VM VirtualBox

A kernel panic (sometimes abbreviated as KP[1]) is a safety measure taken by an operating system's kernel upon detecting an internal fatal error in which either it is unable to safely recover or continuing to run the system would have a higher risk of major data loss. The term is largely specific to Unix and Unix-like systems. For Microsoft Windows operating systems the equivalent term is 'Stop error', resulting in a bug check[2] screen that presents the bug check code on a blue background in early versions of Windows (colloquially known as a 'Blue Screen of Death' or BSoD), or on a green background on the Xbox One platform as well as in Windows 10 preview builds.[3]

The kernel routines that handle panics, known as panic() in AT&T-derived and BSD Unix source code, are generally designed to output an error message to the console, dump an image of kernel memory to disk for post-mortem debugging, and then either wait for the system to be manually rebooted, or initiate an automatic reboot.[4] The information provided is of a highly technical nature and aims to assist a system administrator or software developer in diagnosing the problem. Kernel panics can also be caused by errors originating outside kernel space. For example, many Unix operating systems panic if the init process, which runs in user space, terminates.[5][6]

History

The Unix kernel maintains internal consistency and runtime correctness with assertions as the fault detection mechanism. The basic assumption is that the hardware and the software should perform correctly and a failure of an assertion results in a panic, i.e. a voluntary halt to all system activity.[7] The kernel panic was introduced in an early version of Unix and demonstrated a major difference between the design philosophies of Unix and its predecessor Multics. Multics developer Tom van Vleck recalls a discussion of this change with Unix developer Dennis Ritchie:

I remarked to Dennis that easily half the code I was writing in Multics was error recovery code. He said, "We left all that stuff out. If there's an error, we have this routine called panic, and when it is called, the machine crashes, and you holler down the hall, 'Hey, reboot it.'"[8]

The original panic() function was essentially unchanged from Fifth Edition UNIX to the VAX-based UNIX 32V and output only an error message with no other information, then dropped the system into an endless idle loop.

Source code of panic() function in V6 UNIX:[9]

As the Unix codebase was enhanced, the panic() function was also enhanced to dump various forms of debugging information to the console.

Causes

A panic may occur as a result of a hardware failure or a software bug in the operating system. In many cases, the operating system is capable of continued operation after an error has occurred. However, the system is in an unstable state and rather than risking security breaches and data corruption, the operating system stops to prevent further damage and facilitate diagnosis of the error and, in usual cases, restart.[10]

After recompiling a kernel binary image from source code, a kernel panic while booting the resulting kernel is a common problem if the kernel was not correctly configured, compiled or installed.[11] Add-on hardware or malfunctioning RAM could also be sources of fatal kernel errors during start up, due to incompatibility with the OS or a missing device driver.[12] A kernel may also go into panic() if it is unable to locate a root file system.[13] During the final stages of kernel userspace initialization, a panic is typically triggered if the spawning of init fails. A panic might also be triggered if the init process terminates, as the system would then be unusable.[14]

The following is an implementation of the Linux kernel final initialization in kernel_init():[15]

Operating system specifics

Linux

Kernel panic as seen on an iKVM console

Kernel panics appear in Linux like in other Unix-like systems, but they can also generate another kind of error condition, known as a kernel oops.[16] In this case, the kernel normally continues to run after killing the offending process. As an oops could cause some subsystems or resources to become unavailable, they can later lead to a full kernel panic.

On Linux, a kernel panic causes keyboard LEDs to blink as a visual indication of a critical condition.[17]

macOS

When a kernel panic occurs in Mac OS X 10.2 through 10.7, the computer displays a multilingual message informing the user that they need to reboot the system.[18] Prior to 10.2, a more traditional Unix-style panic message was displayed; in 10.8 and later, the computer automatically reboots and displays a message after the restart. The format of the message varies from version to version:[19]

  • 10.0–10.1: The system displays text on the screen, giving details about the error, and becomes unresponsive.
  • 10.2: Rolls down a black transparent curtain then displays a message on a white background informing the user that they should restart the computer. The message is shown in English, French, German and Japanese.
  • 10.3–10.5: The kernel panic is almost the same as version 10.2 but the background of the error screen is black.
  • 10.6–10.8: The text has been revised and now includes a Spanish translation.
  • 10.9 and later: The computer becomes unresponsive before it immediately reboots. When the computer starts back up, it shows a warning message for a few seconds about the computer restarting because of a kernel panic, and then the computer restarts back up. The message now includes a Chinese translation.

Sometimes when there are five or more kernel panics within three minutes of the first one, the Mac will display a prohibitory sign for 30 seconds, and then shut down (this is known as a 'recurring kernel panic').

In all versions above 10.2, the text is superimposed on a standby symbol and is not full screen. Debugging information is saved in NVRAM and written to a log file on reboot. In 10.7 there is a feature to automatically restart after a kernel panic. In some cases, on 10.2 and later, white text detailing the error may appear in addition to the standby symbol.

  • Mac OS X 10.0–10.1 kernel panic
  • Mac OS X 10.2 kernel panic
  • Mac OS X 10.3–10.5 kernel panic
  • Mac OS X 10.6 and 10.7 kernel panic
  • Message shown after the computer restarts because of a kernel panic in OS X 10.8 and later versions

See also

References

  1. 'KP - Kernel Panic (Linux) AcronymFinder'. www.acronymfinder.com. Retrieved January 6, 2016.
  2. 'Bug Checks (Blue Screens)'. Hardware Dev Center - Microsoft.
  3. Hoffman, Chris. 'Did You Know Windows 10 Has a Green Screen of Death?'. How-To Geek. Retrieved June 4, 2020.
  4. 'FreeBSD 11.0 - man page for panic (freebsd section 9) - Unix & Linux Commands'. www.unix.com.
  5. 'boot failure-init died - Unix Linux Forums - HP-UX'. www.unix.com.
  6. Randolph J. Herber (September 1, 1999). 'Re: PANIC: init died'. Newsgroup: comp.sys.sgi.admin.
  7. Daniel P. Siewiorek; Robert S. Swarz (1998). Reliable computer systems: design and evaluation. A K Peters, Ltd. p. 622. ISBN 978-1-56881-092-8. Retrieved May 6, 2011.
  8. 'Unix and Multics'. www.multicians.org.
  9. Source code /usr/sys/ken/prf.c from V6 UNIX.
  10. Steven M. Hancock (November 22, 2002). Tru64 UNIX troubleshooting: diagnosing and correcting system problems. HP Technologies Series, ITPro collection. Digital Press. pp. 119–126. ISBN 978-1-55558-274-6. Retrieved May 3, 2011.
  11. Michael Jang (2006). Linux annoyances for geeks. O'Reilly Media, Inc. pp. 267–274. ISBN 978-0-596-00801-7. Retrieved April 29, 2011.
  12. David Pogue (December 17, 2009). Switching to the Mac: The Missing Manual, Snow Leopard Edition. O'Reilly Media, Inc. p. 589. ISBN 978-0-596-80425-1. Retrieved May 4, 2011.
  13. Greg Kroah-Hartman (2007). Linux kernel in a nutshell. O'Reilly Media, Inc. p. 59. ISBN 978-0-596-10079-7. Retrieved May 3, 2011.
  14. Wolfgang Mauerer (September 26, 2008). Professional Linux Kernel Architecture. John Wiley and Sons. pp. 1238–1239. ISBN 978-0-470-34343-2. Retrieved May 3, 2011.
  15. linux/init/main.c, LXR Cross Referencer.
  16. 'Linux Device Drivers, Chapter 4' (PDF).
  17. James Kirkland; David Carmichael; Christopher L. Tinker; Gregory L. Tinker (May 2006). Linux Troubleshooting for System Administrators and Power Users. Prentice Hall. p. 62. ISBN 9780132797399. Retrieved February 5, 2016.
  18. 'OS X: About kernel panics - Apple Support'. support.apple.com.
  19. 'A New Screen of Death for Mac OS X'. OSXBook.com.
Retrieved from 'https://en.wikipedia.org/w/index.php?title=Kernel_panic&oldid=1008578286'

Applies to:

Why attack surface reduction rules are important

Your organization's attack surface includes all the places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means protecting your organization's devices and network, which leaves attackers with fewer ways to perform attacks. Configuring attack surface reduction rules in Microsoft Defender for Endpoint can help!

Attack surface reduction rules target certain software behaviors, such as:

  • Launching executable files and scripts that attempt to download or run files;
  • Running obfuscated or otherwise suspicious scripts; and
  • Performing behaviors that apps don't usually initiate during normal day-to-day work.

Such software behaviors are sometimes seen in legitimate applications; however, these behaviors are often considered risky because they are commonly abused by attackers through malware. Attack surface reduction rules can constrain risky behaviors and help keep your organization safe.

For more information about configuring attack surface reduction rules, see Enable attack surface reduction rules.

Assess rule impact before deployment

You can assess how an attack surface reduction rule might affect your network by opening the security recommendation for that rule in threat and vulnerability management.

In the recommendation details pane, check for user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adversely affecting productivity.

Audit mode for evaluation

Use audit mode to evaluate how attack surface reduction rules would affect your organization if they were enabled. Run all rules in audit mode first so you can understand how they affect your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they might perform tasks in ways that seem similar to malware. By monitoring audit data and adding exclusions for necessary applications, you can deploy attack surface reduction rules without reducing productivity.

Warn mode for users

(NEW!) Prior to warn mode capabilities, attack surface reduction rules that are enabled could be set to either audit mode or block mode. With the new warn mode, whenever content is blocked by an attack surface reduction rule, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. When a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes.

Warn mode helps your organization have attack surface reduction rules in place without preventing users from accessing the content they need to perform their tasks.

Requirements for warn mode to work

Warn mode is supported on devices running the following versions of Windows:

  • Windows 10, version 1809 or later
  • Windows Server, version 1809 or later

Microsoft Defender Antivirus must be running with real-time protection in Active mode.

In addition, make sure Microsoft Defender Antivirus and antimalware updates are installed.

  • Minimum platform release requirement: 4.18.2008.9
  • Minimum engine release requirement: 1.1.17400.5

For more information and to get your updates, see Update for Microsoft Defender antimalware platform.

Cases where warn mode is not supported

Warn mode is not supported for three attack surface reduction rules when you configure them in Microsoft Endpoint Manager. (If you use Group Policy to configure your attack surface reduction rules, warn mode is supported.) The three rules that do not support warn mode when you configure them in Microsoft Endpoint Manager are as follows:

  • Block JavaScript or VBScript from launching downloaded executable content (GUID d3e037e1-3eb8-44c8-a917-57927947596d)
  • Block persistence through WMI event subscription (GUID e6db77e5-3df2-4cf1-b95a-636979351e5b)
  • Use advanced protection against ransomware (GUID c1db55ab-c21a-4637-bb3f-a12568109d35)

In addition, warn mode is not supported on devices running older versions of Windows. In those cases, attack surface reduction rules that are configured to run in warn mode will run in block mode.
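The mode fallbacks described above are easy to get wrong when a policy is authored in one tool and lands on a mixed fleet. The following resolver is an added example (not Microsoft's code) that encodes exactly what this page states: warn mode needs Windows 10 or Windows Server version 1809 or later and otherwise runs as block, the three listed rules ignore warn mode when configured through Microsoft Endpoint Manager, and a user's Unblock choice holds for 24 hours. The function names, the numeric version comparison and the management-tool labels are assumptions made for this example.

```python
"""Work out how an attack surface reduction (ASR) rule will actually behave.

Added example, not Microsoft's code. Function names, the version-number
comparison and the management-tool labels are assumptions for this example.
"""
from datetime import datetime, timedelta

# GUIDs from the page: rules that do not support warn mode under Endpoint Manager.
WARN_UNSUPPORTED_IN_ENDPOINT_MANAGER = {
    "d3e037e1-3eb8-44c8-a917-57927947596d",  # JS/VBScript launching downloaded executable content
    "e6db77e5-3df2-4cf1-b95a-636979351e5b",  # persistence through WMI event subscription
    "c1db55ab-c21a-4637-bb3f-a12568109d35",  # advanced protection against ransomware
}
MIN_WARN_VERSION = 1809               # Windows 10 / Windows Server, version 1809 or later
UNBLOCK_WINDOW = timedelta(hours=24)  # how long a user's Unblock choice holds


def effective_mode(configured, rule_guid, managed_by, windows_version):
    """Return 'audit', 'block' or 'warn': the mode the device will really run the rule in."""
    configured = configured.lower()
    if configured not in ("audit", "block", "warn"):
        raise ValueError(f"unknown ASR mode: {configured}")
    if configured != "warn":
        return configured
    if windows_version < MIN_WARN_VERSION:
        return "block"  # warn unsupported on older Windows: the rule runs in block mode
    if managed_by == "endpoint_manager" and rule_guid.lower() in WARN_UNSUPPORTED_IN_ENDPOINT_MANAGER:
        return "block"  # these three rules ignore warn mode when set through Endpoint Manager
    return "warn"


def decide(configured, rule_guid, managed_by, windows_version, now, last_unblock=None):
    """What happens when content matches the rule: 'allow', 'audit', 'block' or 'warn'.

    last_unblock is when the user last chose Unblock in the warn dialog, or None.
    """
    mode = effective_mode(configured, rule_guid, managed_by, windows_version)
    if mode == "warn" and last_unblock is not None and now - last_unblock < UNBLOCK_WINDOW:
        return "allow"  # unblocked less than 24 hours ago: blocking has not resumed yet
    return mode


def silent_block_fallbacks(policy, managed_by, windows_version):
    """Pre-deployment check: rules configured as 'warn' that will block instead.

    policy maps rule GUID -> configured mode ('audit', 'block' or 'warn').
    """
    return sorted(
        guid for guid, mode in policy.items()
        if mode.lower() == "warn"
        and effective_mode(mode, guid, managed_by, windows_version) == "block"
    )


if __name__ == "__main__":
    # Constructed policy: everything in warn mode, pushed from Endpoint Manager to a 1909 device.
    policy = {
        "D4F940AB-401B-4EFC-AADC-AD5F3C50688A": "warn",  # Office child processes
        "c1db55ab-c21a-4637-bb3f-a12568109d35": "warn",  # advanced ransomware protection
        "e6db77e5-3df2-4cf1-b95a-636979351e5b": "warn",  # WMI event subscription persistence
    }
    for guid in silent_block_fallbacks(policy, "endpoint_manager", 1909):
        print(f"{guid}: configured warn, will run in block mode")
```

Run `silent_block_fallbacks` against a policy before pushing it: a rule that falls back to block mode gives users no Unblock dialog, so a line-of-business application it catches is simply stopped rather than delayed.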

Notifications and alerts


Whenever an attack surface reduction rule is triggered, a notification is displayed on the device. You can customize the notification with your company details and contact information.

In addition, when certain attack surface reduction rules are triggered, alerts are generated.

Notifications and any alerts that are generated can be viewed in the Microsoft Defender Security Center (https://securitycenter.windows.com) and in the Microsoft 365 security center (https://security.microsoft.com).

Advanced hunting and attack surface reduction events

You can use advanced hunting to view attack surface reduction events. To streamline the volume of incoming data, only unique processes for each hour are viewable with advanced hunting. The time of an attack surface reduction event is the first time that event is seen within the hour.


For example, suppose that an attack surface reduction event occurs on 10 devices during the 2:00 PM hour. Suppose that the first event occurred at 2:15, and the last at 2:45. With advanced hunting, you'll see one instance of that event (even though it actually occurred on 10 devices), and its timestamp will be 2:15 PM.
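The following added example (not Microsoft's code and not an advanced hunting query) reproduces the collapsing just described so the effect on rollout planning is visible: ten devices firing the same rule for the same process during the 2:00 PM hour, first at 2:15 and last at 2:45, survive as a single row stamped 2:15. The record layout (time, device, rule, process) and the uniqueness key (clock hour plus rule GUID plus process path) are assumptions made for this example.

```python
"""Collapse ASR events to one instance per unique process per hour, stamped
with the first time seen, as the page describes for advanced hunting.

Added example, not Microsoft's code. Record layout and uniqueness key are assumptions.
"""
from datetime import datetime

OFFICE_CHILD_PROCESS_RULE = "D4F940AB-401B-4EFC-AADC-AD5F3C50688A"  # GUID from the page
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"

# Constructed sample: the rule fires for Word on ten devices during the 2:00 PM
# hour (first at 2:15, last at 2:45), once for Excel in that hour, and once
# more for Word in the 3:00 PM hour.
SAMPLE_EVENTS = [
    {"time": datetime(2021, 3, 1, 14, minute), "device": f"ws{i:02d}",
     "rule": OFFICE_CHILD_PROCESS_RULE, "process": WORD}
    for i, minute in enumerate([15, 18, 21, 24, 27, 30, 33, 36, 39, 45])
] + [
    {"time": datetime(2021, 3, 1, 14, 20), "device": "ws11",
     "rule": OFFICE_CHILD_PROCESS_RULE, "process": EXCEL},
    {"time": datetime(2021, 3, 1, 15, 5), "device": "ws12",
     "rule": OFFICE_CHILD_PROCESS_RULE, "process": WORD},
]


def hour_bucket(t):
    """Truncate a timestamp to the start of its clock hour."""
    return t.replace(minute=0, second=0, microsecond=0)


def hourly_unique(events):
    """Collapse events to one per (hour, rule, process), keeping the earliest time.

    The devices folded into each surviving row are kept alongside it, which is
    the information the collapsed hunting view no longer shows.
    """
    folded = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (hour_bucket(ev["time"]), ev["rule"].lower(), ev["process"].lower())
        row = folded.setdefault(key, {"time": ev["time"], "rule": ev["rule"],
                                      "process": ev["process"], "devices": []})
        if ev["device"] not in row["devices"]:
            row["devices"].append(ev["device"])
    return sorted(folded.values(), key=lambda r: (r["time"], r["process"]))


if __name__ == "__main__":
    for row in hourly_unique(SAMPLE_EVENTS):
        print(f'{row["time"]:%Y-%m-%d %H:%M}  {row["process"]}  '
              f'({len(row["devices"])} devices folded into this row)')
```

The practical caveat is in the `devices` list: the collapsed hunting row says nothing about how many devices were affected, so size an audit-mode rollout from per-device data (event log or the device-level reports) rather than from a count of hunting rows.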

For more information about advanced hunting, see Proactively hunt for threats with advanced hunting.

Attack surface reduction features across Windows versions

You can set attack surface reduction rules for devices that are running any of the following editions and versions of Windows:

  • Windows 10 Pro, version 1709 or later
  • Windows 10 Enterprise, version 1709 or later
  • Windows Server, version 1803 (Semi-Annual Channel) or later

Although attack surface reduction rules don't require a Windows E5 license, if you have Windows E5, you get advanced management capabilities. These capabilities available only in Windows E5 include monitoring, analytics, and workflows available in Defender for Endpoint, as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with a Windows Professional or Windows E3 license; however, if you do have those licenses, you can use Event Viewer and Microsoft Defender Antivirus logs to review your attack surface reduction rule events.

Review attack surface reduction events in the Microsoft Defender Security Center

Defender for Endpoint provides detailed reporting for events and blocks as part of alert investigation scenarios.

You can query Defender for Endpoint data by using advanced hunting. If you're running audit mode, you can use advanced hunting to understand how attack surface reduction rules could affect your environment.

Here is an example query:

Review attack surface reduction events in Windows Event Viewer

You can review the Windows event log to view events generated by attack surface reduction rules:

  1. Download the Evaluation Package and extract the file cfa-events.xml to an easily accessible location on the device.
  2. Enter the words, Event Viewer, into the Start menu to open the Windows Event Viewer.
  3. Under Actions, select Import custom view....
  4. Select the file cfa-events.xml from where it was extracted. Alternatively, copy the XML directly.
  5. Select OK.

You can create a custom view that filters events to only show the following events, all of which are related to controlled folder access:

Event ID | Description
5007 | Event when settings are changed
1121 | Event when rule fires in Block-mode
1122 | Event when rule fires in Audit-mode

The 'engine version' listed for attack surface reduction events in the event log is generated by Defender for Endpoint, not by the operating system. Defender for Endpoint is integrated with Windows 10, so this feature works on all devices with Windows 10 installed.
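Once the custom view exists, the next step is turning audit-mode events into a go/no-go decision per rule, which is the workflow the "Audit mode for evaluation" section describes. The following is an added example (not Microsoft's code) that works over records in the shape of the three event IDs listed above and maps GUIDs to the rule names from this page's table. The record layout and the sample records are constructed for this example; a real collector would fill them from the Microsoft-Windows-Windows Defender/Operational log.

```python
"""Summarise attack surface reduction events from the Windows event log.

Added example, not Microsoft's code. Event IDs (5007 settings changed,
1121 block, 1122 audit) and rule GUIDs come from the page; the record
layout and sample records are constructed for this example.
"""
from collections import Counter

# Rule GUIDs and names from the page's rule table (lower-cased so either case matches).
RULE_NAMES = {
    "d4f940ab-401b-4efc-aadc-ad5f3c50688a": "Block all Office applications from creating child processes",
    "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2": "Block credential stealing from the Windows local security authority subsystem (lsass.exe)",
    "5beb7efe-fd9a-4556-801d-275e5ffc04cc": "Block execution of potentially obfuscated scripts",
    "d1e49aac-8f56-4280-b9ba-993a6d77406c": "Block process creations originating from PSExec and WMI commands",
}
SETTINGS_CHANGED, BLOCKED, AUDITED = 5007, 1121, 1122  # event IDs from the page

# Constructed sample log: what a fleet running rules in audit mode might produce.
SAMPLE_LOG = [
    {"id": AUDITED, "rule": "D4F940AB-401B-4EFC-AADC-AD5F3C50688A", "device": "ws01",
     "process": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "target": r"C:\LOB\ReportTool\export.exe"},
    {"id": AUDITED, "rule": "D4F940AB-401B-4EFC-AADC-AD5F3C50688A", "device": "ws02",
     "process": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "target": r"C:\LOB\ReportTool\export.exe"},
    {"id": AUDITED, "rule": "D4F940AB-401B-4EFC-AADC-AD5F3C50688A", "device": "ws03",
     "process": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Windows\System32\cmd.exe"},
    {"id": AUDITED, "rule": "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2", "device": "ws01",
     "process": r"C:\Program Files\Inventory\agent.exe",
     "target": r"C:\Windows\System32\lsass.exe"},
    {"id": BLOCKED, "rule": "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC", "device": "ws04",
     "process": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\Public\invoice.js"},
    {"id": SETTINGS_CHANGED, "rule": None, "device": "ws04", "process": None, "target": None},
]


def summarize(records):
    """Per rule: audit and block counts, affected devices and the (process, target) pairs seen."""
    per_rule = {}
    for rec in records:
        if rec["id"] not in (BLOCKED, AUDITED):
            continue  # 5007 carries no rule; keep it for a config-change audit trail if needed
        guid = rec["rule"].lower()
        row = per_rule.setdefault(guid, {"name": RULE_NAMES.get(guid, "unknown rule"),
                                         "audit": 0, "block": 0,
                                         "devices": set(), "targets": Counter()})
        row["audit" if rec["id"] == AUDITED else "block"] += 1
        row["devices"].add(rec["device"])
        row["targets"][(rec["process"], rec["target"])] += 1
    return per_rule


def would_block_if_enforced(summary):
    """Rules with audit hits: switching them to block mode will start blocking something."""
    return sorted(g for g, r in summary.items() if r["audit"] > 0)


def exclusion_candidates(summary, guid, min_hits=2):
    """(process, target) pairs a rule hit repeatedly in audit mode: review these before enforcing.

    Repeated hits from a known line-of-business path are exclusion candidates;
    a single hit on cmd.exe or lsass.exe is something to investigate, not exclude.
    """
    row = summary.get(guid.lower())
    if row is None:
        return []
    return [pair for pair, n in row["targets"].most_common() if n >= min_hits]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for guid in would_block_if_enforced(summary):
        row = summary[guid]
        print(f'{row["name"]}: {row["audit"]} audit hits on {len(row["devices"])} devices')
        for process, target in exclusion_candidates(summary, guid):
            print(f"  review for exclusion: {process} -> {target}")
```

Note that the LSASS rule's single audit hit from an inventory agent is the kind of event the rule's own note below describes (a process that merely enumerates LSASS): it shows up in this report for investigation, but the threshold keeps it out of the exclusion list.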

Attack surface reduction rules

The following table and subsections describe each of the 15 attack surface reduction rules. The attack surface reduction rules are listed in alphabetical order, by rule name.

If you are configuring attack surface reduction rules by using Group Policy or PowerShell, you'll need the GUIDs. On the other hand, if you use Microsoft Endpoint Manager or Microsoft Intune, you do not need the GUIDs.

Rule name | GUID | File & folder exclusions | Minimum OS supported
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b | Not supported | Windows 10, version 1903 (build 18362) or greater
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block Win32 API calls from Office macros | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater

Block Adobe Reader from creating child processes

This rule prevents attacks by blocking Adobe Reader from creating processes.

Through social engineering or exploits, malware can download and launch payloads, and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector is prevented from spreading.

This rule was introduced in:

Intune name: Process creation from Adobe Reader (beta)

Configuration Manager name: Not yet available

GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c

Block all Office applications from creating child processes

This rule blocks Office apps from creating child processes. Office apps include Word, Excel, PowerPoint, OneNote, and Access.

Creating malicious child processes is a common malware strategy. Malware that abuses Office as a vector often runs VBA macros and exploit code to download and attempt to run more payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings.

This rule was introduced in:

Intune name: Office apps launching child processes

Configuration Manager name: Block Office application from creating child processes

GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A

Block credential stealing from the Windows local security authority subsystem

This rule helps prevent credential stealing by locking down the Local Security Authority Subsystem Service (LSASS).

LSASS authenticates users who sign in on a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.

Note

In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is NO need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.

This rule was introduced in:

Intune name: Flag credential stealing from the Windows local security authority subsystem

Configuration Manager name: Block credential stealing from the Windows local security authority subsystem

GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2

Block executable content from email client and webmail

This rule blocks the following file types from launching from email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers:

  • Executable files (such as .exe, .dll, or .scr)
  • Script files (such as a PowerShell .ps, Visual Basic .vbs, or JavaScript .js file)

This rule was introduced in:

Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)

Microsoft Endpoint Manager name: Block executable content from email client and webmail

GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550

Note

The rule Block executable content from email client and webmail has the following alternative descriptions, depending on which application you use:

  • Intune (Configuration Profiles): Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions).
  • Endpoint Manager: Block executable content download from email and webmail clients.
  • Group Policy: Block executable content from email client and webmail.

Block executable files from running unless they meet a prevalence, age, or trusted list criterion

This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list:

  • Executable files (such as .exe, .dll, or .scr)

Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious.

Important

You must enable cloud-delivered protection to use this rule.

The rule Block executable files from running unless they meet a prevalence, age, or trusted list criterion with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. This rule uses cloud-delivered protection to update its trusted list regularly.

You can specify individual files or folders (using folder paths or fully qualified resource names), but you can't specify which rules the exclusions apply to.

This rule was introduced in:

Intune name: Executables that don't meet a prevalence, age, or trusted list criteria

Configuration Manager name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria

GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25

Block execution of potentially obfuscated scripts

This rule detects suspicious properties within an obfuscated script.

Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software.

This rule was introduced in:

Intune name: Obfuscated js/vbs/ps/macro code

Configuration Manager name: Block execution of potentially obfuscated scripts

GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC

Block JavaScript or VBScript from launching downloaded executable content

This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet.

Although not common, line-of-business applications sometimes use scripts to download and launch installers.

This rule was introduced in:

Intune name: js/vbs executing payload downloaded from Internet (no exceptions)

Configuration Manager name: Block JavaScript or VBScript from launching downloaded executable content

GUID: D3E037E1-3EB8-44C8-A917-57927947596D

Block Office applications from creating executable content

This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk.

Malware that abuses Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique.

This rule was introduced in:

  • System Center Configuration Manager (SCCM) CB 1710 (SCCM is now Microsoft Endpoint Configuration Manager)

Intune name: Office apps/macros creating executable content

SCCM name: Block Office applications from creating executable content

GUID: 3B576869-A4EC-4529-8536-B80A7769E899

Block Office applications from injecting code into other processes

This rule blocks code injection attempts from Office apps into other processes.

Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process.

There are no known legitimate business purposes for using code injection.

This rule applies to Word, Excel, and PowerPoint.

This rule was introduced in:

Intune name: Office apps injecting code into other processes (no exceptions)

Configuration Manager name: Block Office applications from injecting code into other processes

GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84

Block Office communication application from creating child processes

This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions.


This rule protects against social engineering attacks and prevents exploiting code from abusing vulnerabilities in Outlook. It also protects against Outlook rules and forms exploits that attackers can use when a user's credentials are compromised.

Note

This rule applies to Outlook and Outlook.com only.

This rule was introduced in:

Intune name: Process creation from Office communication products (beta)

Configuration Manager name: Not available

GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869

Block persistence through WMI event subscription

This rule prevents malware from abusing WMI to attain persistence on a device.

Important

File and folder exclusions don't apply to this attack surface reduction rule.

Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.

This rule was introduced in:

Intune name: Not available

Configuration Manager name: Not available

GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b

Block process creations originating from PSExec and WMI commands

This rule blocks processes created through PsExec and WMI from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization's network.

Warning

Only use this rule if you're managing your devices with Intune or another MDM solution. This rule is incompatible with management through Microsoft Endpoint Configuration Manager because this rule blocks WMI commands the Configuration Manager client uses to function correctly.

This rule was introduced in:

Intune name: Process creation from PSExec and WMI commands

Configuration Manager name: Not applicable

GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c

Block untrusted and unsigned processes that run from USB

With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include executable files (such as .exe, .dll, or .scr).

This rule was introduced in:

Intune name: Untrusted and unsigned processes that run from USB

Configuration Manager name: Block untrusted and unsigned processes that run from USB

GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4

Block Win32 API calls from Office macros

This rule prevents VBA macros from calling Win32 APIs.

Office VBA enables Win32 API calls. Malware can abuse this capability, such as calling Win32 APIs to launch malicious shellcode without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.

This rule was introduced in:

Intune name: Win32 imports from Office macro code

Configuration Manager name: Block Win32 API calls from Office macros

GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B

Use advanced protection against ransomware

This rule provides an extra layer of protection against ransomware. It uses both client and cloud heuristics to determine whether a file resembles ransomware. This rule does not block files that have one or more of the following characteristics:

  • The file has already been found to be unharmful in the Microsoft cloud.
  • The file is a valid signed file.
  • The file is prevalent enough to not be considered as ransomware.

The rule tends to err on the side of caution to prevent ransomware.

Note

You must enable cloud-delivered protection to use this rule.

This rule was introduced in:

Intune name: Advanced ransomware protection

Configuration Manager name: Use advanced protection against ransomware

GUID: c1db55ab-c21a-4637-bb3f-a12568109d35

See also