Exploit Guard
Exploit Guard is a built-in security feature in Windows 10 and 11 that helps protect against various types of cyberattacks and malware. It provides a set of intrusion prevention capabilities designed to lock down the device against attack vectors and block common malware behaviors. It balances the needs of security and productivity, offering several configurable options to tailor protection levels.
Key components of Exploit Guard:
Attack Surface Reduction (ASR):
A collection of controls to prevent malware from getting onto a system by blocking threats from Office files, scripts, and emails. It can be configured to block or audit specific file types and activities.
Network Protection:
Protects endpoints against web-based threats by blocking outbound traffic to untrusted hosts and IP addresses. It leverages Windows Defender SmartScreen to identify and block malicious websites.
Controlled Folder Access:
Protects sensitive data from ransomware by preventing unauthorized processes from accessing protected folders. Users can specify which folders to protect and which applications are allowed to access them.
Exploit Protection:
Mitigates the exploitation of system processes and applications. It uses various techniques like Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Force ASLR to make it harder for attackers to execute malicious code.
How it works:
Exploit Guard proactively monitors system and application behavior for suspicious activities.
It uses a combination of rules, signatures, and heuristics to detect and block potential attacks.
Administrators can customize protection settings using Group Policy or Microsoft Endpoint Manager.
Benefits:
Enhanced security: Helps protect against a wide range of threats, including zero-day exploits and ransomware.
Improved productivity: Allows for flexibility in tailoring protection levels to balance security and productivity needs.
Integrated with Windows Security: Seamlessly integrates with the Windows Security app for easy management and monitoring.
Overall, Exploit Guard is a valuable tool for enhancing the security of Windows systems. Its various components work together to provide a layered defense against malware and exploits. It offers flexibility and customization options, allowing administrators to tailor protection levels to the specific needs of their organization.
Attack Surface Reduction (ASR)
Attack Surface Reduction (ASR) is a set of security features within Microsoft Defender for Endpoint that aims to minimize the avenues through which threats can enter a system or network. By blocking specific behaviors commonly exploited by malware, ASR enhances an organization's overall security posture.
Key Principles:
Behavior-based Protection: ASR focuses on blocking activities often associated with malware, such as executing files from untrusted locations or creating suspicious processes.
Configurable Rules: ASR offers a range of pre-defined rules that administrators can enable or disable, allowing customization based on their specific environment and risk tolerance.
Layered Security: ASR complements other security measures like antivirus and firewall, providing an additional layer of protection against evolving threats.
How it Works:
Rule Selection: Administrators choose from various ASR rules based on their organization's needs.
Behavior Monitoring: ASR continuously monitors system activities for actions matching configured rules.
Blocking or Auditing: When a match occurs, ASR can either block the activity entirely or log it for further analysis (audit mode).
Notifications: ASR can be configured to send notifications to administrators when suspicious activities are detected or blocked.
Benefits:
Prevention of Common Attacks: ASR effectively thwarts numerous malware infection vectors, including malicious Office macros, script-based attacks, and email-borne threats.
Protection Against Zero-Day Exploits: By targeting generic malicious behaviors rather than specific malware signatures, ASR can protect against previously unknown threats.
Reduced Risk of Ransomware: ASR can prevent ransomware from encrypting files by blocking common techniques used for lateral movement and file modification.
Enhanced Incident Visibility: ASR provides valuable insights into potential attack attempts, aiding incident investigation and response.
Limitations:
Potential for False Positives: Some legitimate applications might exhibit behaviors targeted by ASR rules, leading to occasional disruptions.
Requires Careful Configuration: To avoid hindering productivity, administrators must thoroughly test and adjust ASR rules to suit their environment.
Network Protection
Network Protection, a component of Windows Defender Exploit Guard, provides an additional layer of security by preventing devices from connecting to known malicious hosts and IP addresses on the internet. It leverages threat intelligence from Microsoft Defender SmartScreen to identify and block potentially harmful connections, thus reducing the attack surface and protecting against web-based threats.
How it Works:
Threat Intelligence: Network Protection taps into the vast database of Microsoft Defender SmartScreen, which continuously monitors websites and downloads for malicious activity.
Real-Time Protection: When a user attempts to access a potentially harmful website or download a malicious file, Network Protection compares the destination against the SmartScreen database.
Blocking or Warning: If the destination is flagged as malicious, Network Protection can either block the connection entirely or display a warning to the user, depending on the configuration.
Reporting: Administrators can monitor blocked connections and review reports to identify potential threats and adjust network protection settings as needed.
Benefits:
Protection Against Web-Based Threats: Network Protection helps shield against phishing attacks, malware downloads, and other threats originating from the internet.
Prevention of Data Exfiltration: It can block attempts to send sensitive data to malicious servers.
Reduced Risk of Drive-by Downloads: Network Protection helps prevent unintentional downloads of malware that can occur when visiting compromised websites.
Enhanced Incident Visibility: By logging blocked connections, it provides valuable insights into potential attack attempts.
Configuration Options:
Block or Warn: Administrators can choose whether to block connections to known malicious destinations or simply display a warning to the user.
Custom Block Lists: Administrators can create custom lists of websites and IP addresses to be blocked, in addition to those identified by SmartScreen.
Exclusions: Certain websites or IP addresses can be excluded from Network Protection if necessary.
Limitations:
Relies on Threat Intelligence: The effectiveness of Network Protection depends on the accuracy and up-to-date nature of the threat intelligence used by SmartScreen.
Cannot Block All Threats: While effective against known threats, it may not be able to detect and block all new or emerging threats.
Controlled Folder Access (CFA)
Controlled Folder Access (CFA) is a security feature within Microsoft Defender Exploit Guard designed to protect sensitive data from unauthorized access and modification, particularly by ransomware and other malicious software. It acts as a shield for your valuable files and folders, preventing unknown or untrusted applications from making changes to them.
How it Works:
Protected Folders: CFA monitors a set of pre-defined folders that typically contain important data, such as Documents, Pictures, Videos, Desktop, and Favorites. Administrators can also add custom folders to the protected list.
Allowed Apps: CFA maintains a list of trusted applications that are allowed to access and modify files within the protected folders. These are usually well-known and reputable programs.
Blocking Unauthorized Access: When an application that is not on the allowed list attempts to modify a file in a protected folder, CFA blocks the action. This prevents ransomware and other malicious software from encrypting or deleting your files.
Notifications: CFA provides notifications when an unauthorized access attempt is blocked, giving you visibility into potential threats.
Benefits:
Protection Against Ransomware: CFA is highly effective in preventing ransomware attacks, as it stops malicious software from encrypting your files.
Prevention of Unauthorized Changes: CFA ensures that only trusted applications can modify files in protected folders, preventing accidental or malicious changes by other programs.
Enhanced Security for Sensitive Data: CFA adds an extra layer of protection for your most valuable data, giving you peace of mind.
Easy to Configure and Manage: CFA is integrated into Windows Security, making it easy to enable, disable, and configure.
Limitations:
Potential for False Positives: CFA may sometimes block legitimate applications from accessing protected folders. In such cases, you can add the application to the allowed list.
Limited Protection Scope: CFA only protects folders that are explicitly added to the protected list. It does not protect files or folders outside of these designated areas.
Exploit Protection (EP)
Exploit Protection (EP) is a crucial component of Microsoft Defender Exploit Guard that provides an additional layer of security by mitigating the risk of software vulnerabilities being exploited. It functions as a built-in Intrusion Prevention System (IPS) in Windows 10 and 11, offering a range of exploit mitigation techniques to harden applications and system processes against common attack vectors.
Key Features:
System-level Mitigations: EP applies security measures across the entire operating system to deter widespread exploitation techniques.
Application-specific Mitigations: EP allows customization of mitigations for individual applications, tailoring protection to their specific vulnerabilities.
Import/Export Configuration: EP configurations can be easily exported as XML files, simplifying deployment across multiple devices.
Integration with Audit Mode: EP can be configured in audit mode to assess the impact of mitigations on application compatibility before enforcement.
How it Works:
Mitigation Selection: Administrators choose from various exploit mitigation techniques like Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), Control Flow Guard (CFG), and more.
Rule Configuration: Mitigations can be configured for specific applications or system-wide, depending on the desired level of protection.
Real-time Monitoring: EP continuously monitors the behavior of applications and processes for signs of exploitation attempts.
Mitigation Enforcement: When a potential exploit is detected, EP enforces the configured mitigations to block the attack.
Benefits:
Protection Against Zero-Day Exploits: EP helps protect against previously unknown vulnerabilities by focusing on generic exploitation techniques.
Enhanced Application Security: EP significantly strengthens the security of applications and system processes, making them more resistant to compromise.
Reduced Risk of Malware Infection: By blocking common exploitation paths, EP helps prevent malware from gaining a foothold on the system.
Improved Incident Visibility: EP provides detailed logs of blocked exploitation attempts, aiding in incident investigation and response.
Limitations:
Potential for Compatibility Issues: Some older or poorly designed applications might not function correctly with certain mitigations enabled.
Not a Substitute for Patching: EP should not be considered a replacement for timely software updates and patching, which are essential for addressing known vulnerabilities.
Attack Surface Reduction (ASR) Rules
"Block abuse of exploited vulnerable signed drivers"
The Attack Surface Reduction (ASR) rule is designed to prevent a specific type of cyberattack where malicious actors exploit vulnerabilities in legitimate, digitally signed drivers to gain unauthorized access to a system.
Driver Verification: The rule actively monitors attempts to load kernel drivers into the system. It scrutinizes the digital signature of each driver to ensure its authenticity and integrity.
Vulnerability Detection: The rule cross-references the driver against a database of known vulnerable signed drivers. This database is maintained and updated by Microsoft to include drivers that have been identified as potential attack vectors.
Blocking Malicious Drivers: If a driver is found to be both vulnerable and signed, the rule immediately blocks its loading into the system. This prevents the attacker from exploiting the driver's vulnerabilities to escalate privileges, inject malicious code, or perform other harmful actions.
Logging and Reporting: The rule logs all blocked attempts to load vulnerable signed drivers. This information can be used by security teams to identify potential threats, investigate incidents, and improve their overall security posture.
"Block Adobe Reader from creating child processes"
The Attack Surface Reduction (ASR) rule is designed to mitigate a specific attack vector where malicious actors exploit vulnerabilities in Adobe Reader to execute malicious code.
Process Monitoring: The rule continuously monitors the behavior of Adobe Reader when it is running on the system. It specifically focuses on any attempts by Adobe Reader to create child processes.
Child Process Creation: In normal operation, Adobe Reader might create child processes for various legitimate reasons, such as rendering PDF documents, managing plugins, or handling updates. However, attackers can also leverage this functionality to launch malicious code disguised as a child process.
Rule Enforcement: When Adobe Reader attempts to create a child process, the ASR rule immediately intervenes. Depending on the configured action (block or audit), the rule either terminates the child process creation or logs the event for further analysis.
Protection Against Exploits: By preventing Adobe Reader from spawning child processes, the rule effectively blocks a wide range of exploits that rely on this mechanism. This includes exploits that inject malicious code into other processes, download additional malware, or execute arbitrary commands.
Logging and Reporting: When the rule is configured in audit mode, it logs all attempts by Adobe Reader to create child processes. This information can be used by security teams to assess the impact of the rule on legitimate workflows, identify potential threats, and fine-tune their security configurations.
"Block all Office applications from creating child processes"
The Attack Surface Reduction (ASR) rule is a security measure designed to prevent a broad range of attacks that leverage Microsoft Office applications to execute malicious code.
Process Monitoring: The rule actively monitors all running Microsoft Office applications, including Word, Excel, PowerPoint, Outlook, and others. It specifically focuses on any attempts by these applications to create child processes.
Child Process Creation: In normal operation, Office applications might create child processes for various legitimate reasons, such as rendering documents, executing macros, or interacting with external components. However, attackers can also misuse this functionality to launch malicious code disguised as a child process.
Rule Enforcement: When an Office application attempts to create a child process, the ASR rule immediately intervenes. Depending on the configured action (block or audit), the rule either terminates the child process creation entirely or logs the event for further analysis.
Protection Against Exploits: By preventing Office applications from spawning child processes, the rule effectively blocks a wide range of exploits that rely on this mechanism. This includes exploits that:
Inject malicious code into other processes
Download and execute additional malware
Exploit vulnerabilities in Office components or plugins
Bypass security measures by running code in a separate process
Logging and Reporting: When the rule is configured in audit mode, it logs all attempts by Office applications to create child processes. This information can be used by security teams to assess the impact of the rule on legitimate workflows, identify potential threats, and fine-tune their security configurations.
"Block credential stealing from the Windows local security authority subsystem (lsass.exe)"
The Attack Surface Reduction (ASR) rule is a critical security feature designed to protect sensitive user credentials and prevent unauthorized access. It specifically targets a common attack vector where malicious actors attempt to steal credentials by directly accessing the lsass.exe process memory.
LSASS Protection: The Local Security Authority Subsystem Service (LSASS) is a crucial Windows process responsible for managing authentication and authorization. It stores sensitive user credentials in its memory, making it a prime target for attackers.
Process Access Monitoring: The ASR rule continuously monitors attempts to access the lsass.exe process memory. It specifically looks for suspicious behavior that might indicate a credential theft attempt.
OpenProcess Restriction: The rule focuses on a specific Windows API function called OpenProcess, which is often used by malicious software to gain access to the lsass.exe process memory. When a process tries to use OpenProcess with the intent to read the lsass.exe memory, the rule intervenes.
Blocking Unauthorized Access: If the requesting process is not deemed trustworthy, the ASR rule blocks its attempt to access the lsass.exe memory. This prevents attackers from extracting sensitive credentials, such as usernames, passwords, or hash values.
Protection Against Credential Dumping Tools: Many credential theft attacks involve using specialized tools that dump the contents of the lsass.exe memory. By blocking direct access to lsass.exe, this rule effectively mitigates the effectiveness of such tools.
Logging and Reporting: When the rule is configured in audit mode, it logs all attempts to access the lsass.exe memory. This information can be used by security teams to identify potential threats, investigate incidents, and fine-tune their security configurations.
"Block executable content from email client and webmail"
The Attack Surface Reduction (ASR) rule is a security measure designed to prevent a common attack vector where malicious actors send executable files disguised as attachments or links in emails. This rule specifically targets email clients like Microsoft Outlook and webmail services like Gmail or Yahoo Mail.
File Type Detection: The rule actively monitors emails received through email clients and webmail for attachments or links that contain executable content. It focuses on common executable file types like .exe, .dll, .bat, .cmd, .js, .vbs, .ps1, and others.
Content Analysis: In addition to file type detection, the rule might also employ content analysis techniques to identify potentially malicious files, even if they have non-executable extensions or are embedded within other file types.
Blocking or Auditing: When an email is found to contain executable content, the rule takes action based on its configuration. In block mode, it prevents the user from opening, running, or downloading the executable file. In audit mode, it logs the event for further analysis but does not block the file.
Protection Against Malicious Attachments: This rule is particularly effective against phishing emails that contain malicious attachments disguised as invoices, resumes, or other seemingly harmless files. By preventing the execution of these attachments, the rule significantly reduces the risk of malware infection.
Prevention of Drive-by Downloads: The rule also helps prevent drive-by downloads, where simply visiting a website or clicking on a link in an email can trigger the download and execution of malicious code.
Logging and Reporting: When the rule is configured in audit mode, it logs all instances where executable content is detected in emails. This information can be used by security teams to assess the effectiveness of the rule, identify potential threats, and fine-tune their security configurations.
"Block executable files from running unless they meet a prevalence, age, or trusted list criterion"
The Attack Surface Reduction (ASR) rule is designed to prevent the execution of potentially harmful executable files based on their reputation and trust level. It leverages Microsoft Defender's cloud-based intelligence to assess the safety of files before allowing them to run.
File Execution Monitoring: The rule actively monitors attempts to execute executable files on the system. This includes files with extensions like .exe, .dll, .bat, .cmd, .ps1, and others.
Reputation Check: When an executable file is about to be run, the rule performs a real-time check against Microsoft Defender's cloud protection service. This service maintains a vast database of file reputation information based on various factors, including:
Prevalence: How widespread the file is across different systems and environments.
Age: How long the file has been in circulation.
Trusted List Inclusion: Whether the file is included in a list of trusted applications maintained by Microsoft or the organization.
Evaluation of Trust Level: Based on the reputation check, the rule determines whether the executable file is considered trustworthy. The following criteria are used:
High Prevalence: Files that are commonly used and found on many systems are generally considered safe.
Older Age: Files that have been around for a while without causing harm are more likely to be legitimate.
Trusted List Inclusion: Files explicitly listed as trusted by Microsoft or the organization are allowed to run.
Blocking or Allowing Execution: If the executable file meets the trust criteria, it is allowed to run normally. However, if the file is deemed untrustworthy (low prevalence, recent creation, or not on the trusted list), the rule blocks its execution.
User Notifications (Optional): Depending on the configuration, the rule can notify the user when an executable file is blocked, explaining the reason and providing options to override the block if necessary.
"Block execution of potentially obfuscated scripts"
The Attack Surface Reduction (ASR) rule is a security measure designed to prevent the execution of scripts that have been intentionally obscured to evade detection by traditional security tools.
Script Execution Monitoring: The rule actively monitors attempts to execute scripts on the system, regardless of the scripting language used (e.g., PowerShell, JavaScript, VBScript). It specifically focuses on scripts that exhibit characteristics of obfuscation.
Obfuscation Detection: Obfuscation refers to techniques used to make code difficult to read and understand. This can include:
Encoding: Transforming characters into a different format.
Encryption: Scrambling the code to make it unreadable without a decryption key.
Packing: Compressing the code to reduce its size and complexity.
Randomization: Renaming variables, functions, or strings to make them less recognizable.
Heuristic Analysis: The rule employs various heuristic techniques to detect obfuscation. This can include analyzing the script's structure, complexity, entropy (randomness), and the presence of known obfuscation patterns.
Blocking or Auditing: When a script is identified as potentially obfuscated, the rule takes action based on its configuration. In block mode, it prevents the script from executing. In audit mode, it logs the event for further analysis but does not block the script.
Antimalware Scan Interface (AMSI) Integration: The rule often leverages the AMSI, a Windows interface that allows security products to scan the content of scripts before execution. This enables the rule to detect obfuscation even if the script is initially encoded or encrypted.
"Block JavaScript or VBScript from launching downloaded executable content"
The Attack Surface Reduction (ASR) rule is a security measure designed to prevent a specific type of attack where malicious actors use scripts to download and execute malware on a system.
Script Execution Monitoring: The rule actively monitors the execution of JavaScript or VBScript files on the system. These scripting languages are often used in web browsers, email clients, and other applications.
Download Detection: The rule specifically focuses on scripts that attempt to download files from the internet. It analyzes the script's code to identify any commands or functions that initiate downloads.
Executable File Identification: After a download is initiated, the rule analyzes the downloaded file to determine if it is an executable file. This includes files with common executable extensions like .exe, .dll, .bat, .cmd, .ps1, and others.
Blocking or Auditing: If a script attempts to download and launch an executable file, the rule takes action based on its configuration. In block mode, it prevents the executable file from running. In audit mode, it logs the event for further analysis but does not block the file.
Protection Against Malicious Scripts: This rule is particularly effective against scripts that are embedded in websites or attached to emails. These scripts might appear harmless, but they can silently download and execute malware without the user's knowledge.
Mitigation of Drive-by Downloads: The rule also helps prevent drive-by downloads, where simply visiting a website or clicking on a link can trigger the download and execution of malicious code.
Logging and Reporting: When the rule is configured in audit mode, it logs all instances where scripts attempt to download and launch executable files. This information can be used by security teams to assess the effectiveness of the rule, identify potential threats, and fine-tune their security configurations.
"Block Office applications from creating executable content"
The Attack Surface Reduction (ASR) rule is a security measure designed to prevent Microsoft Office applications (such as Word, Excel, and PowerPoint) from generating executable files on a system. This proactive approach aims to mitigate the risk of malicious code execution through a common attack vector.
Process Monitoring: The rule actively monitors all running Microsoft Office applications and scrutinizes their behaviors for any attempts to create executable files.
Executable Content Creation: In typical usage, Office applications do not create executable files. However, certain features, such as macros or embedded objects, can potentially be exploited to generate executable content.
Rule Enforcement: If an Office application attempts to create an executable file, the ASR rule immediately intervenes. Depending on the configured action (block or audit), the rule either prevents the file from being created or logs the event for further analysis. The rule identifies executable files by their extensions, such as .exe, .dll, .bat, .cmd, .ps1, etc.
Protection Against Malicious Payloads: This rule is particularly effective against documents containing embedded malicious code or macros designed to download and execute malware. By preventing the creation of executable files, the rule significantly reduces the risk of malware infections.
Mitigation of Zero-Day Exploits: The rule is not dependent on specific signatures or patterns of known malware. Instead, it focuses on the generic behavior of creating executable content, making it effective against zero-day vulnerabilities that may be used to generate malicious files.
Logging and Reporting: When the rule is configured in audit mode, it logs all instances where Office applications attempt to create executable content. This data is invaluable for security teams to assess the rule's impact on legitimate workflows, identify potential threats, and fine-tune their security policies.
"Block Office applications from injecting code into other processes"
The Attack Surface Reduction (ASR) rule is a security mechanism designed to thwart a specific attack technique commonly used by malicious actors. This technique involves exploiting vulnerabilities in Microsoft Office applications to inject malicious code into other running processes. The goal of such attacks is to bypass security measures, escalate privileges, or maintain persistence on a compromised system.
Process Injection Monitoring: The ASR rule actively monitors all running Microsoft Office applications, including Word, Excel, PowerPoint, and Outlook. It specifically looks for any attempts by these applications to inject code into other processes.
Code Injection Techniques: There are several ways an attacker might inject code into a process:
DLL Injection: A malicious DLL is loaded into the target process's address space.
Process Hollowing: The legitimate code of a process is replaced with malicious code.
Thread Execution Hijacking: The execution flow of a thread within a process is altered to execute malicious code.
Remote Thread Creation: A new thread is created in the target process to execute malicious code.
Rule Enforcement: When an Office application attempts to inject code into another process, the ASR rule immediately intervenes. Depending on the configured action (block or audit), the rule either terminates the code injection attempt or logs the event for further analysis.
Protection Against Malicious Code Execution: By preventing code injection, the rule effectively stops malicious code from running within other processes. This protects the system from various threats, such as malware, ransomware, and unauthorized access.
Mitigation of Zero-Day Exploits: The rule is not dependent on specific signatures or patterns of known malware. Instead, it focuses on the generic behavior of code injection, making it effective against zero-day vulnerabilities that may be used to inject malicious code.
Logging and Reporting: When the rule is configured in audit mode, it logs all instances where Office applications attempt to inject code into other processes. This information is invaluable for security teams to assess the rule's impact on legitimate workflows, identify potential threats, and fine-tune their security policies.
"Block Office communication application from creating child processes"
The Attack Surface Reduction (ASR) rule is a security measure designed to prevent Microsoft Office communication applications (primarily Outlook and Teams) from creating child processes. This proactive approach aims to mitigate the risk of malicious code execution through a common attack vector.
Process Monitoring: The rule actively monitors Microsoft Outlook and Teams processes for any attempts to create child processes.
Child Process Creation: In their normal operation, Outlook and Teams may create child processes for various legitimate reasons, such as rendering email content, handling attachments, or managing communication sessions. However, attackers can exploit this functionality to launch malicious code disguised as a child process.
Rule Enforcement: When Outlook or Teams attempts to create a child process, the ASR rule immediately intervenes. Depending on the configured action (block or audit), the rule either terminates the child process creation entirely or logs the event for further analysis.
Protection Against Malicious Payloads: This rule is particularly effective against emails containing malicious attachments or links that, when clicked, attempt to exploit vulnerabilities in Outlook or Teams to execute malicious code. By preventing the creation of child processes, the rule significantly reduces the risk of malware infections.
Mitigation of Zero-Day Exploits: The rule is not dependent on specific signatures or patterns of known malware. Instead, it focuses on the generic behavior of child process creation, making it effective against zero-day vulnerabilities that may be used to inject malicious code.
Logging and Reporting: When the rule is configured in audit mode, it logs all instances where Office communication applications attempt to create child processes. This data is invaluable for security teams to assess the rule's impact on legitimate workflows, identify potential threats, and fine-tune their security policies.
"Block persistence through WMI event subscription"
The Attack Surface Reduction (ASR) rule is a security measure designed to prevent a specific type of attack where malicious actors use the Windows Management Instrumentation (WMI) event subscription mechanism to maintain persistent access to a system.
WMI Event Subscription Monitoring: WMI is a powerful Windows administration framework that allows for event-based actions. Attackers can misuse this feature by creating permanent WMI event subscriptions that trigger the execution of malicious code whenever specific events occur, such as system startup or user login.
Suspicious Subscription Detection: The ASR rule actively monitors the creation and modification of WMI event subscriptions. It looks for patterns and characteristics that indicate potentially malicious intent. This can include:
Subscriptions that trigger the execution of scripts or executables.
Subscriptions that are linked to unusual events or conditions.
Subscriptions created by unknown or untrusted processes.
Rule Enforcement: When a suspicious WMI event subscription is detected, the rule takes action based on its configuration. In block mode, it prevents the subscription from being created or modified. In audit mode, it logs the event for further analysis but does not block the subscription.
Protection Against Persistence: By preventing the creation or modification of malicious WMI event subscriptions, the rule effectively disrupts the attacker's ability to maintain a persistent presence on the system. This significantly reduces the risk of ongoing compromise and data exfiltration.
Logging and Reporting: When the rule is configured in audit mode, it logs all instances of suspicious WMI event subscriptions. This information can be used by security teams to assess the effectiveness of the rule, identify potential threats, and fine-tune their security configurations.
"Block process creations originating from PSExec and WMI commands"
The Attack Surface Reduction (ASR) rule is designed to prevent unauthorized remote code execution on a system. It specifically targets two common tools used for remote administration and lateral movement in a network: PSExec and WMI.
Process Creation Monitoring: The rule actively monitors attempts to create new processes on the system. It focuses on processes that are initiated through PSExec or WMI commands.
PSExec and WMI Detection: PSExec is a lightweight telnet-replacement that allows for remote command execution on other systems. WMI (Windows Management Instrumentation) is a Windows administration feature that can also be used for remote execution. The rule analyzes the process creation events to determine if they originated from PSExec or WMI commands.
Blocking Unauthorized Execution: When a process creation attempt is identified as originating from PSExec or WMI, the rule intervenes. It blocks the execution of the process, preventing the potential execution of unauthorized or malicious code.
Protection Against Lateral Movement: This rule is particularly effective against attackers who use PSExec or WMI to move laterally within a network after gaining initial access to a system. By blocking these tools, the rule hinders the attacker's ability to spread within the network and compromise additional systems.
Logging and Reporting: When the rule is configured in audit mode, it logs all instances of process creation attempts originating from PSExec or WMI. This information can be used by security teams to assess the rule's impact on legitimate administrative tasks, identify potential threats, and fine-tune their security configurations.
"Block rebooting machine in Safe Mode"
The Attack Surface Reduction (ASR) rule is a security measure designed to prevent malicious actors from exploiting Safe Mode to bypass security software and gain unauthorized access to a system.
Safe Mode Monitoring: The rule actively monitors attempts to reboot the machine into Safe Mode. Safe Mode is a diagnostic mode that starts Windows with a limited set of drivers and services, often disabling security software and other protections.
Command Detection: The rule focuses on detecting specific commands and actions that initiate a reboot into Safe Mode. This includes commands executed through the Command Prompt, PowerShell, or other system tools.
Rule Enforcement: When a reboot into Safe Mode is initiated, the rule takes action based on its configuration. In block mode, it prevents the system from booting into Safe Mode, keeping the machine in normal mode with full security protections enabled. In audit mode, it logs the event for further analysis but does not prevent the reboot.
Protection Against Malicious Access: By preventing reboots into Safe Mode, the rule blocks a common tactic used by attackers to disable security software, tamper with system settings, or install malicious software.
Logging and Reporting: When the rule is configured in audit mode, it logs all attempts to reboot the machine into Safe Mode. This information can be used by security teams to assess the rule's impact on legitimate troubleshooting scenarios, identify potential threats, and fine-tune their security configurations.
"Block untrusted and unsigned processes that run from USB"
The Attack Surface Reduction (ASR) rule is designed to prevent the execution of potentially malicious executable files originating from USB removable drives, including SD cards. This rule aims to mitigate the risk of malware infections and unauthorized code execution via USB devices.
Process Origin Monitoring: The rule actively monitors processes that are initiated from USB drives. It specifically examines the properties of executable files attempting to run.
Trustworthiness Evaluation: The rule assesses the trustworthiness of executable files based on two primary criteria:
Signing: It checks if the file is digitally signed by a trusted publisher. Digital signatures are used to verify the authenticity and integrity of software, ensuring it hasn't been tampered with.
Reputation: It assesses the file's reputation based on its prevalence and known behavior. This is determined using Microsoft Defender's cloud protection service, which maintains a vast database of file reputation information.
Rule Enforcement: If an executable file from a USB drive is unsigned or has a low reputation score, the rule intervenes. Depending on the configured action (block or audit), it either prevents the file from running or logs the event for further analysis.
Protection Against Malicious Files: This rule effectively blocks the execution of various types of malicious files, including:
Executable files (.exe, .dll, etc.)
Scripts (.ps1, .vbs, .js, etc.)
Other potentially harmful file types (.scr, etc.)
Prevention of Unauthorized Code Execution: By blocking untrusted and unsigned processes, the rule prevents unauthorized code from running on the system. This can help mitigate the risk of malware infections, data breaches, and other security incidents.
Logging and Reporting: When the rule is configured in audit mode, it logs all instances where untrusted and unsigned processes attempt to run from USB drives. This information is crucial for security teams to assess the rule's impact on legitimate workflows, identify potential threats, and fine-tune their security policies.
"Block use of copied or impersonated system tools"
The Attack Surface Reduction (ASR) rule is a security feature designed to prevent malicious actors from utilizing a common tactic where they copy or disguise legitimate Windows system tools to evade detection and gain unauthorized access or privileges.
System Tool Identification: The rule maintains a list of known Windows system tools, such as cmd.exe, powershell.exe, wscript.exe, and others. It also leverages heuristics and machine learning algorithms to identify potential copies or impersonations of these tools based on their behavior, file properties, and digital signatures.
Real-time Monitoring: The rule continuously monitors the system for attempts to execute executable files that resemble or match known system tools. This includes monitoring process creation, file access, and other relevant activities.
Comparison and Analysis: When an executable file is identified as a potential copy or impersonation of a system tool, the rule performs a detailed analysis. It compares the file's characteristics with those of the genuine system tool, looking for discrepancies in file size, hash values, digital signatures, and other attributes.
Blocking or Auditing: If the analysis reveals that the executable file is likely a copy or impersonation of a system tool, the rule takes action based on its configuration. In block mode, it prevents the file from executing, effectively thwarting the attacker's attempt. In audit mode, it logs the event for further investigation but does not block the execution.
Protection Against Malicious Use: By preventing the execution of copied or impersonated system tools, the rule helps mitigate several types of attacks, including:
Living-off-the-Land Attacks: Where attackers use legitimate system tools for malicious purposes to avoid detection.
Privilege Escalation: Where attackers use modified system tools to gain elevated privileges on the system.
Lateral Movement: Where attackers use copied system tools to spread across a network and compromise other systems.
Logging and Reporting: When the rule is configured in audit mode, it logs all instances where copied or impersonated system tools are detected. This information is valuable for security teams to assess the rule's effectiveness, identify potential threats, and fine-tune their security configurations.
"Block Webshell creation for Servers"
The Attack Surface Reduction (ASR) rule is a security measure designed to protect servers from a specific type of attack involving the creation of webshells. Webshells are malicious scripts or programs uploaded to a web server that allow attackers to remotely control the server and execute commands.
File Creation Monitoring: The rule actively monitors file creation events on the server, particularly in web server directories and folders that are typically used to store web content (e.g., websites, web applications).
Webshell Pattern Detection: The rule utilizes various techniques to identify files that exhibit characteristics of webshells. This includes:
File Extensions: Webshells often have specific file extensions associated with web scripting languages (e.g., .asp, .aspx, .php, .jsp).
Content Analysis: The rule analyzes the content of newly created files for patterns commonly found in webshells, such as code that allows remote command execution, file uploads, or database access.
Behavior Analysis: The rule might also monitor the behavior of processes that create or modify files in web server directories, looking for suspicious activities that could indicate webshell creation.
Blocking or Auditing: When a file is identified as a potential webshell, the rule takes action based on its configuration. In block mode, it prevents the file from being created or modified, effectively preventing the webshell from being deployed. In audit mode, it logs the event for further analysis but does not block the file creation.
Protection Against Remote Control: By preventing the creation of webshells, the rule significantly reduces the risk of attackers gaining unauthorized remote control of the server. This protects against various malicious activities, such as:
Data theft
Website defacement
Denial of service attacks
Further malware deployment
Logging and Reporting: When the rule is configured in audit mode, it logs all instances of potential webshell creation. This information can be used by security teams to assess the rule's effectiveness, identify potential threats, and fine-tune their security configurations.
"Block Win32 API calls from Office macros"
The Attack Surface Reduction (ASR) rule is a security measure designed to prevent malicious code execution from within Microsoft Office documents. It specifically targets a common attack vector where threat actors embed malicious macros in Word, Excel, or PowerPoint files, and these macros attempt to leverage Win32 API calls for nefarious purposes.
Macro Execution Monitoring: When a user opens an Office document containing a macro, the ASR rule actively monitors the macro's execution within the Office application's sandboxed environment.
Win32 API Call Detection: The rule focuses on detecting any attempts by the macro to call functions from the Win32 API (Application Programming Interface). The Win32 API provides a wide range of functions for interacting with the Windows operating system, including file operations, network communication, and process manipulation.
Rule Enforcement: If the macro attempts to make a Win32 API call, the rule immediately intervenes. Depending on the configured action, the rule either:
Blocks: Prevents the Win32 API call from executing, effectively terminating the macro and preventing any potential malicious actions.
Audits: Allows the Win32 API call to proceed but logs the event for further analysis by security teams.
Protection Against Malicious Macros: By blocking or auditing Win32 API calls from Office macros, the rule effectively mitigates the risk of the following:
Malware Download: Macros that attempt to download and execute malware from the internet.
Process Injection: Macros that attempt to inject malicious code into other running processes.
Ransomware Execution: Macros that attempt to encrypt files or systems for ransom.
Data Exfiltration: Macros that try to steal sensitive information from the system.
Logging and Reporting: When the rule is configured in audit mode, it logs all instances where macros attempt to make Win32 API calls. This data is invaluable for security teams to assess the rule's effectiveness, identify potentially malicious documents, and fine-tune their security policies.
"Use advanced protection against ransomware"
The Attack Surface Reduction (ASR) rule is a multi-faceted security measure in Microsoft Defender for Endpoint designed to proactively protect systems from various ransomware attack vectors and behaviors. It combines several existing ASR rules and leverages cloud-based intelligence to provide comprehensive defense against this prevalent threat.
Controlled Folder Access: This core component of the rule enables Controlled Folder Access (CFA), which safeguards designated folders from unauthorized modifications by untrusted applications. It creates a protective barrier around critical data, preventing ransomware from encrypting or altering files in these locations.
Behavior Monitoring: The rule continuously monitors system activities for behaviors commonly associated with ransomware, such as:
Mass encryption of files
Modification of boot configuration data
Attempts to delete shadow copies (backup versions of files)
Suspicious process creation patterns
Unusual network activity
Cloud-Based Intelligence: The rule leverages Microsoft Defender's cloud protection service to access up-to-date threat intelligence and machine learning models. This allows it to detect and block even new and unknown ransomware variants based on their behavior rather than relying solely on signatures.
Real-Time Protection: When a behavior indicative of ransomware is detected, the rule takes immediate action to block the threat. This can include terminating malicious processes, preventing file encryption, or restoring affected files from shadow copies.
Integration with Other ASR Rules: The "Use advanced protection against ransomware" rule combines several other ASR rules, such as:
Block process creations originating from PSExec and WMI commands
Block untrusted and unsigned processes that run from USB
Block executable files from running unless they meet a prevalence, age, or trusted list criterion
Exploit Protection (EP)
Exploit Protection (EP) in Microsoft Defender for Endpoint offers a wide range of mitigation techniques to protect systems against various types of exploits. These techniques are divided into two categories: system-level mitigations and application-specific mitigations.
System-Level Mitigations:
Arbitrary Code Guard (ACG): Protects against code injection attacks by preventing the execution of arbitrary code in memory.
Block Remote Images: Prevents the loading of executable content from remote sources, mitigating the risk of downloading and executing malicious code.
Block Untrusted Fonts: Restricts the loading of untrusted fonts, which can be exploited to execute code due to parsing vulnerabilities.
Data Execution Prevention (DEP): Marks certain areas of memory as non-executable, preventing code injection attacks.
Export Address Filtering (EAF): Restricts the functions that can be exported from a DLL, making it harder for attackers to hijack legitimate functions.
Forced Address Space Layout Randomization (ASLR): Randomizes the location of code and data in memory, making it more difficult for attackers to predict memory addresses for exploitation.
Import Address Filtering (IAF): Validates imported functions to ensure they come from trusted modules.
Validate API Invocations (CallerCheck): Checks the integrity of return addresses to prevent stack corruption attacks.
Validate Exception Chains (SEHOP): Ensures the integrity of exception handling structures to prevent stack-based buffer overflow attacks.
Application-Specific Mitigations:
Control Flow Guard (CFG): Helps enforce control flow integrity by ensuring that indirect calls only reach valid destinations.
Use StrictHandleExceptions: Prevents handles from being closed if an exception occurs, potentially protecting against use-after-free vulnerabilities.
Terminate On Heap Corruption: Terminates a process if heap corruption is detected.
Simulate Execution (SimExec): Detects and prevents exploits that rely on manipulating the flow of execution by simulating code execution.
Additional Mitigations:
Block Low Integrity Images: Prevents the loading of executable content from low-integrity processes.
Block Non-Microsoft Signed Binaries: Blocks the execution of binaries that are not signed by Microsoft.
Audit Non-System Fonts: Logs events when non-system fonts are loaded.
Arbitrary Code Guard (ACG)
Arbitrary Code Guard (ACG) is a powerful exploit mitigation technique implemented within Exploit Protection (EP), a component of Microsoft Defender for Endpoint. ACG's primary function is to prevent the execution of arbitrary code in memory, thus hardening applications against code injection attacks commonly used by malware.
Memory Protection: ACG enforces strict memory permissions, ensuring that executable code can only originate from trusted sources. It prevents any attempt to dynamically allocate or modify memory regions as executable unless they are explicitly backed by a legitimate executable file (e.g., .exe, .dll).
Code Integrity Checks: Before executing any code, ACG verifies that it originates from a trusted and signed image file. This prevents attackers from injecting malicious code into a running process or modifying existing code to alter its behavior.
Prevention of Dynamic Code Generation: ACG also blocks the dynamic generation of executable code within a process. This includes techniques like just-in-time (JIT) compilation, which some applications use to optimize performance by converting code into native machine code at runtime. While JIT compilation can be legitimate, it can also be exploited by attackers to inject and execute malicious code.
Compatibility Considerations: ACG's strict memory protection can sometimes cause compatibility issues with applications that rely on dynamic code generation or modification. To address this, EP allows administrators to create exceptions for specific applications or processes that require such functionality.
Benefits:
Protection Against Code Injection Attacks: ACG effectively mitigates a wide range of code injection attacks, including those that exploit vulnerabilities in software or inject malicious code through compromised processes.
Enhanced Application Security: By preventing the execution of arbitrary code, ACG significantly strengthens the security of applications and system processes, making them more resistant to compromise.
Mitigation of Zero-Day Exploits: ACG can protect against zero-day vulnerabilities that exploit code injection techniques, as it focuses on preventing the execution of arbitrary code rather than relying on specific exploit signatures.
Limitations:
Potential Compatibility Issues: As mentioned earlier, ACG can cause problems with applications that require dynamic code generation or modification. Careful configuration and testing are essential to ensure that critical applications function correctly with ACG enabled.
Limited Scope: ACG primarily focuses on preventing code injection attacks. It does not address other types of exploits, such as those that target memory corruption vulnerabilities or logic flaws in software.
Block Remote Images
The Exploit Protection (EP) mitigation technique "Block Remote Images" is a security measure designed to prevent the loading of executable content from remote devices. This helps protect systems from attacks where malicious code is hosted on external devices or network shares and attempts to execute within the local system's memory.
Image Loading Monitoring: The mitigation constantly monitors attempts to load executable images (e.g., .exe, .dll files) into a process's memory space. It specifically focuses on images originating from remote locations, such as network shares, removable drives, or web servers.
Remote Image Detection: The mitigation determines whether an image is considered "remote" based on its source path. If the path points to a location outside the local system's file system, the image is flagged as remote.
Blocking Mechanism: When a remote image is detected, the mitigation prevents it from being loaded into memory. It achieves this by intercepting the system call that maps the image file into the process's address space, returning an error code (STATUS_ACCESS_DENIED) that prevents the image from executing.
Protection Against Remote Code Execution: By blocking remote images, the mitigation effectively thwarts a wide range of attacks that rely on executing code from external sources. This includes:
Remote Download and Execute: Malware that downloads malicious code from a remote server and attempts to run it on the victim's system.
Malicious USB Drives: Infected USB drives that contain malware that automatically executes when plugged into a system.
Network-Based Exploits: Attacks that exploit vulnerabilities in network services to inject and execute code remotely.
Compatibility Considerations: Blocking remote images can sometimes interfere with legitimate applications that load resources from remote locations. To address this, EP allows administrators to create exceptions for specific applications or processes that require this functionality.
Benefits:
Protection Against Remote Code Execution: This mitigation significantly reduces the risk of attacks that exploit vulnerabilities by executing code from remote sources.
Enhanced Security for Networked Environments: In environments where systems are connected to networks or frequently use removable drives, this mitigation provides an additional layer of protection against external threats.
Mitigation of Zero-Day Exploits: This mitigation can be effective against zero-day exploits that attempt to execute code from remote locations, as it focuses on blocking the execution method rather than relying on specific exploit signatures.
Limitations:
Not a Complete Solution: While this mitigation is effective against a specific type of attack, it does not protect against other potential threats, such as malicious code that is already present on the system or attacks that exploit vulnerabilities in applications without loading remote images.
Requires Careful Configuration: Blocking remote images can disrupt the functionality of some legitimate applications. Administrators must carefully configure exceptions to ensure that critical applications can still function correctly.
Block Untrusted Fonts
The Exploit Protection (EP) mitigation technique "Block Untrusted Fonts" is designed to enhance system security by preventing the loading and processing of untrusted font files. This mitigation is crucial because font parsing vulnerabilities have been historically exploited by malicious actors to execute arbitrary code on a system.
Font Loading Restriction: The technique restricts the Graphics Device Interface (GDI), a core Windows component responsible for rendering graphics and text, from loading any font files that are not located in the system's designated fonts directory (%windir%\Fonts).
Trust Verification: When an application attempts to load a font file, GDI verifies the file's location. If the font resides within the trusted system fonts directory, it is allowed to load. However, if the font is located elsewhere, such as in a user's downloads folder or a temporary directory, GDI refuses to load it.
Prevention of Font Parsing Vulnerabilities: By preventing the loading of untrusted fonts, this technique effectively mitigates the risk of exploiting vulnerabilities in font parsing libraries. These vulnerabilities could allow attackers to execute arbitrary code when a specially crafted font file is processed.
Protection Against Remote and Local Attacks: The mitigation protects against both remote attacks (e.g., font files embedded in websites or emails) and local attacks (e.g., font files manually installed by a user).
Compatibility Considerations: In some cases, legitimate applications might require loading fonts from non-standard locations. To address this, administrators can configure exceptions or whitelists to allow specific applications or directories to bypass the restriction.
Logging and Auditing: The "Block Untrusted Fonts" technique can be configured to log events whenever an attempt is made to load an untrusted font. This logging provides valuable security information, allowing administrators to monitor for potential threats and adjust their security policies accordingly.
Benefits:
Enhanced System Security: By preventing the exploitation of font parsing vulnerabilities, this technique significantly reduces the attack surface of the system.
Protection Against Zero-Day Exploits: Font parsing vulnerabilities can be exploited even before patches are available. This mitigation offers protection against such zero-day attacks.
Improved Resilience Against Malicious Documents: Many attacks involve embedding malicious fonts in documents or websites. This technique helps prevent such attacks by blocking the execution of untrusted font files.
Limitations:
Potential for False Positives: Legitimate applications might be affected if they require loading fonts from non-standard locations. Careful configuration is needed to minimize such disruptions.
Not a Complete Solution: While this technique effectively addresses a specific attack vector, it does not protect against other types of exploits or vulnerabilities. It should be used in conjunction with other security measures, such as antivirus software, firewalls, and regular software updates.
Data Execution Prevention (DEP)
Data Execution Prevention (DEP) is a security feature integrated into Windows operating systems that helps protect against malicious code execution by preventing code from running in memory regions that are specifically designated for data. It acts as a barrier between data and executable code, making it significantly more difficult for attackers to exploit vulnerabilities and inject malicious code into a system's memory.
Memory Separation: DEP divides a system's memory into two distinct types:
Non-executable: These regions are intended solely for storing data, such as variables, strings, and other information.
Executable: These regions are reserved for legitimate executable code, such as program instructions.
Hardware and Software Enforcement: DEP utilizes both hardware and software mechanisms to enforce this memory separation.
Hardware-enforced DEP (NX bit): Modern CPUs have a feature called the "NX bit" (No-eXecute bit), which allows the operating system to mark specific memory pages as non-executable.
Software-enforced DEP: In the absence of hardware support, Windows uses software-based techniques to emulate DEP functionality.
Protection Against Code Injection: When an application attempts to execute code from a non-executable memory region, DEP detects this anomaly and triggers an exception, terminating the process. This prevents attackers from injecting malicious code into a data area and then tricking the system into executing it.
Protection Against Buffer Overflows: DEP also protects against buffer overflow vulnerabilities, where an attacker sends more data to a program than it can handle, causing the excess data to overwrite adjacent memory locations. By marking certain memory areas as non-executable, DEP prevents the attacker's code from running even if it successfully overwrites the buffer.
Compatibility Considerations: While DEP is enabled by default for essential Windows programs and services, some older or legacy applications might not be compatible with DEP. In such cases, administrators can configure DEP exceptions for specific applications or processes.
Benefits:
Protection Against Malicious Code Execution: DEP significantly reduces the risk of malware and exploits that rely on code injection techniques.
Enhanced System Security: By enforcing memory separation and preventing code execution in non-executable regions, DEP strengthens the overall security posture of the system.
Mitigation of Zero-Day Exploits: DEP can be effective against zero-day exploits that attempt to inject and execute code in memory, as it provides a generic defense mechanism against this attack vector.
Limitations:
Not a Complete Solution: DEP is not a foolproof security measure. Attackers can develop techniques to bypass DEP or exploit vulnerabilities that do not rely on code injection.
Compatibility Issues: Some older applications might not function correctly with DEP enabled. Careful configuration is needed to ensure compatibility with legacy software.
Export Address Filtering (EAF)
Export Address Filtering (EAF) is an exploit mitigation technique implemented in Exploit Protection (EP), a component of Microsoft Defender for Endpoint. It specifically targets a common attack vector where malicious code scans the Export Address Table (EAT) of loaded modules to locate and utilize useful functions for their exploits.
EAT Protection: The Export Address Table (EAT) is a data structure within a Windows Dynamic-Link Library (DLL) that lists the functions the DLL exports, along with their memory addresses. Malicious code, especially shellcode, often iterates through the EAT to find specific functions within modules like ntdll.dll, kernel32.dll, and kernelbase.dll that they can exploit.
Memory Page Guarding: EAF applies PAGE_GUARD protection to the memory page within the export directory that contains the EAT. This protection essentially acts as a tripwire.
Exception Handling: When any code attempts to access this guarded memory page, it triggers a STATUS_GUARD_PAGE_VIOLATION exception. EAF's exception handler then analyzes the origin of the access attempt.
Legitimate vs. Malicious Access:
If the access comes from legitimate code within the module itself, the exception is handled gracefully, and execution continues as normal.
If the access originates from shellcode or other potentially malicious code outside the module, the exception is not handled, and the malicious process is terminated.
Benefits:
Protection Against Shellcode Attacks: EAF effectively mitigates a wide range of shellcode attacks that rely on scanning the EAT to locate functions for exploitation.
Enhanced System Security: By protecting the EAT, EAF makes it significantly more difficult for attackers to execute malicious code and gain unauthorized access to a system.
Low Performance Impact: EAF has a minimal impact on system performance because it only triggers when the guarded memory page is accessed, and the exception handling process is efficient.
Limitations:
Limited Scope: EAF only protects the EAT of specific modules (ntdll.dll, kernel32.dll, and kernelbase.dll by default). Attackers might still find ways to exploit other modules or use alternative techniques that don't involve scanning the EAT.
Potential for Bypass: While EAF is effective, determined attackers might discover ways to bypass it, such as by directly calculating function addresses instead of relying on the EAT.
Forced Address Space Layout Randomization (ASLR)
Forced Address Space Layout Randomization (ASLR) is a powerful exploit mitigation technique implemented in Exploit Protection (EP), a component of Microsoft Defender for Endpoint. It significantly enhances the security of a system by randomizing the memory addresses of key data areas of a process, making it significantly more difficult for attackers to exploit vulnerabilities.
Address Space Randomization: ASLR is based on the concept of randomizing the base address of executable modules (EXE and DLL files) when they are loaded into memory. This means that the location of code, data, and other structures within a module will vary each time the module is loaded, making it harder for attackers to predict memory addresses.
Forced Rebasing: While many modern applications and system components already have ASLR enabled by default, older applications might not. Forced ASLR in Exploit Protection goes a step further by forcefully rebasing all DLLs within a process, even those that were not compiled with ASLR support. This ensures that all modules within a process are randomized, regardless of their original compilation settings.
Protection Against Memory Corruption Exploits: Many exploits rely on knowing the exact memory addresses of specific code or data within a target process. For example, a buffer overflow attack might attempt to overwrite a specific function's return address on the stack to redirect execution flow to malicious code. ASLR makes such attacks much more difficult because the attacker can no longer reliably predict the target address.
Enhanced Randomization: To further increase security, Forced ASLR can be combined with another EP mitigation technique called "Randomize Memory Allocations (Bottom-up ASLR)." This technique randomizes the location of heap memory allocations, adding another layer of unpredictability to the memory layout.
Compatibility Considerations: While ASLR is generally safe and compatible with most applications, some older or poorly designed applications might have issues with the forced rebasing of DLLs. Exploit Protection allows administrators to create exceptions for specific applications if necessary.
Benefits:
Protection Against Memory Corruption Exploits: Forced ASLR significantly reduces the risk of successful memory corruption exploits, such as buffer overflows, use-after-free, and other attacks that rely on predictable memory layouts.
Enhanced System Security: By randomizing memory addresses, Forced ASLR strengthens the overall security posture of the system, making it much harder for attackers to exploit vulnerabilities.
Mitigation of Zero-Day Exploits: ASLR can be effective against zero-day exploits that attempt to exploit memory corruption vulnerabilities, as it introduces a level of randomness that makes exploitation more difficult.
Limitations:
Not a Complete Solution: While ASLR is a powerful mitigation technique, it is not a foolproof solution. Attackers can still employ various techniques to bypass ASLR, such as information leaks or brute-force attacks.
Potential Compatibility Issues: In some rare cases, Forced ASLR might cause compatibility issues with older applications that rely on fixed memory addresses.
Import Address Filtering (IAF)
Import Address Filtering (IAF) is a powerful exploit mitigation technique implemented within Exploit Protection (EP), a component of Microsoft Defender for Endpoint. IAF focuses on protecting the integrity of a process's Import Address Table (IAT) to prevent malicious code from tampering with it and executing unauthorized actions.
IAT Protection: The Import Address Table (IAT) is a crucial data structure within a Windows executable file (EXE) or dynamic-link library (DLL) that stores the addresses of functions imported from other modules. These functions are essential for the program's operation, enabling it to interact with the operating system and other libraries.
Memory Page Guarding: IAF applies PAGE_GUARD protection to the memory pages containing the IAT of loaded modules. This protection acts as a tripwire, triggering an exception whenever an attempt is made to write to these guarded pages.
Exception Handling: When a write attempt to the IAT occurs, the IAF exception handler meticulously analyzes the source of the access:
Legitimate Access: If the write operation originates from the module's own code (e.g., during dynamic linking), the exception is handled gracefully, and the execution proceeds as normal.
Malicious Access: If the write attempt comes from external code (e.g., injected shellcode), the exception is not handled, and the malicious process is terminated.
Protection Against IAT Hooking: IAT hooking is a common technique used by malware to hijack legitimate function calls. By modifying the addresses stored in the IAT, attackers can redirect execution to their malicious code. IAF effectively prevents this type of attack by blocking unauthorized modifications to the IAT.
Benefits:
Protection Against IAT Hooking: IAF significantly mitigates the risk of malicious code tampering with the IAT to hijack function calls and execute unauthorized actions.
Enhanced Application Security: By protecting the integrity of the IAT, IAF strengthens the overall security of applications and system processes, making them more resistant to compromise.
Low Performance Impact: IAF has a negligible impact on system performance because it only triggers when a write attempt to the IAT occurs, and the exception handling process is efficient.
Limitations:
Not a Universal Solution: While IAF is effective against IAT hooking, it doesn't protect against other types of exploits that don't involve modifying the IAT, such as memory corruption vulnerabilities or code injection techniques that target other areas of a process.
Potential for Bypass: Determined attackers might find ways to bypass IAF, such as by directly modifying the in-memory representation of the IAT without triggering the PAGE_GUARD protection.
Compatibility Note:
Import Address Filtering (IAF) is not compatible with .NET 2.0 due to the way .NET applications load and execute code. If .NET 2.0 is enabled on a system, using IAF is not recommended.
Validate API Invocations (CallerCheck)
Validate API Invocations (CallerCheck) is an exploit mitigation technique in Exploit Protection (EP), a feature within Microsoft Defender for Endpoint. It is specifically designed to defend against a class of attacks known as Return-Oriented Programming (ROP).
ROP Attacks: ROP is an advanced exploitation technique where attackers chain together short sequences of existing code, called "gadgets," to perform malicious actions. These gadgets typically end with a return instruction (RET), allowing attackers to manipulate the program's control flow and execute their desired code.
Sensitive API Monitoring: CallerCheck focuses on monitoring calls to sensitive Win32 APIs that are commonly used in ROP attacks, such as:
LoadLibraryA, LoadLibraryW, LoadLibraryExA, LoadLibraryExW, LdrLoadDll (for loading libraries)
VirtualAlloc, VirtualAllocEx, NtAllocateVirtualMemory (for memory allocation)
VirtualProtect, VirtualProtectEx, NtProtectVirtualMemory (for changing memory protections)
HeapCreate (for creating heaps)
Return Address Validation: When one of these sensitive APIs is called, CallerCheck intercepts the call and inspects the return address that has been passed to the function. This return address indicates where the program should resume execution after the API call is completed.
Heuristic Disassembly: CallerCheck performs a heuristic disassembly of the code leading up to the return address. It looks for a valid CALL instruction that would have called the API function with the correct parameters. This analysis helps determine if the return address is legitimate or has been manipulated by an attacker.
Blocking Malicious Calls: If CallerCheck determines that the return address is invalid or suspicious, it can block the API call, preventing the ROP attack from progressing.
Benefits:
Protection Against ROP Attacks: CallerCheck is a powerful tool for mitigating ROP attacks, which can be challenging to detect and prevent using traditional signature-based methods.
Enhanced Application Security: By validating API calls and blocking malicious ones, CallerCheck significantly strengthens the security of applications and system processes, making them more resistant to compromise.
Low Performance Impact: CallerCheck is designed to have a minimal impact on system performance, as it only intercepts and analyzes calls to specific sensitive APIs.
Limitations:
Not a Complete Solution: CallerCheck is not a silver bullet for ROP attacks. Determined attackers may still find ways to bypass it, such as by crafting ROP gadgets that evade the heuristic analysis.
Focused on Specific APIs: CallerCheck only protects against ROP attacks that target the monitored Win32 APIs. Other types of exploits that don't rely on these APIs may not be detected.
Structured Exception Handler Overwrite Protection (SEHOP)
Structured Exception Handler Overwrite Protection (SEHOP), is an exploit mitigation technique in Windows operating systems. It protects against a class of attacks that exploit vulnerabilities in how programs handle exceptions.
Exception Handling: When an error or unusual condition occurs in a program (like dividing by zero or accessing invalid memory), it raises an exception. Structured Exception Handling (SEH) is a mechanism that allows the program to gracefully handle these exceptions and potentially recover from the error.
Exception Chain: In SEH, each function in the program can register its own exception handler. These handlers form a linked list called the exception chain. When an exception occurs, the operating system walks through this chain, starting from the most recently registered handler, until it finds one that can handle the exception.
SEH Overwrite Exploitation: Attackers can exploit vulnerabilities in programs to overwrite entries in the exception chain. This allows them to redirect the flow of execution to their own malicious code when an exception occurs.
SEHOP Protection: SEHOP introduces a security cookie at the end of the exception chain. Before an exception handler is called, SEHOP verifies that the cookie is intact. If the cookie has been modified, it indicates that the exception chain has been tampered with, and SEHOP terminates the program.
Benefits:
Protection Against SEH Overwrite Attacks: SEHOP effectively mitigates a wide range of SEH overwrite attacks, preventing attackers from hijacking program execution through corrupted exception chains.
Enhanced Application Security: By protecting the integrity of exception chains, SEHOP strengthens the security of applications and system processes, making them more resistant to compromise.
Mitigation of Zero-Day Exploits: SEHOP can be effective against zero-day exploits that attempt to exploit SEH overwrite vulnerabilities, as it provides a generic defense mechanism against this type of attack.
Limitations:
Limited Scope: SEHOP only protects against attacks that target SEH. It does not protect against other types of exploits that don't involve exception handling mechanisms.
Compatibility Issues: Some older applications or software libraries might not be compatible with SEHOP due to the way they handle exceptions. In such cases, administrators can disable SEHOP for specific applications or processes if necessary.
Control Flow Guard (CFG)
Control Flow Guard (CFG) is an exploit mitigation technique implemented within Exploit Protection (EP), a component of Microsoft Defender for Endpoint. It is specifically designed to protect against a class of vulnerabilities known as control-flow hijacking attacks, which are often exploited by malware.
Indirect Call Target Validation: CFG focuses on verifying the integrity of indirect calls within a program. Indirect calls are those where the target address of the call is determined at runtime, rather than being explicitly encoded in the program's instructions. These calls are often used for legitimate purposes, such as calling virtual functions or dynamically loaded functions. However, attackers can exploit vulnerabilities to manipulate these calls and redirect the program's execution flow to malicious code.
Control Flow Integrity (CFI): CFG enforces a strict policy of control flow integrity by ensuring that indirect calls only reach valid destinations. It does this by building a bitmap at compile time that represents all valid indirect call targets within the program. At runtime, whenever an indirect call is made, CFG checks the target address against this bitmap. If the target address is not found in the bitmap, the call is deemed invalid and blocked, preventing the potential execution of malicious code.
Performance Optimization: CFG is designed to be highly optimized for performance. It uses a compact bitmap representation and efficient validation algorithms to minimize overhead and ensure that the protection does not significantly impact the application's performance.
Compiler and Linker Integration: CFG requires cooperation from both the compiler and the linker to function properly. The compiler adds special metadata to the program's binary file that describes the layout of the indirect call targets. The linker then uses this metadata to build the CFG bitmap and enforce the CFI policy at runtime.
Benefits:
Protection Against Control-Flow Hijacking Attacks: CFG effectively mitigates a wide range of control-flow hijacking attacks, including those that exploit vulnerabilities in software or manipulate return addresses on the stack.
Enhanced Application Security: By enforcing control flow integrity, CFG significantly strengthens the security of applications and system processes, making them more resistant to compromise.
Mitigation of Zero-Day Exploits: CFG can protect against zero-day vulnerabilities that exploit control-flow hijacking techniques, as it provides a generic defense mechanism against this type of attack.
Limitations:
Requires Compiler and Linker Support: CFG can only be applied to programs that have been compiled and linked with CFG support enabled. Older programs or those compiled with incompatible compilers may not be protected by CFG.
Not a Complete Solution: CFG is not a silver bullet for all types of attacks. It focuses on protecting against control-flow hijacking attacks and does not address other vulnerabilities, such as memory corruption issues that could be exploited using techniques like data-only attacks.
Use StrictHandleExceptions
The Exploit Protection (EP) mitigation technique "Use StrictHandleExceptions" is designed to enhance the security of applications by preventing the closing of handles when an exception occurs. This is important because certain types of vulnerabilities, such as use-after-free vulnerabilities, can be exploited by malicious actors when handles are prematurely closed.
Handle Management: In Windows, handles are used to represent references to system resources, such as files, network connections, and processes. When an application no longer needs a resource, it should close the associated handle to release the resource back to the system.
Exception Handling: Exceptions are events that occur during the execution of a program that disrupt the normal flow of instructions. These events can be caused by errors, such as division by zero, or by unexpected conditions, such as invalid user input. When an exception occurs, the program can either handle it gracefully or crash.
Strict Handle Exception Behavior: When "Use StrictHandleExceptions" is enabled, the system modifies the default behavior of exception handling. If an exception occurs within a function or block of code that opened a handle, the system will not allow the handle to be closed until the exception has been fully handled. This means that even if the code attempts to close the handle using the CloseHandle function, the handle will remain open until the exception handling process is complete.
Protection Against Use-After-Free Vulnerabilities: Use-after-free vulnerabilities occur when a program frees a block of memory but continues to use the corresponding handle. Attackers can exploit these vulnerabilities by manipulating the freed memory region and causing the program to execute malicious code. By preventing the premature closing of handles, "Use StrictHandleExceptions" makes it more difficult for attackers to exploit use-after-free vulnerabilities.
Compatibility Considerations: Enabling "Use StrictHandleExceptions" can potentially introduce compatibility issues with some applications. Certain programs might rely on the ability to close handles immediately after an exception occurs. If you encounter compatibility issues, you can disable this mitigation for specific applications or processes.
Benefits:
Protection Against Use-After-Free Vulnerabilities: This mitigation significantly reduces the risk of exploitation of use-after-free vulnerabilities, a common class of security flaws.
Enhanced Application Security: By preventing the premature closing of handles, the mitigation strengthens the overall security of applications, making them more resilient to attacks.
Limitations:
Limited Scope: This mitigation only addresses vulnerabilities related to handle closing during exception handling. It does not protect against other types of vulnerabilities or exploits.
Potential Compatibility Issues: Some applications might not function correctly with this mitigation enabled. Careful configuration and testing are required to ensure compatibility.
Terminate On Heap Corruption
The Exploit Protection (EP) mitigation technique "Terminate On Heap Corruption" is a proactive defense mechanism designed to enhance the security of applications and the operating system by immediately terminating processes that exhibit heap corruption.
Heap Monitoring: The heap is a dynamic memory region used by applications to allocate and deallocate memory during runtime. Heap corruption occurs when a program writes data beyond the boundaries of an allocated heap block, potentially overwriting adjacent memory locations. This can lead to crashes, instability, and, in the worst-case scenario, allow an attacker to execute arbitrary code.
Corruption Detection: The "Terminate On Heap Corruption" mitigation continuously monitors the heap for signs of corruption. It does this by employing various techniques, such as:
Guard Pages: Placing special "guard pages" at the end of heap allocations. Any attempt to write beyond the allocated space triggers an access violation, allowing the mitigation to detect the corruption.
Heap Metadata Checks: Verifying the integrity of internal heap structures and metadata that track the allocation and usage of memory blocks. Inconsistencies in this metadata can indicate corruption.
Process Termination: When the mitigation detects heap corruption, it takes decisive action by immediately terminating the affected process. This prevents the corruption from spreading and potentially causing further damage to the system.
Logging and Reporting: The mitigation logs the event of heap corruption detection and process termination. This information is crucial for security teams to analyze the cause of the corruption, identify potential vulnerabilities in applications, and take corrective measures.
Benefits:
Protection Against Heap-Based Exploits: Many exploits target heap corruption vulnerabilities to gain control of a system. By promptly terminating processes that exhibit heap corruption, this mitigation prevents such attacks from succeeding.
Enhanced Application Stability: Heap corruption can lead to unexpected crashes and instability in applications. Terminating the affected process helps prevent these issues and improves the overall reliability of the software.
Protection Against Zero-Day Exploits: This mitigation can be effective against zero-day exploits that target heap vulnerabilities, as it detects the resulting corruption regardless of the specific exploit technique used.
Limitations:
Potential for Disruptions: In rare cases, legitimate applications might trigger false positives due to unusual memory usage patterns. This could lead to the unexpected termination of critical processes. Administrators can configure exceptions for specific applications or processes to avoid such disruptions.
Limited Scope: The mitigation focuses specifically on heap corruption. It does not protect against other types of vulnerabilities, such as stack buffer overflows or integer overflows.
Simulate Execution (SimExec)
Simulate Execution (SimExec) is an exploit mitigation technique in Exploit Protection (EP), specifically designed for 32-bit applications. It aims to detect and prevent exploits that manipulate the normal flow of execution within a program, particularly those that use Return Oriented Programming (ROP).
Call Interception: SimExec intercepts calls to sensitive APIs (Application Programming Interfaces) within the targeted application. These are functions commonly used by attackers to manipulate the program's execution flow.
Assembly Code Simulation: Instead of directly executing the intercepted API call, SimExec simulates its execution by walking through the encoded assembly language instructions. The simulation tracks the program counter and register values, mimicking the behavior of the actual execution.
Return Address Validation: During the simulation, SimExec pays particular attention to the RET (return) instruction. This instruction is crucial in determining where the program should resume execution after the API call. SimExec validates whether the RET instruction points back to a legitimate caller function within the application's code.
Call Instruction Verification: SimExec also analyzes the code before the RET instruction to find the corresponding CALL instruction that initiated the API call. It then verifies that the CALL instruction and the RET instruction match, ensuring that the return path is valid and hasn't been tampered with.
Blocking Malicious Calls: If SimExec detects an inconsistency between the CALL and RET instructions or finds that the RET instruction points to a suspicious location, it considers the API call malicious and blocks it. This prevents the exploit from manipulating the program's execution flow and performing unauthorized actions.
Benefits:
Protection Against ROP Attacks: SimExec is highly effective in mitigating ROP exploits, which can be difficult to detect using traditional signature-based methods.
Enhanced Application Security: By validating the integrity of API calls and preventing malicious execution flow manipulations, SimExec significantly strengthens the security of 32-bit applications.
Low Performance Impact: SimExec has a minimal impact on system performance, as it only simulates the execution of specific API calls rather than the entire program.
Limitations:
Limited to 32-Bit Applications: SimExec is only applicable to 32-bit applications and does not work with 64-bit processes.
Potential for False Positives: In rare cases, SimExec might misinterpret legitimate API calls as malicious, leading to false positives and potential application crashes.
Not a Complete Solution: While SimExec effectively addresses ROP attacks, it does not protect against other types of exploits that manipulate program execution flow in different ways.
Block Low Integrity Images
The Exploit Protection (EP) mitigation technique "Block Low Integrity Images" is a security measure designed to prevent the execution of untrusted code by blocking the loading of executable files marked with low integrity levels.
Integrity Levels: In Windows, processes and files are assigned integrity levels to indicate their trustworthiness. These levels range from Low to System, with higher levels representing greater trust. Processes with low integrity are often associated with untrusted or potentially malicious activities, such as those originating from the internet or unknown sources.
Image Loading Monitoring: The "Block Low Integrity Images" mitigation actively monitors attempts to load executable images (EXE, DLL) into memory. It specifically checks the integrity level associated with the image file being loaded.
Blocking Mechanism: If the integrity level of the executable image is determined to be low, the mitigation prevents it from being loaded into memory. This is achieved by intercepting the system call that maps the image file into the process's address space, returning an error code that blocks the image from executing.
Protection Against Untrusted Code: By blocking low integrity images, the mitigation effectively prevents the execution of potentially malicious code that originates from untrusted sources. This includes:
Downloaded executables from the internet
Files from untrusted network shares
Attachments from suspicious emails
Code injected by malware
Compatibility Considerations: Blocking low integrity images might interfere with some legitimate applications that are designed to run with lower privileges. Administrators can create exceptions for specific applications or processes if necessary.
Benefits:
Protection Against Untrusted Code Execution: This mitigation significantly reduces the risk of executing malicious code that originates from untrusted sources, thus preventing potential system compromise.
Enhanced Security for Low-Privileged Processes: By blocking the loading of low integrity images, the mitigation helps prevent attackers from exploiting vulnerabilities in low-privileged processes to gain a foothold in the system.
Mitigation of Zero-Day Exploits: The mitigation can be effective against zero-day exploits that attempt to execute code with low integrity, as it provides a generic defense mechanism against this attack vector.
Limitations:
Not a Complete Solution: While this mitigation is effective against a specific type of attack, it does not protect against other potential threats, such as malicious code that is already present on the system or attacks that exploit vulnerabilities in applications without loading low integrity images.
Requires Careful Configuration: Blocking low integrity images can disrupt the functionality of some legitimate applications. Administrators must carefully configure exceptions to ensure that critical applications can still function correctly.
Block Non-Microsoft Signed Binaries
The Exploit Protection (EP) mitigation technique "Block Non-Microsoft Signed Binaries" is designed to enhance security by preventing the execution of executable files that lack a valid digital signature from Microsoft. This proactive measure aims to protect systems from potentially malicious or tampered-with software.
Binary Verification: When a user or process attempts to run an executable file (EXE or DLL), the mitigation intercepts the request and verifies the file's digital signature. Digital signatures are cryptographic mechanisms used to authenticate the software publisher and ensure the file's integrity.
Signature Validation: The mitigation checks if the digital signature is:
Valid: The signature has not been tampered with, and the file is in its original state.
Issued by Microsoft: The signature is from a trusted Microsoft certificate authority.
Blocking or Auditing: If the file lacks a valid Microsoft signature or the signature is invalid, the mitigation takes action based on the configured setting:
Block: Prevents the executable file from running, effectively stopping any potential malicious activity.
Audit: Allows the file to run but logs an event in the Windows Event Log, alerting administrators of the attempted execution of an unsigned binary.
Exception for Microsoft Store Apps: By default, the mitigation also allows the execution of binaries signed by the Microsoft Store, as these apps undergo a rigorous verification process.
Benefits:
Protection Against Unauthorized Software: The mitigation helps prevent the execution of unauthorized or malicious software that has not been verified by Microsoft.
Mitigation of Supply Chain Attacks: It can protect against attacks where malicious actors compromise legitimate software distribution channels and insert malware into signed binaries.
Enhanced Security Posture: By enforcing strict code signing requirements, the mitigation significantly reduces the attack surface of the system.
Limitations:
Incompatibility with Third-Party Software: Many legitimate applications are not signed by Microsoft. Blocking all non-Microsoft signed binaries can lead to compatibility issues and prevent users from running necessary software.
False Positives: In rare cases, the mitigation might block legitimate software that has a valid signature but is not recognized by Microsoft Defender.
Not a Complete Solution: While this mitigation is effective against a specific type of threat, it does not protect against other attack vectors, such as vulnerabilities in signed software or attacks that do not involve executable files.
Audit Non-System Fonts
The Exploit Protection (EP) mitigation technique "Audit Non-System Fonts" is a security measure designed to monitor and log attempts to load font files from locations other than the standard system fonts directory. It serves as an early warning system, helping administrators detect potential threats and vulnerabilities related to font parsing.
Font Loading Monitoring: The mitigation actively monitors all font loading operations initiated by applications or processes. It focuses specifically on fonts that are not located in the default system fonts directory (%windir%\Fonts).
Non-System Font Detection: When an application attempts to load a font file from a non-standard location, such as a user's downloads folder, a temporary directory, or a network share, the mitigation detects this event.
Logging and Auditing: Instead of blocking the font loading, the mitigation logs a detailed event in the Windows Event Log. This log entry includes information about the process attempting to load the font, the file path of the font, and the time of the event.
Threat Detection and Analysis: By analyzing the logged events, security teams can identify potentially suspicious font loading attempts. This can be particularly useful in detecting:
Malicious Documents: Font files embedded in documents can sometimes be used to exploit vulnerabilities in font parsing libraries.
Web-Based Attacks: Websites can attempt to load malicious fonts to compromise visitors' systems.
Zero-Day Exploits: Font parsing vulnerabilities can be exploited even before patches are available. The audit logs can help detect such attacks in real time.
Benefits:
Early Warning System: The "Audit Non-System Fonts" mitigation acts as an early warning system, alerting administrators to potential font-based threats before they cause harm.
Threat Detection and Analysis: The detailed audit logs provide valuable information for security teams to investigate suspicious activities, identify vulnerabilities, and take proactive measures to mitigate risks.
Minimal Impact on Legitimate Applications: Unlike the "Block Untrusted Fonts" mitigation, this technique does not prevent the loading of non-system fonts, minimizing disruptions to legitimate applications that might require loading fonts from non-standard locations.
Limitations:
Does Not Block Fonts: This mitigation only audits and logs font loading attempts. It does not actively prevent the loading of potentially malicious fonts. Therefore, it is important to combine this technique with other security measures, such as antivirus software and web filtering, to provide comprehensive protection.
Requires Active Monitoring: The audit logs need to be actively monitored to be effective. Organizations need to have processes in place to review the logs and respond to potential threats in a timely manner.
Last updated