Use attack surface reduction rules to prevent malware infection

Important

The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new. This topic might apply to both Microsoft Defender for Endpoint and Microsoft 365 Defender. Refer to the Applies To section and look for specific callouts in this article where there might be differences.

Applies to:

Why attack surface reduction rules are important

Your organization's attack surface includes all the places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means protecting your organization's devices and network, which leaves attackers with fewer ways to perform attacks. Configuring attack surface reduction rules in Microsoft Defender for Endpoint can help.

Attack surface reduction rules target certain software behaviors, such as:

  • Launching executable files and scripts that attempt to download or run files;
  • Running obfuscated or otherwise suspicious scripts; and
  • Performing behaviors that apps don't usually initiate during normal day-to-day work.

Such software behaviors are sometimes seen in legitimate applications; however, these behaviors are often considered risky because they are commonly abused by attackers through malware. Attack surface reduction rules can constrain risky behaviors and help keep your organization safe.

For more information about configuring attack surface reduction rules, see Enable attack surface reduction rules.

Assess rule impact before deployment

You can assess how an attack surface reduction rule might affect your network by opening the security recommendation for that rule in threat and vulnerability management.

(Image: security recommendation for an attack surface reduction rule)

In the recommendation details pane, check for user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adversely affecting productivity.

Audit mode for evaluation

Use audit mode to evaluate how attack surface reduction rules would affect your organization if they were enabled. Run all rules in audit mode first so you can understand how they affect your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they might perform tasks in ways that seem similar to malware. By monitoring audit data and adding exclusions for necessary applications, you can deploy attack surface reduction rules without reducing productivity.

Warn mode for users

(NEW!) Prior to warn mode capabilities, attack surface reduction rules that are enabled could be set to either audit mode or block mode. With the new warn mode, whenever content is blocked by an attack surface reduction rule, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. When a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes.

Warn mode helps your organization have attack surface reduction rules in place without preventing users from accessing the content they need to perform their tasks.

Requirements for warn mode to work

Warn mode is supported on devices running the following versions of Windows:

Microsoft Defender Antivirus must be running with real-time protection in Active mode.

In addition, make sure Microsoft Defender Antivirus and antimalware updates are installed.

  • Minimum platform release requirement: 4.18.2008.9
  • Minimum engine release requirement: 1.1.17400.5

For more information and to get your updates, see Update for Microsoft Defender antimalware platform.

Cases where warn mode is not supported

Warn mode is not supported for the following attack surface reduction rules:

In addition, warn mode is not supported on devices running older versions of Windows. In those cases, attack surface reduction rules that are configured to run in warn mode will run in block mode.

Notifications and alerts

Whenever an attack surface reduction rule is triggered, a notification is displayed on the device. You can customize the notification with your company details and contact information.

In addition, when certain attack surface reduction rules are triggered, alerts are generated.

Notifications and any alerts that are generated can be viewed in the Microsoft Defender Security Center (https://securitycenter.windows.com) and in the Microsoft 365 security center (https://security.microsoft.com).

Advanced hunting and attack surface reduction events

You can use advanced hunting to view attack surface reduction events. To streamline the volume of incoming data, only unique processes for each hour are viewable with advanced hunting. The time of an attack surface reduction event is the first time that event is seen within the hour.

For example, suppose that an attack surface reduction event occurs on 10 devices during the 2:00 PM hour. Suppose that the first event occurred at 2:15, and the last at 2:45. With advanced hunting, you'll see one instance of that event (even though it actually occurred on 10 devices), and its timestamp will be 2:15 PM.

For more information about advanced hunting, see Proactively hunt for threats with advanced hunting.

Attack surface reduction features across Windows versions

You can set attack surface reduction rules for devices that are running any of the following editions and versions of Windows:

Although attack surface reduction rules don't require a Windows E5 license, if you have Windows E5, you get advanced management capabilities. These capabilities, available only in Windows E5, include monitoring, analytics, and workflows available in Defender for Endpoint, as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with a Windows Professional or Windows E3 license; however, if you do have those licenses, you can use Event Viewer and Microsoft Defender Antivirus logs to review your attack surface reduction rule events.

Review attack surface reduction events in the Microsoft Defender Security Center

Defender for Endpoint provides detailed reporting for events and blocks as part of alert investigation scenarios.

You can query Defender for Endpoint data by using advanced hunting. If you're running audit mode, you can use advanced hunting to understand how attack surface reduction rules could affect your environment.

Here is an example query:

DeviceEvents
| where ActionType startswith 'Asr'

Review attack surface reduction events in Windows Event Viewer

You can review the Windows event log to view events generated by attack surface reduction rules:

  1. Download the Evaluation Package and extract the file cfa-events.xml to an easily accessible location on the device.
  2. Enter the words Event Viewer into the Start menu to open the Windows Event Viewer.
  3. Under Actions, select Import custom view....
  4. Select the file cfa-events.xml from where it was extracted. Alternatively, copy the XML directly.
  5. Select OK.

You can create a custom view that filters events to only show the following events, all of which are related to controlled folder access:

Event ID | Description
5007 | Event when settings are changed
1121 | Event when rule fires in Block-mode
1122 | Event when rule fires in Audit-mode

The "engine version" listed for attack surface reduction events in the event log is generated by Defender for Endpoint, not by the operating system. Defender for Endpoint is integrated with Windows 10, so this feature works on all devices with Windows 10 installed.
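The same event IDs can be pulled from the local log with PowerShell instead of a custom Event Viewer view, which is handy for the audit-mode review described earlier. The following is an added example, not code from the Microsoft documentation; the log name is the Microsoft Defender Antivirus operational log, and extracting the rule GUID with a regular expression over the rendered event message is an assumption made here.

```powershell
# Added example (not from the Microsoft documentation): summarize attack surface
# reduction events from the local Windows event log. Event IDs 1121 (block) and
# 1122 (audit) come from the table above. Reading the rule GUID out of the rendered
# message text with a regex is an assumption, not documented event-field behaviour.

$logName = 'Microsoft-Windows-Windows Defender/Operational'
$guidPattern = '[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}'

# Rule names keyed by GUID (taken from the rules table in this article), lower-cased for lookups.
$ruleNames = @{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}

function Get-AsrEventSummary {
    param([int] $Hours = 24)
    # FilterHashtable lets the event log service do the ID and time filtering for us.
    $filter = @{ LogName = $logName; Id = 1121, 1122; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $guid = if ($e.Message -match $guidPattern) { $Matches[0].ToLower() } else { 'unknown' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Mode    = if ($e.Id -eq 1121) { 'Block' } else { 'Audit' }
            RuleId  = $guid
            Rule    = if ($ruleNames.ContainsKey($guid)) { $ruleNames[$guid] } else { '(not in table)' }
            Message = $e.Message
        }
    }
}

# Audit-mode review over the last week: which rules would have blocked something, and how
# often, so you can decide which line-of-business apps need an exclusion before switching
# a rule from audit mode to block mode.
Get-AsrEventSummary -Hours 168 |
    Group-Object Mode, Rule |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Pipe the output of Get-AsrEventSummary through Select-Object Time, Rule, Message to see the individual process paths behind a noisy rule.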

Attack surface reduction rules

The following table and subsections describe each of the 15 attack surface reduction rules. The attack surface reduction rules are listed in alphabetical order, by rule name.

If you are configuring attack surface reduction rules by using Group Policy or PowerShell, you'll need the GUIDs. On the other hand, if you use Microsoft Endpoint Manager or Microsoft Intune, you do not need the GUIDs.

Rule name | GUID | File & folder exclusions | Minimum OS supported
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b | Not supported | Windows 10, version 1903 (build 18362) or greater
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block Win32 API calls from Office macros | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
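When the rules are configured with PowerShell, the GUIDs above are passed to the Defender Antivirus cmdlets. The following added example (not code from the Microsoft documentation) stages a set of rules through audit, warn, and block mode as described in the evaluation sections earlier; the exclusion path and the short rule labels are constructed placeholders, and the numeric action codes shown for Get-MpPreference are assumed here.

```powershell
# Added example (not from the Microsoft documentation): stage attack surface reduction
# rules through audit mode, warn mode and block mode with the Defender Antivirus
# PowerShell cmdlets, using rule GUIDs from the table above. The exclusion path is a
# constructed placeholder. Run from an elevated PowerShell session.

# Rule GUIDs from the table in this article, keyed by a short label chosen here.
$asrRules = [ordered]@{
    OfficeChildProcess   = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    LsassCredentialTheft = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    EmailExecutable      = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    ObfuscatedScripts    = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    Win32ApiFromMacros   = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
    PsExecWmiProcess     = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
    Ransomware           = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
}

# Numeric action codes that Get-MpPreference reports for AttackSurfaceReductionRules_Actions
# (assumed mapping: 0 Disabled, 1 Block, 2 Audit, 6 Warn).
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Set-AsrRuleAction {
    param(
        [Parameter(Mandatory)] [string[]] $RuleIds,
        [Parameter(Mandatory)] [ValidateSet('AuditMode', 'Warn', 'Enabled', 'Disabled')] [string] $Action
    )
    # One action entry per rule ID. Add-MpPreference merges into the existing rule set
    # rather than replacing it, so rules configured elsewhere are left alone.
    $actions = @($Action) * $RuleIds.Count
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleIds -AttackSurfaceReductionRules_Actions $actions
}

function Get-AsrRuleState {
    # Pair each configured rule ID with a readable action name for review.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $code = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        [pscustomobject]@{
            RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
            Action = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "Code $code" }
        }
    }
}

# The PsExec/WMI rule blocks WMI commands the Configuration Manager client relies on
# (see the warning for that rule below), so skip it where the client service (CcmExec) exists.
$rollout = @($asrRules.Keys)
if (Get-Service -Name CcmExec -ErrorAction SilentlyContinue) {
    Write-Warning 'Configuration Manager client detected; leaving the PsExec/WMI rule unconfigured.'
    $rollout = $rollout | Where-Object { $_ -ne 'PsExecWmiProcess' }
}
$ids = $rollout | ForEach-Object { $asrRules[$_] }

# Stage 1: audit only. Review event ID 1122 in the Defender operational log before moving on.
Set-AsrRuleAction -RuleIds $ids -Action AuditMode

# Exclude a line-of-business application that audit data showed tripping a rule.
# These exclusions are ASR-only and apply across rules; they do not apply to the
# WMI persistence rule (see its Important note below).
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\Contoso LOB App\'   # placeholder path

# Stage 2: warn mode (users can unblock for 24 hours; rules without warn support run in block mode).
Set-AsrRuleAction -RuleIds $ids -Action Warn

# Stage 3: block ("Enabled") once the audit and warn data look clean.
# Set-AsrRuleAction -RuleIds $ids -Action Enabled

Get-AsrRuleState | Format-Table -AutoSize
```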

Block Adobe Reader from creating child processes

This rule prevents attacks by blocking Adobe Reader from creating processes.

Through social engineering or exploits, malware can download and launch payloads, and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector is prevented from spreading.

This rule was introduced in:

Intune name: Process creation from Adobe Reader (beta)

Configuration Manager name: Not yet available

GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c

Block all Office applications from creating child processes

This rule blocks Office apps from creating child processes. Office apps include Word, Excel, PowerPoint, OneNote, and Access.

Creating malicious child processes is a common malware strategy. Malware that abuses Office as a vector often runs VBA macros and exploit code to download and attempt to run more payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings.

This rule was introduced in:

Intune name: Office apps launching child processes

Configuration Manager name: Block Office application from creating child processes

GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A

Block credential stealing from the Windows local security authority subsystem

This rule helps prevent credential stealing by locking down the Local Security Authority Subsystem Service (LSASS).

LSASS authenticates users who sign in on a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.

Note

In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is NO need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.

This rule was introduced in:

Intune name: Flag credential stealing from the Windows local security authority subsystem

Configuration Manager name: Block credential stealing from the Windows local security authority subsystem

GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2

Block executable content from email client and webmail

This rule blocks the following file types from launching from email opened within the Microsoft Outlook application, or from Outlook.com and other popular webmail providers:

  • Executable files (such as .exe, .dll, or .scr)
  • Script files (such as a PowerShell .ps, Visual Basic .vbs, or JavaScript .js file)

This rule was introduced in:

Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)

Microsoft Endpoint Manager name: Block executable content from email client and webmail

GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550

Note

The rule Block executable content from email client and webmail has the following alternative descriptions, depending on which application you use:

  • Intune (Configuration Profiles): Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions).
  • Endpoint Manager: Block executable content download from email and webmail clients.
  • Group Policy: Block executable content from email client and webmail.

Block executable files from running unless they meet a prevalence, age, or trusted list criterion

This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list:

  • Executable files (such as .exe, .dll, or .scr)

Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious.

Important

You must enable cloud-delivered protection to use this rule.

The rule Block executable files from running unless they meet a prevalence, age, or trusted list criterion, with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25, is owned by Microsoft and is not specified by admins. This rule uses cloud-delivered protection to update its trusted list regularly.

You can specify individual files or folders (using folder paths or fully qualified resource names), but you can't specify which rules an exclusion applies to.

This rule was introduced in:

Intune name: Executables that don't meet a prevalence, age, or trusted list criteria

Configuration Manager name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria

GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25

Block execution of potentially obfuscated scripts

This rule detects suspicious properties within an obfuscated script.

Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software.

This rule was introduced in:

Intune name: Obfuscated js/vbs/ps/macro code

Configuration Manager name: Block execution of potentially obfuscated scripts

GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC

Block JavaScript or VBScript from launching downloaded executable content

This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet.

Although not common, line-of-business applications sometimes use scripts to download and launch installers.

This rule was introduced in:

Intune name: js/vbs executing payload downloaded from Internet (no exceptions)

Configuration Manager name: Block JavaScript or VBScript from launching downloaded executable content

GUID: D3E037E1-3EB8-44C8-A917-57927947596D

Block Office applications from creating executable content

This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk.

Malware that abuses Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique.

This rule was introduced in:

Intune name: Office apps/macros creating executable content

SCCM name: Block Office applications from creating executable content

GUID: 3B576869-A4EC-4529-8536-B80A7769E899

Block Office applications from injecting code into other processes

This rule blocks code injection attempts from Office apps into other processes.

Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process.

There are no known legitimate business purposes for using code injection.

This rule applies to Word, Excel, and PowerPoint.

This rule was introduced in:

Intune name: Office apps injecting code into other processes (no exceptions)

Configuration Manager name: Block Office applications from injecting code into other processes

GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84

Block Office communication application from creating child processes

This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions.

This rule protects against social engineering attacks and prevents exploit code from abusing vulnerabilities in Outlook. It also protects against Outlook rules and forms exploits that attackers can use when a user's credentials are compromised.

Note

This rule applies to Outlook and Outlook.com only.

This rule was introduced in:

Intune name: Process creation from Office communication products (beta)

Configuration Manager name: Not available

GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869

Block persistence through WMI event subscription

This rule prevents malware from abusing WMI to attain persistence on a device.

Important

File and folder exclusions don't apply to this attack surface reduction rule.

Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.

This rule was introduced in:

Intune name: Not available

Configuration Manager name: Not available

GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b

Block process creations originating from PSExec and WMI commands

This rule blocks processes created through PsExec and WMI from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization's network.

Warning

Only use this rule if you're managing your devices with Intune or another MDM solution. This rule is incompatible with management through Microsoft Endpoint Configuration Manager because this rule blocks WMI commands the Configuration Manager client uses to function correctly.

This rule was introduced in:

Intune name: Process creation from PSExec and WMI commands

Configuration Manager name: Not applicable

GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c

Block untrusted and unsigned processes that run from USB

With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include executable files (such as .exe, .dll, or .scr).

This rule was introduced in:

Intune name: Untrusted and unsigned processes that run from USB

Configuration Manager name: Block untrusted and unsigned processes that run from USB

GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4

Block Win32 API calls from Office macros

This rule prevents VBA macros from calling Win32 APIs.

Office VBA enables Win32 API calls. Malware can abuse this capability, such as calling Win32 APIs to launch malicious shellcode without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.

This rule was introduced in:

Intune name: Win32 imports from Office macro code

Configuration Manager name: Block Win32 API calls from Office macros

GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B

Use advanced protection against ransomware

This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or an exclusion list.

Note

You must enable cloud-delivered protection to use this rule.

This rule was introduced in:

Intune name: Advanced ransomware protection

Configuration Manager name: Use advanced protection against ransomware

GUID: c1db55ab-c21a-4637-bb3f-a12568109d35

See also