View attack surface reduction events

Important

The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new. This topic might apply to both Microsoft Defender for Endpoint and Microsoft 365 Defender. Refer to the Applies To section and look for specific call-outs in this article where there might be differences.

Applies to:

Review attack surface reduction events in Event Viewer to monitor which rules or settings are working. You can also determine whether any settings are too "noisy" or are impacting your day-to-day workflow.

Reviewing events is handy when you're evaluating the features. You can enable audit mode for features or settings, and then review what would have happened if they had been fully enabled.

This article lists all the events and their associated feature or setting, and describes how to create custom views to filter to specific events.

Get detailed reporting into events and blocks as part of Windows Security if you have an E5 subscription and use Microsoft Defender for Endpoint.

Use custom views to review attack surface reduction capabilities

Create custom views in the Windows Event Viewer to see only the events for specific capabilities and settings. The easiest way is to import a custom view as an XML file. You can copy the XML directly from this page.

You can also manually navigate to the event area that corresponds to the feature.

Import an existing XML custom view

  1. Create an empty .txt file and copy the XML for the custom view you want to use into the .txt file. Do this for each of the custom views you want to use. Rename the files as follows (ensure you change the type from .txt to .xml):

    • Controlled folder access events custom view: cfa-events.xml
    • Exploit protection events custom view: ep-events.xml
    • Attack surface reduction events custom view: asr-events.xml
    • Network protection events custom view: np-events.xml
  2. Type event viewer in the Start menu and open Event Viewer.

  3. Select Action > Import Custom View...

    [Animation highlighting Import Custom View on the left side of the Event Viewer window]

  4. Navigate to where you saved the XML file for the custom view you want and select it.

  5. Select Open.

  6. This creates a custom view that filters to show only the events related to that feature.

Copy the XML directly

  1. Type event viewer in the Start menu and open the Windows Event Viewer.

  2. On the left panel, under Actions, select Create Custom View...

    [Animation highlighting the Create Custom View option in the Event Viewer window]

  3. Go to the XML tab and select Edit query manually. You'll see a warning that you can't edit the query using the Filter tab if you use the XML option. Select Yes.

  4. Paste the XML code for the feature you want to filter events from into the XML section.

  5. Select OK. Specify a name for your filter.

  6. This creates a custom view that filters to show only the events related to that feature.

XML for attack surface reduction rule events

<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
   <Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1121 or EventID=1122 or EventID=5007)]]</Select>
   <Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1121 or EventID=1122 or EventID=5007)]]</Select>
  </Query>
</QueryList>

XML for controlled folder access events

<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
   <Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select>
   <Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select>
  </Query>
</QueryList>

XML for exploit protection events

<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Security-Mitigations/KernelMode">
   <Select Path="Microsoft-Windows-Security-Mitigations/KernelMode">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24)  or EventID=5 or EventID=260)]]</Select>
   <Select Path="Microsoft-Windows-Win32k/Concurrency">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24)  or EventID=5 or EventID=260)]]</Select>
   <Select Path="Microsoft-Windows-Win32k/Contention">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24)  or EventID=5 or EventID=260)]]</Select>
   <Select Path="Microsoft-Windows-Win32k/Messages">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24)  or EventID=5 or EventID=260)]]</Select>
   <Select Path="Microsoft-Windows-Win32k/Operational">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24)  or EventID=5 or EventID=260)]]</Select>
   <Select Path="Microsoft-Windows-Win32k/Power">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24)  or EventID=5 or EventID=260)]]</Select>
   <Select Path="Microsoft-Windows-Win32k/Render">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24)  or EventID=5 or EventID=260)]]</Select>
   <Select Path="Microsoft-Windows-Win32k/Tracing">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24)  or EventID=5 or EventID=260)]]</Select>
   <Select Path="Microsoft-Windows-Win32k/UIPI">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24)  or EventID=5 or EventID=260)]]</Select>
   <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24)  or EventID=5 or EventID=260)]]</Select>
   <Select Path="Microsoft-Windows-Security-Mitigations/UserMode">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24)  or EventID=5 or EventID=260)]]</Select>
  </Query>
</QueryList>

XML for network protection events

<QueryList>
 <Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
  <Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1125 or EventID=1126 or EventID=5007)]]</Select>
  <Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1125 or EventID=1126 or EventID=5007)]]</Select>
 </Query>
</QueryList>
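The custom-view XML above can also be consumed outside Event Viewer. The following PowerShell script is an added example, not part of the Microsoft article: it saves the attack surface reduction query under the file name used in step 1 of the import procedure, then runs the same query with Get-WinEvent and groups the results by rule and mode. The asr-views directory, the Get-AsrRuleEvent function name and the EventData field names ID, Path and Process Name are assumptions made here; dump the Fields property on your own build to confirm the names.

```powershell
# Added example, not from the Microsoft article. Runs the article's custom-view XML
# with Get-WinEvent instead of importing it into Event Viewer.
# Assumes an elevated PowerShell prompt on Windows 10/11 with Microsoft Defender Antivirus.

# The same XML the article gives for attack surface reduction rule events.
$asrQuery = @'
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
   <Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1121 or EventID=1122 or EventID=5007)]]</Select>
   <Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1121 or EventID=1122 or EventID=5007)]]</Select>
  </Query>
</QueryList>
'@

# Step 1 of the article, scripted: save the query under the file name the article uses
# so it can also be imported via Action > Import Custom View... ($viewDir is an assumed location).
$viewDir = Join-Path $env:USERPROFILE 'asr-views'
New-Item -ItemType Directory -Path $viewDir -Force | Out-Null
Set-Content -Path (Join-Path $viewDir 'asr-events.xml') -Value $asrQuery -Encoding UTF8

# Meaning of each event ID, from the article's event table.
$mode = @{ 1121 = 'Block'; 1122 = 'Audit'; 5007 = 'Settings change' }

function Get-AsrRuleEvent {
    param(
        [string]$FilterXml = $asrQuery,
        [int]$MaxEvents = 500
    )
    Get-WinEvent -FilterXml ([xml]$FilterXml) -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields from the event XML rather than relying on
            # property positions, which differ between event IDs and builds.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) {
                if ($d.Name) { $data[$d.Name] = $d.'#text' }
            }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                Mode        = $mode[$_.Id]
                # The field names below are assumptions for 1121/1122 events; inspect
                # the Fields property on your build to confirm them.
                RuleId      = $data['ID']
                Path        = $data['Path']
                Process     = $data['Process Name']
                Fields      = $data
            }
        }
}

# Which rules fired, in which mode, across the retained log: the starting point for
# deciding whether an audit-mode rule is too noisy to move to block mode.
Get-AsrRuleEvent |
    Where-Object EventId -ne 5007 |
    Group-Object RuleId, Mode |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The same pattern works for the other three queries on this page; only the file name and the mode table change. Reading EventData by name rather than by index is deliberate, because the position of the rule ID differs between event IDs.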

List of attack surface reduction events

All attack surface reduction events are located under Applications and Services Logs > Microsoft > Windows, and then under the folder or provider listed in the following table.

You can access these events in Windows Event Viewer:

  1. Open the Start menu and type event viewer, and then select the Event Viewer result.

  2. Expand Applications and Services Logs > Microsoft > Windows, and then go to the folder listed under Provider/source in the table below.

  3. Double-click the sub-item to see events. Scroll through the events to find the one you're looking for.

    [Animation showing the use of Event Viewer]

| Feature | Provider/source | Event ID | Description |
|---|---|---|---|
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 2 | ACG enforce |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 4 | Do not allow child processes block |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 6 | Block low integrity images block |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 8 | Block remote images block |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 10 | Disable win32k system calls block |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 12 | Code integrity guard block |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 13 | EAF audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 14 | EAF enforce |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 15 | EAF+ audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 16 | EAF+ enforce |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 17 | IAF audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 18 | IAF enforce |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 19 | ROP StackPivot audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 20 | ROP StackPivot enforce |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 21 | ROP CallerCheck audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 22 | ROP CallerCheck enforce |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 23 | ROP SimExec audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 24 | ROP SimExec enforce |
| Exploit protection | WER-Diagnostics | 5 | CFG block |
| Exploit protection | Win32K (Operational) | 260 | Untrusted font |
| Network protection | Windows Defender (Operational) | 5007 | Event when settings are changed |
| Network protection | Windows Defender (Operational) | 1125 | Event when network protection fires in audit mode |
| Network protection | Windows Defender (Operational) | 1126 | Event when network protection fires in block mode |
| Controlled folder access | Windows Defender (Operational) | 5007 | Event when settings are changed |
| Controlled folder access | Windows Defender (Operational) | 1124 | Audited controlled folder access event |
| Controlled folder access | Windows Defender (Operational) | 1123 | Blocked controlled folder access event |
| Controlled folder access | Windows Defender (Operational) | 1127 | Blocked controlled folder access sector write block event |
| Controlled folder access | Windows Defender (Operational) | 1128 | Audited controlled folder access sector write block event |
| Attack surface reduction | Windows Defender (Operational) | 5007 | Event when settings are changed |
| Attack surface reduction | Windows Defender (Operational) | 1122 | Event when rule fires in audit mode |
| Attack surface reduction | Windows Defender (Operational) | 1121 | Event when rule fires in block mode |
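The event IDs in this table can drive the "is this setting too noisy" check described at the top of the article. The following PowerShell script is an added example, not part of the Microsoft article: it builds a lookup from the table, queries each log with Get-WinEvent, and counts audit and block events per feature per day. The Get-AsrNoiseSummary function name and the 7-day window are choices made here; the WER-Diagnostics and Win32K rows are omitted because the table does not give their log names, and the 5007 settings-change events are left out because they are not audit or block hits.

```powershell
# Added example, not from the Microsoft article. Turns the event table above into a
# lookup and counts audit vs. block events per feature over the last N days, which is
# how you decide whether a setting is too "noisy" before moving it out of audit mode.
# Assumes an elevated PowerShell prompt on Windows 10/11 with Microsoft Defender Antivirus.

$defenderLog = 'Microsoft-Windows-Windows Defender/Operational'

# Event IDs, features and modes as listed in the article's table.
$catalog = @(
    [pscustomobject]@{ Log = $defenderLog; Id = 1121; Feature = 'Attack surface reduction'; Mode = 'Block' }
    [pscustomobject]@{ Log = $defenderLog; Id = 1122; Feature = 'Attack surface reduction'; Mode = 'Audit' }
    [pscustomobject]@{ Log = $defenderLog; Id = 1123; Feature = 'Controlled folder access'; Mode = 'Block' }
    [pscustomobject]@{ Log = $defenderLog; Id = 1124; Feature = 'Controlled folder access'; Mode = 'Audit' }
    [pscustomobject]@{ Log = $defenderLog; Id = 1125; Feature = 'Network protection';       Mode = 'Audit' }
    [pscustomobject]@{ Log = $defenderLog; Id = 1126; Feature = 'Network protection';       Mode = 'Block' }
    [pscustomobject]@{ Log = $defenderLog; Id = 1127; Feature = 'Controlled folder access'; Mode = 'Block' }
    [pscustomobject]@{ Log = $defenderLog; Id = 1128; Feature = 'Controlled folder access'; Mode = 'Audit' }
)

# Exploit protection events 1-24 come in audit/enforce pairs (odd = audit, even = enforce)
# in both the kernel-mode and user-mode Security-Mitigations logs. The WER-Diagnostics
# and Win32K entries (IDs 5 and 260) are left out because the table gives no log name.
foreach ($log in 'Microsoft-Windows-Security-Mitigations/KernelMode',
                 'Microsoft-Windows-Security-Mitigations/UserMode') {
    foreach ($id in 1..24) {
        $m = if ($id % 2 -eq 1) { 'Audit' } else { 'Block' }
        $catalog += [pscustomobject]@{ Log = $log; Id = $id; Feature = 'Exploit protection'; Mode = $m }
    }
}

function Get-AsrNoiseSummary {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)

    # One Get-WinEvent call per log, filtered to the IDs the table lists for that log.
    $rows = foreach ($log in ($catalog.Log | Sort-Object -Unique)) {
        $ids = @($catalog | Where-Object Log -eq $log | ForEach-Object Id)
        $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $ids; StartTime = $since } `
                               -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $entry = $catalog | Where-Object { $_.Log -eq $log -and $_.Id -eq $e.Id } | Select-Object -First 1
            [pscustomobject]@{
                Day     = $e.TimeCreated.Date
                Feature = $entry.Feature
                Mode    = $entry.Mode
                EventId = $e.Id
            }
        }
    }

    # Aggregate per feature and mode. A high per-day rate in Audit mode is the rate at
    # which the same setting in Block mode would interrupt users.
    $rows | Group-Object Feature, Mode | ForEach-Object {
        [pscustomobject]@{
            Feature = $_.Group[0].Feature
            Mode    = $_.Group[0].Mode
            Total   = $_.Count
            PerDay  = [math]::Round($_.Count / [math]::Max($Days, 1), 1)
            Ids     = ($_.Group.EventId | Sort-Object -Unique) -join ','
        }
    } | Sort-Object Total -Descending
}

Get-AsrNoiseSummary -Days 7 | Format-Table -AutoSize
```

Run it on a few representative machines before changing a setting from audit to block: the Audit rows tell you how many blocks users would have seen, and the Ids column tells you which table entries are responsible.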