Details

This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique.

Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features.

Solution

Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Windows Defender Exploit Guard -> Attack Surface Reduction -> ‘Configure Attack Surface Reduction rules’ to ‘Enabled’. Click ‘Show…’. Set the Value name to ‘3B576869-A4EC-4529-8536-B80A7769E899’ and the Value to ‘1’.

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Defender_Antivirus_V2R3_STIG.ziphttps://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Defender_Antivirus_V2R3_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Windows.

References

• 800-53|SC-18(4)
• CAT|II
• CCI|CCI-001170
• Rule-ID|SV-213458r569189_rule
• STIG-ID|WNDF-AV-000034
• STIG-Legacy|SV-92665
• STIG-Legacy|V-77969
• Vuln-ID|V-213458

Source

• Tenable.com/audits