From dd76b5a9bd5a5ae74e0c5115106b11b1a704307d Mon Sep 17 00:00:00 2001
From: mick
Date: Tue, 13 Dec 2022 12:44:57 +0100
Subject: [PATCH] Add items to detect Defender settings configured by Intune
---
lists/finding_list_0x6d69636b_machine.csv | 28 +++++++++++++++++++----
lists/finding_list_translation.csv | 28 +++++++++++++++++++----
2 files changed, 48 insertions(+), 8 deletions(-)
diff --git a/lists/finding_list_0x6d69636b_machine.csv b/lists/finding_list_0x6d69636b_machine.csv
index 6fe0794..1dd61da 100644
--- a/lists/finding_list_0x6d69636b_machine.csv
+++ b/lists/finding_list_0x6d69636b_machine.csv
@@ -195,47 +195,67 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 1800,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium 1801,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,>=,Medium 1806,"Microsoft Defender Antivirus","Exclusions: Extension Exclusions (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions",Exclusions_Extensions,,,,,,=,Medium -1807,"Microsoft Defender Antivirus","Exclusions: List Extension Exclusions",MpPreferenceExclusion,ExclusionExtension,,,,,,,,=,Medium +1813,"Microsoft Defender Antivirus","Exclusions: Extension Exclusions (Intune)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager",ExcludedExtensions,,,,,,=,Medium +1807,"Microsoft Defender Antivirus","Exclusions: Extension Exclusions",MpPreferenceExclusion,ExclusionExtension,,,,,,,,=,Medium 1808,"Microsoft Defender Antivirus","Exclusions: Path Exclusions (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions",Exclusions_Paths,,,,,,=,Medium -1809,"Microsoft Defender Antivirus","Exclusions: List Path Exclusions",MpPreferenceExclusion,ExclusionPath,,,,,,,,=,Medium +1814,"Microsoft Defender Antivirus","Exclusions: Path Exclusions (Intune)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager",ExcludedPaths,,,,,,=,Medium +1809,"Microsoft Defender Antivirus","Exclusions: Path Exclusions",MpPreferenceExclusion,ExclusionPath,,,,,,,,=,Medium 1810,"Microsoft Defender Antivirus","Exclusions: Process Exclusions (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions",Exclusions_Processes,,,,,,=,Medium -1811,"Microsoft Defender Antivirus","Exclusions: List Process 
Exclusions",MpPreferenceExclusion,ExclusionProcess,,,,,,,,=,Medium +1815,"Microsoft Defender Antivirus","Exclusions: Process Exclusions (Intune)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager",ExcludedProcesses,,,,,,=,Medium +1811,"Microsoft Defender Antivirus","Exclusions: Process Exclusions",MpPreferenceExclusion,ExclusionProcess,,,,,,,,=,Medium 1812,"Microsoft Defender Antivirus","Enable sandboxing for Microsoft Defender Antivirus",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment",MP_FORCE_USE_SANDBOX,,,,0,1,=,Medium 1900,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium 1901,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium 1916,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium +1933,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Intune)",Registry,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium 1902,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium 1917,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium +1934,"Microsoft Defender Exploit Guard","ASR: Block all 
Office applications from creating child processes (Intune)",Registry,d4f940ab-401b-4efc-aadc-ad5f3c50688a,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium 1903,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium 1918,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium +1935,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Intune)",Registry,3b576869-a4ec-4529-8536-b80a7769e899,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium 1904,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium 1919,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +1936,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Intune)",Registry,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium 1905,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium 1920,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from 
launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium +1937,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Intune)",Registry,d3e037e1-3eb8-44c8-a917-57927947596d,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium 1906,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium 1921,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium +1938,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Intune)",Registry,5beb7efe-fd9a-4556-801d-275e5ffc04cc,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium 1907,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium 1922,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +1939,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Intune)",Registry,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium 1908,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit 
Guard\ASR\rules",01443614-cd74-433a-b99e-2ecdc07bfc25,,,,0,1,=,Medium 1923,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion",MpPreferenceAsr,01443614-cd74-433a-b99e-2ecdc07bfc25,,,,,,0,1,=,Medium +1940,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion (Intune)",Registry,01443614-cd74-433a-b99e-2ecdc07bfc25,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium 1909,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",c1db55ab-c21a-4637-bb3f-a12568109d35,,,,0,1,=,Medium 1924,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware",MpPreferenceAsr,c1db55ab-c21a-4637-bb3f-a12568109d35,,,,,,0,1,=,Medium +1941,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware (Intune)",Registry,c1db55ab-c21a-4637-bb3f-a12568109d35,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium 1910,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium 1925,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe)",MpPreferenceAsr,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,,,0,1,=,Medium +1942,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Intune)",Registry,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy 
Manager",ASRRules,,,,0,1,=,Medium 1911,"Microsoft Defender Exploit Guard","ASR: Block process creations originating from PSExec and WMI commands (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d1e49aac-8f56-4280-b9ba-993a6d77406c,,,,0,1,=,Medium 1926,"Microsoft Defender Exploit Guard","ASR: Block process creations originating from PSExec and WMI commands",MpPreferenceAsr,d1e49aac-8f56-4280-b9ba-993a6d77406c,,,,,,0,1,=,Medium +1943,"Microsoft Defender Exploit Guard","ASR: Block process creations originating from PSExec and WMI commands (Intune)",Registry,d1e49aac-8f56-4280-b9ba-993a6d77406c,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium 1912,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium 1927,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB",MpPreferenceAsr,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,,,0,1,=,Medium +1944,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Intune)",Registry,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium 1913,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium 1928,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +1945,"Microsoft Defender Exploit Guard","ASR: Block Office communication 
application from creating child processes (Intune)",Registry,26190899-1602-49e8-8b27-eb1d0a1ce869,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium 1914,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium 1929,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium +1946,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Intune)",Registry,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium 1915,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,0,1,=,Medium 1930,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription",MpPreferenceAsr,e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,,,0,1,=,Medium +1947,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription (Intune)",Registry,e6db77e5-3df2-4cf1-b95a-636979351e5b,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium 1931,"Microsoft Defender Exploit Guard","ASR: Block abuse of exploited vulnerable signed drivers (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",56a863a9-875e-4185-98a7-b882c64b5ce5,,,,0,1,=,Medium 1932,"Microsoft Defender Exploit Guard","ASR: Block abuse of exploited vulnerable signed drivers",MpPreferenceAsr,56a863a9-875e-4185-98a7-b882c64b5ce5,,,,,,0,1,=,Medium +1948,"Microsoft Defender 
Exploit Guard","ASR: Block abuse of exploited vulnerable signed drivers (Intune)",Registry,56a863a9-875e-4185-98a7-b882c64b5ce5,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium 1966,"Microsoft Defender Exploit Guard","ASR: Exclude files and paths from Attack Surface Reduction Rules (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_ASROnlyExclusions,,,,,,=,Medium -1967,"Microsoft Defender Exploit Guard","ASR: List of excluded files and paths from Attack Surface Reduction Rules",MpPreferenceExclusion,AttackSurfaceReductionOnlyExclusions,,,,,,,,=,Medium +1967,"Microsoft Defender Exploit Guard","ASR: Exclude files and paths from Attack Surface Reduction Rules",MpPreferenceExclusion,AttackSurfaceReductionOnlyExclusions,,,,,,,,=,Medium +1968,"Microsoft Defender Exploit Guard","ASR: Exclude files and paths from Attack Surface Reduction Rules (Intune)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASROnlyExclusions,,,,,,=,Medium 1965,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium 1980,"Microsoft Defender Application Guard","Support for Microsoft Defender Application Guard",WindowsOptionalFeature,Windows-Defender-ApplicationGuard,,,,,,Disabled,Enabled,=,Medium 1981,"Microsoft Defender Application Guard","Turn on Microsoft Defender Application Guard in Managed Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowAppHVSI_ProviderSet,,,,,3,=,Medium diff --git a/lists/finding_list_translation.csv b/lists/finding_list_translation.csv index 8a88341..bea7e54 100644 --- a/lists/finding_list_translation.csv +++ b/lists/finding_list_translation.csv 
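Review bot: Rows 1933–1948 all read the same `ASRRules` value under `...\Windows Defender\Policy Manager` and carry the rule GUID in `MethodArgument`, a column that every other `Registry` row in this hunk leaves empty, so the `=` comparison against `1` only works if the Registry method looks that GUID up inside the combined value. The diffstat lists only the two CSV files, so that lookup is not visible in this patch. If it is missing, these sixteen checks would presumably compare the whole string with `1` and report a finding even on correctly configured Intune-managed devices. Please confirm the engine handles this case or land that handling with this change, and record the convention wherever the list columns are documented, e.g. `For RegistryItem ASRRules, MethodArgument is the ASR rule GUID whose state is read from the combined value.`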
@@ -614,11 +614,14 @@ Id,CategoryEN,NameEN,Language,Category,Name 212,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",DE,"Microsoft Defender Antivirus","Konfigurieren der Erkennung für potenziell unerwünschte Anwendungen" 215,"Microsoft Defender Antivirus","Controlled folder access",,, 1642,"Microsoft Defender Antivirus","Enable sandboxing for Microsoft Defender Antivirus",,, +1542,"Microsoft Defender Antivirus","Exclusions: Extension Exclusions",,, +1734,"Microsoft Defender Antivirus","Exclusions: Extension Exclusions (Intune)",,, 1539,"Microsoft Defender Antivirus","Exclusions: Extension Exclusions (Policy)",,, -1542,"Microsoft Defender Antivirus","Exclusions: List Extension Exclusions",,, -1543,"Microsoft Defender Antivirus","Exclusions: List Path Exclusions",,, -1544,"Microsoft Defender Antivirus","Exclusions: List Process Exclusions",,, +1543,"Microsoft Defender Antivirus","Exclusions: Path Exclusions",,, +1735,"Microsoft Defender Antivirus","Exclusions: Path Exclusions (Intune)",,, 1540,"Microsoft Defender Antivirus","Exclusions: Path Exclusions (Policy)",,, +1544,"Microsoft Defender Antivirus","Exclusions: Process Exclusions",,, +1736,"Microsoft Defender Antivirus","Exclusions: Process Exclusions (Intune)",,, 1541,"Microsoft Defender Antivirus","Exclusions: Process Exclusions (Policy)",,, 1525,"Microsoft Defender Antivirus","Exclusions: Turn off Auto Exclusions",,, 675,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",DE,"Microsoft Defender Antivirus","Konfigurieren der Außerkraftsetzung von lokalen Einstellungen für Berichte an Microsoft MAPS" 
@@ -654,38 +657,55 @@ Id,CategoryEN,NameEN,Language,Category,Name 1306,"Microsoft Defender Application Guard","Support for Microsoft Defender Application Guard",,, 690,"Microsoft Defender Application Guard","Turn on Microsoft Defender Application Guard in Managed Mode",,, 245,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",DE,"Microsoft Defender Exploit Guard","ASR: Adobe Reader am Erstellen von untergeordneten Prozessen hindern" +1730,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Intune)",,, 244,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",DE,"Microsoft Defender Exploit Guard","ASR: Adobe Reader am Erstellen von untergeordneten Prozessen hindern (Richtlinie)" 227,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",DE,"Microsoft Defender Exploit Guard","ASR: JavaScript und VBScript am Starten heruntergeladener ausführbarer Inhalte hindern" +1721,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Intune)",,, 226,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",DE,"Microsoft Defender Exploit Guard","ASR: JavaScript und VBScript am Starten heruntergeladener ausführbarer Inhalte hindern (Richtlinie)" 223,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",DE,"Microsoft Defender Exploit Guard","ASR: Office-Anwendungen am Erstellen ausführbarer Inhalte hindern" +1719,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Intune)",,, 222,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",DE,"Microsoft Defender Exploit Guard","ASR: Office-Anwendungen am Erstellen ausführbarer 
Inhalte hindern (Richtlinie)" 225,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",DE,"Microsoft Defender Exploit Guard","ASR: Office-Anwendungen am Einfügen von Code in untergeordnete Prozesse hindern" +1720,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Intune)",,, 224,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",DE,"Microsoft Defender Exploit Guard","ASR: Office-Anwendungen am Einfügen von Code in untergeordnete Prozesse hindern (Richtlinie)" 243,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes",DE,"Microsoft Defender Exploit Guard","ASR: Office-Kommunikationsanwendung am Erstellen von untergeordneten Prozessen hindern" +1729,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Intune)",,, 242,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Policy)",DE,"Microsoft Defender Exploit Guard","ASR: Office-Kommunikationsanwendung am Erstellen von untergeordneten Prozessen hindern (Richtlinie)" 231,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",DE,"Microsoft Defender Exploit Guard","ASR: Win32-API-Aufrufe von Office-Makros blockieren" +1723,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Intune)",,, 230,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",DE,"Microsoft Defender Exploit Guard","ASR: Win32-API-Aufrufe von Office-Makros blockieren (Richtlinie)" 1641,"Microsoft Defender Exploit Guard","ASR: Block abuse of exploited vulnerable signed drivers",,, +1733,"Microsoft Defender Exploit Guard","ASR: Block abuse of exploited vulnerable signed drivers (Intune)",,, 1640,"Microsoft Defender 
Exploit Guard","ASR: Block abuse of exploited vulnerable signed drivers (Policy)",,, 221,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",DE,"Microsoft Defender Exploit Guard","ASR: Alle Office-Anwendungen am Erstellen von untergeordneten Prozessen hindern" +1718,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Intune)",,, 220,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",DE,"Microsoft Defender Exploit Guard","ASR: Alle Office-Anwendungen am Erstellen von untergeordneten Prozessen hindern (Richtlinie)" 237,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe)",DE,"Microsoft Defender Exploit Guard","ASR: Diebstahl von Anmeldeinformationen aus dem Subsystem für die lokale Sicherheitsautorität (lsass.exe) blockieren" +1726,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Intune)",,, 236,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",DE,"Microsoft Defender Exploit Guard","ASR: Diebstahl von Anmeldeinformationen aus dem Subsystem für die lokale Sicherheitsautorität (lsass.exe) blockieren (Richtlinie)" 219,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",DE,"Microsoft Defender Exploit Guard","ASR: Ausführbare Inhalte aus E-Mail-Client und Web-E-Mail blockieren" +1717,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Intune)",,, 218,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",DE,"Microsoft Defender Exploit Guard","ASR: Ausführbare Inhalte aus E-Mail-Client und Web-E-Mail blockieren (Richtlinie)" 
233,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion",,, +1724,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion (Intune)",,, 232,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion (Policy)",,, 229,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",DE,"Microsoft Defender Exploit Guard","ASR: Ausführung potenziell verborgener Skripts blockieren" +1722,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Intune)",,, 228,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",DE,"Microsoft Defender Exploit Guard","ASR: Ausführung potenziell verborgener Skripts blockieren (Richtlinie)" 247,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription",,, +1731,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription (Intune)",,, 246,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription (Policy)",,, 239,"Microsoft Defender Exploit Guard","ASR: Block process creations originating from PSExec and WMI commands",,, +1727,"Microsoft Defender Exploit Guard","ASR: Block process creations originating from PSExec and WMI commands (Intune)",,, 238,"Microsoft Defender Exploit Guard","ASR: Block process creations originating from PSExec and WMI commands (Policy)",,, 241,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB",DE,"Microsoft Defender Exploit Guard","ASR: Nicht vertrauenswürdige und nicht signierte Prozess, die von USB ausgeführt werden, blockieren" +1728,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from 
USB (Intune)",,, 240,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",DE,"Microsoft Defender Exploit Guard","ASR: Nicht vertrauenswürdige und nicht signierte Prozess, die von USB ausgeführt werden, blockieren (Richtlinie)" +1546,"Microsoft Defender Exploit Guard","ASR: Exclude files and paths from Attack Surface Reduction Rules",,, +1732,"Microsoft Defender Exploit Guard","ASR: Exclude files and paths from Attack Surface Reduction Rules (Intune)",,, 1545,"Microsoft Defender Exploit Guard","ASR: Exclude files and paths from Attack Surface Reduction Rules (Policy)",,, -1546,"Microsoft Defender Exploit Guard","ASR: List of excluded files and paths from Attack Surface Reduction Rules",,, 235,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware",,, +1725,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware (Intune)",,, 234,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware (Policy)",,, 217,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",DE,"Microsoft Defender Exploit Guard","Regeln zur Verringerung der Angriffsfläche konfigurieren" 1362,"Microsoft Defender Exploit Guard","Exploit protection: Child Process: Override Child Process (GROOVE.EXE)",,,