SC-200 Exam Questions

SC-200 Exam - Question 4


Your company uses line-of-business apps that contain Microsoft Office VBA macros.

You need to prevent users from downloading and running additional payloads from the Office VBA macros as additional child processes.

Which two commands can you run to achieve the goal? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

A.

B.

C.

D.

Correct Answer:

To prevent users from downloading and running additional payloads from Office VBA macros as child processes, enable the attack surface reduction (ASR) rule "Block all Office applications from creating child processes" in block mode (action Enabled), not in audit mode. Both 'Add-MpPreference' and 'Set-MpPreference' can set the rule, but they behave differently: 'Add-MpPreference' appends the rule to the existing ASR rule list without affecting the other configured rules, while 'Set-MpPreference' replaces the entire ASR rule list with the rules you pass to it.

Therefore, the correct choices are:

A. Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled

D. Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled

Each of these commands on its own prevents Office applications from spawning child processes, which meets the requirement to prevent the behaviour rather than merely audit it.
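The following script is an added example (it is not part of the exam page or of Microsoft's documentation) that shows the difference between options A and D in practice: it reads the current state of the rule with Get-MpPreference, enables it in block mode with Add-MpPreference so that other configured ASR rules are preserved, and verifies the result. The Get-AsrRuleState helper and the $ActionNames map are my own; the GUID is the one from the page, and the action codes (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn) are the values Get-MpPreference returns for AttackSurfaceReductionRules_Actions. It assumes an elevated PowerShell session on a Windows host running Microsoft Defender Antivirus.

```powershell
# Added example: enable the ASR rule "Block all Office applications from
# creating child processes" in block mode and verify it, preserving any other
# ASR rules already configured on the host. Requires an elevated session.

# Rule GUID as given on the exam page.
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# Human-readable names for the numeric action codes Get-MpPreference returns.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block (Enabled)'; 2 = 'AuditMode'; 6 = 'Warn' }

# Helper (hypothetical, not a built-in cmdlet): report how a single ASR rule
# is currently configured on this host.
function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$RuleId)

    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)

    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -and ($ids[$i] -ieq $RuleId)) {
            $code = [int]$acts[$i]
            if ($ActionNames.ContainsKey($code)) { return $ActionNames[$code] }
            return "Unknown ($code)"
        }
    }
    return 'Not configured'
}

Write-Host "Before: $(Get-AsrRuleState -RuleId $OfficeChildProcRule)"

# Option A: Add-MpPreference merges this rule into the existing list, leaving
# every other configured ASR rule untouched.
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                 -AttackSurfaceReductionRules_Actions Enabled

# Option D is also a complete solution, but note the difference: Set-MpPreference
# REPLACES the whole ASR rule list with what you pass, so any other rules not
# named in the call would be dropped. Shown here commented out for that reason.
# Set-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
#                  -AttackSurfaceReductionRules_Actions Enabled

Write-Host "After:  $(Get-AsrRuleState -RuleId $OfficeChildProcRule)"

# Options B and C (AuditMode) would only log a match; Enabled blocks the child
# process and logs it. Either way, matches land in the
# Microsoft-Windows-Windows Defender/Operational event log (Event ID 1121 for
# a block, 1122 for an audit-only match), which is where to confirm the rule
# is firing against the line-of-business macros.
```

If the line-of-business macros legitimately need to spawn a child process, the usual approach is to keep the rule in block mode and add an exclusion for that specific application with Add-MpPreference -AttackSurfaceReductionOnlyExclusions, rather than dropping the whole rule back to audit.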

Discussion

17 comments
JohnAvlakiotis
Sep 29, 2021

Should be A, D.

AlaReAla
Oct 1, 2021

I echo, as the requirement is not for audit, but to prevent. So the answer should be A & D.

JohnAvlakiotis
Oct 8, 2021

Agreed, link to reinforce https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#powershell

Startkabels
Oct 11, 2021

Agree, auditing doesn't prevent anything, it only monitors and reports.

Metasploit
Oct 9, 2022

A, D. These are 2 complete solutions on their own, not a step by step. 1) Add the rule and enable it. 2) Add the rule, set the rule to overwrite existing rules, and enable it.

"Set-MpPreference will always overwrite the existing set of rules. If you want to add to the existing set, use Add-MpPreference instead." https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#powershell

The command does not need to mention anything about block because the GUID references a rule with already set actions. Configuration Manager name: Block Office application from creating child processes. GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?source=recommendations&view=o365-worldwide#block-all-office-applications-from-creating-child-processes

BMG6
Sep 4, 2023

Agree @JohnAvlakiotis, A, D... The question or task is to PREVENT. Audits do not accomplish this task.

smanzana
Nov 9, 2023

I agree, A and D

Haz56
Dec 17, 2021

I would say A & D, as the question states "Each correct answer presents a complete solution.", so choosing one of the audit options would not be a complete solution on its own to prevent the action.

pedromonteirozikado
Jan 26, 2022

Yes, normally we add a new audit policy with Add-MpPreference and change the policy to enabled with Set-MpPreference, but in this case each correct answer presents a complete solution, so A & D is right, because Set can change and create policies too, and Add-MpPreference can only add new policies.

manidaredevil
Jan 31, 2023

Please change the answer to A & D, as most voting counts are showing the correct answer is the A & D options.

Sango
Aug 22, 2022

A and D are the only logical two: Must use Set-MpPreference with Enabled and then Add-MpPreference with Enabled. Audit does not block.

ArunRavilla
Sep 23, 2022

It is A & D. I am 100% sure.

Atun23
Oct 11, 2022

According to MS content this should be A and D, because the company is trying to prevent, not checking first if it will work.

"Audit mode for evaluation: Use audit mode to evaluate how attack surface reduction rules would affect your organization if enabled. Run all rules in audit mode first so you can understand how they affect your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they might perform tasks in ways that seem similar to malware. By monitoring audit data and adding exclusions for necessary applications, you can deploy attack surface reduction rules without reducing productivity."

Nailik_Ms
Feb 1, 2023

Audit does not mean blocking. The question states "You need to prevent users from downloading and running additional payloads from the Office VBA macros as additional child processes." When auditing something you are not implementing anything to prevent it, but gaining the knowledge to later on take the action you want to.

tatendazw
Jun 2, 2023

A & D https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#powershell

SavageJ
Mar 21, 2023

Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled

Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions AuditMode

wyindualizer
Mar 24, 2023

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide

donathon
Aug 23, 2023

Should be A, D.

Dracula666
Oct 29, 2023

Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-attack-surface-reduction-rules?view=o365-worldwide#scenario-2-asr-rule-blocks-the-test-file-with-the-corresponding-vulnerability

Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshooting-mode-scenarios?view=o365-worldwide

AVN1711
Apr 26, 2024

Correct me if I am wrong, but: the first sentence is "Your company uses line-of-business apps that contain Microsoft Office VBA macros." That means you already have something and it should work, so you set Audit only as an exclusion for these particular macros you need to use; all others/new ones are still going to be blocked. So the correct answer is B and C.

28meters
Apr 29, 2024

It is A and D. B and C place their respective commands in audit mode, which only generates logs and does not take any other action.

Harryd82
May 5, 2024

A & D is the correct answer.

4b097e5
Jun 26, 2024

A and D is correct since we need to prevent users and not monitor them.

Hawklx
Jul 16, 2024

It is A and D, but we cannot vote for it.