1/This simple PowerShell command blocks ongoing OneNote attacks! (Microsoft Defender) Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled 🧵 #CyberSecurity #phishing #OneNote #malware #ASR

2/Block all Office applications from creating child processes. Defender attack surface reduction is not only bad (like deleting LNKs 😜), it really can save a company from being ransomwared! Can be deployed via GPO/Intune pretty easily.

3/This rule not only prevents OneNote attacks, it also protects you from a bunch of other attacks (e.g. Follina)! Make sure to get notified about all events blocked by this ASR rule: Microsoft-Windows-Windows Defender/Operational, EventID: 1121 #ThreatHunting

4/There is another ASR rule which would also block OneNote attacks partially: Block Office applications from creating executable content. Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled #ASR

5/You can also set them to "Audit Mode" only: change "Enabled" to "AuditMode" in the above commands. This still creates the event logs to hunt for but will not break/block anything! Hunt for: Microsoft-Windows-Windows Defender/Operational, EventID: 1122 #ThreatHunting
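The whole procedure from the thread (set both Office ASR rules, start in audit mode, then hunt the Defender operational log for 1121/1122 events) as one added PowerShell script. This is example code written for this page, not the thread author's, and it assumes an elevated session on a host with Microsoft Defender Antivirus; the regexes that pull the rule GUID and path out of the event message text are an assumption about the message format rather than a documented field layout.

```powershell
# Added example (not from the original thread): deploy the two Office ASR
# rules in audit mode, read back their state, and hunt for the events they
# generate. Assumed: run as Administrator with Microsoft Defender Antivirus.

$OfficeAsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
}

# Step 1: configure both rules. Start with 'AuditMode' for a baseline period,
# then rerun with 'Enabled' once the audit events show no legitimate hits.
function Set-OfficeAsrRules {
    param(
        [ValidateSet('AuditMode', 'Enabled', 'Disabled')]
        [string]$Action = 'AuditMode'
    )
    foreach ($ruleId in $OfficeAsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId `
                         -AttackSurfaceReductionRules_Actions $Action
    }
}

# Step 2: read back what Defender actually has configured for these rules.
function Get-OfficeAsrRuleState {
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        if ($OfficeAsrRules.ContainsKey($id)) {
            [pscustomobject]@{
                RuleId = $id
                Name   = $OfficeAsrRules[$id]
                # Numeric action codes: 0 = Disabled, 1 = Enabled, 2 = AuditMode, 6 = Warn
                Action = $pref.AttackSurfaceReductionRules_Actions[$i]
            }
        }
    }
}

# Step 3: hunt. Event 1121 = rule blocked an operation, 1122 = audit-only hit.
function Get-OfficeAsrEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: the event message text carries "ID: <rule GUID>",
            # "Path: <file>" and "Process Name: <exe>" lines; parse those
            # rather than relying on a fixed EventData field position.
            $ruleId  = if ($_.Message -match 'ID:\s*([0-9A-Fa-f-]{36})') { $Matches[1].ToUpper() } else { $null }
            $path    = if ($_.Message -match 'Path:\s*(.+?)\r?\n')         { $Matches[1].Trim() }    else { '' }
            $process = if ($_.Message -match 'Process Name:\s*(.+?)\r?\n') { $Matches[1].Trim() }    else { '' }

            # Only report hits for the two Office rules from the thread;
            # other ASR rules log to the same event IDs.
            if ($ruleId -and $OfficeAsrRules.ContainsKey($ruleId)) {
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    Mode     = if ($_.Id -eq 1121) { 'Blocked' } else { 'Audit' }
                    Rule     = $OfficeAsrRules[$ruleId]
                    Process  = $process   # the Office app that tried the action
                    Path     = $path      # what it tried to launch or write
                }
            }
        }
}

# Usage: audit first, check the configuration, then review what would have
# been blocked before flipping the rules to 'Enabled'.
Set-OfficeAsrRules -Action AuditMode
Get-OfficeAsrRuleState | Format-Table -AutoSize
Get-OfficeAsrEvents -Days 7 | Format-Table -AutoSize
```

The point of keeping the three steps separate is the rollout order the thread recommends: a week of 1122 audit events from Get-OfficeAsrEvents tells you whether any line-of-business macro or add-in legitimately spawns child processes from Office before the rule starts blocking and generating 1121 events.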
