Microsoft Defender AV must be configured block Office applications from creating child processes.

An XCCDF Rule

Details
Profiles

Description

Office apps, such as Word or Excel, will not be allowed to create child processes. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.

ID: SV-213457r823083_rule
Version: WNDF-AV-000033
Severity: Medium
References: CCI-001170
Updated: 5 days ago

Remediation Templates

Set the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> Windows Defender Exploit Guard >> Attack Surface Reduction >> "Configure Attack Surface Reduction rules" to "Enabled". 

Click "Show...". Set the Value name to "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" and the Value to "1".

Microsoft Defender AV must be configured block Office applications from creating child processes.

Description

Remediation Templates

A Manual Procedure