ChuckFrey · October 21, 2024 08:53
diff --git a/RansomwareExtensions.txt b/RansomwareExtensions.txt
 You can create a GPO to test changing the default behavior of the following extensions to not behave as a script 
 but rather as a benign text file opened in notepad.

 js
 wsh
 vbs
 wsc
 sct
 jse
 wsf
 shs
 shb
 hta
 vbe
 cmd
 bat
 cab
 appx

 # Others worth thinking of excluding if not needed for normal users.
 ## chm (Windows help files)
 ## iso
 ## ps1


 The steps to do so are as follows in the Group Policy Management Console.

 1. Switch to the GPO editing mode. In the GPO editor, go to the section 
 User Configuration -> Preferences -> Control Panel Settings -> Folder Options.

 2. Create a new parameter New -> Open With.

 3. Fill the fields as follows:
    Action: Update
    File Extension: doc
    Associated Program: %windir%\system32\notepad.exe (or whichever appropriate)
    Set as default: check the option

 4. The finished product should look similar to https://i.ibb.co/pLDnh6p/7f77df907a53309ca5d30387989ff143-ransomware-GPO.png. 
  
 It is important to test and roll this out slowly so as to not impact your production 
 environment.

 Side note: If you need to allow certain scripts to execute in your environment I would suggest that they be monitored while making non-RFC1918 connections and/or baselining accordingly.

 But wait, there is more BONUS material: Leverage ASR to block some of these extensions in web/mail clients see https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-executable-content-from-email-client-and-webmail for more.
	You can create a GPO to test changing the default behavior of the following extensions to not behave as a script
	but rather as a benign text file opened in notepad.

	js
	wsh
	vbs
	wsc
	sct
	jse
	wsf
	shs
	shb
	hta
	vbe
	cmd
	bat
	cab
	appx

	# Others worth thinking of excluding if not needed for normal users.
	## chm (Windows help files)
	## iso
	## ps1


	The steps to do so are as follows in the Group Policy Management Console.

	1. Switch to the GPO editing mode. In the GPO editor, go to the section
	User Configuration -> Preferences -> Control Panel Settings -> Folder Options.

	2. Create a new parameter New -> Open With.

	3. Fill the fields as follows:
	Action: Update
	File Extension: doc
	Associated Program: %windir%\system32\notepad.exe (or whichever appropriate)
	Set as default: check the option

	4. The finished product should look similar to https://i.ibb.co/pLDnh6p/7f77df907a53309ca5d30387989ff143-ransomware-GPO.png.

	It is important to test and roll this out slowly so as to not impact your production
	environment.

	Side note: If you need to allow certain scripts to execute in your environment I would suggest that they be monitored while making non-RFC1918 connections and/or baselining accordingly.

	But wait, there is more BONUS material: Leverage ASR to block some of these extensions in web/mail clients see https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-executable-content-from-email-client-and-webmail for more.