Microsoft Security Operations Analyst Associate SC-200 Practice Question
You manage Windows 11 devices that are onboarded to Microsoft Defender for Endpoint. A recent incident analysis shows that ransomware entered your environment through malicious Office macros that invoked low-level Win32 APIs to inject code into legitimate processes. You need to configure an attack surface reduction (ASR) rule in an Endpoint security policy to block this technique while allowing benign macros that do not use these APIs to run. Which ASR rule should you enable and set to Block?
Block Win32 API calls from Office macro (GUID: 92E97FA1-2EDF-4476-BDD6-9B05EDC1FAC)
Block executable content from email client and webmail (GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550)
Block Office applications from creating child processes (GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A)
Block Office applications from injecting code into other processes (GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84)
The ASR rule named "Block Win32 API calls from Office macro" specifically targets macros that attempt to use Win32 API functions for actions such as process injection, token manipulation, or other advanced techniques often leveraged by malware and ransomware. Enabling this rule in Block mode prevents the malicious behavior without disabling all macros.
The other options protect against different attack techniques:
"Block Office applications from creating child processes" stops Office apps from spawning additional executables but does not address direct Win32 API usage inside a macro.
"Block Office applications from injecting code into other processes" prevents Office apps themselves from performing code injection, not macros using APIs within the Office process.
"Block executable content from email client and webmail" focuses on attachments and webmail downloads, not in-process API calls from macros. Therefore, enabling the rule that blocks Win32 API calls from Office macros is the correct configuration.
SC-200 exam domain: Configure protections and detections