ChuckFrey/RansomwareExtensions.txt

## RansomwareExtensions.txt
You can create a GPO to test changing the default behavior of the following extensions to not behave as a script
but rather as a benign text file opened in notepad.

js
wsh
vbs
wsc
sct
jse
wsf
shs
shb
hta
vbe
cmd
bat
cab
appx

# Others worth thinking of excluding if not needed for normal users.
## chm (Windows help files)
## iso
## ps1


The steps to do so are as follows in the Group Policy Management Console.

1. Switch to the GPO editing mode. In the GPO editor, go to the section
User Configuration -> Preferences -> Control Panel Settings -> Folder Options.

2. Create a new parameter New -> Open With.

3. Fill the fields as follows:
    Action: Update
    File Extension: doc
    Associated Program: %windir%\system32\notepad.exe (or whichever appropriate)
    Set as default: check the option

4. The finished product should look similar to https://i.ibb.co/pLDnh6p/7f77df907a53309ca5d30387989ff143-ransomware-GPO.png.

It is important to test and roll this out slowly so as to not impact your production
environment.

Side note: If you need to allow certain scripts to execute in your environment I would suggest that they be monitored while making non-RFC1918 connections and/or baselining accordingly.

But wait, there is more BONUS material: Leverage ASR to block some of these extensions in web/mail clients see https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-executable-content-from-email-client-and-webmail for more.
	You can create a GPO to test changing the default behavior of the following extensions to not behave as a script
	but rather as a benign text file opened in notepad.

	js
	wsh
	vbs
	wsc
	sct
	jse
	wsf
	shs
	shb
	hta
	vbe
	cmd
	bat
	cab
	appx

	# Others worth thinking of excluding if not needed for normal users.
	## chm (Windows help files)
	## iso
	## ps1


	The steps to do so are as follows in the Group Policy Management Console.

	1. Switch to the GPO editing mode. In the GPO editor, go to the section
	User Configuration -> Preferences -> Control Panel Settings -> Folder Options.

	2. Create a new parameter New -> Open With.

	3. Fill the fields as follows:
	Action: Update
	File Extension: doc
	Associated Program: %windir%\system32\notepad.exe (or whichever appropriate)
	Set as default: check the option

	4. The finished product should look similar to https://i.ibb.co/pLDnh6p/7f77df907a53309ca5d30387989ff143-ransomware-GPO.png.

	It is important to test and roll this out slowly so as to not impact your production
	environment.

	Side note: If you need to allow certain scripts to execute in your environment I would suggest that they be monitored while making non-RFC1918 connections and/or baselining accordingly.

	But wait, there is more BONUS material: Leverage ASR to block some of these extensions in web/mail clients see https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-executable-content-from-email-client-and-webmail for more.