
Bypass Windows Defender Attack Surface Reduction

24 February 2019, 21:09, by Emeric Nasi, 1 message


License: Copyright Emeric Nasi (@EmericNasi), some rights reserved.
This work is licensed under a Creative Commons Attribution 4.0 International License.

I Introduction

In recent years I have been doing research around Windows security. I enjoyed exploring
APT/red team techniques and the payloads used in social engineering and air-gap bypass attacks, so I am
naturally interested in new security features such as ASR.
Microsoft introduced Attack Surface Reduction (ASR) as part of Windows Defender Exploit Guard.
ASR is composed of a set of configurable rules such as "Block Office applications from creating child
processes". While these rules seem effective against common Office and script malware, there are
ways to bypass all of them. We will go over multiple rules, mainly those related to malicious Office or VB
script behaviour, analyze how each works behind the scenes and find a way to bypass it.
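As an added, defender-side example (not code from the original post or its PDF), the following PowerShell shows how an ASR rule such as the one named above is inspected, configured and audited with the Microsoft Defender cmdlets. The rule GUID and the event IDs 1121/1122 are assumed to be Microsoft's published values for "Block all Office applications from creating child processes" and for ASR block/audit events; verify them against current documentation for the build in use.

```powershell
# Added example, not from the original post: configure and audit the ASR rule
# "Block all Office applications from creating child processes" with the
# Defender PowerShell module. Run from an elevated PowerShell on a host where
# Microsoft Defender Antivirus is the active engine.
# Assumption: the GUID below is Microsoft's published ID for that rule.

$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# 1. List what is currently configured. The Ids and Actions arrays line up by
#    index; action values are 0 = Disabled, 1 = Block (Enabled), 2 = Audit.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i],
                         $pref.AttackSurfaceReductionRules_Actions[$i]
}

# 2. Start the rule in audit mode: matching child-process launches are logged
#    but not blocked. Review the events, then switch the action to Enabled once
#    legitimate use (add-ins, macros that spawn helpers) is understood.
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 3. Read back this rule's audit (1122) and block (1121) events from the
#    Defender operational log; the event message carries the rule GUID.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $OfficeChildProcRule } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Running step 1 before and after step 2 confirms the rule was added with the expected action; step 3 is the feed a detection engineer would forward to a SIEM to see which Office child processes the rule would have stopped, which is also where the bypasses discussed in the full document show up as their absence.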

If you wish to read more about this, the full document can be downloaded as a PDF (937.5 kb).
