You are here : Home » Learning security » Operating Systems » Windows » Bypass Windows Defender Attack Surface Reduction

Bypass Windows Defender Attack Surface Reduction

D 24 February 2019     H 21:09     A Emeric Nasi     C 1 messages


agrandir


License : Copyright Emeric Nasi (@EmericNasi), some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.
Creative Commons License

I Introduction

The last years, I have been doing some research around Windows security. I liked exploring
APT/Redteam techniques and payload used for social engineering and airgap bypass attacks. I am
naturally interested into new security features such as ASR.
Microsoft introduced Attack Surface Reduction (ASR) as part of Windows defender exploit guard.
ASR is composed of a set of configurable rules such as: "Block Office applications from creating child
process". While these rules seem effective against common Office and scripts malwares, there are
ways to bypass all of them. We will go over multiple rules, mainly related to malicious Office or VB
scripts behavior, analyze how It work behind the scene and find a way to bypass it.

If you wish to read more about this, the document can be downloaded in a PDF format

PDF - 937.5 kb

1 Forum posts

Any message or comments?
pre-moderation

This forum is moderated before publication: your contribution will only appear after being validated by an administrator.

Who are you?
Your post