Bypass Windows Defender Attack Surface Reduction
24 February 2019 21:09
License : Copyright Emeric Nasi (@EmericNasi), some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.
I Introduction
Over the last few years, I have been doing some research around Windows security. I have enjoyed exploring
APT/red team techniques and the payloads used for social engineering and air-gap bypass attacks, and I am
naturally interested in new security features such as ASR.
Microsoft introduced Attack Surface Reduction (ASR) as part of Windows Defender Exploit Guard.
ASR is composed of a set of configurable rules such as "Block Office applications from creating child
processes". While these rules seem effective against common Office and script malware, there are
ways to bypass all of them. We will go over multiple rules, mainly related to malicious Office or VB
script behavior, analyze how each one works behind the scenes, and find a way to bypass it.
If you wish to read more about this, the full document can be downloaded in PDF format.
Forum posts
Would you be willing to point me in the direction of some resources on registering rogue COM objects? I tried the code from your paper but always get an error saying the CLSID is not registered.