A red-team oriented study of Windows Defender Exploit Guard Attack Surface Reduction. Analysis of several rules, what triggers them and how they can be bypassed.
License: Copyright Emeric Nasi (@EmericNasi), some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.
I Introduction
Over the last few years, I have been doing research on Windows security. I have enjoyed exploring
APT/red-team techniques and the payloads used for social engineering and air-gap bypass attacks, so I am
naturally interested in new security features such as ASR.
Microsoft introduced Attack Surface Reduction (ASR) as part of Windows Defender Exploit Guard.
ASR is composed of a set of configurable rules such as "Block Office applications from creating child
processes". While these rules seem effective against common Office and script malware, there are
ways to bypass all of them. We will go over multiple rules, mainly related to the behavior of malicious Office
documents or VB scripts, analyze how each rule works behind the scenes and find a way to bypass it.
If you wish to read more about this, the document can be downloaded in PDF format.