Bypass Windows Defender Attack Surface Reduction

A redteam oriented study of Windows Defender Exploit Guard Attack Surface Reduction. Analysis of several rules, what triggers them and how to bypass.

Article published on 24 February 2019

by Emeric Nasi


License : Copyright Emeric Nasi (@EmericNasi), some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.
Creative Commons License

I Introduction

The last years, I have been doing some research around Windows security. I liked exploring
APT/Redteam techniques and payload used for social engineering and airgap bypass attacks. I am
naturally interested into new security features such as ASR.
Microsoft introduced Attack Surface Reduction (ASR) as part of Windows defender exploit guard.
ASR is composed of a set of configurable rules such as: "Block Office applications from creating child
process". While these rules seem effective against common Office and scripts malwares, there are
ways to bypass all of them. We will go over multiple rules, mainly related to malicious Office or VB
scripts behavior, analyze how It work behind the scene and find a way to bypass it.

If you wish to read more about this, the document can be downloaded in a PDF format