Microsoft Defender XDR is Microsoft's cybersecurity platform for protecting organisational networks and devices. Among its endpoint protections are the Attack Surface Reduction (ASR) rules, which block the behaviours commonly abused by cyber threats: malicious documents, scripts and other potentially harmful activity. Despite their importance in hardening endpoints, recent scrutiny has uncovered a critical vulnerability in these ASR rules: an adversary can bypass them without triggering alerts or raising suspicion, undermining the protection Microsoft Defender XDR is expected to provide.
Regrettably, no fix for this issue is yet available*. Until one is, Advanced Hunting queries paired with Custom detection rules should be used to monitor for indicators of compromise and so limit the risk.
Attack Surface Reduction (ASR) rules are configured on devices by means of a registry key. The contents of this key include the GUID for the specific ASR rule as well as the state of the rule (Block, Audit).
The registry key is not protected and can be modified without triggering any alert. Modifying it effectively disables the ASR rules and negates the protection they provide.
Registry Key:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\ASR Rules
By following the steps below, ASR rules can be bypassed. The rule Block all Office applications from creating child processes will be tested.
Bypassing ASR rules:
First, record the rule IDs and actions currently reported as configured:
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions
Then modify the rule state stored under the following registry key:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\ASR Rules
Finally, run the same two commands again to confirm that the reported configuration has changed:
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions
Testing the bypass:
The batch file used for the test only creates a folder, for example:
mkdir "c:\tools\new folder"
The Office macro launches that batch file through cmd.exe, which the tested rule would normally block:
Sub [your Macro name]()
    Dim str As String
    ' Command line that starts the batch file as a child process of the Office application
    str = "cmd.exe /C [location of bat file]"
    Shell str, vbMaximizedFocus
End Sub
Example shown here in screenshot:
The successful creation of a folder indicates that ASR rules have been successfully bypassed.
Running the same Macro without bypassing the ASR rules results in the following alert:
By determining the current ASR policy configuration and monitoring for any changes to this configuration, Advanced Hunting queries with Custom detection rules can act as a potential mitigation strategy until this critical vulnerability is remediated.
The query monitors changes to the value stored under:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\ASR Rules
DeviceRegistryEvents
| where RegistryKey has_all ("HKEY_LOCAL_MACHINE", "SOFTWARE", "Microsoft", "Windows Defender", "Policy Manager")
| where RegistryValueName == "ASRRules"
| where RegistryValueData != PreviousRegistryValueData
| where RegistryValueData != "[Enter your registry key value here]"
Suggested configurations:
Frequency: Every hour
Impacted Entity: Device | Device ID
Actions: Run antivirus scan
Once configured, the Custom detection rule will run once every hour and generate an alert for all devices in which the ASR rule registry key has changed.
Any alerts should be investigated, as running a Microsoft Defender Antivirus scan alone will not be a sufficient response.
It is important to note that the registry key in the Advanced Hunting query should be updated after any change is made to the ASR rules.
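As an added example that is not part of the original post, the following PowerShell script records the ASR configuration reported by Get-MpPreference as a baseline and, on later runs, reports any rule whose action has changed or that has been removed or added; the saved baseline also gives the expected value that the custom detection rule above must be kept in sync with. The baseline path, the -Save switch and the Get-AsrState and Get-ActionName functions are this example's own assumptions.

```powershell
# Added example (not the page's own code): snapshot the ASR rule configuration
# reported by Get-MpPreference, or compare the live configuration with that
# snapshot and report drift. Baseline path and -Save switch are assumptions.
param(
    [string]$BaselinePath = "$env:ProgramData\AsrBaseline.json",
    [switch]$Save
)
# Action codes returned in AttackSurfaceReductionRules_Actions.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
function Get-ActionName([int]$Code) {
    if ($ActionNames.ContainsKey($Code)) { $ActionNames[$Code] } else { "code $Code" }
}

function Get-AsrState {
    # Returns a hashtable of rule GUID -> action code from the live configuration.
    $pref  = Get-MpPreference
    $state = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i].ToLower()
        $state[$id] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    }
    return $state
}

$current = Get-AsrState
if ($Save) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline of $($current.Count) ASR rules written to $BaselinePath"
    return
}
if (-not (Test-Path $BaselinePath)) { throw "No baseline at $BaselinePath; run with -Save first." }
$baseline = @{}
foreach ($p in (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties) {
    $baseline[$p.Name] = [int]$p.Value
}

# Any difference is a candidate ASR bypass and should be investigated.
$drift = @()
foreach ($id in $baseline.Keys) {
    if (-not $current.ContainsKey($id)) {
        $drift += "Rule $id removed (was $(Get-ActionName $baseline[$id]))"
    } elseif ($current[$id] -ne $baseline[$id]) {
        $drift += "Rule $id changed: $(Get-ActionName $baseline[$id]) -> $(Get-ActionName $current[$id])"
    }
}
foreach ($id in $current.Keys) {
    if (-not $baseline.ContainsKey($id)) { $drift += "Rule $id added as $(Get-ActionName $current[$id])" }
}
if ($drift.Count -eq 0) { Write-Output 'ASR configuration matches baseline.' }
else { $drift | ForEach-Object { Write-Warning $_ }; exit 1 }
```

Run it once with -Save after ASR rules are deployed, then schedule it without -Save; a non-zero exit code means the live configuration no longer matches the approved baseline.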