BUI Cyber Research – Unveiling a Critical Vulnerability in Microsoft Defender XDR’s Attack Surface Reduction rules

Terms and Conditions for this security vulnerability disclosure blog:

  1. Disclosure Policy. We follow a responsible disclosure policy, notifying vendors of vulnerabilities at least 90 days before public disclosure, and working co-operatively to resolve issues.
  2. Disclaimer. The information provided is for educational purposes only. We are not responsible for any misuse of this information.
  3. Ethical Considerations. Readers are urged to act ethically and legally when investigating and disclosing vulnerabilities.
  4. Use of Information. Information from this blog may not be used for illegal purposes or reproduced without permission.
  5. Feedback. We welcome feedback and corrections to ensure the accuracy and relevance of our content. Please email us (info@bui.co) or use the digital form on our contact page to submit feedback.
  6. Legal Compliance. Readers must comply with all applicable laws when testing for and disclosing vulnerabilities.

Microsoft Defender XDR is a comprehensive cybersecurity solution designed by Microsoft to protect organisational networks and devices. At its core are the Attack Surface Reduction (ASR) rules, which are strategic security protocols aimed at minimising the vulnerabilities and pathways exploited by cyber threats. These rules act as a crucial line of defence, shielding endpoints from various attack vectors such as malicious documents, scripts, and other potentially harmful activities. However, despite their importance in fortifying cybersecurity defences, recent scrutiny has uncovered a critical vulnerability within these ASR rules. This vulnerability poses a significant risk as it allows adversaries to bypass established security measures without triggering alerts or raising suspicion, thereby compromising the effectiveness of Microsoft Defender XDR’s defence mechanisms.

Regrettably, a remedy for this issue is not yet available*. Until one is, Advanced Hunting queries combined with Custom detection rules are needed to monitor for indicators of compromise and so mitigate the risk.

* Table 1: BUI researchers logged two notices via the Microsoft Security Response Center. The details are included here in Table 1.

Critical Vulnerability explained

Attack Surface Reduction (ASR) rules are configured on devices by means of a registry key. The contents of this key include the GUID for the specific ASR rule as well as the state of the rule (Block, Audit).

The registry key is not protected and can be modified without triggering any alerts, essentially bypassing ASR rules, which could result in negation of the protection.

Registry Key:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\ASR Rules

Critical Vulnerability demonstrated

By following the steps below, ASR rules can be bypassed. The rule Block all Office applications from creating child processes will be tested.

Bypassing ASR rules:

  1. Launch an elevated PowerShell session and run the following commands to confirm that ASR rules are configured:

       Get-MpPreference | Select-Object -expandproperty AttackSurfaceReductionRules_Ids

       Get-MpPreference | Select-Object -expandproperty AttackSurfaceReductionRules_Actions

  2. Navigate to the following registry hive:

       Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\

  3. Open the following registry key:

       ASR Rules

  4. Delete the contents of the registry key.
  5. Rerun the following commands in an elevated PowerShell to confirm that the ASR rule configuration has been removed:

       Get-MpPreference | Select-Object -expandproperty AttackSurfaceReductionRules_Ids

       Get-MpPreference | Select-Object -expandproperty AttackSurfaceReductionRules_Actions

Testing the bypass:

  1. Create a simple bat file to create a folder.

       Example: mkdir "c:\tools\new folder"

  2. Launch Microsoft Word.
  3. Enable the Developer Tools tab on the Ribbon.
  4. Create a new Macro and edit the Macro in Visual Basic.
  5. Enter the following code:

       Sub [your Macro name]()
           Dim str As String
           ' Command line that runs the test batch file
           str = "cmd.exe /C [location of bat file]"
           ' Start it as a child process of Word
           Shell str, vbMaximizedFocus
       End Sub

       Example shown here in screenshot:

  6. Run the Macro and verify that a folder has been created. See screenshot:

The successful creation of a folder indicates that ASR rules have been successfully bypassed.

Running the same Macro without bypassing the ASR rules results in the following alert:

Mitigation strategies

By determining the current ASR policy configuration and monitoring for any changes to this configuration, Advanced Hunting queries with Custom detection rules can act as a potential mitigation strategy until this critical vulnerability is remediated.

  1. Determine the current configuration by viewing the following registry key:

       Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\ASR Rules

  2. Within Microsoft Defender XDR, run the following Advanced Hunting Query:

       // Changes to the ASRRules value under the Defender Policy Manager key
       DeviceRegistryEvents
       | where RegistryKey has "HKEY_LOCAL_MACHINE"
           and RegistryKey has "SOFTWARE"
           and RegistryKey has "Microsoft"
           and RegistryKey has "Windows Defender"
           and RegistryKey has "Policy Manager"
           and RegistryValueName == "ASRRules"
           // The data changed and no longer matches the expected baseline
           and RegistryValueData != PreviousRegistryValueData
           and RegistryValueData != "[Enter your registry key value here]"

  3. From the Advanced Hunting query, create a Custom detection rule.
  4. Configure the Alert details, Impacted Entities, and Actions as required.

       Suggested configurations:

       Frequency: Every hour

       Impacted Entity: Device | Device ID

       Actions: Run antivirus scan

Once configured, the Custom detection rule will run once every hour and generate an alert for all devices in which the ASR rule registry key has changed.

Any alerts should be investigated as running a Microsoft Defender Antivirus scan alone will not be a sufficient response.

It is important to note that the registry key in the Advanced Hunting query should be updated after any change is made to the ASR rules.
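The "determine the current configuration and monitor for changes" step can also be checked locally on an endpoint. The following is an added example, not part of the original article: it compares the output of the `Get-MpPreference` properties used above with an expected baseline and reports rules that are missing or weakened. The helper name `Compare-AsrBaseline` and the baseline hashtable are assumptions; the GUID is the one Microsoft documents for the rule tested above, and the action values (0, 1, 2, 6) are those Microsoft documents for ASR rule states.

```powershell
# Added example: report drift between the effective ASR rules and an expected baseline.
# Action values as documented by Microsoft: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Compare-AsrBaseline {   # hypothetical helper name
    param(
        [hashtable]$Baseline,    # expected state: rule GUID -> action value
        [string[]]$Ids,          # from AttackSurfaceReductionRules_Ids
        [int[]]$Actions          # from AttackSurfaceReductionRules_Actions
    )
    # Map each configured rule GUID to its action (the two arrays are parallel).
    $current = @{}
    for ($i = 0; $i -lt $Ids.Count; $i++) {
        if ($Ids[$i] -and $i -lt $Actions.Count) { $current[$Ids[$i].ToLower()] = $Actions[$i] }
    }
    foreach ($rule in $Baseline.Keys) {
        $key = $rule.ToLower()
        $expected = $Baseline[$rule]
        if (-not $current.ContainsKey($key)) {
            $actual = 'Missing'                    # rule no longer configured at all
        } elseif ($current[$key] -ne $expected) {
            $actual = $ActionName[$current[$key]]  # rule weakened, e.g. Block changed to Audit
        } else {
            continue                               # matches the baseline
        }
        [pscustomobject]@{ Rule = $key; Expected = $ActionName[$expected]; Actual = $actual }
    }
}

# Assumed baseline: "Block all Office applications from creating child processes" in Block mode.
$baseline = @{ 'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 1 }

if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $pref  = Get-MpPreference
    $drift = Compare-AsrBaseline -Baseline $baseline `
        -Ids $pref.AttackSurfaceReductionRules_Ids `
        -Actions $pref.AttackSurfaceReductionRules_Actions
} else {
    # Constructed sample for running off-box: the rule list has been emptied.
    $drift = Compare-AsrBaseline -Baseline $baseline -Ids @() -Actions @()
}
if ($drift) {
    $drift | Format-Table -AutoSize
    Write-Warning 'ASR configuration differs from the expected baseline'
}
```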
