How to bypass all of Microsoft's latest "Attack Surface Reduction" rules with malicious Office documents and scripts.

Over the last years, I have been doing some research around Windows security. I enjoy exploring APT/red team techniques and the payloads used for social engineering and air-gap bypass attacks, so I am naturally interested in new security features such as ASR. Microsoft introduced Attack Surface Reduction (ASR) as part of Windows Defender Exploit Guard. ASR is composed of a set of configurable rules such as "Block Office applications from creating child processes". While these rules seem effective against common Office and script malware, there are ways to bypass all of them. We will go over each rule related to malicious Office or VBScript behavior, analyze how it works behind the scenes, and find a way to bypass it. As examples, we will take common attack scenarios and see how they can be achieved with all rules enforced:
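Since the paragraph above describes ASR as a set of configurable rules, the following added PowerShell snippet (written for this page, not code from the original repository or from Microsoft) shows how a defender inspects the current rule configuration, enables the "Block all Office applications from creating child processes" rule, and reviews the Defender events it produces. It uses the documented Microsoft Defender cmdlets `Get-MpPreference` and `Add-MpPreference`, the rule GUID Microsoft publishes for that rule, and the Defender operational log event IDs 1121 (blocked) and 1122 (audited); it must be run in an elevated PowerShell session on a host with Microsoft Defender Antivirus active.

```powershell
# Added example (not from the original repository): inspect and configure one
# ASR rule, then pull the Defender events it emits. Requires an elevated
# PowerShell session with Microsoft Defender Antivirus running.

# GUID published by Microsoft for
# "Block all Office applications from creating child processes".
$officeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# 1. List the rule IDs currently configured and their actions
#    (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i],
                         $pref.AttackSurfaceReductionRules_Actions[$i]
}

# 2. Start in audit mode so legitimate add-ins that spawn child processes
#    are logged rather than broken.
Add-MpPreference -AttackSurfaceReductionRules_Ids $officeChildProcRule `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 3. After the trial period, switch the same rule to block mode.
Add-MpPreference -AttackSurfaceReductionRules_Ids $officeChildProcRule `
                 -AttackSurfaceReductionRules_Actions Enabled

# 4. Review what the rule observed: event 1121 = blocked, 1122 = audited.
#    The message text names the rule GUID and the process it applied to.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 50 | Select-Object TimeCreated, Id, Message
```

Keeping the rule in audit mode for a while before enforcing it is the usual rollout pattern: the 1122 events show exactly which Office-spawned processes the rule would have blocked, which is also the baseline a detection team compares against when evaluating the bypass techniques this page goes on to describe.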

Download and execute a DLL/EXE/script from Office/VBScript
Drop and execute an embedded DLL/EXE/script from Office/VBScript
Machine takeover with a Meterpreter shell from Office/VBScript
Lateral movement/UAC bypass/AMSI bypass/etc.