Emeric Nasi

Bypass Windows Exploit Guard ASR

Abstract

How to bypass all Microsoft latest "Attack Surface Reduction" rules with malicious Office documents and scripts.

The last years, I have been doing some research around Windows security. I liked exploring APT/Redteam techniques and payload used for social engineering and airgap bypass attacks. I am naturally interested into new security features such as ASR. Microsoft introduced Attack Surface Reduction (ASR) as part of Windows defender exploit guard. ASR is composed of a set of configurable rules such as: "Block Office applications from creating child process". While these rules seem effective against common Office and scripts malwares, there are ways to bypass all of them. We will go over each rule related to malicious Office or VB scripts behavior, analyze how It work behind the scene and find a way to bypass it. As example we will take common attack scenario and see how they can be achieved with all rules enforced:

  • Download execute DLL/EXE/script from Office/VBscript
  • Drop execute embedded DLL/EXE/script from Office/VBscript
  • Machine takeover with Meterpreter shell from Office/VBscript
  • Lateral movement/UAC bypass/AMSI bypass/etc.

BIO

I am an information security professional and cybersecurity researcher. My personal research focuses on advanced offensive/defensive techniques, part of which are published on blog.sevagas.com. I like to develop attack and defence tools such as macro_pack redteam tool (https://github.com/sevagas/macro_pack) and am interested by any problematic in the infosec field.