
BUI Cyber Research – Unveiling a Critical Vulnerability in Microsoft Defender XDR’s Attack Surface Reduction rules

Terms and Conditions for this security vulnerability disclosure blog:

  1. Disclosure Policy. We follow a responsible disclosure policy, notifying vendors of vulnerabilities at least 90 days before public disclosure, and working co-operatively to resolve issues.
  2. Disclaimer. The information provided is for educational purposes only. We are not responsible for any misuse of this information.
  3. Ethical Considerations. Readers are urged to act ethically and legally when investigating and disclosing vulnerabilities.
  4. Use of Information. Information from this blog may not be used for illegal purposes or reproduced without permission.
  5. Feedback. We welcome feedback and corrections to ensure the accuracy and relevance of our content. Please email us (info@bui.co) or use the digital form on our contact page to submit feedback.
  6. Legal Compliance. Readers must comply with all applicable laws when testing for and disclosing vulnerabilities.

Microsoft Defender XDR is a comprehensive cybersecurity solution designed by Microsoft to protect organisational networks and devices. At its core are the Attack Surface Reduction (ASR) rules, which are strategic security protocols aimed at minimising the vulnerabilities and pathways exploited by cyber threats. These rules act as a crucial line of defence, shielding endpoints from various attack vectors such as malicious documents, scripts, and other potentially harmful activities. However, despite their importance in fortifying cybersecurity defences, recent scrutiny has uncovered a critical vulnerability within these ASR rules. This vulnerability poses a significant risk as it allows adversaries to bypass established security measures without triggering alerts or raising suspicion, thereby compromising the effectiveness of Microsoft Defender XDR’s defence mechanisms.

Regrettably, a remedy for this issue is not yet available*. Consequently, recourse to Advanced Hunting queries armed with Custom detection rules becomes imperative to diligently monitor for any indicators of compromise, thereby mitigating potential risks.

* BUI researchers logged two notices via the Microsoft Security Response Center; the details are included here in Table 1.

Critical Vulnerability explained

Attack Surface Reduction (ASR) rules are configured on devices by means of a registry key. The contents of this key include the GUID for the specific ASR rule as well as the state of the rule (Block, Audit).

The registry key is not protected and can be modified without triggering any alerts, essentially bypassing ASR rules, which could result in negation of the protection.

Registry Key:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\ASR Rules

Critical Vulnerability demonstrated

By following the steps below, ASR rules can be bypassed. The rule Block all Office applications from creating child processes will be tested.

Bypassing ASR rules:

  1. Launch an elevated PowerShell session and run the following commands to confirm that ASR rules are configured:

       Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids

       Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions

  2. Navigate to the following registry hive:

       Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\

  3. Open the following registry key:

       ASR Rules

  4. Delete the contents of the registry key.
  5. Rerun the following commands in an elevated PowerShell session to confirm that the ASR rule configuration has been removed:

       Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids

       Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions

Testing the bypass:

  1. Create a simple bat file to create a folder.

       Example: mkdir "c:\tools\new folder"

  2. Launch Microsoft Word.
  3. Enable the Developer Tools tab on the Ribbon.
  4. Create a new Macro and edit the Macro in Visual Basic.
  5. Enter the following code:

       Sub [your Macro name]()
           Dim str As String
           str = "cmd.exe /C [location of bat file]"
           Shell str, vbMaximizedFocus
       End Sub

       Example shown here in screenshot:

  6. Run the Macro and verify that a folder has been created. See screenshot:

The successful creation of a folder indicates that ASR rules have been successfully bypassed.

Running the same Macro without bypassing the ASR rules results in the following alert:

Mitigation strategies

By determining the current ASR policy configuration and monitoring for any changes to this configuration, Advanced Hunting queries with Custom detection rules can act as a potential mitigation strategy until this critical vulnerability is remediated.

  1. Determine the current configuration by viewing the following registry key:

       Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\ASR Rules

  2. Within Microsoft Defender XDR, run the following Advanced Hunting query, replacing the placeholder with the registry value data recorded in step 1 so that only deviations from the approved configuration are returned:

       DeviceRegistryEvents
       | where RegistryKey has "HKEY_LOCAL_MACHINE"
           and RegistryKey has "SOFTWARE"
           and RegistryKey has "Microsoft"
           and RegistryKey has "Windows Defender"
           and RegistryKey has "Policy Manager"
       | where RegistryValueName == "ASRRules" or RegistryKey contains "ASR Rules"
       | where RegistryValueData != PreviousRegistryValueData
           and RegistryValueData != "[Enter your registry key value here]"

  3. From the Advanced Hunting query, create a Custom detection rule. The query uses only where clauses, so the Timestamp, DeviceId and ReportId columns that Custom detection rules require are preserved.
  4. Configure the Alert details, Impacted Entities and Actions as required.

       Suggested configurations:

       Frequency: Every hour

       Impacted Entity: Device | Device ID

       Actions: Run antivirus scan

Once configured, the Custom detection rule will run once every hour and generate an alert for all devices in which the ASR rule registry key has changed.

Any alerts should be investigated as running a Microsoft Defender Antivirus scan alone will not be a sufficient response.

It is important to note that the registry value data embedded in the Advanced Hunting query (the placeholder in step 2) must be updated after any legitimate change to the ASR rules; otherwise the Custom detection rule will alert on the approved configuration as if it were tampering.
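As a host-side complement to the Advanced Hunting query, the following PowerShell script is an added example and not code from the original BUI post. It lists the effective ASR rules and actions reported by Get-MpPreference (the same cmdlet used in the verification steps above), reads the policy values at the registry path quoted in step 1, stores both as a baseline, and on later runs reports any rule that has disappeared or changed action, or a policy key whose contents have been cleared. The rule GUID, the action-code names and the alternative Policy Manager value layout are assumptions taken from Microsoft's documentation rather than from the post, and the baseline file path is a placeholder.

```powershell
# Added example, not code from the original BUI post: a host-side check that records the
# effective ASR configuration as a baseline and reports drift from it, so that a cleared or
# altered ASR policy registry key is noticed even when no alert fires.
# Assumptions: the registry path quoted in the post, the documented action codes below, and
# the documented GUID of the rule the post tests.

$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Documented GUID of the rule the post tests; extend with further rule GUIDs as needed.
$KnownRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
}

# Registry path from the post, plus its parent in case ASR policy is stored as ASR* values there.
$AsrPolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\ASR Rules'
$PolicyManagerKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager'

function Get-AsrRuleState {
    # Get-MpPreference exposes two parallel arrays: rule GUIDs and their action codes.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id   = $ids[$i].ToString().ToUpperInvariant()
        $code = [int]$actions[$i]
        $name = if ($KnownRules.ContainsKey($id)) { $KnownRules[$id] } else { '(unmapped rule GUID)' }
        $act  = if ($AsrActionNames.ContainsKey($code)) { $AsrActionNames[$code] } else { "Unknown ($code)" }
        [pscustomobject]@{ RuleId = $id; RuleName = $name; Action = $act }
    }
}

function Get-AsrPolicyRegistry {
    # Raw policy values from either layout: the 'ASR Rules' key named in the post,
    # or ASR* values directly under Policy Manager (assumed alternative layout).
    $result = [ordered]@{}
    if (Test-Path $AsrPolicyKey) {
        foreach ($p in (Get-ItemProperty -Path $AsrPolicyKey).PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $result[$p.Name] = [string]$p.Value }
        }
    }
    if (Test-Path $PolicyManagerKey) {
        foreach ($p in (Get-ItemProperty -Path $PolicyManagerKey).PSObject.Properties) {
            if ($p.Name -like 'ASR*') { $result[$p.Name] = [string]$p.Value }
        }
    }
    return $result
}

function Save-AsrBaseline {
    param([Parameter(Mandatory)][string]$Path)
    # Capture both views (effective rules and raw registry policy) once the policy is approved.
    [pscustomobject]@{
        CapturedAt = (Get-Date).ToString('o')
        Rules      = @(Get-AsrRuleState)
        Registry   = Get-AsrPolicyRegistry
    } | ConvertTo-Json -Depth 4 | Set-Content -Path $Path -Encoding UTF8
}

function Compare-AsrBaseline {
    param([Parameter(Mandatory)][string]$Path)
    # Report rules that were removed, changed action or were added since the baseline, and
    # flag an emptied policy key, which is the exact symptom of the tampering the post describes.
    $baseline  = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $findings  = @()
    $baseRules = @{}
    foreach ($r in @($baseline.Rules)) { $baseRules[$r.RuleId] = $r.Action }
    $curRules  = @{}
    foreach ($r in @(Get-AsrRuleState)) { $curRules[$r.RuleId] = $r.Action }

    foreach ($id in $baseRules.Keys) {
        if (-not $curRules.ContainsKey($id)) {
            $findings += "REMOVED  $id was $($baseRules[$id]), now absent"
        } elseif ($curRules[$id] -ne $baseRules[$id]) {
            $findings += "CHANGED  $id was $($baseRules[$id]), now $($curRules[$id])"
        }
    }
    foreach ($id in $curRules.Keys) {
        if (-not $baseRules.ContainsKey($id)) { $findings += "ADDED    $id now $($curRules[$id])" }
    }

    $baselineHadRegistry = @($baseline.Registry.PSObject.Properties).Count -gt 0
    if ((Get-AsrPolicyRegistry).Count -eq 0 -and $baselineHadRegistry) {
        $findings += 'REGISTRY ASR policy values are missing; the key contents appear to have been cleared'
    }
    if ($findings.Count -eq 0) { 'OK: ASR configuration matches baseline' } else { $findings }
}

# Usage (elevated PowerShell; path is a placeholder):
#   Save-AsrBaseline    -Path C:\ProgramData\asr-baseline.json   # once, after approving the policy
#   Compare-AsrBaseline -Path C:\ProgramData\asr-baseline.json   # on a schedule; act on any non-OK line
```

Running Compare-AsrBaseline from a scheduled task gives a second, independent signal alongside the Custom detection rule: the rule watches registry write events, while the script compares the effective configuration Defender reports, so a change that slipped past event collection still shows up as REMOVED or CHANGED lines. Re-run Save-AsrBaseline after every approved policy change, for the same reason the placeholder in the hunting query must be refreshed.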

BUI supports global security awareness campaign


BUI is proud to participate in Cyber Security Awareness Month as a Champion Organisation for the sixth consecutive year. Founded in 2004, Cyber Security Awareness Month (held each October) is the world’s foremost initiative aimed at promoting cyber security awareness and best practices. The campaign is a collaborative effort among businesses, government agencies, colleges and universities, associations, non-profit organisations, communities and individuals to educate others about online safety.

“Knowledge and vigilance are essential when it comes to cyber security,” says BUI Global CEO Ryan Roseveare. “You need to know what to look out for. You need to know what to do when you see a red flag. And you need to be alert whenever you’re online. Cyber Security Awareness Month plays a key role in educating the public about common cyber risks and encouraging everyone to become more vigilant. BUI is pleased to join the international community in this focused effort to improve cyber security awareness worldwide.”

From smartphones to web-enabled home devices, technology is deeply intertwined with our lives. And while the evolution of technology accelerates, cybercriminals are working just as hard to find ways to compromise technology and disrupt our personal and business activities.

Cyber Security Awareness Month aims to highlight some of the emerging challenges that exist in the world of cyber security today and provide straightforward, actionable guidance which anyone can follow to create a safer, more secure digital world for themselves and their loved ones.

Starting this year, the new theme of Cyber Security Awareness Month is Secure Our World. The main messaging revolves around four cyber security practices:

  1. Creating strong passwords and using a password manager. The strongest passwords are long and unique, with a mixture of character types (lowercase letters, uppercase letters, numbers, and symbols).
  2. Enabling multi-factor authentication whenever possible. Multi-factor authentication, or MFA, adds an extra layer of security to digital accounts by making secondary authentication mandatory.
  3. Recognising and reporting phishing. Public awareness is essential as cybercriminals continue to refine their tactics for phishing scams conducted through emails, text messages, chats, and phone calls.
  4. Keeping software updated. The latest updates and security patches are important to install to ensure that operating systems, internet browsers, and applications are safeguarded.

Cyber Security Awareness Month continues to build momentum and impact with the goal of providing everyone with the information they need to stay safe online. BUI is proud to support this far-reaching online safety awareness and education initiative, which is co-managed by the Cyber Security and Infrastructure Security Agency (CISA) and the National Cyber Security Alliance.

For more information about the 2023 Cyber Security Awareness Month campaign, you can visit the CISA and Stay Safe Online websites. You can also follow BUI on LinkedIn, Facebook and X (formerly Twitter) for helpful tips and resources throughout October, and join the global conversation by including the hashtag #CyberSecurityAwarenessMonth in your own social media posts.

Improve your security posture with an award-winning technology partner.

Cybercriminals are targeting enterprises big and small to try to gain access to sensitive, confidential, or proprietary data and resources. How are you protecting your IT environment?

Stay ahead of threat actors by choosing a comprehensive managed extended detection and response service from BUI. Contact our team to explore Cyber MXDR today.