I know the Windows Defender fans are actively deploying ASR rules. Of note is the one that prevents start-up of child processes from MS Office apps: https://enigma0x3.net/author/enigma0x3/
Thanks, great read. That's such a good hack, I wonder whether the article is a freebie for the malcoders? EDIT: On second thought, it is not such a freebie, because it entails dropping a malicious file in the Program Files folder, which is a protected location. It's not so easy to do that.
And as always here on Wilders, people only get half the story... Isn't it strange that only drama finds its way in here, but the second part, the fact that things are fixed and that nobody needs to worry, is always missing? https://mobile.twitter.com/neox_fx/status/1006578753064001537 https://mobile.twitter.com/neox_fx/status/1006592932290281472 This effectively killed the Attack Surface Reduction rule bypass mentioned in the blog post when on definitions 1.269.1096.0 or newer. And additionally: https://mobile.twitter.com/neox_fx/status/1006707917658058752 https://mobile.twitter.com/neox_fx/status/1006718585719275521 Meaning that with definitions 1.269.1142.0 or newer, the ASR rule has been extended to also cover Outlook, and the AppVLP.exe abuse through Outlook is no longer possible. (This was a second finding by Matt Nelson that just wasn't mentioned in his blog post.) Excellent research by Matt Nelson. Excellent fix pushed out from Microsoft for both issues. Absolutely no need for anybody to worry about anything.
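For anyone who wants to confirm the fix described in the post above on their own machines, here is an added PowerShell check (not from the thread or from Microsoft): it compares the installed Defender definitions against the 1.269.1142.0 threshold quoted above and reports whether the "Block all Office applications from creating child processes" ASR rule is actually in block mode. The rule GUID is the one Microsoft publishes for that rule; the cmdlets are the standard Defender module ones.

```powershell
# Added example: verify definitions version and ASR rule state on a Windows 10 host.
# Rule GUID published by Microsoft for "Block all Office applications from creating child processes".
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
# Definitions version quoted in the thread as covering both the original bypass and the Outlook/AppVLP variant.
$RequiredSignatures  = [version]'1.269.1142.0'

# 1. Are the definitions new enough to contain the fix?
$status  = Get-MpComputerStatus
$current = [version]$status.AntivirusSignatureVersion
if ($current -lt $RequiredSignatures) {
    Write-Warning "Definitions $current are older than $RequiredSignatures; run Update-MpSignature."
} else {
    Write-Output "Definitions $current are at or above the fixed version."
}

# 2. Is the Office child-process rule configured, and in which mode?
$prefs = Get-MpPreference
$ids   = [string[]]@($prefs.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
$acts  = @($prefs.AttackSurfaceReductionRules_Actions)
$idx   = [array]::IndexOf($ids, $OfficeChildProcRule)
# Action codes returned by Get-MpPreference: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
$state = if ($idx -lt 0) { 'not configured' } else {
    switch ([int]$acts[$idx]) { 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { 'Disabled' } }
}
Write-Output "Office child-process ASR rule: $state"

# 3. If it is missing or only auditing, switch it to block mode (needs an elevated prompt).
if ($state -ne 'Block') {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                     -AttackSurfaceReductionRules_Actions Enabled
    Write-Output 'Rule set to Block.'
}
```

Run the rule check in Audit mode first on a representative workstation if Office add-ins are in use, since the rule will also block legitimate child processes those add-ins spawn.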
Of note is that it took Microsoft 4 months to patch the issue: Also, per the Twitter feed, it appears MS is just blacklisting the processes involved. So the question remains whether other trusted processes can likewise be abused.
Admittedly, there will be holes in the ASR rule for blocking child processes, because, as mentioned, the various Office apps need to interact with one another. But the other ASR rules seem to guard those holes sufficiently well.
Here's another WDEG ASR child process rule bypass: https://oddvar.moe/2018/03/15/windows-defender-attack-surface-reduction-rules-bypass/. At least this one was promptly patched by Microsoft.