Bypassing Windows Defender Exploit ASR Rules

Discussion in 'other security issues & news' started by itman, Jun 20, 2018.

  1. itman

    itman Registered Member

    I know the Windows Defender fans are actively deploying ASR rules. Of note is the one that prevents start up of child processes from MS Office apps:
    https://enigma0x3.net/author/enigma0x3/
     
    Last edited: Jun 20, 2018
  2. shmu26

    shmu26 Registered Member

    Thanks, great read. That's such a good hack, I wonder whether the article is a freebie for the malcoders?
    EDIT: On second thought, it is not such a freebie, because it entails dropping a malicious file in the Program Files folder, which is a protected location. It's not so easy to do that.
     
    Last edited: Jun 21, 2018
  3. Martin_C

    Martin_C Registered Member

    And as always here on Wilders, people only get half the story ......
    Isn't it strange that only drama finds its way in here, but the second part - the fact that things are fixed and that nobody needs to worry - that part is always missing ??
    https://mobile.twitter.com/neox_fx/status/1006578753064001537
    https://mobile.twitter.com/neox_fx/status/1006592932290281472

    This effectively killed the Attack Surface Reduction rule bypass mentioned in the blog post when being on definitions 1.269.1096.0 or newer. :thumb:

    And additionally:
    https://mobile.twitter.com/neox_fx/status/1006707917658058752
    https://mobile.twitter.com/neox_fx/status/1006718585719275521

    Meaning that with definitions 1.269.1142.0 or newer, the ASR rule has been extended to also cover Outlook, and the AppVLP.exe abuse through Outlook is no longer possible. :thumb:
    (this was a second finding by Matt Nelson, that just wasn't mentioned in his blog post)

    Excellent research by Matt Nelson. :thumb:
    Excellent fix pushed out from Microsoft for both issues. :thumb:

    Absolutely no need for anybody to worry about anything.
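
A defender-side check built on the definition versions quoted in the post above, added here as an example and not part of the thread or of Microsoft's tooling. It assumes the Defender PowerShell cmdlets `Get-MpComputerStatus` and `Get-MpPreference` are available; the function name `Test-AsrChildProcessPosture` is hypothetical, and the GUID is Microsoft's documented ID for the Office child-process rule.

```powershell
# Added example. Thresholds are the definition versions quoted in the post above.
$OfficeFix  = [version]'1.269.1096.0'   # Office child-process bypass addressed
$OutlookFix = [version]'1.269.1142.0'   # coverage extended to Outlook

# ASR rule: "Block all Office applications from creating child processes"
$RuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Test-AsrChildProcessPosture {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [version] $SignatureVersion,
        [string[]] $RuleIds     = @(),
        [int[]]    $RuleActions = @()
    )
    # Rule IDs and actions are parallel arrays: 0 = disabled, 1 = block, 2 = audit.
    $state = 'NotConfigured'
    for ($i = 0; $i -lt $RuleIds.Count; $i++) {
        if ($RuleIds[$i] -ieq $RuleId) {
            $state = switch ($RuleActions[$i]) {
                0       { 'Disabled' }
                1       { 'Block' }
                2       { 'Audit' }
                default { "Other($_)" }
            }
        }
    }
    [pscustomobject]@{
        SignatureVersion  = $SignatureVersion
        RuleState         = $state
        OfficeFixPresent  = $SignatureVersion -ge $OfficeFix
        OutlookFixPresent = $SignatureVersion -ge $OutlookFix
        # Only 'Block' stops the child process; 'Audit' just logs it.
        BlockingWithFixes = ($state -eq 'Block') -and ($SignatureVersion -ge $OutlookFix)
    }
}

# Evaluate the local machine.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
Test-AsrChildProcessPosture -SignatureVersion $status.AntivirusSignatureVersion `
    -RuleIds $pref.AttackSurfaceReductionRules_Ids `
    -RuleActions $pref.AttackSurfaceReductionRules_Actions
```

A machine that reports `RuleState` as `Audit` or `NotConfigured` gets no blocking from the rule regardless of how new its definitions are.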
     
  4. shmu26

    shmu26 Registered Member

    Yeah, Microsoft seems to be doing a lot of good things with ASR lately.
     
  5. itman

    itman Registered Member

    Of note, it took Microsoft 4 months to patch the issue :thumbd: :
    Also per the Twitter feed, it appears MS is just blacklisting the processes involved. So the question remains if other trusted processes can likewise be abused?
     
  6. shmu26

    shmu26 Registered Member

    Admittedly, there will be holes in the ASR rule for blocking child processes, because, as mentioned, the various Office apps need to interact with one another.
    But the other ASR rules seem to guard those holes sufficiently well.
     
  7. itman

    itman Registered Member

    Here's another WDEG ASR child process rule bypass: https://oddvar.moe/2018/03/15/windows-defender-attack-surface-reduction-rules-bypass/ . At least this one was promptly patched by Microsoft.
    o_O
     