Cloud IT Office 365

Microsoft Defender ATP Training Series Part 3: Attack Surface Reduction (ASR)

Written by Ambi

In this session we discuss the basics of Microsoft Defender ATP Attack Surface Reduction (ASR). ASR rules target software behaviors that attackers often abuse, such as:

  • Launching executable files and scripts that attempt to download or run files
  • Running obfuscated or otherwise suspicious scripts
  • Performing behaviors that apps don’t usually initiate during normal day-to-day work

Key timestamps:

0:50 ASR Overview
1:52 ASR Rules
2:36 The Golden Rule
5:29 Demo
6:38 Security Recommendations
8:44 Advanced Hunting

A few advanced hunting query links:
https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries
https://github.com/anthonws/WindowsDefenderATP-Hunting-Queries
More #MDATP resources:
https://github.com/alexverboon/MDATP

Official Microsoft ASR documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction

Basic ASR Query:

LSASS ASR Query
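The two queries the headings above refer to are not reproduced on this page. What follows is an added example written for this post, not the author's own queries: one basic query that shows which ASR rules are firing across the tenant, and one that drills into the LSASS credential-theft rule. The DeviceEvents columns and the ActionType names it filters on (AsrLsassCredentialTheftBlocked / AsrLsassCredentialTheftAudited) are assumed from the advanced hunting schema, so run the first query and confirm the exact names in your own tenant before relying on the second.

```kql
// Added example, not the author's query. Assumption: ASR events land in the
// DeviceEvents table with ActionType values prefixed "Asr", e.g.
// AsrLsassCredentialTheftBlocked / AsrLsassCredentialTheftAudited.

// Query 1 - basic ASR overview for the last 7 days:
// which rules fired, how many times, and on how many distinct devices.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType startswith "Asr"
| summarize Events = count(), Devices = dcount(DeviceName) by ActionType
| order by Events desc

// Query 2 - LSASS credential-theft rule only.
// Mode tells you whether the rule merely audited (logged) or actually blocked.
// FileName/FolderPath is the file the rule acted on and the InitiatingProcess*
// columns describe the process that triggered it (column semantics assumed,
// check against your tenant's schema reference).
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("AsrLsassCredentialTheftBlocked", "AsrLsassCredentialTheftAudited")
| extend Mode = iff(ActionType endswith "Audited", "Audit", "Block")
| project Timestamp, DeviceName, Mode, FileName, FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountName
| order by Timestamp desc
```

Run each query on its own in the advanced hunting pane. Keeping a rule in audit mode first and reviewing the Audited rows from the second query shows which legitimate tools (backup agents, EDR components, admin utilities) would be hit by the LSASS rule, so exclusions can be added before the rule is switched to block.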
