In this session we discuss the basics of Microsoft Defender ATP Attack Surface Reduction (ASR). ASR rules target software behaviours that attackers often abuse, such as:
- Launching executable files and scripts that attempt to download or run files
- Running obfuscated or otherwise suspicious scripts
- Performing behaviors that apps don’t usually initiate during normal day-to-day work
Key timestamps:
0:50 ASR Overview
1:52 ASR Rules
2:36 The Golden Rule
5:29 Demo
6:38 Security Recommendations
8:44 Advanced Hunting
A few advanced hunting query links:
https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries
https://github.com/anthonws/WindowsDefenderATP-Hunting-Queries
More #MDATP resources:
https://github.com/alexverboon/MDATP
Official Microsoft ASR documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction
Basic ASR Query:
// Every ASR rule hit is logged in DeviceEvents with an ActionType that starts with 'Asr'
DeviceEvents
| where ActionType startswith 'Asr'
LSASS ASR Query:
// Narrow to the LSASS credential-theft rule and keep the fields needed to judge the initiating process
DeviceEvents
| where ActionType startswith 'AsrLsass'
| project Timestamp, DeviceName, FileName, FolderPath, ProcessCreationTime, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessSHA1
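As an added example (not from the session or the linked repositories), the queries above can be extended to tally ASR events per rule and per outcome over the last 30 days, together with the processes that triggered them, which is the view needed before moving a rule from audit to block mode. It assumes the usual Audited/Blocked suffix on ActionType values and uses only standard DeviceEvents columns.

```kql
// Added example: summarize ASR hits by rule and outcome to review a rule before enforcing it
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith 'Asr'
// Outcome comes from the ActionType suffix (e.g. AsrLsassCredentialTheftAudited / ...Blocked)
| extend Outcome = case(
    ActionType endswith 'Blocked', 'Blocked',
    ActionType endswith 'Audited', 'Audited',
    'Other')
// Strip the suffix so audit and block hits of the same rule land in one bucket
| extend Rule = replace_regex(ActionType, @'(Audited|Blocked)$', '')
| summarize
    Hits = count(),
    Devices = dcount(DeviceName),
    // up to 10 distinct initiating processes per rule/outcome, enough to spot legitimate apps that need an exclusion
    Processes = make_set(InitiatingProcessFileName, 10)
    by Rule, Outcome
| order by Hits desc
```

A rule whose audit hits come only from known business applications is a candidate for an exclusion rather than for block mode.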