In this session we will cover the basics of Microsoft Defender ATP Attack Surface Reduction (ASR). ASR rules target software behaviors that are often abused by attackers, such as:
- Launching executable files and scripts that attempt to download or run files
- Running obfuscated or otherwise suspicious scripts
- Performing behaviors that apps don’t usually initiate during normal day-to-day work
A few advanced hunting queries and links:
More #MDATP resources
Official Microsoft ASR documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction
Basic ASR Query:
// ASR events are recorded in the DeviceEvents table; every ASR ActionType begins with "Asr"
DeviceEvents
| where ActionType startswith 'Asr'
LSASS ASR Query:
// Events from the "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" rule
DeviceEvents
| where ActionType startswith 'AsrLsass'
| project Timestamp,DeviceName,FileName,FolderPath,ProcessCreationTime,InitiatingProcessFileName,InitiatingProcessFolderPath,InitiatingProcessCommandLine,InitiatingProcessSHA1
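As an added example (not from the original post), the two advanced hunting queries below build on the ones above. Both assume the Microsoft Defender for Endpoint DeviceEvents schema, in which ASR ActionType values end in "Audited" when the rule runs in audit mode and "Blocked" when it runs in block mode. The first summarizes ASR activity per rule and mode, which is the view you want before switching a rule from audit to block. The second groups LSASS-rule hits by the initiating process and sorts rarely seen processes first, since a binary firing on one host a few times is a better triage lead than a widely deployed agent (which is more likely a candidate for an exclusion). Run each query separately.

```kql
// Added example, not from the original post. Assumes the DeviceEvents schema and the
// "Audited" / "Blocked" ActionType suffix convention for ASR events.

// Query 1: ASR activity per rule and mode over the last 7 days
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType startswith "Asr"
| extend Mode = case(ActionType endswith "Audited", "Audit",
                     ActionType endswith "Blocked", "Block",
                     "Other")
// strip the mode suffix so audit and block hits of the same rule line up
| extend Rule = trim_end("Audited|Blocked", ActionType)
| summarize Events = count(),
            Devices = dcount(DeviceId),
            SampleCommandLine = take_any(InitiatingProcessCommandLine)
          by Rule, Mode
| order by Events desc

// Query 2: which processes trigger the LSASS rule, rarest first
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType startswith "AsrLsass"
| summarize Events = count(),
            Devices = dcount(DeviceId),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
          by InitiatingProcessFileName, InitiatingProcessFolderPath,
             InitiatingProcessSHA1, ActionType
// low device count and low event count float to the top: investigate those first,
// high counts across the fleet usually point at legitimate software to exclude
| order by Devices asc, Events asc
```

Before adding an exclusion for a process that appears across the fleet, confirm the InitiatingProcessSHA1 matches the vendor's published binary; an attacker renaming a dumping tool to a familiar file name will still show up with a different hash and on far fewer devices.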