FalconFriday — Detecting ASR Bypasses — 0xFF17

Today’s post is about detecting a bypass of the ASR rule “Block Office applications from creating executable content”. FalconFriday content is now also available in the Azure Marketplace!

We’ve seen that more mature organizations often deploy ASR (Attack Surface Reduction) rules to further improve their resilience against advanced attacks. ASR rules in “block” mode make it significantly harder for attackers to abuse Office features to gain code execution or persistence. Block mode is not a guarantee, however: today we want to highlight an ASR bypass that we found ourselves and only later discovered had already been documented, together with a way to detect it.

This is a cross-post from medium.com; please read the full article here:

https://medium.com/falconforce/falconfriday-detecting-asr-bypasses-0xff17-c84b1417019b

Direct link to our GitHub page:

https://github.com/FalconForceTeam/FalconFriday