Attack Surface Reduction: the zero-day killer
Whether you are a beginner or an experienced practitioner with Attack Surface Reduction (ASR), this video is sure to provide you with valuable knowledge and insights. So sit back, relax, and enjoy this video about Attack Surface Reduction rules.
Links
ASR references: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide
Palantir’s blog: https://blog.palantir.com/microsoft-defender-attack-surface-reduction-recommendations-a5c7d41c3cf8
LSASS Twitter question: https://twitter.com/LouisMastelinck/status/1643652827493937152
Chapters
0:00 Intro
1:18 1. What are ASR rules?
1:25 1.1 Supported operating systems
1:45 1.2 Functionality of ASR
1:56 1.3 Real-life example of ASR protecting against zero-day (Follina)
3:32 2. You don't need MDE to do ASR
3:56 2.1 MDE provides the logs built in
4:15 2.2 ASR logs when you don't have MDE
4:47 3. Enabling ASR auditing
4:54 3.1 ASR auditing via GPO
5:29 3.2 ASR modes (disable, block, audit, warn)
5:38 3.3 WARN mode requirements
6:16 3.4 ASR auditing via Intune
6:58 3.5 ASR per-rule exclusions (new vs. old)
7:47 4. (30 days later) Analyze your logs
7:58 4.1 ASR rules Report
8:20 4.2 ASR logs via Advanced Hunting
8:28 4.3 Writing ASR queries
9:14 5. ASR rule types (standard vs. other)
9:57 6. Community questions
10:31 6.1 Twitter question
10:58 6.2 Palantir’s blog about ASR recommendations
11:58 6.3 LSASS: to push or not to push
12:53 7. Careful with: blocking PsExec & WMI when using SCCM
13:23 8. Outro