Attack surface reduction: the zero day killer


Whether you are new to ASR or an experienced practitioner, this video should give you useful knowledge and insights. So sit back, relax, and enjoy this video about Attack Surface Reduction (ASR) rules.

Links

ASR references: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide

Palantir’s blog: https://blog.palantir.com/microsoft-defender-attack-surface-reduction-recommendations-a5c7d41c3cf8

LSASS Twitter question: https://twitter.com/LouisMastelinck/status/1643652827493937152

Chapters

0:00 Intro
1:18 1. What are ASR rules?
1:25 1.1 Supported operating systems
1:45 1.2 Functionality of ASR
1:56 1.3 Real-life example of ASR protecting against a zero-day (Follina)
3:32 2. You don't need MDE to do ASR
3:56 2.1 MDE provides the logs built in
4:15 2.2 ASR logs when you don't have MDE
4:47 3. Enabling ASR auditing
4:54 3.1 ASR auditing via GPO
5:29 3.2 ASR modes (disable, block, audit, warn)
5:38 3.3 Warn mode requirements
6:16 3.4 ASR auditing via Intune
6:58 3.5 ASR-only per-rule exclusions (new vs old)
7:47 4. (30 days later) Analyze your logs
7:58 4.1 ASR rules report
8:20 4.2 ASR logs via Advanced Hunting
8:28 4.3 Writing ASR queries
9:14 5. ASR rule types (standard vs other)
9:57 6. Community questions
10:31 6.1 Twitter question
10:58 6.2 Palantir's blog about ASR recommendations
11:58 6.3 LSASS: to push or not to push
12:53 7. Careful with: the "block PsExec & WMI" rule when using SCCM
13:23 8. Outro
