⚠️ATTENTION!⚠️ Other activities will take place at the same time as this one; check the schedule.

Understanding how ASR rules work for improving your detection capabilities

1/3/2025 9:30-11:30 

Room 002 – Aulario I
Basic level

Jorge Escabias Martínez

Security Engineer (Pentester), NATO Communications and Information Agency (NCIA)

Jorge is a Pentester at the NATO Communications and Information Agency. He holds a degree in Mathematics from the Universidad Complutense de Madrid and a Master's in Cybersecurity from the Universidad Internacional de La Rioja. He has several years of experience in offensive security and has spoken on several occasions at the largest security conferences in Spain, such as HackOn, RootedCON, Jornadas CCN, Hackplayers, Euskalhack, etc.

Activity summary

Reducing the attack surface of your network is one of the most challenging and complex activities to achieve. However, there are many mechanisms that can be leveraged without much effort. One of them is enabling the Attack Surface Reduction rules provided by Microsoft. The goal of these rules is simple: constrain risky software behaviors, for example by blocking Adobe Reader from creating child processes. It sounds like an easy win, but have you ever thought about the internals of those rules? During the workshop, attendees will learn the basics of ASR rules and how they can be deployed. Moreover, they will learn where ASR rules are stored, how they work and how their "source code" can be extracted. Finally, based on a few examples, they will learn how to identify the rules' blind spots, how those could be bypassed, and how to improve their own detection mechanisms.
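As an added illustration of the "how they can be deployed" part of the summary (this is not material from the workshop or its author), the following PowerShell rolls out the ASR rule mentioned above in audit mode first, reads the configuration back, and then pulls the Defender events the rule generates, which is the signal a defender would feed into detection. It assumes Microsoft Defender Antivirus is the active engine and the session is elevated; the rule GUID, the action values and the event IDs are Microsoft's published values for the built-in Defender cmdlets and event log.

```powershell
# Added example, not part of the workshop materials.
# Assumes Microsoft Defender Antivirus is active and this runs in an elevated session.

# Microsoft's published GUID for the rule "Block Adobe Reader from creating child processes".
$RuleId = '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c'

# 1. Deploy in audit mode: the behaviour is logged but not blocked, so the
#    impact on legitimate software can be measured before enforcing.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 2. Read back every configured rule with its action
#    (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}

# 3. Collect the events this rule produced: 1122 = audit-mode hit, 1121 = block.
#    Both land in the Defender operational log and are what a SIEM should ingest.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId } |
    Select-Object TimeCreated, Id, Message

# 4. After an audit window shows no legitimate process being flagged, switch the
#    same rule to enforcement (uncomment when ready).
# Set-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions Enabled
```

Auditing first matters because an ASR rule that blocks a line-of-business workflow tends to get disabled wholesale; the 1122 events tell you what would have been blocked, and the same log is where you verify that a rule you believe is enforced actually fires.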

Requirements for the activity

There is no need to prepare an environment for the workshop. Everything will be shown step by step from scratch and can be replicated afterwards with the slides. As some steps may be time-consuming, I prefer to do it that way. The main goal is to show the attendees how a research process works and the paths that can be taken to achieve it.

In case any of the attendees want to follow the workshop step by step, they will only need to:

  • Bring a computer with full admin access
  • A Windows VM (10 or 11) with Adobe Acrobat and Foxit installed, plus Defender enabled. It does not matter whether it is VMware or VirtualBox.
  • Internet access in case some repositories are needed (a mobile hotspot should be enough).

Limited places: 40 places