Video: Attack Surface Reduction (ASR) Bypass using VBA

Introduction

Attack surface reduction rules in Windows target software behaviors that are often abused by attackers. In this blog post & video, we want to demonstrate a way of bypassing one of these rules from within VBA.

Bypass

The parent process of a newly created process can be selected from VBA. One Attack Surface Reduction rule blocks Office applications from creating child processes. By using VBA code to select a parent other than the Office application, this specific ASR rule can be bypassed, as illustrated in the following video.

FYI: we have not reported this bypass to Microsoft’s MSRC, as ASR is not considered an operating system security boundary.

We are not releasing the spreadsheet as seen in the video, as it is capable of much more than parent process spoofing. If you want to test your defenses, there are several implementations available, like this one on GitHub.
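
For the defensive side of such a test, the following added example (not the authors' code and not part of the original post) flags process starts where the recorded parent differs from the process that issued the creation call. It assumes telemetry that exposes both values, such as process-start events from the ETW Microsoft-Windows-Kernel-Process provider, where the event header PID is the creator; the field names and all sample records are constructed for illustration.

```python
# Added example: flag process starts whose recorded parent is not the process
# that actually issued the creation call.
# Assumed record shape (hypothetical field names):
#   creator_pid - PID that made the create call (e.g. ETW event header PID)
#   parent_pid  - parent PID recorded for the new process
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample data, not captured from a real system.
PROCESS_TABLE = {4120: "EXCEL.EXE", 812: "explorer.exe",
                 1044: "svchost.exe", 3020: "explorer.exe"}
SAMPLE_EVENTS = [
    # Office starts a child under itself: no mismatch (the case the ASR rule covers).
    {"creator_pid": 4120, "parent_pid": 4120, "child_pid": 5300, "child_image": "splwow64.exe"},
    # Office issues the call but another process is recorded as parent.
    {"creator_pid": 4120, "parent_pid": 812, "child_pid": 5388, "child_image": "cmd.exe"},
    # A service starts a process on behalf of a user process (seen with UAC elevation).
    {"creator_pid": 1044, "parent_pid": 3020, "child_pid": 5410, "child_image": "mmc.exe"},
]

def image_of(pid, table):
    """Resolve a PID to a lower-cased image name; unknown PIDs stay visible."""
    return table.get(pid, "<unknown>").lower()

def find_reparented(events, table):
    """Return one finding per event where creator and recorded parent differ."""
    findings = []
    for ev in events:
        if ev["creator_pid"] == ev["parent_pid"]:
            continue
        creator = image_of(ev["creator_pid"], table)
        findings.append({
            "child_pid": ev["child_pid"],
            "child_image": ev["child_image"],
            "creator_image": creator,
            "recorded_parent_image": image_of(ev["parent_pid"], table),
            # An Office creator with a foreign parent is the case this page describes.
            "severity": "high" if creator in OFFICE_IMAGES else "review",
        })
    return findings

if __name__ == "__main__":
    for finding in find_reparented(SAMPLE_EVENTS, PROCESS_TABLE):
        print(finding)
```

Mismatches that do not involve an Office creator are marked for review rather than treated as malicious, because some Windows components legitimately start processes on behalf of another process.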

About the authors
Didier Stevens is a malware expert working for NVISO. Didier is a SANS Internet Storm Center senior handler and Microsoft MVP, and has developed numerous popular tools to assist with malware analysis. You can find Didier on Twitter and LinkedIn.
