Video: Attack Surface Reduction (ASR) Bypass using VBA

Introduction

Attack surface reduction rules in Windows target software behaviors that are often abused by attackers. In this blog post & video, we want to demonstrate a way of bypassing one of these rules from within VBA.

Bypass

Parent process selection can be done from VBA. There is an Attack Surface Reduction rule that blocks Office applications from creating child processes. By using VBA code to select a parent other than the Office application, this specific ASR rule can be bypassed, as illustrated in the following video.

FYI: we have not reported this bypass to Microsoft’s MSRC, as ASR is not considered an operating system security boundary.

We are not releasing the spreadsheet as seen in the video, as it is capable of much more than parent process spoofing. If you want to test your defenses, there are several implementations available, like this one on GitHub.
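A defender-side check for the technique described above, as an added example that is not from the original post: it compares the process that actually created a child with the parent the child was assigned. The event shape (creator PID taken from the ETW event header of a Microsoft-Windows-Kernel-Process ProcessStart event, parent PID from its payload) and all sample records are assumptions constructed for illustration.

```python
# Added example: flag process-creation events whose assigned parent differs
# from the process that actually made the creation call.
# Assumption: each record carries "creator_pid" (PID in the ETW event header,
# i.e. the caller) and "parent_pid" (ParentProcessID in the event payload).

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample telemetry, in chronological order.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\explorer.exe",
     "creator_pid": 700, "parent_pid": 700},
    {"pid": 6300, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "creator_pid": 4120, "parent_pid": 4120},
    # Created by Excel, but assigned explorer.exe as parent.
    {"pid": 7012, "image": r"C:\Windows\System32\cmd.exe",
     "creator_pid": 6300, "parent_pid": 4120},
    {"pid": 7100, "image": r"C:\Windows\System32\notepad.exe",
     "creator_pid": 4120, "parent_pid": 4120},
]


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_parent_mismatches(events):
    """Return one finding per event where creator and assigned parent differ."""
    images = {}      # pid -> image name, built up as events arrive
    findings = []
    for ev in events:
        images[ev["pid"]] = image_name(ev["image"])
        if ev["creator_pid"] == ev["parent_pid"]:
            continue
        creator = images.get(ev["creator_pid"], "unknown")
        findings.append({
            "child_pid": ev["pid"],
            "child": images[ev["pid"]],
            "creator": creator,
            "assigned_parent": images.get(ev["parent_pid"], "unknown"),
            # A mismatch alone is noisy (UAC elevation also reassigns the
            # parent); an Office creator is the case this post is about.
            "office_creator": creator in OFFICE_IMAGES,
        })
    return findings


if __name__ == "__main__":
    for finding in find_parent_mismatches(SAMPLE_EVENTS):
        print(finding)
```
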

About the authors
Didier Stevens is a malware expert working for NVISO. Didier is a SANS Internet Storm Center senior handler and Microsoft MVP, and has developed numerous popular tools to assist with malware analysis. You can find Didier on Twitter and LinkedIn.
