Recovering from Attack Surface Reduction rule shortcut deletions

This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs - .

On January 13th, Windows Security and Microsoft Defender for Endpoint customers may have experienced a series of false positive detections for the Attack Surface Reduction (ASR) rule "Block Win32 API calls from Office macro" after updating to security intelligence build 1.381.2140.0. These detections resulted in the deletion of certain Windows shortcut (.lnk) files that matched the incorrect detection pattern. There is no impact for customers who do not have the “Block Win32 API calls from Office macro” rule turned on in block mode or did not update to security intelligence update build 1.381.2140.0.


For currently impacted customers: what do I need to do? 

Impacted customers will need both the updated security intelligence build, and to recover deleted files.


The updated security intelligence build

Customers should update to build 1.381.2164.0. Customers utilizing automatic updates for Microsoft Defender antivirus do not need to take additional action to receive the updated security intelligence build. Enterprise customers managing updates should download the latest update and deploy it across their environments.  The security intelligence build does not restore deleted files.


To recover deleted Windows shortcut (.lnk) files

Microsoft has confirmed steps that customers can take to recreate start menu links for a significant sub-set of the affected applications that were deleted. These have been consolidated into the PowerShell script below to help enterprise administrators take recovery actions in their environment. 


The first version of the script is available on GitHub: MDE-PowerBI-Templates/AddShortcutsV1.ps1 (master branch of microsoft/MDE-PowerBI-Templates).


Microsoft will continue to enhance this script.
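As an added example, and not Microsoft's AddShortcutsV1.ps1 script, the following PowerShell function shows the core of such a recovery: it recreates a single missing Start Menu shortcut through the WScript.Shell COM object, and it refuses to create a link whose target executable is not installed. The function name, the application names and the install paths in the sample list are assumptions for illustration.

```powershell
# Added example, not Microsoft's AddShortcutsV1.ps1: recreate one missing Start Menu
# shortcut (.lnk) with the WScript.Shell COM object. Run elevated for the all-users menu.
function Restore-StartMenuShortcut {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Name,        # display name, becomes "<Name>.lnk"
        [Parameter(Mandatory)] [string] $TargetPath,  # executable the shortcut launches
        [string] $Arguments = '',
        [string] $StartMenuDir = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs"
    )

    # Only rebuild links for applications that are actually installed; a dangling
    # shortcut would be worse than a missing one.
    if (-not (Test-Path -LiteralPath $TargetPath -PathType Leaf)) {
        Write-Warning "Target not installed, skipping: $TargetPath"
        return $null
    }

    $lnkPath = Join-Path $StartMenuDir "$Name.lnk"
    if (Test-Path -LiteralPath $lnkPath) {
        Write-Verbose "Shortcut already present: $lnkPath"
        return $lnkPath
    }

    if ($PSCmdlet.ShouldProcess($lnkPath, 'Create shortcut')) {
        $shell = New-Object -ComObject WScript.Shell
        try {
            $shortcut = $shell.CreateShortcut($lnkPath)
            $shortcut.TargetPath       = $TargetPath
            $shortcut.Arguments        = $Arguments
            $shortcut.WorkingDirectory = Split-Path -Parent $TargetPath
            $shortcut.IconLocation     = "$TargetPath,0"
            $shortcut.Save()
        }
        finally {
            [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($shell)
        }
    }
    return $lnkPath
}

# Constructed sample list; the names and install paths are assumptions for illustration.
$apps = @(
    @{ Name = 'Microsoft Edge'; TargetPath = "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe" }
    @{ Name = 'Word';           TargetPath = "$env:ProgramFiles\Microsoft Office\root\Office16\WINWORD.EXE" }
)
# -WhatIf previews the changes; drop it to actually recreate the shortcuts.
foreach ($app in $apps) { Restore-StartMenuShortcut @app -Verbose -WhatIf }
```

Running with -WhatIf first lists every shortcut that would be written, which is a useful check before rolling the change out across an estate.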


For customers that prefer manual steps rather than the script, running an application repair on the affected applications will recreate the deleted links. Users can run the Application Repair functionality for programs including Microsoft 365, Microsoft Edge, and Microsoft Visual Studio.

To repair an application, follow these instructions:

1. Windows 10:
   1. Select Start > Settings > Apps > Apps & features.
   2. Select the app you want to fix.
   3. Select the Modify link under the name of the app if it is available.
   4. A new page will launch and allow you to select Repair.
2. Windows 11:
   1. Type “Installed Apps” in the search bar.
   2. Click “Installed Apps”.
   3. Select the app you want to fix.
   4. Click on “…”.
   5. Select Modify or Advanced Options if it is available.
   6. A new page will launch and allow you to select Repair.

Verifying environment impact

Customers can verify the impact of this issue in their environment through the following advanced hunting queries (AHQs):

This AHQ retrieves all devices with the ASR rule "Block Win32 API calls from Office macro" enabled in Block mode:

https://security.microsoft.com/v2/advanced-hunting?query=H4sIAAAAAAAAA32S3U7CQBCFz7WJ79B4BQkaEW8xqaIJJqKJJF4abBepAiVs_Y0P77fTIhoq2Wxn9uyZmTOz7cnpVZkS7Dme01yFvHa1oy9FetMEbMmONIQ3w_MwRngLsBN2yqkAL6r7ho50yO5oH9vm29axmrU5YyqHuJy6Q32QM6CJnUOVDOtB9mB6Yq41ZpV6r7hPwHLdGa9DzZgMmc64mbK8TvnmsJ7hp2RZaXB6N81z0EiXuiXzAK_LXhC9JNbpXk_YoKVB5pSV_agNFS7wHTaF1fwnd8ZdrJcqtqxQkCFMcWm6H8m-UnCg_h9-_dQ2c3ZtRmNTFZSvO_XwZqyRVfu0-AcmXfeeLdDerz-iT4WAhT6nnAfGcxWWW-dB0439ARPD6160xLfPr7XR17qDnBrFFt0R1lP3G7MZrDnOAgAA&timeRangeId=SetInQuery

```kql
DeviceEvents
| where Timestamp > datetime(2023-01-14)
| where ActionType contains "AsrOfficeMacroWin32ApiCallsBlocked"
| extend JSON = parse_json(AdditionalFields)
| extend isAudit = tostring(JSON.IsAudit)
| where isAudit == "false"
| summarize by Timestamp, DeviceId, FileName, FolderPath, ActionType, AdditionalFields, isAudit
| sort by Timestamp asc
```


This AHQ retrieves all devices with the ASR rule "Block Win32 API calls from Office macro" enabled in either Block or Audit mode:

https://security.microsoft.com/v2/advanced-hunting?query=H4sIAAAAAAAAA32QyQoCMRBE6yz4D4MnBQW3szBu4MHlIHjWmREHl4gZFcWP9yUueBgkJN1dXanqpK9EF6WKiAOyRAdlsiqqoIcCXbUBO7EDzeHtySyMJdkRrMOOqTLw7N0vq6k6u6UascHZUFuVXM0QZ3fP4DvXDU2HRr52LinRgpRgWu5MtWa95h3Tj8CMFp7XwjNEIVWPzo5l1eU0sLbwY1Q-M1idmXUP7wT_7l1X-Oe9sgra__mnEUoOG1LvqCeel7wxAxb79838v2w8nvfOFx6z0m_Pze10E69if-Y1KGZ_pgyIFpcnfmh_ztIBAAA&timeRangeId=SetInQuery

```kql
DeviceEvents
| where Timestamp > datetime(2023-01-14)
| where ActionType contains "AsrOfficeMacroWin32ApiCallsBlocked"
| summarize by Timestamp, DeviceId, FileName, FolderPath, ActionType, AdditionalFields
| sort by Timestamp asc
```
