@karthikeyanv3400 a year ago
Thank you both, excellent walkthrough.
@MSEndpointMgr a year ago
You are most welcome!
@Rahgozar633 a year ago
Hi, thank you for the informative video. I have a question that wasn't answered by Microsoft either. Sometimes, certain executable files that attempt to access LSASS are blocked on some devices, even though these files can run without issues on other devices. What could be the reason behind this if the file isn't malicious?
@MSEndpointMgr a year ago
Hi Milad, that is a very good question, one that I have asked myself. Programs with access to LSASS should be considered threats. I am no security expert, but LSASS is there to help Windows with credentials, not 3rd-party apps. If a program gets access and dumps the LSASS credentials, an attacker would easily be able to move laterally across the network with tools like PsExec and WMI. So blocking access to LSASS would be my default until I see stuff break because of it.
@Rahgozar633 a year ago
@MSEndpointMgr Hi, thank you for your feedback. The problem is that certain files or applications require access to LSASS, and it is not clear why these specific files are able to access LSASS on one device without raising suspicion from Microsoft. However, the same file or application may be blocked on another device, and it is unclear what has caused this. In such cases, it is uncertain whether the file should be excluded from this ASR rule or not.
@MSEndpointMgr a year ago
@Rahgozar633 I see your point. I guess the only way to find out will be to ask the vendor of the software that tries to access LSASS whether this is really needed.
@aneeshnicola9981 a year ago
@MSEndpointMgr Do we need to enable cloud block level as High to receive the toast notifications on the end-user device for ASR warn mode? Is there any prerequisite? Looking for assistance, please, since I'm not receiving the notifications which allow me to bypass despite configuring warn mode.
@MSEndpointMgr a year ago
Good question. Yes, you need cloud block level set to High, otherwise you will be shown nothing. Also, your rules might need to be in block mode, but some will also show a toast notification even in audit. You can see the full picture here: learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#per-asr-rule-alert-and-notification-details
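An added example (not from the video or from anyone in this thread) that works through both questions above on a single endpoint: the "blocked on one device but not another" LSASS case and the warn-mode notification prerequisite. It prints the device's cloud block level and the mode of each configured ASR rule, then groups the recent ASR events by rule and process so the two devices can be compared. The event IDs and EventData field names are my assumptions about the Defender operational log schema, not values taken from the thread.

```powershell
# Added example, not the video's or the channel's own script. Run in an
# elevated PowerShell on the endpoint being investigated.
$pref = Get-MpPreference

# Cloud block level as stored by Get-MpPreference (numeric). The thread says
# High (2) is required before warn-mode toast notifications are shown.
$cloudLevels = @{ 0 = 'Default'; 1 = 'Moderate'; 2 = 'High'; 4 = 'HighPlus'; 6 = 'ZeroTolerance' }
$level = [int]$pref.CloudBlockLevel
Write-Host ("CloudBlockLevel : {0} ({1})" -f $level, $cloudLevels[$level])
if ($level -lt 2) { Write-Warning 'Cloud block level is below High; expect no warn-mode toasts.' }

# Configured ASR rules and their mode. Actions: 0 Disabled, 1 Block, 2 Audit, 6 Warn.
$modes   = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
Write-Host 'Configured ASR rules:'
for ($i = 0; $i -lt $ids.Count; $i++) {
    Write-Host ("  {0}  {1}" -f $ids[$i], $modes[[int]$actions[$i]])
}

# Last 7 days of ASR events. Assumed IDs: 1121 block, 1122 audit,
# 1125 warn-mode rule fired, 1126 user allowed in warn mode.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122, 1125, 1126
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

# Read the named EventData fields from each event's XML rather than relying on
# positional Properties indexes. 'ID', 'Process Name' and 'Path' are assumed names.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        RuleId  = $d['ID']
        Process = $d['Process Name']
        Target  = $d['Path']
    }
}

# Grouping by rule and process shows which binaries trip a rule (e.g. the LSASS
# rule) on this device; compare with a device where the same app is not blocked.
$rows | Group-Object RuleId, Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

If a device shows the rule in Audit or Warn while another shows Block, or a different cloud block level, the policy assignment rather than the file explains the difference; if the configuration matches, the grouped events show exactly which process and target path fired the rule.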
@KA-NV a year ago
@MSEndpointMgr Could you provide where to find the option to enable cloud block level? Thanks
@edemfromeden5432 2 years ago
It always amazes me how much MSFT is NOT aligned in regards to best practices. The speaker's advice goes like this: "don't play around with ring1, ring2, deploy to all". At the same time, the official ASR docs state the opposite O_o.
@MSEndpointMgr 2 years ago
It all depends on the scenario. I know, such a boring answer. But a ring rollout method is always a good thing to prevent large-scale bummers.