ASRmageddon Summary

Friday the 13th of January 2023 was a hard day for most Microsoft Defender customers (and consultants). I think everybody knows about the MO497128 issue.

In this blog post I would like to summarize the different solutions, and first of all the different scripts, that I have found on various platforms. Sorry to the bloggers I cannot tag in this post and/or afterwards on Twitter.

This post will be updated as soon as I find new and usable information about this issue.

Issue

Root cause was a security intelligence (definition) update, version 1.381.2140.0.

Temporarily set the following ASR rule to Audit mode to prevent further damage: "Office 365 Win32 API Macro" (official name: Block Win32 API calls from Office macros), id 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b, via Intune or PowerShell.

If you use PowerShell, remember to run it as SYSTEM:

Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions AuditMode

Note that once the rule is in Audit mode the events are logged as AsrOfficeMacroWin32ApiCallsAudited instead of AsrOfficeMacroWin32ApiCallsBlocked, so adjust your hunting queries accordingly.

Then trigger a sync to all devices in Intune with the Intune PowerShell SDK –> Script

PLEASE USE WITH YOUR OWN KNOWLEDGE AND EXPERTISE! ALWAYS TEST FIRST. After you have switched the ASR rule to Audit, pick the solution below that fits your needs.
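The mitigation step above, as an added example that is not one of the scripts linked in this post: it reads the current action of the rule from Get-MpPreference, switches it to Audit (or back to Block once the fixed definitions are installed, via -Mode Block) and verifies the result instead of assuming Add-MpPreference succeeded. The numeric action codes and the parameter values are those of the Defender cmdlets; the script name and -Mode parameter are my own.

```powershell
# Added example, not a script from the original post. Switches the ASR rule
# "Block Win32 API calls from Office macros" to Audit (the mitigation) or back
# to Block (once the fixed definitions are in place) and verifies the result.
# Run elevated; when Defender settings come from Intune/GPO, run as SYSTEM and
# expect the next policy sync to reassert the managed value.
param([ValidateSet('Audit', 'Block')][string]$Mode = 'Audit')

$RuleId = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'
# Numeric actions as reported by Get-MpPreference (0 Disabled, 1 Block, 2 Audit, 6 Warn)
$Wanted    = @{ Audit = 2; Block = 1 }
# Parameter values accepted by Add-MpPreference for the same states
$ActionArg = @{ Audit = 'AuditMode'; Block = 'Enabled' }

function Get-AsrRuleAction {
    param([string]$Id)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) { return [int]$acts[$i] }
    }
    return $null   # rule not configured locally
}

$before = Get-AsrRuleAction -Id $RuleId
$label  = if ($null -eq $before) { 'not configured' } else { $before }
Write-Output "Rule $RuleId before: $label"

if ($before -ne $Wanted[$Mode]) {
    # Add-MpPreference updates the action of a rule ID that is already listed
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions $ActionArg[$Mode] -ErrorAction Stop
}

$after = Get-AsrRuleAction -Id $RuleId
if ($after -ne $Wanted[$Mode]) {
    Write-Warning "Rule is $after, expected $($Wanted[$Mode]); is it enforced by policy?"
    exit 1
}
Write-Output "Rule $RuleId is now $Mode ($after)."
```

Run it as `.\Set-AsrWin32Macro.ps1` for the mitigation and `.\Set-AsrWin32Macro.ps1 -Mode Block` to re-enable blocking afterwards; a non-zero exit code is the signal that the local change was not applied, which on managed devices usually means the Intune or GPO policy still wins.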

2023/01/14 – Version 1.0 – Initial post

2023/01/15 – Version 1.1 – Added PR part

2023/01/15 – Version 1.2 – Added PSADT part

2023/01/16 – Version 1.3 – Added VSS restore part

2023/01/16 – Version 1.4 – Added ASR Medkit blog post

Advanced Hunting

Find Affected Devices

// DeviceInfo holds many snapshot rows per device, so keep only the latest
// row before expanding LoggedOnUsers; otherwise every hit is repeated once
// per snapshot. The inner lookup returns affected devices only.
let deviceevent =
DeviceEvents
| where ActionType == "AsrOfficeMacroWin32ApiCallsBlocked" and Timestamp >= datetime("2023-01-13 00:00:00Z")
| where FileName endswith ".lnk"
| summarize count() by FileName, DeviceName;
DeviceInfo
| summarize arg_max(Timestamp, LoggedOnUsers) by DeviceName
| extend users = parse_json(LoggedOnUsers)
| mv-expand users
| extend loggedusers = tostring(users.UserName)
| project DeviceName, loggedusers
| lookup kind = inner deviceevent on DeviceName

Find Affected Shortcuts

DeviceEvents
| where ActionType == "AsrOfficeMacroWin32ApiCallsBlocked" and Timestamp >= datetime("2023-01-13 00:00:00Z")
| where FileName endswith ".lnk"
| summarize count() by FileName, DeviceName

In the portal these events are marked with "T1204.002 Malicious File".

Solutions

Be aware of 32-bit vs. 64-bit programs when mapping shortcut targets and icons: the same application can live under Program Files or Program Files (x86), and a shortcut pointing at the wrong one gets a broken target and a blank icon.
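The 32/64-bit mapping caveat above in code, as an added example that is not one of the recreation scripts linked below: each shortcut is described by a path relative to a Program Files root, the target is resolved against both roots, and the icon is taken from the resolved binary rather than a hard-coded path. The shortcut table is a constructed sample (Office Click-to-Run binaries plus one third-party program); the function names are my own.

```powershell
# Added example, not one of the scripts linked in this post. Recreates Start
# Menu shortcuts for known programs, resolving each target in both Program
# Files roots so 32-bit apps on 64-bit Windows get the right target and icon.
# The shortcut table is a constructed sample; extend it for your estate.
$Shortcuts = @(
    @{ Name = 'Word';      Exe = 'Microsoft Office\root\Office16\WINWORD.EXE' },
    @{ Name = 'Excel';     Exe = 'Microsoft Office\root\Office16\EXCEL.EXE' },
    @{ Name = 'Notepad++'; Exe = 'Notepad++\notepad++.exe' }
)
$StartMenu = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'

function Resolve-ProgramPath {
    param([string]$RelativePath)
    # Candidate roots: 64-bit and 32-bit Program Files. On 32-bit Windows
    # ${env:ProgramFiles(x86)} is empty and is skipped.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        $candidate = Join-Path $root $RelativePath
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $null
}

function New-StartMenuShortcut {
    param([string]$Name, [string]$Target)
    $lnkPath = Join-Path $StartMenu "$Name.lnk"
    if (Test-Path -LiteralPath $lnkPath) { return $false }   # keep a surviving shortcut
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut($lnkPath)
    $lnk.TargetPath       = $Target
    $lnk.WorkingDirectory = Split-Path $Target -Parent
    $lnk.IconLocation     = "$Target,0"   # icon from the resolved binary, not a guessed path
    $lnk.Save()
    return $true
}

foreach ($s in $Shortcuts) {
    $target = Resolve-ProgramPath -RelativePath $s.Exe
    if ($null -eq $target) { Write-Warning "Not installed: $($s.Name)"; continue }
    if (New-StartMenuShortcut -Name $s.Name -Target $target) {
        Write-Output "Recreated $($s.Name) -> $target"
    }
}
```

The same table works for the per-user Start Menu by pointing $StartMenu at `$env:APPDATA\Microsoft\Windows\Start Menu\Programs` in the user's context; the resolver is the part worth keeping, since it is the 32/64-bit path guess that most hand-written fixes get wrong.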

Script to recreate .lnks (but not all)

https://call4cloud.nl/wp-content/uploads/2023/01/repair.txt

https://github.com/j0eyv/scripts/blob/main/force-o365-desktop-icons.ps1

Another script to recreate .lnks (but not all)

http://powershellisfun.com/2023/01/13/recreate-start-menu-shortcuts-asrmageddon/

Working with JSON

https://github.com/jwinterberg/handy-scripts/tree/main/Recreate-Shortcuts

Restore links deleted from OneDrive locations by attack surface reduction rules

https://www.thextrabit.com/post/restore-links-deleted-from-onedrive-locations-by-attack-surface-reduction-rules-mo497128

Office Quick Repair (OfficeClickToRun.exe)

This recreates the Office shortcuts only:

$office = "C:\Program Files\Microsoft Office 15\ClientX64\OfficeClicktoRun.exe"
Start-Process $office -ArgumentList "scenario=Repair platform=x64 culture=en-us RepairType=QuickRepair DisplayLevel=False" -Wait

Microsoft solution – incl. VSS support

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/recovering-from-attack-surface-reduction-rule-shortcut-deletions/ba-p/3716011

–> Script

Proactive Remediation

https://github.com/Jcodedk/script/blob/main/signature%20update%20proactive

PSADT

ASRmageddon – May I have my shortcuts back, please?

–> Script

Volume Shadow Copy Service Restore

RECOVERING FROM THE DEFENDER ASR BUG MO497128
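A shadow-copy restore as an added example, not the script from the linked post: it picks the newest shadow copy of C:, exposes it through a temporary directory symlink (shadow copies are only reachable via their GLOBALROOT device object) and copies back every .lnk that the shadow copy has but the live Start Menu folder lacks. It assumes System Protection or another VSS schedule had produced a shadow copy before 13 January; the link path and folder are my own choices.

```powershell
# Added example, not the script from the linked VSS post. Copies back any .lnk
# present in the newest shadow copy of C: but missing from the live Start Menu
# folder. Assumes a shadow copy taken before the bad definition update; run elevated.
$Folder = 'ProgramData\Microsoft\Windows\Start Menu\Programs'   # relative to the C: root
$Link   = 'C:\vss_restore'                                      # temporary link to the shadow device

$cVolume = (Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq 'C:').DeviceID
$shadow = Get-CimInstance Win32_ShadowCopy |
    Where-Object VolumeName -eq $cVolume |
    Sort-Object InstallDate -Descending |
    Select-Object -First 1
if (-not $shadow) { throw 'No shadow copy of C: found; nothing to restore from.' }
if (Test-Path -LiteralPath $Link) { throw "$Link already exists; pick another link path." }

# A shadow copy is only reachable through a link to its GLOBALROOT device object
cmd /c mklink /d $Link "$($shadow.DeviceObject)\" | Out-Null
try {
    $src = Join-Path $Link $Folder
    $dst = Join-Path 'C:\' $Folder
    $restored = 0
    Get-ChildItem -LiteralPath $src -Filter *.lnk -Recurse | ForEach-Object {
        $rel  = $_.FullName.Substring($src.Length).TrimStart('\')
        $dest = Join-Path $dst $rel
        if (-not (Test-Path -LiteralPath $dest)) {       # only fill gaps, never overwrite
            New-Item -ItemType Directory -Force -Path (Split-Path $dest -Parent) | Out-Null
            Copy-Item -LiteralPath $_.FullName -Destination $dest
            $restored++
        }
    }
    "Restored $restored shortcut(s) from the shadow copy taken $($shadow.InstallDate)"
}
finally {
    cmd /c rmdir $Link | Out-Null   # removes only the link, the shadow copy stays
}
```

Repeat with $Folder set to `Users\<name>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs` for per-user shortcuts, and check the shadow copy's InstallDate first: one taken after the deletions contains the same gaps as the live system.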

ASR Medkit


–> Script

All of these solutions work, but none of them will bring back arbitrary (user-created) .lnk files. You need to handle those yourself.

Confirmed by Microsoft

Security definition v1.381.2164.0 released by Microsoft is the fix! You can push the update out manually or wait for the regular update interval (8 hours). To update manually:

cd %ProgramFiles%\Windows Defender
MpCmdRun.exe -removedefinitions -dynamicsignatures
MpCmdRun.exe -SignatureUpdate

The fixed definitions stop further deletions but do not restore shortcuts that are already gone; use one of the solutions above for that.
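The manual update as an added example, not Microsoft's own guidance: it compares the installed signature version (from Get-MpComputerStatus) with the fixed release before running the two MpCmdRun commands, and checks again afterwards, so a device that is stuck behind a proxy or WSUS does not get reported as fixed. The threshold version and the MpCmdRun switches are the ones from this post; the function name is my own.

```powershell
# Added example, not from the original post or Microsoft's guidance: force a
# definition update only if the installed signature version is older than the
# fixed release, and verify the result. Run elevated.
$FixedVersion = [version]'1.381.2164.0'
$MpCmdRun     = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

function Get-SignatureVersion {
    # AntivirusSignatureVersion is a dotted string such as 1.381.2164.0
    [version](Get-MpComputerStatus).AntivirusSignatureVersion
}

$current = Get-SignatureVersion
if ($current -ge $FixedVersion) {
    Write-Output "Signatures $current already include the fix."
    return
}

# Same two steps as the manual update: drop dynamic (cloud-delivered)
# signatures, then pull the latest definitions.
& $MpCmdRun -removedefinitions -dynamicsignatures | Out-Null
& $MpCmdRun -SignatureUpdate | Out-Null

$updated = Get-SignatureVersion
if ($updated -lt $FixedVersion) {
    Write-Warning "Still on $updated; check proxy/WSUS/update-source reachability and retry."
    exit 1
}
Write-Output "Updated from $current to $updated."
```

Deployed as an Intune script or Proactive Remediation, the exit code alone tells you which devices still run a vulnerable definition; keep the ASR rule in Audit until this reports success fleet-wide.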
