Friday the 13th of January 2023 was a hard day for most Microsoft Defender customers (and consultants). I think everybody knows about the MO497128 issue.
In this blog post, I would like to summarize the different solutions and, first of all, the different scripts I have found on various platforms. Sorry to the bloggers if I cannot tag everyone in this post and/or afterwards on Twitter.
This post will be updated as soon as I find new and usable information about this issue.
Issue
Root cause was a security definition update (v1.381.2140.0).
Temporarily set the following ASR rule to AUDIT to prevent further damage: Office 365 Win32 API Macro - id: 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b
via Intune or PowerShell.
If using PowerShell, remember to run it as SYSTEM: Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions AuditMode
Invoke a sync to all devices in Intune with the Intune PowerShell SDK –> Script
PLEASE USE WITH YOUR OWN KNOWLEDGE AND EXPERTISE! ALWAYS TEST FIRST. After you disable the ASR rule, pick a solution that fits your needs.
2023/01/14 – Version 1.0 – Initial post
2023/01/15 – Version 1.1 – Added PR part
2023/01/15 – Version 1.2 – Added PSADT part
2023/01/16 – Version 1.3 – Added VSS restore part
2023/01/16 – Version 1.4 – Added ASR Medkit blog post
Advanced Hunting
Find Affected Devices
let deviceevent =
DeviceEvents
| where ActionType == "AsrOfficeMacroWin32ApiCallsBlocked" and Timestamp >= datetime("2023-01-13 00:00:00Z")
| where FileName contains ".lnk"
| summarize count() by FileName, DeviceName;
DeviceInfo
| project LoggedOnUsers, DeviceName
| extend users = parse_json(LoggedOnUsers)
| mv-expand users
| extend loggedusers = users.UserName
| project DeviceName, loggedusers
| lookup kind = leftouter deviceevent on DeviceName
Find Affected Shortcuts
DeviceEvents
| where ActionType == "AsrOfficeMacroWin32ApiCallsBlocked" and Timestamp >= datetime("2023-01-13 00:00:00Z")
| where FileName contains ".lnk"
| order by Timestamp
| summarize count() by FileName, DeviceName
These events are tagged with the MITRE ATT&CK technique "T1204.002 Malicious File".
Solutions
Please be aware of 32-bit vs. 64-bit programs when mapping target paths and icons.
Script to recreate .lnks (but not all)
https://call4cloud.nl/wp-content/uploads/2023/01/repair.txt
https://github.com/j0eyv/scripts/blob/main/force-o365-desktop-icons.ps1
Another script to recreate .lnks (but not all)
http://powershellisfun.com/2023/01/13/recreate-start-menu-shortcuts-asrmageddon/
Working with JSON
https://github.com/jwinterberg/handy-scripts/tree/main/Recreate-Shortcuts
Restore links deleted from OneDrive locations by attack surface reduction rules
Repair.exe
$office = "C:\Program Files\Microsoft Office 15\ClientX64\OfficeClicktoRun.exe"
Start-Process $office "scenario=Repair platform=x64 culture=en-us RepairType=QuickRepair DisplayLevel=False" -Wait
Microsoft solution – incl. VSS support
–> Script
Proactive Remediation
https://github.com/Jcodedk/script/blob/main/signature%20update%20proactive
PSADT
ASRmageddon – May I have my shortcuts back, please?
–> Script
Volume Shadow Copy Service Restore
RECOVERING FROM THE DEFENDER ASR BUG MO497128
ASR Medkit
–> Script
All solutions work, but none of them will bring back arbitrary (user-created) .lnk files. You need to solve that yourself.
Confirmed by Microsoft
Security definition "v1.381.2164.0" released by MS is the fix! You can manually push out the update or wait for the regular 8-hour update interval. Manual update:
cd %ProgramFiles%\Windows Defender
MpCmdRun.exe -removedefinitions -dynamicsignatures
MpCmdRun.exe -SignatureUpdate
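As an added example (not one of the scripts linked in this post), the following PowerShell ties the workaround from the "Issue" section to the fix confirmed above: it reads the installed security intelligence version, compares it with the fixed version, reports whether the ASR rule is still in Audit, pulls the update if the fix is missing, and puts the rule back to Block once the fix is present. It uses only the standard Defender cmdlets; the version constant and rule GUID are taken from this post, the 0/1/2/6 action mapping is the documented one, and the script is intended to run elevated (as SYSTEM when used as a Proactive Remediation).

```powershell
# Added example: verify the MO497128 fix and roll back the Audit workaround.
$FixedVersion = [version]'1.381.2164.0'                    # fixed definition (from the post)
$RuleId       = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'     # Office macro Win32 API rule (from the post)
$ActionNames  = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$installed = [version](Get-MpComputerStatus).AntivirusSignatureVersion
$pref      = Get-MpPreference

# Rule ids and actions are parallel arrays; locate our rule (ids may differ in case).
$ids = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
$idx = [array]::IndexOf($ids, $RuleId.ToLower())
$action = if ($idx -ge 0) {
    $ActionNames[[int]$pref.AttackSurfaceReductionRules_Actions[$idx]]
} else {
    'Not configured'
}

Write-Output "Signature version: $installed (fix: $FixedVersion)"
Write-Output "ASR rule $RuleId action: $action"

if ($installed -lt $FixedVersion) {
    # Bad definition may still be active: fetch the update now rather than
    # waiting for the regular interval, and keep the Audit workaround in place.
    Write-Output 'Fixed definition not installed yet; triggering a signature update.'
    Update-MpSignature
    exit 1   # Proactive Remediation convention: non-zero means non-compliant
}

if ($action -eq 'Audit') {
    # Fix is present, so the temporary Audit setting can go back to Block.
    # Add-MpPreference updates the action of an already configured rule id.
    Write-Output 'Fix installed; restoring the ASR rule to Block mode.'
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
}
exit 0
```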