Microsoft have made a big boo boo in #Defender again. If you have attack surface reduction enabled for macros, it is deleting all user shortcuts from Start Menu (including Office etc) #ASRmageddon https://www.reddit.com/r/sysadmin/comments/10ar1vb/comment/j45qy7c/?utm_source=share&utm_medium=ios_app&utm_name=iossmf&context=3
Multiple users reporting Microsoft apps have disappeared

I was able to get this to restore icons on a per-user basis $AllPrograms = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC\" #...


The fix to #ASRmageddon is disable the ASR rules across the org and then (lol) recreate all the user shortcuts on all the machines somehow.

Good luck and happy Friday the 13th

It looks like #ASRmageddon may be a big incident for lots of orgs in Europe, speaking to people, as it has removed Start Menu, Taskbar and Desktop shortcuts.
MS have acknowledged #ASRmageddon in the M365 admin portal.

If you want to find out if you have the ASR rule enabled and on which devices:

security.microsoft.com -> Vulnerability Management -> Recommendations -> Search (right-hand side) for Win32 -> look for "Block Win32 API calls from Office macros"

It's not enabled by default, but Defender prompts to enable and Microsoft Security Baselines for 21H2 tell you to enable it.
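
A per-device check for the rule named in the post above, as an added example that is not part of the original thread. It assumes the Defender PowerShell module is present; the GUID is Microsoft's documented ID for "Block Win32 API calls from Office macros", and the function name `Get-AsrRuleState` is hypothetical.

```powershell
# Added example: report the local state of the ASR rule
# "Block Win32 API calls from Office macros" on one Windows device.
# The GUID is Microsoft's documented rule ID; Get-AsrRuleState is a hypothetical name.
$RuleId = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'

# Documented ASR action values.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    param(
        [string]   $Id,
        [string[]] $Ids,      # AttackSurfaceReductionRules_Ids
        [int[]]    $Actions   # AttackSurfaceReductionRules_Actions, same order as $Ids
    )
    # No ASR rules configured at all on this device.
    if (-not $Ids) { return 'NotConfigured' }
    for ($i = 0; $i -lt $Ids.Count; $i++) {
        if ($Ids[$i] -ieq $Id) {              # GUID case varies between policy sources
            if ($i -ge $Actions.Count) { return 'Unknown' }
            $a = $Actions[$i]
            if ($ActionNames.ContainsKey($a)) { return $ActionNames[$a] }
            return "Unknown($a)"
        }
    }
    return 'NotConfigured'
}

# Constructed sample input: two rule IDs (the second is a made-up placeholder), Block and Audit.
$sampleIds     = @('92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B', '00000000-0000-0000-0000-000000000000')
$sampleActions = @(1, 2)
"Sample: " + (Get-AsrRuleState -Id $RuleId -Ids $sampleIds -Actions $sampleActions)

# Live check against this device's Defender preferences.
$pref  = Get-MpPreference
$state = Get-AsrRuleState -Id $RuleId `
            -Ids $pref.AttackSurfaceReductionRules_Ids `
            -Actions $pref.AttackSurfaceReductionRules_Actions
[pscustomobject]@{
    Computer = $env:COMPUTERNAME
    RuleId   = $RuleId
    State    = $state
}
```

The sample line prints `Sample: Block`; on a device where the rule was never deployed the live check reports `NotConfigured`.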

It looks like they're rolling it back; a rule had been pushed which triggered the ASR rule in error on any app. #ASRmageddon

One of the impacted #ASRmageddon orgs is.. Microsoft.

Spoken to a bunch of UK orgs in healthcare and policing who are dealing with #ASRmageddon just now. Status: 😬😬😬😬🫡🤣

Everybody is dreading Monday, when people try to relaunch apps.

Microsoft are still trying to roll back #ASRmageddon
It's the official #ASRmageddon logo, no rights reserved
@GossiTheDog You should've put this in the waste basket:
@GossiTheDog I'm a little sad it's ASR and not ARS, just for the wonderful memes we could make out of that particular pun.
@GossiTheDog Bloody hell Kev, did I teach you nothing about presentation. 🤔