Recovering from Attack Surface Reduction rule shortcut deletions
Published Jan 14 2023 12:12 AM 241K Views
Microsoft

Updated 1/23/2023 @ 1:10pm PST

 

On January 13th, Windows Security and Microsoft Defender for Endpoint customers may have experienced a series of false positive detections for the Attack Surface Reduction (ASR) rule "Block Win32 API calls from Office macro" after updating to security intelligence builds between 1.381.2134.0 and 1.381.2163.0. These detections resulted in the deletion of files that matched the incorrect detection logic primarily impacting Windows shortcut (.lnk) files.

 

There is no impact for customers who do not have the “Block Win32 API calls from Office macro” rule turned on in block mode or did not update to security intelligence update builds 1.381.2134.0, 1.381.2140.0, 1.381.2152 and 1.381.2163.0. 

 

For currently impacted customers: what do I need to do? 

Impacted customers will need both the updated security intelligence build and follow the process to recover start menu and taskbar shortcuts.

 

The updated security intelligence build

Customers should update to build 1.381.2164.0 or later. Customers utilizing automatic updates for Microsoft Defender antivirus do not need to take additional action to receive the updated security intelligence build. Enterprise customers managing updates should download the latest update and deploy it across their environments.  The security intelligence build does not restore deleted shortcuts. Instructions on how to restore those are immediately below. If you turned “Block Win32 calls from Office macros” into audit mode per prior guidance you can now safely turn on block mode.

 

To recover deleted start menu and taskbar shortcuts

Microsoft has confirmed steps that customers can take to recreate start menu links for a significant sub-set of the affected applications that were deleted.  

 

Version 5.0 provides improved error handling for AddShortcuts.ps1 to ensure RunOnce executes when a logged off user logs back in. MpRecoverTaskbar.exe now supports restoring each user’s Chrome and Edge pinned taskbar shortcuts found per profile. For more details click here.

 

1/ Download both AddShortcuts.ps1 and MpRecoverTaskBar.exe and select from the following options:

 

Option A/ If you are using System Center Config Manager or Group Policy Object Editor or third-party tools then deploy both files and run the command “powershell -ep bypass -file .\AddShortcuts.ps1 -MpTaskBarRecoverUtilDownload=false as Administrator.

 

Option B/ If you are using Intune or no management tool then deploy AddShortcuts.ps1 and run the command “powershell -ep bypass -file .\AddShortcuts.ps1” as Administrator.  This will automatically download MPTaskBarRecover.exe from the Microsoft download center onto the user’s machine and run the script. Detailed instructions on how to deploy the script using Microsoft Intune are here. 

 

2/ The changes will come into effect after users logout and login to their accounts.

 

3/ The MPRecoverTaskbar.exe can be run multiple times on end-user machines if necessary.  If end-users are missing taskbar icons after completing this process, then try running it a second time from %windir%\MPRecoverTaskbar.exe in the user context.

 

The script requires PowerShell 5.x and does not currently support PowerShell 7.x.

 

Version 5.0 includes all the improvements from Version 4.0: restores from Volume Shadow Copy Service by default, recovers .URL files in the user's profile's Favorites and Desktop directories, if those URL files exist in the Volume Shadow Copy Service, contains improvements for non-English language machines, improved error handling and additional checks that help recover more shortcuts and links, better error handling to perform all the actions including running the MpRecoverTaskbar.exe, while adding support for better error handling using AddShortcuts.ps1 to ensure RunOnce executes when a logged off user logs back in, and enabling MPRecoverTaskbar.exe to restore each user’s Chrome and Edge pinned taskbar shortcuts found per profile.

 

To add programs to the script: edit the $program variable and add a new line with the name of the application lnk and the executable. 

 

For customers that prefer manual steps rather than the script running an application repair on affected applications will recreate deleted links.  Users can run the Application Repair functionality for programs including Microsoft 365, Microsoft Edge, and Microsoft Visual Studio.

To repair an application, follow these instructions:

    1. Windows 10:
      1. Select Start  > Settings  > Apps > Apps & features
      2. Select the app you want to fix.
      3. Select Modify link under the name of the app if it is available.
      4. A new page will launch and allow you to select repair.
    2. Windows 11:
      1. Type “Installed Apps” in the search bar.
      2. Click “Installed Apps”.
      3. Select the app you want to fix.
      4. Click on “…”
      5. Select Modify or Advanced Options if it is available.
      6. A new page will launch and allow you to select repair.

Verifying environment impact

Customers can verify the impact of this issue in their environment through the following advanced hunting queries (AHQs):

 

This AHQ can retrieve all block events from devices with ASR rule "Block Win32 API calls from Office macro" enabled on “Block” mode, run this query.

DeviceEvents

| where Timestamp >= datetime(2023-01-13)

| where ActionType contains "AsrOfficeMacroWin32ApiCallsBlocked"

| extend JSON = parse_json(AdditionalFields)

| extend isAudit = tostring(JSON.IsAudit)

| where isAudit == "false"

| summarize by Timestamp, DeviceName, DeviceId, FileName, FolderPath, ActionType, AdditionalFields

| sort by Timestamp asc

 

This AHQ can retrieve all events from devices with ASR rule "Block Win32 API calls from Office macro" enabled on “block” and “audit” mode, run this query.

 

DeviceEvents

| where Timestamp >= datetime(2023-01-13)

| where ActionType contains "AsrOfficeMacroWin32ApiCallsBlocked"

| summarize by Timestamp, DeviceName, DeviceId, FileName, FolderPath, ActionType, AdditionalFields

| sort by Timestamp asc

 

This AHQ can retrieve the device count with this ASR rule “Block Win32 API calls from Office macro” enabled and if the number is exceeding 10K, run this query.

 

DeviceEvents

| where Timestamp >= datetime(2023-01-13)

| where ActionType contains "AsrOfficeMacroWin32ApiCallsBlocked"

| summarize deviceCount = dcount(DeviceId)

| extend IsMoreThanTenThousand = iif(deviceCount> 10000, True, False)

 

Advanced Hunting Queries are not available in Defender for Endpoint P1 which is also included in E3 and A3 or in Defender for Business.  To identify affected machines run the script here on individual user machines.  

 

FAQ 

Additional questions are addressed in the FAQ document

152 Comments
Co-Authors
Version history
Last update:
‎Jan 23 2023 01:10 PM
Updated by: