Summary MDE Incident #ASRmageddon


here is more information about the big MDE incident of Friday 13.01.23. #ASRmageddon.

Management Summary:
On Friday, January 13, 2023, some customers running Microsoft Defender for Endpoint (MDE) experienced “false-positive” detections by ASR (Attack Surface Reduction) rules in the context of Office macro blocks after a signature update. These detections led to the deletion of files (ink, exe, etc.). The incorrect detection logic/signature was fixed in Security Intelligence version 1.381.2164.0 (and newer). With this updated version, the problem no longer occurs. For devices that were affected before the fix, the links and exe files must be explicitly restored. For customers who do not configure the ASR rule “Block Win32 API calls from Office macros” to “Block” mode, there is no false positive / “data loss”. 

There are now several good summaries on the general incident, the content sequence, the best detection methods for (still) affected endpoints, and scripts for link recovery.

[Recommended] Incident summary and FAQ from Microsoft:


Summary of the incident and recommended actions from the community:

Microsoft recovery script (ATTENTION this is the updated version from tonight). (Attention this script requires elevated admin rights):


[Recommended] Script to recover from the community (does NOT require elevated admin rights):


Hunting queries to detect still affected clients from Microsoft:

This query finds all device events for which AsrOfficeMacroWin32ApiCalls has been called in “block” mode and outputs them:


| where Timestamp >= datetime(2023-01-13)

| where ActionType contains "AsrOfficeMacroWin32ApiCallsBlocked"

| extend JSON = parse_json(AdditionalFields)

| extend isAudit = tostring(JSON.IsAudit)| where isAudit == "false"

| summarize by Timestamp, DeviceName, DeviceId, FileName, FolderPath, ActionType, AdditionalFields

| sort by Timestamp asc

This query finds all device events where AsrOfficeMacroWin32ApiCalls has taken effect and outputs them:

DeviceEvents| where Timestamp > datetime(2023-01-13)

| where ActionType contains "AsrOfficeMacroWin32ApiCallsBlocked"

| summarize by Timestamp, DeviceName, DeviceId, FileName, FolderPath, ActionType, AdditionalFields

| sort by Timestamp asc

This query finds all device events where AsrOfficeMacroWin32ApiCalls has taken effect and prints them out


| where Timestamp >= datetime(2023-01-13)

| where ActionType contains "AsrOfficeMacroWin32ApiCallsBlocked"

| summarize deviceCount = dcount(DeviceId)

| extend IsMoreThanTenThousand = iif(deviceCount> 10000, True, False)

[Recommended] Hunting queries to detect still affected clients from the community:

This query finds all device events where AsrOfficeMacroWin32ApiCalls for .lnk files was grabbed in “block” mode and outputs them:


| where Timestamp >= datetime(2023-01-13)

| where ActionType contains "AsrOfficeMacroWin32ApiCallsBlocked"

| where FileName contains ".lnk"

| extend JSON = parse_json(AdditionalFields)

| extend isAudit = tostring(JSON.IsAudit)

| where isAudit == "false"

| summarize by Timestamp, DeviceId, FileName, FolderPath, ActionType, AdditionalFields, isAudit

| sort by Timestamp asc


[Recommended] If applications are still blocked we recommend the following PowerShell Commands:

Updates the signature of Microsoft Defender AV/ASR via PowerShell:

cd %ProgramFiles%\Windows Defender 

MpCmdRun.exe -removedefinitions -dynamicsignatures 

MpCmdRun.exe -SignatureUpdate

The malicious signature starts from and including: 1.381.2140.0

The happy build (problem solved) starts from and including: 1.381.2164.0

[Recommended] The script fetches a selection of log files that execute rules for possible blocking by ASR and writes it to the variable “$mplog”.

“C:\ProgramData\Microsoft\Windows Defender\Support\” with a name starting with: “MPLog*”.

The second line prints lines in the log where there were blocked files.

$mplog = gci "C:\ProgramData\Microsoft\Windows Defender\Support\MPLog*" | Sort-Object -Property -CreationTime | Select-Object -First 1 | ForEach-Object{$_.FullName}

select-string -Path $mplog -Pattern Blocked.File.*OnOpen

Avoiding these incidents in the future:

To limit the extent of such “malicious” signatures in the future, we recommend rolling out signatures via rings. This ensures that a signature update is not immediately rolled out to the entire environment.
My MVP buddy Fabian Bader has written an excellent post that describes this process:

Link to the explanation of how Microsoft’s update channels work:


[Recommended] Link explaining how update channels work from the community:




Microsoft Purview: Deploy Labels like a Hero (feat. Microsoft Entra)

In what follows we proceed to talk about the co-working between Microsoft Entra (Azure AD; PIM) and Microsoft Purview. The aim is to present the possibilities of leveraging PAM to deploy labels, policies and similar to mail-enabled groups (M365 Group for this post).

Please do not see this as a limitation, rather, the possibility to use this tech in scenarios that require a mail-enabled group to be assigned for example, when assigning super users, creating test DLP policies, etc., or in this case deploying labels like a hero! TBH the possibilities are endless.

What is Microsoft Entra?

Recently reorganized enters Microsoft Entra (refer launch post under link), now defined as the product family encompassing all of MSs’ identity and access capabilities. This family now comprises the following three products (two of which are new):

  • Microsoft Azure Active Directory (Azure AD)
  • Cloud Infrastructure Entitlement Management (CIEM)
  • Decentralized Identity

The products in the Entra family will help provide secure access to everything for everyone, by providing identity and access management, cloud infrastructure entitlement management, and identity verification.

Microsoft Entra will verify all types of identities and secure, manage, and govern their access to any resource. The new Microsoft Entra product family will:

  • Protect access to any app or resource for any user.
  • Secure and verify every identity across hybrid and multi-cloud environments.
  • Discover and govern permissions in multi-cloud environments.
  • Simplify the user experience with real-time intelligent access decisions.

The specific part of Entra we will use for this solution is Azure AD, finer granularly PIM (Privileged Identity Management). To be clear, one of the pivotal parts of this solution utilizes a feature called “Privileged Access Groups” which is still in preview at the time of writing this post.

Continue reading

Microsoft Purview: Endpoint DLP Part 2

In this blog post, I will now go into more depth of the different features.

I present the individual protection options with examples and screenshots.

Use case:

A member of the supervisory board, Dr. Ludwig K., works with sensitive data of level C-4.

C-4 is the most sensitive data and any leakage can severely harm the enterprise.

The naming could be different in other companies or enterprises, but the bottom line is, everything boils down to “strictly confidential”.

Continue reading
Microsoft Endpoint DLP

Microsoft Purview: DKE from Zero to PoC

Double Key Encryption or DKE is a method of protecting data above anything else. As the name eludes it uses two keys together to protect the content. In the way that, one key is held by Microsoft (they protect it!) and the other is held purely by the customer (therefore by extension who are responsible to protect the key!). The mechanism of DKE piggy backs on the Azure Purview Label Set and when configured correctly allows a label to apply DKE protection to the data which it labels.

Continue reading

Spring Microsoft Ignite 2021 – The Future of Cybersecurity

I’m thrilled to be speaking again at Microsoft Ignite (spring edition). In fall 2020 I already had the chance to speak about Zero Trust in 2020 in front of a fully packed session. Table Talks in my oppinion are a very smooth and successful way to interact with experts on specific topics all around the globe. That’s why I’m really excited to be nominated to speak with Gokan Ozcifci, Dr. Mike Jankowski-Lorek, Paula Januszkiewicz and Tomas Vileikis about The Future of Cybersecurity.

Continue reading

Microsoft Ignite 2019 – Join my sessions!

2019 was already an incredible year. I was allowed to be on stages this year that I would never have dreamed of. Fantastic!

Definitely an absolute highlight has been RSA 2019, where I was invited to speak with my buddy Josh Harriman about “The Lost Boys: How Linux and Mac Intersect in a Windows-Centric Security World”. An awesome experience to be on stage with an expert like Josh!

Now two more top conferences are casting their shadow – Microsoft Ignite and ExpertsLive Europe.

Microsoft Ignite | November 4-8, 2019 | Orlando, Florida
Continue reading

Windows Defender ATP: the lost boys – Mac & Linux

At RSA 2019 I’ll be speaking about the Lost Boys: How Linux and Mac Intersect in a Windows-Centric Security World. We often see that Windows has such a large market share as the platform of choice, it can render Linux and Mac the Lost Boys in the world of security. This is also reinforced by the fact that the management of the two platforms for enterprise environments is simply not comparable to the administration of Windows client or server operating systems. But from the perspective of a security officer, this is as important as necessary. In November 2017, Microsoft announced that it will extend Windows Defender ATP partners across platforms. With that, the public availability of the WDATP integration of Ziften, Bitdefender and Lookout went live. With this comprehensive approach, Microsoft unites forces against cyber threats and adds lack of knowledge about behavior-based security solutions on these platforms through the industry expertise of its partners. This integration has now been extended to include two additional platforms, SentinelOne and Corrata. In this blog post I’ll give you a first introduction how the integration with Ziften can be done. Later we will have a look how the agent behaves on Mac and Linux machines with two different examples of real world attacks, that we have seen in the past couple of months.

Continue reading

Experts Live Europe – The new era of endpoint security!


I just arrived home from my trip to Prague Czech Republic. It was an amazing conference with a big firework at the end :). The conference counted over 400 attendees from 29 countries. In six different session tracks you could listen to 42 experts presenting a wide range of topics in the Microsoft universe. Besides the VIP party in Cloud 9 Sky Bar & Lounge my absolute highlight was the Intro Video below.

Continue reading

I’m speaking at Experts Live Europe in Prague


after Microsoft Ignite and IT:SA I’m looking forward to Experts Live Europe. I’m part of the community for more than 4 years now. Back in the days the conference was called System Center Universe Europe. I attended twice and I really liked the warm and welcoming atmosphere and the good quality and selection of the speakers. Honestly I’m super proud to be back as a speaker. Last year I had three sessions – check out the according blog post if you are interested.

Continue reading

© 2022 IT-Pirate