What if all of this was a ploy to get people to use advanced hunting / E5 #asr #asrrules #defender #signature #ASRmagedon #ASRmageddon
Version 1.1 of the Microsoft LNK recovery script with added support to restore from the Volume Shadow Copy Service released
https://github.com/microsoft/MDE-PowerBI-Templates/blob/master/ASR_scripts/AddShortcuts.ps1
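Added example, not Microsoft's AddShortcuts.ps1 and not from any post in this thread: the core of a Volume Shadow Copy recovery for deleted .lnk files. It assumes you run it elevated in the affected user's own session (so $env:APPDATA and the Desktop path resolve to that user), that a shadow copy of the system drive from before the bad signature still exists, and that the shadow device is exposed through a temporary directory symlink named C:\ShadowLnkRestore (a name chosen for this snippet). Only shortcuts that are missing from the live folders are copied back.

```powershell
#Requires -RunAsAdministrator
# Added example: restore missing .lnk files from the newest VSS snapshot of the system drive.
# Folders the ASR mis-fire is reported to have hit: all-users and per-user Start Menu, and the Desktop.
$targets = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    [Environment]::GetFolderPath('Desktop')
)

# Match the system volume (Win32_Volume.DeviceID is the \\?\Volume{GUID}\ form that
# Win32_ShadowCopy.VolumeName also uses) and take its most recent shadow copy.
$sysVol = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $env:SystemDrive }
$shadow = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $sysVol.DeviceID } |
    Sort-Object InstallDate -Descending |
    Select-Object -First 1
if (-not $shadow) { throw "No shadow copy found for $env:SystemDrive" }
"Using shadow copy from $($shadow.InstallDate): $($shadow.DeviceObject)"

# The shadow device (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN) is browsable once a
# directory symlink points at it; the trailing backslash on the target is required.
$link = "$env:SystemDrive\ShadowLnkRestore"   # assumed scratch name, no spaces on purpose
cmd /c mklink /d $link ($shadow.DeviceObject + '\') | Out-Null
try {
    foreach ($dir in $targets) {
        # Only folders that live on the snapshotted drive can be recovered from this snapshot.
        if (-not $dir.StartsWith($env:SystemDrive, 'OrdinalIgnoreCase')) { continue }
        $src = Join-Path $link $dir.Substring(3)   # strip "C:\" and re-root under the link
        if (-not (Test-Path -LiteralPath $src)) { continue }

        Get-ChildItem -LiteralPath $src -Filter *.lnk -Recurse -File | ForEach-Object {
            $relative = $_.FullName.Substring($src.Length).TrimStart('\')
            $dest = Join-Path $dir $relative
            if (-not (Test-Path -LiteralPath $dest)) {
                New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
                Copy-Item -LiteralPath $_.FullName -Destination $dest
                "restored $dest"
            }
        }
    }
}
finally {
    # rmdir removes the link itself, never the snapshot it points at.
    cmd /c rmdir $link | Out-Null
}
```

Check `vssadmin list shadows` first: many client machines have no snapshot at all, and a snapshot taken after the deletion is useless, so the InstallDate printed above matters. If the machine has no usable snapshot, the approach in the RecreateStartMenu script further down (copying .lnk files from an unaffected PC) is the fallback.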
#ASRmagedon recovery powershell script, v1.0. Manual run, not for automation, but could probably be modified for that easily enough. The code is probably shit. No error checking etc. https://pastebin.com/NCdVqaGW
#ASRmagedon recovery v1 powershell script. Manual run, not for automation, but could probably be modified for that easily enough. https://pastebin.com/NCdVqaGW
My blog post from July last year became more relevant since last Friday than I had hoped.
But now is a good time to think about using the gradual rollout process for Microsoft Defender updates.
https://cloudbrothers.info/en/gradual-rollout-process-microsoft-defender/
On the bright side of #ASRmagedon, it probably deletes malware's persistent startup items :troll:
Microsoft has released their own guidance and scripting to recover from #ASRmagedon
Is it only W11? https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-22h2#2998msgdesc #ASRmagedon @GossiTheDog
Windows is the OS used by the majority of businesses. And yes, there are times when Microsoft really screws things up (#ASRmagedon). During such times seeing smug Linux users crowing about their setup and using words like Micro$haft and windoze is not helpful. Take your Linux smugness elsewhere - the business people are talking.
Great rule for finding out via advanced hunting what Defender deleted
```kql
// .lnk deletions logged under the mis-firing ASR rule, from the day the bad signature shipped.
// Filter before sorting so the order by runs on the small result set.
DeviceEvents
| where Timestamp >= datetime("2023-01-13 00:00:00Z")
| where ActionType == "AsrOfficeMacroWin32ApiCallsBlocked"
| where FileName endswith ".lnk"
| order by Timestamp asc
```
Thanks reddit
#asrmagedon #asr #defender #signature
You all know what #ASRmagedon won't delete? the paid shortcuts... like Candy Crush.
I've created a PowerShell script to try to fix the mess with the Start menu. It requires you to get the .lnk files from some other PC, but it should help in restoring from this.
https://github.com/Georg311/RecreateStartMenu/
#defender #signature #ASRmagedon #ASR
Thanks Microsoft (specifically Defender) for mangling the ASR rule "Block Win32 calls from Office macros" so that it deletes application shortcuts from users' desktops *and* Start menus! Yes Microsoft, Office apps are indeed available from office.com, but that doesn't help my users with a locally installed CRM, does it? #ASRmagedon
Happy Friday if your ASR rule ‘Block Win32 API from Office Macro’ is already in audit mode.
Press F to pay respects if not.
#ASRmagedon
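Added example, not from any post in this thread: how to see what the "Block Win32 API calls from Office macros" rule is set to on a given machine and flip it to audit mode locally. The rule GUID is Microsoft's published identifier for that rule (check it against the ASR rules reference before relying on it); the helper function name and the action-code table are this snippet's own. It assumes an elevated Windows PowerShell session on a Defender-managed endpoint.

```powershell
#Requires -RunAsAdministrator
# Added example: inspect and change the local state of one ASR rule.
$RuleId = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'   # Block Win32 API calls from Office macros

# Numeric codes Get-MpPreference reports in AttackSurfaceReductionRules_Actions.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode'; 6 = 'Warn' }

function Get-AsrRuleAction {
    param([Parameter(Mandatory)][string]$Id)
    $pref = Get-MpPreference
    # Ids and Actions are parallel arrays; find this rule's slot, case-insensitively.
    $ids = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpperInvariant() })
    $i = [array]::IndexOf($ids, $Id.ToUpperInvariant())
    if ($i -lt 0) { return 'NotConfigured' }
    $code = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] } else { "Unknown($code)" }
}

"Current action for $RuleId : $(Get-AsrRuleAction $RuleId)"

# Add-MpPreference touches only the listed rule; other configured rules keep their actions.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions AuditMode

"New action for $RuleId : $(Get-AsrRuleAction $RuleId)"
```

If the device is managed by Intune or Group Policy, the managed setting wins and a local change is overwritten at the next policy refresh, so the "New action" line may revert. In that case the switch to audit mode has to be made in the policy, and the advanced hunting query earlier in the thread is the way to confirm the rule has actually stopped blocking.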