The Microsoft Attack Surface Analyzer in practice!

Dear Microsoft Security Friends,
In this article I will describe how I used the Microsoft Attack Surface Analyzer. I know this is absolutely nothing spectacular, but I would like to share my experience with you.
I encountered the following situation at a customer:

A software provider had been commissioned to install a new application on a server; so far, everything was fine.
Then came the additional information that some telemetry data would also be collected. At that point I became extremely alert. I asked: what kind of telemetry data? How is it collected, by means of an agent? None of these questions was answered properly, and I knew immediately that the Attack Surface Analyzer would be used.

Let us now start with the setup of the Microsoft Attack Surface Analyzer.


[Screenshot ASA_1.JPG]

1. We can find the tool on GitHub.

[Screenshot ASA_2.JPG]

2. Navigate down to "Releases".

[Screenshot ASA_3.JPG]

3. Click on "Tags".

[Screenshot ASA_4.JPG]

4. Move down to the latest (non-beta) version.

[Screenshot ASA_5.JPG]

5. Download the .zip file (in my case the Windows version) to the server where you want to run the scan.

[Screenshot ASA_6.JPG]

6. Now extract the zip file.

[Screenshot ASA_7.JPG]

7. Start a command prompt with elevated privileges and navigate to the folder with the extracted files. Enter the following: asa.exe gui

[Screenshot ASA_8.JPG]

8. The browser starts and you are on the home page. Click on "Get Started".

[Screenshot ASA_9.JPG]

9. Now we create the "before" scan, that is, the scan taken before the app is installed, together with whatever else gets installed that we don't know about. For "Scan Type" I selected "Static Scan". Under "Choose Collectors" select the options that matter to you (in this example I selected all of them) and click "Collect Data".

[Screenshot ASA_10.JPG]

10. After the app and the other programs have been installed, create a new scan exactly as in step 9.

11. Now we can compare the results. Click on "Results" at the top of the browser. For "Base Run Id" select the first scan and for "Product Run Id" select the second. On the left select a collector, e.g. "Files", and we can see immediately what has changed on the system!

[Screenshot ASA_11.JPG]

12. Click on "Registry".

[Screenshot ASA_13.JPG]

13. Click on "Services".

[Screenshot ASA_14.JPG]

14. Click on "Firewall".

[Screenshot ASA_15.JPG]


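The comparison in steps 9 to 11 is a differential snapshot: every item a collector recorded in the base run is matched against the product run and sorted into created, deleted and modified entries. The following Python is an added example, not code from this post or from the Attack Surface Analyzer project; it re-implements that diff over two constructed snapshots (the collector names follow the post, but the snapshot layout, paths, hashes and the telemetry agent are made up) and adds the checks a reviewer would apply first to the Services, Firewall and Registry results.

```python
# Constructed snapshots for the example (NOT ASA's real export format): a
# "before install" baseline (step 9) and an "after install" run (step 10) that
# added the app plus a hypothetical telemetry agent.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BEFORE = {
    "Files": {r"C:\Windows\System32\drivers\etc\hosts": "sha256:1111"},
    "Registry": {RUN_KEY + r"\SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    "Services": {"Spooler": {"start": "Automatic", "account": "LocalSystem"}},
    "Firewall": {"Core Networking - DHCP (In)": {"direction": "In", "action": "Allow"}},
}
AFTER = {
    "Files": {
        r"C:\Windows\System32\drivers\etc\hosts": "sha256:2222",  # content changed
        r"C:\Program Files\NewApp\app.exe": "sha256:3333",
        r"C:\Program Files\NewApp\telemetry.exe": "sha256:4444",
    },
    "Registry": {**BEFORE["Registry"], RUN_KEY + r"\Telemetry": r"C:\Program Files\NewApp\telemetry.exe"},
    "Services": {**BEFORE["Services"], "TelemetrySvc": {"start": "Automatic", "account": "LocalSystem"}},
    "Firewall": {**BEFORE["Firewall"], "NewApp Telemetry": {"direction": "In", "action": "Allow"}},
}

def diff_runs(base, product):
    """Per collector, sort items into CREATED / DELETED / MODIFIED as the Results view does."""
    report = {}
    for collector in sorted(set(base) | set(product)):
        b, p = base.get(collector, {}), product.get(collector, {})
        report[collector] = {
            "CREATED": sorted(set(p) - set(b)),
            "DELETED": sorted(set(b) - set(p)),
            "MODIFIED": sorted(k for k in set(b) & set(p) if b[k] != p[k]),
        }
    return report

def review_findings(base, product):
    """Flag the new items a reviewer should look at first after an install."""
    d, findings = diff_runs(base, product), []
    for name in d.get("Services", {}).get("CREATED", []):
        svc = product["Services"][name]
        if svc["start"] == "Automatic" and svc["account"] == "LocalSystem":
            findings.append(f"auto-start service '{name}' runs as LocalSystem")
    for name in d.get("Firewall", {}).get("CREATED", []):
        rule = product["Firewall"][name]
        if rule["direction"] == "In" and rule["action"] == "Allow":
            findings.append(f"new inbound allow rule '{name}'")
    for key in d.get("Registry", {}).get("CREATED", []):
        if key.startswith(RUN_KEY + "\\"):
            findings.append(f"new autorun entry '{key}'")
    return findings
```

Running review_findings(BEFORE, AFTER) surfaces the telemetry service, its inbound firewall rule and its autorun entry, which is exactly the kind of change the Services, Firewall and Registry collectors made visible in the post.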
These were just a few examples. Of course, I invite you to examine the other collectors as well. But we have seen how useful this tool is: it shows us exactly which changes installing the software made to the system! Bingo!

I am absolutely aware that this is nothing spectacular. I just wanted to share a few impressions with you.

I hope this article was useful. Best regards, Tom Wechsler

1 Reply
Thank you for sharing. I have used this tool for a long time and it is very helpful; however, the public feedback from the community is that getting it from GitHub is a bit confusing, they just want an easy way like the Download Center.
Users also want it to be click and run instead of using the command prompt.
While it is a piece of cake for us, this method is not user friendly.