Attack Surface Analyzer

Author by Mitchell Grande

Overview and Uses

Attack Surface Analyzer, shortened as ASA, is used to compare or track the state of a server as changes are made.  It is specifically geared towards DevOps or security engineers for seeing what changes 3rd party software software makes to the system, with the goal of analyzing it for potential security risks.  However, ASA can be used for other purposes such as:

  • General understanding of what changes are made by a piece of software
  • Comparing the server's state before and after an issue occurs
  • Tracking down log files or registry settings used or managed by a piece of software

No matter how you use it, be aware that ASA can have serious performance implications.  Avoid running it on production servers if possible, and instead, use a test or non-production server.  If that isn't an option, only run it on a production server during a maintenance window where decreased performance isn't an issue.

Run Modes

Attack Surface Analyzer can be used in two different modes - static scan and live monitoring.  In static scan mode, a snapshot of the current configuration of the server is taken, to be compared to a second scan run later.  In live monitoring mode, changes to the file system are tracked live while the software is running.

Static scan mode is used in a 3 step process.  First, you run a scan to get the base state of the system.  Next, you make whatever changes you want to analyze, such as recreating an issue or installing 3rd party software.  Finally, you run a second scan and compare the results to the first scan.

In live monitoring mode, a log of all file system changes is made while it's running.  To use this mode, you run ASA and start a live monitoring scan, install the software, then stop the scan.  Afterwards, you can see all file system changes made while the scan was running.

Walkthrough

Attack Surface Analyzer is fairly easy to use.  Let's take a look at the steps to use it to capture before and after state of a system.  In this example, we will be using ASA to determine what changes are made when Google Chrome is installed on a Windows Server 2019 server.

  1. First, download Attack Surface Analyzer from https://github.com/Microsoft/AttackSurfaceAnalyzer/releases/latest
    1. We'll be using the AsaGui-win10-version.zip file as this is the easiest one to get started with.
  2. Unzip the downloaded file
  3. Next, download the Google Chrome installer.  We do this before running the ASA scan so that the process of downloading and unzipping Google Chrome isn't logged in our results.
    1. For this example, I'm using the Google Chrome MSI installer available at https://cloud.google.com/chrome-enterprise/browser/download/
  4. If the Google Chrome installer is zipped, unzip it
  5. In the directory where you extracted ASA, right click asa.exe and choose Run as Administrator

    asa-1.png
  6. If prompted by UAC, press Yes to allow it to run
  7. Once ASA opens, switch to the Scan tab, and fill out the form
    1. Ensure Scan Type is set to Static Scan
    2. Enter a descriptive Run Id or leave it blank to use the current date/time
    3. For Choose Collectors, check the collectors that you want to track data for.  Note that the Files collector can take a long time to run
    4. Press Collect Data to start the scan

      asa-2.png
  8. Wait for the scan to complete
  9. When the scan is done, go ahead and install Chrome.  If you are using the Enterprise Installer linked above, use the GoogleChromeStandaloneEnterprise64.msi file in the Installers folder within the zip

    asa-3.png
  10. Wait for the installation to complete
    1. Note, don't open Chrome after installation as that will cause additional changes to be logged.
  11. If you closed Attack Surface Analyzer, open it again, ensuring you choose to Run as Administrator
  12. Fill in the scan page again
    1. Ensure Scan Type is set to Static Scan
    2. Enter a descriptive Run Id or leave it blank to use the current date/time
    3. For Choose Collectors, check the same collectors that were chosen the first time
    4. Press Collect Data to start the scan

      asa-4.png
  13. Wait for the scan to complete
  14. Switch to the Results tab
    1. Choose the before and after run for the Base and Product run ID, then press Run Analysis

      asa-5.png
    2. After the results are computed, use the radio buttons on the left to choose which category you want to view.  For example, here are some of the registry settings caused by installing Google Chrome

      asa-6.png
      As expected, a number of new registry entries are getting created during the installation

 

When using Attack Surface Analyzer, it's best to run the installation and second scan as quickly as possible.  The longer you wait, the more time there is for unrelated changes to be made in between the scans.  Since the scans can't track where the individual changes originated, this can make the results more difficult to review.  For example, if Windows Updates install in the background before the second scan is run, the changes caused by the updates would get captured and clutter up the information.

Conclusion

Overall, Attack Surface Analyzer is an easy-to-use tool for collecting specific types of data.  While it isn't specifically designed for troubleshooting issues, here are some scenarios where it might be useful:

  • Finding what changes software makes to aid in troubleshooting issues that it might cause
  • Finding if software or an OS patch is making any additional changes that could be causing an issue
  • Finding all changes that a script or other tool is making.  For example, determining what changes an OS build script is doing.
  • Comparing a server in its healthy state to its state while an issue is occurring

For more information on Attack Surface Analyzer, see the official GitHub project.

Author

Mitchell Grande

Systems Engineer

Tags in this Article