Update Microsoft Defender will soon block Windows password theft

Gandalf_The_Grey

Microsoft is enabling a Microsoft Defender 'Attack Surface Reduction' security rule by default to block hackers' attempts to steal Windows credentials from the LSASS process.

When threat actors compromise a network, they attempt to spread laterally to other devices by stealing credentials or using exploits.

One of the most common methods to steal Windows credentials is to gain admin privileges on a compromised device and then dump the memory of the Local Security Authority Server Service (LSASS) process running in Windows.

This memory dump contains NTLM hashes of Windows credentials of users who had logged into the computer that can be brute-forced for clear-text passwords or used in Pass-the-Hash attacks to log into other devices.
To prevent threat actors from abusing LSASS memory dumps, Microsoft has introduced security features that prevent access to the LSASS process.

One of these security features is Credential Guard, which isolates the LSASS process in a virtualized container that prevents other processes from accessing it.

However, this feature can lead to conflicts with drivers or applications, causing some organizations not to enable it.

As a way to mitigate Windows credential theft without causing the conflicts introduced by Credential Guard, Microsoft will soon be enabling a Microsoft Defender Attack Surface Reduction (ASR) rule by default.

The rule, 'Block credential stealing from the Windows local security authority subsystem,' prevents processes from opening the LSASS process and dumping its memory, even if it has administrative privileges.
BleepingComputer has reached out to Microsoft to learn more about when this rule will be enabled by default but has not heard back.
 

Andy Ful

From Hard_Configurator Tools
From the article:

1.
This is because the full Attack Surface Reduction feature is only supported on Windows Enterprise licenses running Microsoft Defender as the primary antivirus. However, BleepingComputer's tests show that the LSASS ASR rule also works on Windows 10 and Windows 11 Pro clients.
This rule also works on Windows 10 Home. Here are some examples (from ConfigureDefender):
Code:
Event[2]:
Time Created  : 07.02.2022 15:10:37
ProviderName : Microsoft-Windows-Windows Defender
Id           : 1121
Message      : Funkcja Microsoft Defender Exploit Guard zablokowała operację, na którą nie zezwala administrator IT.
                Aby uzyskać więcej informacji, skontaktuj się ze swoim administratorem IT.
                    Identyfikator: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
                        ConfigureDefender option: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
                    Godzina wykrycia: 2022-02-07T14:10:37.500Z
                    Użytkownik: ZARZĄDZANIE NT\SYSTEM
                    Ścieżka: C:\Windows\System32\lsass.exe
                    Nazwa procesu: C:\Windows\System32\CompatTelRunner.exe
                    Docelowy wiersz polecenia
                    Nadrzędny wiersz polecenia: C:\WINDOWS\system32\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun -cv:XXXXXXXXX/fKs.1
                    Plik, którego to dotyczy:
                    Flagi dziedziczenia: 0x00000000
                    Wersja analizy zabezpieczeń: 1.357.252.0
                    Wersja aparatu: 1.1.18900.2
                    Wersja produktu: 4.18.2111.5


Event[3]:
Time Created  : 05.02.2022 12:09:11
ProviderName : Microsoft-Windows-Windows Defender
Id           : 1121
Message      : Funkcja Microsoft Defender Exploit Guard zablokowała operację, na którą nie zezwala administrator IT.
                Aby uzyskać więcej informacji, skontaktuj się ze swoim administratorem IT.
                    Identyfikator: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
                        ConfigureDefender option: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
                    Godzina wykrycia: 2022-02-05T11:09:11.901Z
                    Użytkownik: ZARZĄDZANIE NT\SYSTEM
                    Ścieżka: C:\Windows\System32\lsass.exe
                    Nazwa procesu: C:\Program Files (x86)\Microsoft\Edge\Application\98.0.1108.43\Installer\setup.exe
                    Docelowy wiersz polecenia
                    Nadrzędny wiersz polecenia: "C:\Program Files (x86)\Microsoft\Edge\Application\98.0.1108.43\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
                    Plik, którego to dotyczy:
                    Flagi dziedziczenia: 0x00000000
                    Wersja analizy zabezpieczeń: 1.357.84.0
                    Wersja aparatu: 1.1.18900.2
                    Wersja produktu: 4.18.2111.5

2.

"There is no legitimate reason to support a process opening the LSASS process... only to support buggy / legacy / crappy products - most of the time - related to authentication :')."

True. But, as we can see, this rule can sometimes block Microsoft processes like CompatTelRunner and the Edge installer from accessing LSASS. Anyway, everything seems to work well.
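For anyone who wants to check the rule's state on their own box and see which processes trip it (as in the ConfigureDefender events above), here is an added PowerShell example; it is not from the article, ConfigureDefender or this thread. It uses the rule GUID and event ID 1121 shown in the log above, assumes event ID 1122 for audit-mode hits and assumes the EventData field names 'Process Name' and 'Parent Commandline'; run it in an elevated PowerShell with Microsoft Defender as the primary AV.

```powershell
# Added example (not from the article or the thread): check, enable and audit the
# LSASS ASR rule. Rule GUID and event ID 1121 are from the log in this thread.
$LsassRule = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

# 1. Current state of the rule. Ids and Actions are parallel arrays in Get-MpPreference;
#    Actions: 0 = Disabled, 1 = Block (Enabled), 2 = AuditMode.
$pref  = Get-MpPreference
$ids   = @($pref.AttackSurfaceReductionRules_Ids)
$state = 'not configured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -eq $LsassRule) { $state = $pref.AttackSurfaceReductionRules_Actions[$i] }
}
"LSASS ASR rule state: $state"

# 2. Start in AuditMode (logs only, blocks nothing) so legitimate LSASS readers such as
#    CompatTelRunner or the Edge installer show up before the rule is enforced.
Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRule -AttackSurfaceReductionRules_Actions AuditMode
# Switch to enforcement once the audit log shows nothing unexpected:
# Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRule -AttackSurfaceReductionRules_Actions Enabled

# 3. List processes that touched LSASS in the last 7 days.
#    1121 = blocked (seen in the thread), 1122 = audit-mode hit (assumed).
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
  Where-Object { $_.Message -match $LsassRule } |   # locale-independent: match the GUID, not the text
  ForEach-Object {
    # Field names below are assumed; the EventData names are not localized, unlike Message.
    $field = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
    [pscustomobject]@{
      Time    = $_.TimeCreated
      Mode    = if ($_.Id -eq 1121) { 'Blocked' } else { 'Audited' }
      Process = $field['Process Name']
      Parent  = $field['Parent Commandline']
    }
  } | Format-Table -AutoSize
```

If the assumed field names do not match on your build, the raw `$_.Message` still contains the same information in the localized form shown in the thread.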