December 8, 2023

A protection rule in Microsoft’s defender will soon run by default, in a bid to prevent threat actors from stealing Windows credentials.

Cybersecurity researcher Kostas first spotted the change in an update to Microsoft’s Attack Surface Reduction (ASR) rules.

Threat actors usually steal credentials or use various exploits to move laterally through an already compromised network. One way to go about this business is to get admin access, then dump the memory of the Local Security Authority Server Service (LSASS) process, as it holds NTLM hashes of Windows credentials.

These can later be brute forced, but in order to keep LSASS memory dumps away from prying eyes, Microsoft prevents access to it, through the Credential Guard, which isolates the process in a virtualized container.

This  feature sometimes results in driver conflicts on the endpoints, which is why many organizations choose not to enable it as predicted by the researchers. Now, to work around this issue, Microsoft will enable an ASR rule, called Block credential stealing from the Windows local security authority subsystem by default. It prevents processes from opening the LSASS process, even with admin privileges.

While enabling the default ASR rule has a significant impact on Windows credential theft, it is by no means a silver bullet. This is because the full attack surface reduction feature is only supported on Windows Enterprise licenses running Microsoft Defender as the primary antivirus. Once another antivirus solution is installed, ASR is immediately disabled on the device.

“The default state for the Attack Surface Reduction (ASR) rule “Block credential stealing from the Windows local security authority subsystem (lsass.exe)” will change from Not Configured to Configured and the default mode set to Block. All other ASR rules will remain in their default state: Not Configured.,” the updated document reads.

Additional filtering logic has already been incorporated in the rule to reduce end user notifications. Customers can configure the rule to Audit, Warn or Disabled modes, which will override the default mode. The functionality of this rule is the same, whether the rule is configured in the on-by-default mode, or if you enable Block mode manually.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.