To prevent hackers from stealing the windows credentials in the LSASS process, Microsoft has now enabled a security feature in Microsoft Defender.
The Attack Surface Reduction will prevent even the admin level hackers from accessing the LSASS process and dump credentials. This feature has been in the Defender for a long time but was inactive. And now it’s turned on as Microsoft prioritizes security.
Blocking Access to Windows LSASS
Compromising a target system, hackers try to move laterally through the network for victimizing more machines. And this happens by either stealing the credentials of those systems or exploiting any flaw in them. And if the hacker chooses the former one, it mostly happens through dumping credentials through NTLM hashes.
NTLM, in return, is a part of the Local Security Authority Server Service (LSASS) process, a critical working in Windows. Hackers trying to steal Windows credentials from the LSASS process will dump its memory, which contains NTLM hashes of Windows credentials.
These hashes can be brute-forced to reveal the clear-text passwords, letting hackers use them for accessing the other systems. As a result, Microsoft introduced Credential Guard earlier, isolating the LSASS process in a virtualized container to prevent other processes from accessing it.
But, this often interferes with the drivers or applications, causing conflicts and forcing enterprises not to use it. Thus, Microsoft now came up with a solution – enabling the Microsoft Defender Attack Surface Reduction (ASR) rule by default.
Fresh changes! What is happening at #Microsoft, did the beast wake up and bump security up the priority list for this month? ????
ASR rule will be in "configured" state by default to block credential stealing from LSASS! ????????https://t.co/bQs3RDFRR6 pic.twitter.com/ubFtlsA3jY
— Kostas (@Kostastsale) February 9, 2022
As spotted by Kostas, a security researcher in Microsoft’s ASR rules documentation. And the company later wrote as;
“The default state for the Attack Surface Reduction (ASR) rule “Block credential stealing from the Windows local security authority subsystem (lsass.exe)” will change from Not Configured to Configured and the default mode set to Block. All other ASR rules will remain in their default state: Not Configured.”
This feature has long been set to disable in Microsoft Defender, as it may raise false flags and cause heavy process checking in the Event Logs. But since Microsoft prioritized security in Windows OS, it now enabled this by default.
