Microsoft Defender's New Feature Can Prevent Windows Credentials Theft

Compromising a vast network needs credentials of all the systems based on it. And hackers do get them all through dumping the stored ones in NTLM of Windows, which is a part of LSASS.

So to prevent them from accessing the LSASS process, Microsoft this week enabled a must-needed feature – Attack Surface Reduction (ASR) – in Microsoft Defender. This will block access to even the admin level accounts to access LSASS, thus fewer chances of stealing credentials.

Microsoft Defender Attack Surface Reduction

Stealing Windows credentials is one of the main and direct vectors for most hackers. And this happens mostly through the leakage from NTLM hashes, which contain encrypted passwords. To obtain them, hackers target the Local Security Authority Server Service (LSASS) process, which runs in every Windows OS.

Hitting LSASS can let hackers dump the stored in NTLM hashes, which can be brute-forced to reveal the clear-text passwords! And with them, hackers can compromise more systems on the network, taking the whole infrastructure.

So to prevent that from happening, Microsoft earlier introduced Credential Guard, which significantly reduces the access to LSASS in the first place through isolating the process in a virtualized container. But, this happens at the cost of convenience, since Credential Guard interferes with drivers or apps, forcing enterprises to disable this.

Thus, Microsoft now showed up with a viable solution – enabling the Attack Surface Reduction (ASR) in Microsoft Defender by default. This change was spotted by a security researcher named Kostas in Microsoft’s ASR rules documentation, where the company wrote;

“The default state for the Attack Surface Reduction (ASR) rule “Block credential stealing from the Windows local security authority subsystem (lsass.exe)” will change from Not Configured to Configured and the default mode set to Block. All other ASR rules will remain in their default state: Not Configured.”

Though this feature has long been present in the Microsoft Defender, it was left disabled since it often notifies with false flags and creates unnecessary noise in the Event Logs. But as Microsoft chose security over convenience, it’s now turned on.

Other Trending News:-  News


Please enter your comment!
Please enter your name here