Microsoft is enabling a new security feature in Microsoft Defender by default to "reduce the attack surface" and block attempts by attackers to steal Windows credentials from the Local Security Authority Subsystem Service (LSASS) process. One of the most common ways of stealing Windows credentials is to gain administrator privileges on a compromised device and then dump the memory of the LSASS process.
As Bleeping Computer recalls, this memory dump contains the NTLM hashes of the credentials of users logged into the computer, which can be brute-forced to recover plain-text passwords or used directly in Pass-the-Hash attacks to log in to other devices.
The Mimikatz program
Threat actors can use the popular Mimikatz program to dump NTLM hashes from LSASS. Although Microsoft Defender blocks programs like Mimikatz, an LSASS memory dump can still be transferred to a remote computer and the credentials extracted there without fear of being blocked. It is worth remembering that last year Mimikatz appeared in a couple of attack campaigns, such as the one in December attributed to NICKEL.
The announced change seeks to prevent LSASS memory dumps from being abused by introducing protections that block access to the process.
As a way to mitigate Windows credential theft without causing the conflicts introduced by Credential Guard, Microsoft will soon enable a Microsoft Defender Attack Surface Reduction (ASR) rule by default.
"The default state of the Attack Surface Reduction (ASR) rule 'Block Windows Local Security Authority Subsystem (lsass.exe) credential theft' will change from Not Configured to Configured and the default mode will be set to Block. All other ASR rules will remain in their default state: Not Configured," Microsoft explains in the updated ASR rule document.
Because Attack Surface Reduction rules tend to introduce false positives and a lot of noise in the Event Logs, Microsoft had not previously enabled the security feature by default.
This week, we also learned that Microsoft has begun to remove the WMIC tool that threat actors often use to install malware and execute commands.
It is important to note that the full Attack Surface Reduction feature set is only supported on Windows Enterprise licenses running Microsoft Defender as the primary antivirus. Security researchers have also discovered built-in exclusion paths in Microsoft Defender that allow threat actors to run their tools from those file names or directories to bypass ASR rules and continue dumping the LSASS process.
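As an added example (not code from the article or from Microsoft), the following PowerShell snippet shows how an administrator can check the state of the LSASS ASR rule discussed above, set it to Block, review the ASR-only exclusions that the bypass research refers to, and list the rule's block and audit events. It assumes an elevated PowerShell session on a Windows host with Microsoft Defender as the primary antivirus and the Defender PowerShell module available; the rule's published GUID is not quoted in the article.

```powershell
# Added example: audit and enforce the LSASS credential-theft ASR rule.
# Assumption: run elevated, with Microsoft Defender as the active antivirus.
# GUID of "Block credential stealing from the Windows local security authority subsystem".
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
# Numeric action codes as returned by Get-MpPreference, mapped to readable names.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 5 = 'NotConfigured'; 6 = 'Warn' }

# 1. Report the current state of the rule (the "Not Configured" vs "Block" the article describes).
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$current = 'NotConfigured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $LsassRuleId) { $current = $ActionNames[[int]$actions[$i]] }
}
Write-Host "LSASS ASR rule is currently: $current"

# 2. Enforce Block mode if it is not already set. On a noisy fleet, roll out with
#    -AttackSurfaceReductionRules_Actions AuditMode first, because, as the article notes,
#    ASR rules can generate false positives.
if ($current -ne 'Block') {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
    Write-Host "LSASS ASR rule set to Block"
}

# 3. Review ASR-only exclusions: any path listed here is exempt from the rule, so it
#    should be justified and kept to a minimum.
Write-Host "ASR-only exclusions:"
@($pref.AttackSurfaceReductionOnlyExclusions) | ForEach-Object { Write-Host "  $_" }

# 4. List recent block (1121) and audit (1122) events for this rule. The event message
#    records the process that tried to read LSASS, which is what an analyst triages.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $LsassRuleId } |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Because the rule is only enforced when Defender is the primary antivirus, a host running a third-party AV will report the rule as configured but never produce 1121/1122 events for it.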