Microsoft Defender's Attack Surface Reduction (ASR) rule that blocks credential theft from LSASS is now configured by default. The rule stops other processes, including ones running with administrator privileges, from reading the memory of the Local Security Authority Subsystem Service (lsass.exe) to dump credentials. The rule has existed in Defender for a long time but shipped in a "Not Configured" state; Microsoft is now turning it on as it prioritizes security. It is a hardening layer rather than a hard boundary: an attacker with administrator rights can still disable or tamper with Defender itself unless tamper protection is enabled.

Blocking Access to Windows LSASS

After compromising one system, attackers try to move laterally through the network to take over more machines. They do this either by stealing credentials that are valid on those systems or by exploiting a flaw in them. When they choose the former, it usually starts with dumping credentials from the Local Security Authority Subsystem Service (LSASS), the Windows process that handles logon and keeps credential material, including NTLM hashes, in memory. An attacker who can read LSASS memory dumps it and extracts the NTLM hashes of the logged-on accounts. Those hashes can be cracked offline to recover the clear-text passwords, or used directly in pass-the-hash attacks to authenticate to other systems without ever knowing the password. Microsoft's earlier answer was Credential Guard, which moves the secrets out of LSASS into an isolated process protected by virtualization-based security, so that even code running as administrator cannot read them. But Credential Guard requires virtualization support and breaks some older authentication protocols, drivers and applications, so many enterprises leave it off. Microsoft has therefore taken another step: enabling the relevant Microsoft Defender Attack Surface Reduction (ASR) rule by default.

ASR rule will be in "configured" state by default to block credential stealing from LSASS! 😲🥳https://t.co/bQs3RDFRR6 pic.twitter.com/ubFtlsA3jY — Kostas (@Kostastsale) February 9, 2022

The change was spotted by security researcher Kostas in Microsoft's ASR rules documentation. The rule, "Block credential stealing from the Windows local security authority subsystem (lsass.exe)", had long been left unconfigured in Microsoft Defender because it can raise false positives and generate a large volume of events in the event logs. Now that Microsoft is prioritizing security in Windows, the rule is configured to block by default.
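To check and enforce the LSASS rule on your own hosts rather than relying on Microsoft's default, and to see what it is catching, the Defender cmdlets are enough. The following is an added PowerShell example, not code from the article or from Microsoft; it uses the rule's GUID from Microsoft's ASR rules reference and the ASR event IDs from the Defender operational log. The exclusion path in step 3 is an assumption and stands in for whatever legitimate tool trips the rule in your environment.

```powershell
# Added example (not from the article): inspect, enforce and monitor the
# "Block credential stealing from the Windows local security authority
# subsystem (lsass.exe)" ASR rule with the built-in Defender cmdlets.
# Run in an elevated PowerShell session on Windows 10/11 with Microsoft
# Defender Antivirus active.

$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'   # GUID from Microsoft's ASR rules reference

# 1. Read the current state. Get-MpPreference exposes two parallel arrays:
#    AttackSurfaceReductionRules_Ids and AttackSurfaceReductionRules_Actions
#    (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn). No entry means the
#    host has not set the rule explicitly and Defender's default applies.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$pref  = Get-MpPreference
$ids   = @($pref.AttackSurfaceReductionRules_Ids)
$index = -1
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $LsassRuleId) { $index = $i; break }   # GUID case varies, compare case-insensitively
}
if ($index -lt 0) {
    Write-Host "LSASS rule not explicitly configured on this host; Defender's default state applies."
} else {
    $code = [int]$pref.AttackSurfaceReductionRules_Actions[$index]
    Write-Host "LSASS rule is currently set to: $($ActionNames[$code])"
}

# 2. Enforce Block mode explicitly so the setting no longer depends on the
#    vendor default. On hosts where you expect false positives (EDR agents,
#    backup or monitoring tools) roll out with -AttackSurfaceReductionRules_Actions AuditMode
#    first and review the audit events before switching to Enabled.
Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId `
                 -AttackSurfaceReductionRules_Actions Enabled

# 3. If a known-good tool legitimately opens lsass.exe, exclude that binary
#    from ASR only, not from antivirus scanning. The path below is an assumed
#    placeholder; replace it with the real tool and keep the list minimal.
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\ExampleVendor\agent.exe'

# 4. Review what the rule has caught. Defender writes ASR hits to the
#    Microsoft-Windows-Windows Defender/Operational log:
#    event ID 1121 = blocked, 1122 = audited (would have been blocked).
#    The event message carries the rule GUID, the offending process and the target.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $LsassRuleId } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Running this across a fleet in audit mode first is the practical answer to the false-positive concern the article mentions: the 1122 events show exactly which processes would be blocked, so exclusions can be added for the handful of legitimate tools before the rule goes to block mode, and any 1121 event after that is worth an incident-response look, since dumping LSASS is rarely something a benign process does.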

[Image: Microsoft Defender Gets New Feature to Prevent Credential Stealing]