Microsoft Defender gears up against Windows credential theft

Microsoft Defender has just acquired a new tool to protect against Windows credential theft. To do this, the software will activate an ASR (Attack Surface Reduction) rule by default.


Launched in November 2021, Windows Defender has a new utility called Microsoft Defender. It notably includes the detection and remediation services of Microsoft 365 Defender and Azure Defender. With these additions, Windows Defender now offers “the greatest resource coverage of any XDR solution in the industry.”

As a reminder, XDR solutions enable rapid response to cyberattacks through machine learning algorithms and analysis of observable user data in the cloud. And now the Microsoft antivirus software will receive a new tool, this time to prevent Windows credential theft.

As the Redmond firm explains, one of the most common techniques for stealing Windows credentials is to gain administrator privileges on a compromised device, then dump the memory of the Local Security Authority Subsystem Service (LSASS) process running in Windows.


Microsoft Defender enables an ASR rule by default

To prevent attackers from abusing LSASS memory dumps, Microsoft has introduced mechanisms blocking access to the LSASS process. The first of these is none other than Credential Guard. Its job is to isolate the LSASS process in a virtualized container to prevent other processes from accessing it.

However, Credential Guard can conflict with drivers or applications, leading some companies to disable it. So to avoid Windows credential theft as well as possible conflicts between apps and Credential Guard, Microsoft will soon enable by default an attack surface reduction rule (ASR, for Attack Surface Reduction) in Microsoft Defender.

Indeed, the “Block Credential stealing from the Windows local security authority subsystem” rule prevents processes from opening the LSASS process and dumping its memory, even if an attacker has administrative privileges. “The Attack Surface Reduction (ASR) “Block Credential stealing from the Windows local security authority subsystem” default state is changed from Not Configured to Configured and the default mode is set to Block. All other ASR rules will remain in their default state: Not Configured”, explains Microsoft in its ASR rules document.
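The PowerShell script below is an added example, not code from the article or from Microsoft. It assumes a Windows endpoint running Microsoft Defender Antivirus and an elevated session; the function and variable names (Get-LsassAsrRuleState, Test-CredentialGuardRunning, Set-LsassAsrRuleMode, Get-RecentLsassAsrEvents) are my own. It reads the current state of the LSASS rule from Get-MpPreference (reporting Not Configured, Audit, Block, Warn or Disabled), checks whether Credential Guard is running, sets the rule to Block when it is still Not Configured (the new default described above), and lists recent ASR events for this rule from the Defender operational log.

```powershell
# Added example: inspect and enforce the "Block credential stealing from the
# Windows local security authority subsystem" ASR rule. Run in an elevated session.

# GUID Microsoft documents for the LSASS credential-theft ASR rule.
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

# Action codes returned by Get-MpPreference for each configured rule.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Action names accepted by Add-MpPreference ("Enabled" is Block mode).
$ActionParams = @{ Disabled = 'Disabled'; Block = 'Enabled'; Audit = 'AuditMode'; Warn = 'Warn' }

function Get-LsassAsrRuleState {
    # Returns the configured mode of the LSASS rule, or 'Not Configured'.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $LsassRuleId) {
            $code = [int]$actions[$i]
            if ($ActionNames.ContainsKey($code)) { return $ActionNames[$code] }
            return "Unknown($code)"
        }
    }
    return 'Not Configured'
}

function Test-CredentialGuardRunning {
    # Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($null -eq $dg) { return $false }
    return (@($dg.SecurityServicesRunning) -contains 1)
}

function Set-LsassAsrRuleMode {
    param(
        [ValidateSet('Disabled', 'Audit', 'Block', 'Warn')]
        [string]$Mode = 'Block'
    )
    # Add-MpPreference updates an existing entry for the same rule ID instead of duplicating it.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId `
                     -AttackSurfaceReductionRules_Actions $ActionParams[$Mode]
}

function Get-RecentLsassAsrEvents {
    param([int]$Hours = 24)
    # Defender logs ASR hits as event 1121 (blocked) and 1122 (audit-mode) and
    # includes the rule GUID in the message text.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $LsassRuleId } |
        Select-Object TimeCreated, Id, Message
}

# --- Usage ---
Write-Host "Credential Guard running : $(Test-CredentialGuardRunning)"
$state = Get-LsassAsrRuleState
Write-Host "LSASS ASR rule state     : $state"

# Match the new default the article describes: Not Configured -> Block.
if ($state -eq 'Not Configured') {
    Set-LsassAsrRuleMode -Mode Block
    Write-Host "LSASS ASR rule state now : $(Get-LsassAsrRuleState)"
}

# Review what the rule has hit in the last day (blocked or audited).
Get-RecentLsassAsrEvents -Hours 24 | Format-Table -AutoSize
```

On a fleet where Credential Guard had to be turned off because of driver or application conflicts, the usual rollout is to call Set-LsassAsrRuleMode -Mode Audit first, watch the 1122 events for legitimate software that opens LSASS, and only then switch to Block; the event query above is what turns that soak period into a concrete list.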

Source: Bleeping Computer
