Microsoft is getting ready to enable a new security feature in Microsoft Defender that should make it more difficult for threat actors to steal credentials from Windows PCs. The company says that the Attack Surface Reduction (ASR) security rule will help to prevent attackers who already hold admin privileges from accessing the Local Security Authority Subsystem Service (LSASS) process.
For those unfamiliar, the LSASS process is responsible for enforcing local security policies and it validates users for local and remote sign-ins. To retrieve Windows credentials, threat actors typically dump the memory of the LSASS process on compromised devices.
Microsoft previously released several security features (such as Credential Guard) to block access to the LSASS process. However, some organizations haven’t enabled this feature yet because it may cause conflicts with applications or device drivers.
As noted by Bleeping Computer, Microsoft is planning to address this issue by turning on the Attack Surface Reduction rule by default in Microsoft Defender. Once enabled, the feature will prevent malicious processes with admin privileges from dumping the memory of the LSASS process. Security researcher Kostas noticed that Microsoft quietly updated the ASR rules documentation last week to reflect this change.
“The default state for the Attack Surface Reduction (ASR) rule ‘Block credential stealing from the Windows local security authority subsystem (lsass.exe)’ will change from Not Configured to Configured and the default mode set to Block. All other ASR rules will remain in their default state: Not Configured,” the company explained on a support page.
Microsoft noted that it has implemented additional filtering logic in the ASR rule that should help to reduce end-user notifications. Administrators can also override the default by configuring the rule to one of the other modes: Audit, Warn, or Disabled.
It is important to note that the new ASR default can only protect Windows PCs on which Microsoft Defender is the active antivirus: the setting is automatically disabled as soon as a third-party antivirus product is installed on the same device. Bleeping Computer also reports that some researchers bypassed the ASR rule by exploiting Microsoft Defender exclusion paths.
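The two practical questions the previous paragraphs raise for an administrator are "what mode is the LSASS rule actually in on this machine?" and "is Defender still the active antivirus, so that the rule enforces at all?". The following PowerShell is an added example written for this article, not code from Microsoft or from the article itself. It assumes the built-in Defender PowerShell module (`Get-MpPreference`, `Add-MpPreference`, `Get-MpComputerStatus`) and uses the rule's published GUID, `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2`, from Microsoft's ASR rules reference; the function names are my own.

```powershell
# Added example (not from the article or from Microsoft): inspect, configure and
# monitor the "Block credential stealing from the Windows local security authority
# subsystem (lsass.exe)" ASR rule. Run in an elevated PowerShell session.

# GUID of the LSASS rule as listed in Microsoft's ASR rules reference.
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

# Action codes that Get-MpPreference reports per rule.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-LsassAsrRuleState {
    # Returns the locally configured mode, or 'Not Configured' when the rule is
    # absent from the preference list (Defender's own default then applies).
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $LsassRuleId) {
            $code = [int]$actions[$i]
            if ($ActionNames.ContainsKey($code)) { return $ActionNames[$code] }
            return "Unknown($code)"
        }
    }
    return 'Not Configured'
}

function Set-LsassAsrRuleMode {
    # AuditMode is the sensible first step where driver or application conflicts
    # are a concern: events are logged but nothing is blocked.
    param(
        [ValidateSet('Enabled', 'AuditMode', 'Warn', 'Disabled')]
        [string]$Mode = 'AuditMode'
    )
    # Add-MpPreference merges this rule into the existing list; Set-MpPreference
    # with the same parameters would replace every other configured ASR rule.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId `
                     -AttackSurfaceReductionRules_Actions $Mode
}

function Test-DefenderActive {
    # AMRunningMode is 'Normal' when Defender is the primary antivirus. Values such
    # as 'Passive Mode' or 'SxS Passive Mode' mean a third-party product is
    # registered and ASR rules will not be enforced on this device.
    $status = Get-MpComputerStatus
    return ($status.AMRunningMode -eq 'Normal')
}

function Get-LsassAsrEvents {
    # Pulls recent ASR events for this rule from the Defender operational log:
    # event ID 1121 = rule fired in Block mode, 1122 = rule fired in Audit mode.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $LsassRuleId } |
        Select-Object TimeCreated, Id, Message
}

# Usage: report the current posture, then list what the rule has seen today.
"Defender active AV : $(Test-DefenderActive)"
"LSASS ASR rule mode: $(Get-LsassAsrRuleState)"
Get-LsassAsrEvents -Hours 24 | Format-List
```

Reviewing the 1122 audit events for a week or two before switching the rule to `Enabled` is the usual way to surface the application and driver conflicts the article mentions without blocking anything in the meantime; any process that repeatedly appears in those events and is not a known security tool deserves a closer look.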
Nevertheless, cybersecurity experts believe that the new default behavior regarding the ASR feature is a welcome change that can help to prevent credential theft. “It’s something we have asked for years (decades?). It’s a good step and I’m very happy to see that + Macro disabled by default when coming from the Internet. We now start to see measures really related to real world attacks,” Mimikatz developer Benjamin Delpy said in a statement to Bleeping Computer.