Microsoft Defender gets better at preventing Windows password theft


Microsoft is beefing up Windows security by adding a very important rule to its antivirus. A new ASR rule is being introduced in Microsoft Defender.

Before we get into that, let’s talk about a method hackers can use to steal a user’s Windows password.

What is LSASS?

You may have noticed LSASS.exe in your Task Manager. It belongs to a process called Local Security Authority Server Service. LSASS authenticates users who log on to a computer and is protected by Microsoft Defender Credential Guard. The problem is that Credential Guard is not compatible with all programs, for example custom smart card drivers. Therefore, it is not implemented in all environments.

When an attacker has breached a user’s computer, they can easily access the LSASS process through special tools like Mimikatz. The resulting file created by the tool is a memory dump that contains the passwords and usernames of users who have logged on to the system.


Passwords are displayed in plain text, allowing the attacker to gain full access to the operating system. All of this can be done remotely, and Microsoft Defender won’t block access because LSASS is a legitimate process and its memory dump is a harmless file. Defender can only detect programs that maliciously access the process; it cannot prevent the memory dump from being created or transmitted to steal the user’s credentials.

That’s pretty scary, isn’t it?

Microsoft Defender gets an attack surface reduction rule

The solution to this security problem is quite simple: protect LSASS from unauthorized access and all this mess can be avoided, right? That is precisely what the Redmond company is doing, by adding a new Attack Surface Reduction (ASR) rule. This rule will prevent programs from opening LSASS and in turn will also prevent them from creating the memory dump. It will block access to LSASS even if a program that has elevated rights, i.e. administrator privileges, tries to open the process.

It gets better: according to Microsoft documentation, this ASR rule will be enabled by default, while all other related rules will remain in their default “Not Configured” state.


Is ASR a good solution? Well, if you’re using Microsoft Defender, this looks promising. However, it is not completely infallible. We must remember that malware also evolves and becomes more complex year after year.

On the other hand, if you are using a third-party antivirus on your computer, the ASR rule is disabled, which leaves LSASS vulnerable again. Bleeping Computer reports that some security researchers have already bypassed the ASR rule by exploiting Microsoft Defender’s exclusion paths. The exclusions apply to all ASR rules, and since this LSASS access rule is in the same category, it is possible for hackers to bypass the restrictions. The report mentions that users running Windows Enterprise, Windows 10 Pro, and Windows 11 Pro will be protected by the new ASR rule.
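An added example, not from the original article or from Microsoft: a PowerShell audit for the two weaknesses described above, the LSASS rule not being enforced and exclusions that also apply to it. It relies on the Defender cmdlets `Get-MpPreference` and `Get-MpComputerStatus`; the function name `Get-LsassAsrAudit`, the passive-mode check, and the sample data are assumptions made for illustration.

```powershell
# GUID of the ASR rule "Block credential stealing from the Windows local
# security authority subsystem (lsass.exe)" per Microsoft's ASR rule reference.
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

function Get-LsassAsrAudit {   # hypothetical helper name
    param(
        # Object shaped like Get-MpPreference output, passed in so the
        # function can also be run against constructed data.
        [Parameter(Mandatory)] $Preference,
        # AMRunningMode string from Get-MpComputerStatus.
        [string] $RunningMode = 'Normal'
    )
    $actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $ids     = @($Preference.AttackSurfaceReductionRules_Ids)
    $actions = @($Preference.AttackSurfaceReductionRules_Actions)

    # A rule missing from the Ids list is in the "Not configured" state.
    $state = 'Not configured'
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $LsassRuleId) {   # string -eq is case-insensitive
            $state = $actionNames[[int]$actions[$i]]
            if (-not $state) { $state = "Unknown ($($actions[$i]))" }
        }
    }
    # Exclusions to review: ASR-only exclusions plus antivirus path exclusions.
    $exclusions = @(@($Preference.AttackSurfaceReductionOnlyExclusions) +
                    @($Preference.ExclusionPath) | Where-Object { $_ })

    [pscustomobject]@{
        RuleState   = $state
        RunningMode = $RunningMode
        # Assumption: passive mode means another antivirus is primary.
        Enforced    = ($state -eq 'Block') -and ($RunningMode -notlike '*Passive*')
        Exclusions  = $exclusions
    }
}

# Constructed sample (not real telemetry): rule set to Block, one broad exclusion.
$sample = [pscustomobject]@{
    AttackSurfaceReductionRules_Ids      = @('9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2')
    AttackSurfaceReductionRules_Actions  = @(1)
    AttackSurfaceReductionOnlyExclusions = @()
    ExclusionPath                        = @('C:\Tools')
}
Get-LsassAsrAudit -Preference $sample

# On a live host, from an elevated prompt:
# Get-LsassAsrAudit -Preference (Get-MpPreference) -RunningMode (Get-MpComputerStatus).AMRunningMode
```

Any path listed under `Exclusions` deserves review, since a writable excluded folder undermines the rule even when `Enforced` is true.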

That said, the new ASR rule has been welcomed by security researchers as it makes Windows a bit more secure, and that’s always welcome as it will result in fewer stolen passwords.


On a side note, Microsoft Defender Preview is a new dashboard that allows you to manage the security of your devices.
