The software giant Microsoft is taking a security measure against a password-theft technique that abuses the LSASS process. The company has announced that the relevant Attack Surface Reduction rule will be enabled by default, which is expected to block this popular method.
LSASS memory dumping was doing the trick
LSASS is not the primary tool for threat actors, but it makes things easier for them
The Local Security Authority Subsystem Service, LSASS, is one of the tools that hackers use to steal passwords from target devices. The LSASS.exe process holds credential data in memory, and once hackers have gained administrator privileges they can steal those credentials by dumping the process memory. This can be done remotely, and the process is not currently blocked by Windows Defender. With the stolen credentials, they can then spread to other devices across the target network.
With the change to the default Windows Defender rules, the LSASS process will be isolated: no other process will be able to access it or its data in memory. This takes a very easy and useful tool out of the hackers’ hands. Isolating LSASS will not solve every security risk on a computer, but it will certainly make attackers’ work harder. The security measure is an Attack Surface Reduction (ASR) rule, and it will be enabled by default.
Providing extra security, but…
On the other hand, isolating LSASS is likely to cause problems for programs and drivers that rely on LSASS for authentication. Also, the solution works only on Windows Enterprise editions that run Windows Defender as the primary antivirus program. Installing another antivirus disables the isolation of LSASS.
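The two points above, that the rule must be enforced and that it only applies while Defender is the primary antivirus, can be checked from an elevated PowerShell session. The script below is an added example written for this article, not Microsoft's own code; the rule GUID is Microsoft's documented identifier for the LSASS credential-theft ASR rule, and the helper function names are assumptions.

```powershell
# Added example (not from the article): audit and enforce the ASR rule that
# blocks credential theft from lsass.exe, and confirm Defender is the active
# antivirus so the rule is actually applied. Run in an elevated PowerShell.
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'   # Microsoft's documented rule ID
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-LsassAsrRuleState {
    # Returns the explicitly configured mode, or 'NotConfigured' when the
    # rule is left to the platform default (the article's new default is Block).
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $LsassRuleId) {
            $code = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
            if ($ActionNames.ContainsKey($code)) { return $ActionNames[$code] }
            return "Unknown($code)"
        }
    }
    return 'NotConfigured'
}

function Test-DefenderPrimary {
    # With a third-party antivirus installed, Defender drops to passive mode
    # (AMRunningMode is no longer 'Normal') and ASR rules are not enforced.
    $status = Get-MpComputerStatus
    return ($status.AMRunningMode -eq 'Normal' -and $status.RealTimeProtectionEnabled)
}

function Enable-LsassAsrRule {
    # Add-MpPreference only touches this one rule; other ASR rules are kept.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
}

if (-not (Test-DefenderPrimary)) {
    $mode = (Get-MpComputerStatus).AMRunningMode
    Write-Warning "Defender is not the primary antivirus (AMRunningMode='$mode'); the LSASS rule will not be enforced."
}

$state = Get-LsassAsrRuleState
Write-Host "LSASS ASR rule state: $state"
if ($state -ne 'Block') {
    Enable-LsassAsrRule
    Write-Host "LSASS ASR rule state after change: $(Get-LsassAsrRuleState)"
}
```

Set the rule to Audit first on hosts with drivers or agents that authenticate through LSASS, and review the resulting ASR audit events before switching to Block.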