2022-02-20

Passwords are one of the most important elements of our personal data, since they are what give us access to platforms such as social networks and online services.

That is why it is always necessary to be careful when we come across messages that request our personal data and include a link to take some action requiring that data to be entered. Often this is a strategy used by a cybercriminal to get hold of our data and defraud us.

With this in mind, Microsoft has added a new security feature to its Microsoft Defender tool in order to deal with cyber attacks that focus on obtaining Windows credentials through the LSASS (Local Security Authority Subsystem Service) process.

One of the methods hackers use most often to penetrate the system and access Windows credentials is to obtain Administrator privileges, which they then use to manipulate the LSASS process and take a memory dump of it.

This memory dump contains the NTLM hashes corresponding to the Windows credentials of the users who have logged on to the computer. These hashes are either brute-forced to recover plaintext passwords or used directly in pass-the-hash attacks to log in to other devices.

On the other hand, there is a program named Mimikatz that cybercriminals use to dump the NTLM hashes from the LSASS process. However, Microsoft Defender can neutralize this tool, even blocking it outright.

However, there is a method that bypasses this defense by having the LSASS memory dump take place on a remote computer, without running the risk of being blocked. Knowing this, Microsoft took on the task of improving Microsoft Defender so that it would prevent memory dumps of the LSASS process.

This is how Microsoft came to decide to enable by default in Microsoft Defender an attack surface reduction (ASR) rule that helps reduce Windows credential theft and thus avoids the conflict generated by Credential Guard.

Specifically, this rule's attribute will change from "not configured" to "configured", with Block fixed as its default mode, while all other ASR rules keep their settings intact.
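As an added example (not code from the article or from Microsoft), the following PowerShell shows how an administrator can inspect the local state of the LSASS credential-theft ASR rule, explicitly set it to Block without touching any other ASR rule, and review the events Defender writes when the rule fires. It assumes a Windows 10/11 or Windows Server host running Microsoft Defender Antivirus, an elevated PowerShell session, and the rule GUID that Microsoft publishes for "Block credential stealing from the Windows local security authority subsystem (lsass.exe)"; the function names are this example's own.

```powershell
# Added example, not from the article: manage and monitor the LSASS ASR rule.
# Assumptions: Microsoft Defender Antivirus present, session elevated (Administrator).
# Rule GUID as published in Microsoft's ASR rule reference for the lsass.exe rule.
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

# Action codes used by Get-MpPreference for AttackSurfaceReductionRules_Actions
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-LsassAsrState {
    # Get-MpPreference only lists rules that have been explicitly configured on this
    # host; a rule that is absent is in the "not configured" state, so Defender's
    # built-in default (Block, after the change described above) applies.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $LsassRuleId) {           # -eq is case-insensitive for strings
            $code = [int]$actions[$i]              # stored as a byte; cast for the lookup
            return [pscustomobject]@{
                RuleId     = $LsassRuleId
                Configured = $true
                Action     = $ActionNames[$code]
            }
        }
    }
    return [pscustomobject]@{
        RuleId     = $LsassRuleId
        Configured = $false
        Action     = 'Not configured (Defender default applies)'
    }
}

function Set-LsassAsrBlock {
    # Add-MpPreference adds or updates only the rule named here and leaves every
    # other ASR rule's setting intact, which is the behaviour the article describes.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
    Get-LsassAsrState
}

function Get-LsassAsrEvents {
    param([int]$Hours = 24)
    # Defender logs ASR activity to its Operational channel:
    #   1121 = rule fired in block mode, 1122 = rule fired in audit mode.
    # Filtering the message on the rule GUID keeps only LSASS-related hits.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $LsassRuleId } |
        Select-Object TimeCreated, Id, Message
}

# Usage: show the current state, enforce Block, then list recent rule hits.
Get-LsassAsrState
Set-LsassAsrBlock
Get-LsassAsrEvents -Hours 72 | Format-List
```

Setting the rule explicitly, rather than relying on the "not configured" default, makes the intended mode visible in `Get-MpPreference` output and in configuration audits. Reviewing the 1121/1122 events after enabling it is the practical way to spot legitimate software (backup agents, some EDR or monitoring tools) that reads lsass.exe memory and may need a documented exclusion, instead of silently losing that functionality.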