fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Microsoft is Making it Harder to Steal Windows Passwords from Memory

Microsoft is Making it Harder to Steal Windows Passwords from Memory

Microsoft is enabling a Microsoft Defender ‘Attack Surface Reduction’ security rule by default to block hackers’ attempts to steal Windows credentials from the LSASS process.

When threat actors compromise a network, they attempt to spread laterally to other devices by stealing credentials or using exploits.

One of the most common methods to steal Windows credentials is to gain admin privileges on a compromised device and then dump the memory of the Local Security Authority Server Service (LSASS) process running in Windows.

This memory dump contains NTLM hashes of Windows credentials of users who had logged into the computer that can be brute-forced for clear-text passwords or used in Pass-the-Hash attacks to login into other devices.

A demonstration of how threat actors can use the popular Mimikatz program to dump NTLM hashes from LSASS is shown below.

Dumping NTLM credentials from LSASS deump using mimikatz
Dumping NTLM credentials from LSASS deump using mimikatz
Source: BleepingComputer

While Microsoft Defender block programs like Mimikatz, a LSASS memory dump can still be transferred to a remote computer to dump credentials without fear of being blocked.

Microsoft Defender’s ASR to the rescue

To prevent threat actors from abusing LSASS memory dumps, Microsoft has introduced security features that prevent access to the LSASS process.

One of these security features is Credential Guard, which isolates the LSASS process in a virtualized container that prevents other processes from accessing it.

However, this feature can lead to conflicts with drivers or applications, causing some organizations not to enable it.

As a way to mitigate Windows credential theft without causing the conflicts introduced by Credential Guard, Microsoft will soon be enabling a Microsoft Defender Attack Surface Reduction (ASR) rule by default.

Also Read: Considering Enterprise Risk Management Certification Singapore? Here Are 7 Best Outcomes

The rule, ‘ Block credential stealing from the Windows local security authority subsystem,’ prevents processes from opening the LSASS process and dumping its memory, even if it has administrative privileges.

ASR rule blocking Process Explorer from dumping the LSASS process
ASR rule blocking Process Explorer from dumping the LSASS process
Source: BleepingComputer

This new change was discovered this week by security researcher Kostas who spotted an update to Microsoft’s ASR rules documentation.

“The default state for the Attack Surface Reduction (ASR) rule “Block credential stealing from the Windows local security authority subsystem (lsass.exe)” will change from Not Configured to Configured and the default mode set to Block. All other ASR rules will remain in their default state: Not Configured.,” Microsoft explained in the updated document on the ASR rule.

“Additional filtering logic has already been incorporated in the rule to reduce end user notifications. Customers can configure the rule to AuditWarn or Disabled modes, which will override the default mode. The functionality of this rule is the same, whether the rule is configured in the on-by-default mode, or if you enable Block mode manually. “

As Attack Surface Reduction rules tend to introduce false positives and a lot of noise in Event Logs, Microsoft had previously not enabled the security feature by default.

However, Microsoft has recently begun to choose security at the expense of convenience by removing common features used by Admins and Windows users that increase attack surfaces.

For example, Microsoft recently announced that they would prevent VBA macros in downloaded Office documents from being enabled within Office applications in April, killing off a popular distribution method for malware.

Also Read: PDPA Singapore Guidelines: 16 Key Concepts For Your Business

This week, we also learned that Microsoft had begun the deprecation of the WMIC tool that threat actors commonly use to install malware and run commands.

Not a perfect solution but a great start

While enabling the ASR rule by default will significantly impact the stealing of Windows credentials, it is not a silver bullet by any means.

This is because the full Attack Surface Reduction feature is only supported on Windows Enterprise licenses running Microsoft Defender as the primary antivirus. However, BleepingComputer’s tests show that the LSASS ASR rule also works on Windows 10 and Windows 11 Pro clients.

Unfortunately, once another antivirus solution is installed, ASR is immediately disabled on the device.

Furthermore, security researchers have discovered built-in Microsoft Defender exclusion paths allowing threat actors to run their tools from those filenames/directories to bypass the ASR rules and continue to dump the LSASS process.

Mimikatz developer Benjamin Delpy told BleepingComputer that Microsoft probably added these built-in exclusions for another rule, but as exclusions affect ALL rules, it bypasses the LSASS restriction.

“For example, if they want to exclude a directory from the rule, “Block executable files from running unless they meet a prevalence, age, or trusted list criterion,” it’s not possible for this rule only. Exclusion is for ALL of the ASR rules… including LSASS access”, Delpy explained to BleepingComputer in a conversation about the upcoming changes.

However, even with all of these issues, Delpy sees this change as a major step forward by Microsoft and believes it will significantly impact a threat actor’s ability to steal Windows credentials.

“It’s something we have asked for years (decades?). It’s a good step and I’m very happy to see that + Macro disabled by default when coming from the Internet. We now start to see measures really related to real world attacks,” continued Delpy.

“There is no legitimate reason to support a process opening the LSASS process… only to support buggy / legacy / crappy products – most of the time – related to authentication :’).”

BleepingComputer has reached out to Microsoft to learn more about when this rule will be enabled by default but has not heard back.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us