Microsoft Security Tech Accelerator
Dec 06 2023, 07:00 AM - 12:00 PM (PST)
Microsoft Tech Community

ASR Exception for Block Credential Stealing rule

Copper Contributor


We want to apply the ASR rule 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)' with exceptions for a trusted executable as the source app. However, it looks like the exceptions list only applies to the detected file, which is always lsass.exe.

Is there a way to effect an allow-list for this rule?


2 Replies
best response confirmed by HignettP (Copper Contributor)
This is and will always be lsass.exe, because this process is accessed from other apps to enumerate users.
Even though you see thousand of alerts there, you can put this on block most times. Not being able to enumerate users via lsass.exe does not stop 99 of 100 apps to work properly.
Test it out with on device in advance.
Thank you Aexlz.