Defender for Endpoint ASR Rules lsass.exe

Hello everybody,


I have the following issue. I have configured an ASR rule in Endpoint Manager, but the problem is that I get over 400 block detections in my company in the Defender Portal in one week; the detected file is "Block credential stealing from the Windows local security authority subsystem (lsass.exe)".

Since last Thursday I have configured the property "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" from Blocked to Audit, but the rule still blocks.


What is the problem?


Thanks in advance

Soufiane

4 Replies
For a quick check, go to Microsoft 365 Defender > Reports > Attack surface reduction rules and, under Block credential stealing from the Windows local security authority subsystem (lsass.exe), look for the Source app. For more detailed info you will need to use the Advanced hunting query.
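The Advanced hunting query referred to in the reply above, written here as an added example (it is not part of the original reply): it lists which process triggered the LSASS ASR rule over the last seven days and whether each event was reported as blocked or only audited. It assumes the DeviceEvents ActionType values AsrLsassCredentialTheftBlocked and AsrLsassCredentialTheftAudited that Defender for Endpoint uses for this rule.

```kql
// Added example: find the source apps behind "Block credential stealing from LSASS" events.
// Assumes the DeviceEvents ActionType names AsrLsassCredentialTheftBlocked / AsrLsassCredentialTheftAudited.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("AsrLsassCredentialTheftBlocked", "AsrLsassCredentialTheftAudited")
// The initiating process is the "source app" that tried to open lsass.exe
| summarize
    Events    = count(),
    Devices   = dcount(DeviceName),
    FirstSeen = min(Timestamp),
    LastSeen  = max(Timestamp)
    by ActionType,
       InitiatingProcessFileName,
       InitiatingProcessFolderPath,
       InitiatingProcessVersionInfoCompanyName
| order by Events desc
```

Processes that still appear under AsrLsassCredentialTheftBlocked after the policy was switched to audit point to devices that have not yet applied the new setting; add DeviceName to the by clause to list them.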
Did all the devices already apply the new policy?
Apart from that: lsass.exe creates a lot of noise, and you do not necessarily block someone from doing their job because you set the policy to blocked.
Tons of apps just enumerate lsass.exe but do not really require it.
Check out:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-r...

As long as nobody complains, I would continue with "Block".
Yes, all devices got the policy from MEM, but the ASR rule blocked around 15 times per day.
And now the rule is on Audit but still blocks.
SCOM is one that uses excessive permissions.