Forum Discussion

Soufiane_Barhmouni
Copper Contributor
Mar 29, 2022

Defender for Endpoint ASR Rules lsass.exe

Hello everybody,

I have the following issue. I have configured an ASR rule in Endpoint Manager, but the problem is that I get over 400 block detections in my company in the Defender portal in one week; the detected file is "Block credential stealing from the Windows local security authority subsystem (lsass.exe)".

Since last Thursday I have configured the property "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" from Blocked to Audit, but the rule still blocks.

What is the problem?

Thanks in advance

Soufiane

4 Replies

  • aexlz
    Brass Contributor
    Did all the devices already apply the new policy?
    Apart from that: lsass.exe creates a lot of noise, and you do not necessarily block someone from doing his job because you set the policy to Block.
    Tons of apps just enumerate lsass.exe but do not really require it.
    Check out:
    https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-credential-stealing-from-the-windows-local-security-authority-subsystem

    As long as nobody complains, I would continue with "Block".
    • PeDe
      Brass Contributor
      SCOM is one that uses excessive permissions.
    • Soufiane_Barhmouni
      Copper Contributor
      Yes, all devices got the policy from MEM, but the ASR rule blocked around 15 times per day.
      And now the rule is on Audit but still blocks.
  • gatis_p
    Copper Contributor
    For a quick check go to Microsoft 365 Defender > Reports > Attack surface reduction rules and under "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" look for the Source app. For more detailed info you will need to use an Advanced hunting query.
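A device-side check that covers both points raised in the replies above (whether a device actually applied the Audit setting, and which source app keeps triggering the rule). This is an added example, not code from any poster in this thread or from Microsoft. It assumes the rule GUID 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 is Microsoft's published id for the lsass rule, that Defender logs ASR hits as events 1121 (blocked) and 1122 (audited) in its Operational log, and that the EventData fields are named "ID", "Process Name" and "Path"; the function names are made up for this example.

```powershell
# Added example for this thread (not from the posters or from Microsoft).
# Run in an elevated PowerShell session on a managed Windows device.
# Assumption: this GUID is Microsoft's published id for the rule
# "Block credential stealing from the Windows local security authority
# subsystem (lsass.exe)".
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

# Effective local state of the lsass rule, as Defender Antivirus sees it.
# If this still says Block after MEM was switched to Audit, the device has
# not picked up the new policy yet (or another policy source wins).
# Action codes: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn.
function Get-LsassAsrRuleState {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $LsassRuleId) {
            switch ([int]$actions[$i]) {
                0       { return 'Off' }
                1       { return 'Block' }
                2       { return 'Audit' }
                6       { return 'Warn' }
                default { return "Unknown ($($actions[$i]))" }
            }
        }
    }
    return 'Not configured on this device'
}

# Source processes that triggered the lsass rule on this device in the last
# N days. Assumption: Defender writes ASR hits to its Operational log as
# event 1121 (blocked) and 1122 (audited), and the EventData fields are
# named "ID" (rule GUID), "Process Name" (source app) and "Path" (target).
function Get-LsassAsrHits {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) {
                $data[$d.GetAttribute('Name')] = $d.'#text'
            }
            if ($data['ID'] -ine $LsassRuleId) { return }   # hit belongs to another ASR rule
            $mode = if ($_.Id -eq 1121) { 'Blocked' } else { 'Audited' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Mode    = $mode
                Process = $data['Process Name']
                Target  = $data['Path']
            }
        }
    # Count per source process and mode; the top entries are the apps to
    # review (and, if legitimate, the candidates for an ASR exclusion).
    $hits | Group-Object Process, Mode | Sort-Object Count -Descending |
        Select-Object Count, Name
}

"lsass ASR rule state on $env:COMPUTERNAME : $(Get-LsassAsrRuleState)"
Get-LsassAsrHits -Days 7 | Format-Table -AutoSize
```

Running this on a handful of the noisiest devices gives the same "Source app" view as the portal report, but per device and without waiting for the report to refresh; the rule-state line is the fastest way to confirm whether the Audit change has actually reached a device that is still reporting blocks.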