AV-Comparatives takes a deep dive into LSASS Security Features Against Credential Dumping for Enterprise Products

Upper body of a Person with suit and tie blurred in the background and with the index finger directed towards one, presses on a white drawn dot, which is cross-linked with other circles. Title and Logo are included.

AV-Comparatives tested LSASS Protection Features for Enterprise Security Products

Table shows a list of the 15 MITRE ATT&CK tactics and techniques related to LSASS used in the test of AV-Comparatives

AV-Comparatives tested LSASS Protection Features for Business Security Products - MITRE ATT&CK tactics and techniques

Logo AV-Comparatives

Logo AV-Comparatives

Windows Local Security Authority Subsystem Service (LSASS) is one of the cybercriminals’ targets when launching targeted attacks on an organisation’s network

Given the importance of preventing LSASS credential dumping, AV-Comparatives evaluated how well hardening measures in security products protect against attacks on LSASS.”
— Peter Stelzhammer, co-founder AV-Comparatives
INNSBRUCK, TYROL, AUSTRIA, October 23, 2022 /EINPresswire.com/ -- From an attacker's perspective, the LSASS process on a Windows machine is often key to getting useful credentials from domain users and using them to move laterally within the targeted network. Attackers can use several different methods, including custom-designed malware and red teams, to extract credentials from the LSASS process.

Protection against LSASS credential dumping
Depending on the installed security product and applicable policy, it could be easier or harder for an attacker to get hold of Windows user credentials by dumping the address memory of LSASS.

Some security products include specific hardening measures to protect the LSASS process and prevent credential dumping.

However, it may not always be possible to use these more restrictive policies in some organizations’ environments, as they might cause problems with some legacy apps or apps that are not well programmed. Hence, IT administrators should test a product’s hardening settings to see if they have any unwanted side effects.

Blue teams should still assume that determined attackers will find a way to dump the LSASS process, even if the installed security products use specific code to harden the LSASS process against attacks. That is to say; they may still be able to extract user credentials from the LSASS process. In addition to the specific LSASS-hardening measures, security products may prevent credential dumping by, e.g., the antivirus module; this may detect the malware or other files created by the malware or use behavioural detection to block the malicious actions. In some cases, the security product may not stop the attack. Still, it will at least produce an alert, thus warning the system administrator that the malicious actions should be investigated.

Some business security products have their LSASS hardening measures activated by default. Examples are Avast Ultimate Business Security, Bitdefender GravityZone Business Security Enterprise, and Kaspersky Endpoint Detection and Response Expert. Microsoft also provides two features specifically used to protect the LSASS process: PPL (Protected Process Light) and ASR (attack surface reduction) rules. PPL is enabled by default on Windows 11 but currently not on Windows 10; it is included in the Professional, Enterprise and Education variants of Windows 10/11. The ASR rules can be used in organisations’ networks in conjunction with Microsoft Defender and currently need to be proactively configured on either OS.

Test of credential-dumping protection in security products
Given the importance of preventing LSASS credential dumping, in May 2022, AV-Comparatives tried out some business security products to determine how well their hardening measures protected against attacks on LSASS.

Below AV-C lists some products (made by Avast, Bitdefender, Kaspersky and Microsoft) that showed effective protection against the 15 attacks used in our test, with their respective LSASS hardening measures enabled.

The table above includes results for the following products (with LSASS protection settings enabled): Avast Ultimate Business Security, Bitdefender GravityZone Business Security Enterprise, Kaspersky Endpoint Detection and Response Expert and Microsoft Defender for Endpoint.

Microsoft asked us to publish the results of an additional test of Microsoft Defender for Endpoint that we ran without their LSASS protection features (PPL and ASR) enabled. This was done to determine if the attacks listed above would be detected by other Microsoft security features. For each test case, we checked to see if the attack was correctly attributed to the MITRE ATT&CK tactics and techniques about LSASS in the case of detections or active alerts by the security product. When the security product prevented the attack, we checked to see which information about the threat was provided in the admin console. This test's methodology and other details can be found in this PDF. For additional information, please also read this blog entry from Microsoft.

Peter Stelzhammer
AV-Comparatives
+ +43720115542
media@av-comparatives.org
Visit us on social media:
Facebook
Twitter
LinkedIn

You just read:

AV-Comparatives takes a deep dive into LSASS Security Features Against Credential Dumping for Enterprise Products

Distribution channels: Education, Emergency Services, IT Industry, Insurance Industry, Science, Technology ...


EIN Presswire's priority is source transparency. We do not allow opaque clients, and our editors try to be careful about weeding out false and misleading content. As a user, if you see something we have missed, please do bring it to our attention. Your help is welcome. EIN Presswire, Everyone's Internet News Presswire™, tries to define some of the boundaries that are reasonable in today's world. Please see our Editorial Guidelines for more information.

Contact
Peter Stelzhammer
AV-Comparatives
+ +43720115542 media@av-comparatives.org
Company/Organization
AV-Comparatives
Grabenweg 68
Innsbruck, 6020
Austria
+43 512287788
Visit Website
Visit Newsroom
About

AV-Comparatives is an independent organization offering systematic testing that checks whether security software, such as PC/Mac-based antivirus products and mobile security solutions, lives up to its promises. Using one of the largest sample collections worldwide, it creates a real-world environment for truly accurate testing. AV-Comparatives offers freely accessible results to individuals, news organizations and scientific institutions. Certification by AV-Comparatives provides an official seal of approval for software performance which is globally recognized. The story of AV-Comparatives began the way it does with so many computer users, namely with a virus infection. In 1993, Andreas Clementi was hit by a computer virus: the “November 17 virus – NOV_17.855”. This awakened his interest. Andreas was not satisfied with the sometimes very contradictory tests of antivirus programs in computer magazines, and so began the intensive investigation of malware and antivirus software, which continues to this day. In 1999, he founded AV-Comparatives as a student project at the University of Innsbruck. This was done purely out of technical interest, to see how good the products of different manufacturers actually are. The response was enormous, as the manufacturers of antivirus software became aware of the duo in Innsbruck and wanted to take part in the tests.

AV-Comparatives

More From This Author
AV-Comparatives Renews ISO 9001:2015 Certification for Independent Testing of Anti-Virus Software
AV-Comparatives erneuert ISO 9001:2015-Zertifizierung für den Scope “Independent Tests of Anti-Virus Software”
Updated: AV-Comparatives News App for Android and iOS
View All Stories From This Author