Microsoft is finally stepping up the game and blocking Mimikatz-style exploits that steal passwords from system memory. Attackers use these exploits to escalate privileges and move laterally throughout a network. In penetration testing, we use these exploits often.
Take a peek at our internal company Fireside Chat we do every Friday. Today’s discussion centered around Microsoft Defender Attack Surface Reduction, Local Administrator Password Solution (LAPS), and how to thwart the attacker’s attempt to escalate privileges and laterally move throughout your network.
Key Takeaways:
- Utilize Microsoft LAPS (Local Administrator Password Solution) to ensure your local administrator passwords are different across systems
- If you use Microsoft Defender as your enterprise antivirus solution, enable Attack Surface Reduction rules, including the one titled “Block credential stealing from the Windows local security authority subsystem (lsass.exe)”
- If you utilize a different host-based protection solution, ensure it protects against these attacks by performing a test against one of your systems. We can do this test for you. Contact Us to schedule a discussion with our team.
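The two Defender-related takeaways above can be applied and verified from an elevated PowerShell session. The script below is an added example, not code from the original post or from Go Security Pro: it enables the LSASS credential-theft ASR rule (Microsoft's documented rule id 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2), reports the rule's current mode, checks whether a LAPS policy is present on the host, and pulls recent ASR events from the Defender operational log. The registry policy paths for legacy LAPS (AdmPwd) and Windows LAPS, and the assumption that ASR event messages contain the rule id, are the author's assumptions and should be confirmed against your build.

```powershell
# Added example (not from the page or Go Security Pro). Run elevated on a
# Windows 10/11 or Server host where Microsoft Defender Antivirus is the active AV.

# Rule id of "Block credential stealing from the Windows local security
# authority subsystem (lsass.exe)" as documented by Microsoft.
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

function Enable-LsassAsrRule {
    param([ValidateSet('Enabled', 'AuditMode')] [string]$Action = 'Enabled')
    # Add-MpPreference merges with existing ASR settings, so other rules are kept.
    # Use -Action AuditMode first in change-controlled environments to see what
    # would be blocked before enforcing.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId `
                     -AttackSurfaceReductionRules_Actions $Action
}

function Get-LsassAsrRuleState {
    # Ids and Actions are parallel arrays; Actions are numeric
    # (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $LsassRuleId) {
            switch ($actions[$i]) {
                0       { return 'Disabled' }
                1       { return 'Block' }
                2       { return 'Audit' }
                6       { return 'Warn' }
                default { return "Unknown($($actions[$i]))" }
            }
        }
    }
    return 'NotConfigured'
}

function Test-LapsPolicyPresent {
    # Assumed policy locations: legacy LAPS (AdmPwd GPO client-side extension)
    # and Windows LAPS. Presence of the key/value means policy has been delivered,
    # not that a password has actually been rotated; confirm in AD as well.
    $legacyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    $windowsKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
    $legacy = Get-ItemProperty -Path $legacyKey -Name AdmPwdEnabled -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LegacyLapsEnabled = ($null -ne $legacy -and $legacy.AdmPwdEnabled -eq 1)
        WindowsLapsPolicy = (Test-Path -Path $windowsKey)
    }
}

function Get-RecentLsassAsrEvents {
    param([int]$Hours = 24)
    # Defender logs ASR hits in its operational channel:
    # event id 1121 = rule fired in block mode, 1122 = rule fired in audit mode.
    # Assumes the event message text includes the rule id.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $LsassRuleId } |
        Select-Object TimeCreated, Id, Message
}

# Usage: enforce the rule, then report state, LAPS policy, and recent hits.
Enable-LsassAsrRule -Action Enabled
"LSASS ASR rule state: $(Get-LsassAsrRuleState)"
Test-LapsPolicyPresent
Get-RecentLsassAsrEvents -Hours 24
```

Forwarding event ids 1121 and 1122 from this channel to your SIEM gives you a detection for credential-dumping attempts against lsass.exe even on hosts where the rule is still in audit mode, which is the state you want to review before switching to Block across the fleet.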
In our penetration tests, we often utilize the Pass-the-hash toolkit in conjunction with Mimikatz. The CrackMapExec tool automates the process of using both exploits together and allows an attacker to quickly survey the network to find privileged credentials. These exploits are successful too often. Microsoft is recognizing the need to block Mimikatz and is finally pushing out an automatic block rule. This is a great step forward, but far from a silver bullet solution.
The discussion in this video is based on the BleepingComputer article, Microsoft Defender will soon block Windows password theft.
Need to test your environment to ensure you are protected against Mimikatz-style attacks? Check out our Penetration Testing service page to learn more about our attack simulation and ethical hacking services. Then Contact Us to schedule a discussion with our team.

Geoff Wilson is an innovative cybersecurity thought leader with deep experience in defensive cybersecurity strategies. Having studied at Carnegie Mellon University and trained at the National Security Agency, Geoff brings 17 years of cybersecurity experience to your organization.
In his many cybersecurity roles, Geoff has been an IT Auditor, Penetration Tester, Risk Assessor, Forensic Analyst, SOC Engineer, Information Security Officer, Software Developer, Author, University Professor, and Consultant.
Geoff is a business leader having founded Go Security Pro in early 2019 with his co-founder Susan Wilson. Geoff regularly speaks at conferences, presents to executive leadership and boards, and can get in the technical weeds with IT professionals.
Geoff treats every engagement as a knowledge transfer opportunity and every client with the utmost care. He is ready to assist you with your cybersecurity challenges.