Mimikatz-Style Exploits to be Blocked by Microsoft

Microsoft is finally stepping up the game and blocking Mimikatz-style exploits that steal passwords from system memory. Attackers use these exploits to escalate privileges and move laterally throughout a network. In penetration testing, we use these exploits often.

Take a peek at our internal company Fireside Chat we do every Friday. Today’s discussion centered around Microsoft Defender Attack Surface Reduction, Local Administrator Password Solution (LAPS), and how to thwart the attacker’s attempt to escalate privileges and laterally move throughout your network.

Key Takeaways:

  • Utilize Microsoft LAPS (Local Administrator Password Solution) to ensure your local administrator passwords are different across systems
  • If you use Microsoft Defender as your enterprise antivirus solution, enable Attack Surface Reduction rules including the one titled, “Block credential stealing from the Windows local security authority subsystem (lsass.exe)”
  • If you utilize a different host-based protection solution, ensure it protects against these attacks by performing a test against one of your systems. We can do this test for you. Contact Us to schedule a discussion with our team.
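One way to check whether the ASR rule named in the second takeaway is enforced on a host, enable it if not, and list recent rule events. This is an added example, not code from the original post or its authors; it assumes an elevated PowerShell session on a machine running Microsoft Defender Antivirus with the Defender cmdlets available, and uses Microsoft's documented GUID for the LSASS rule.

```powershell
# Added example (not from the original post): check and enable the Defender ASR rule
# "Block credential stealing from the Windows local security authority subsystem (lsass.exe)".
# Assumes an elevated PowerShell session with the Defender cmdlets (Get-MpPreference / Add-MpPreference).
# The GUID below is Microsoft's documented rule ID for this ASR rule.
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

# Action codes as reported by Get-MpPreference (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn)
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-LsassAsrState {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $LsassRuleId) {
            $code = [int]$actions[$i]
            return [pscustomobject]@{ Configured = $true; Action = $code; Name = $ActionNames[$code] }
        }
    }
    # Rule never configured on this host: Defender does not enforce it
    return [pscustomobject]@{ Configured = $false; Action = 0; Name = 'Not configured' }
}

$state = Get-LsassAsrState
Write-Host "LSASS credential-theft ASR rule: $($state.Name)"

if ($state.Action -ne 1) {
    # Add-MpPreference adds or updates only this rule and leaves other ASR rules untouched.
    # Use -AttackSurfaceReductionRules_Actions AuditMode first if you want to observe
    # detections before enforcing the block.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
    $state = Get-LsassAsrState
    Write-Host "After change: $($state.Name)"
}

# Blocked attempts are logged as Event ID 1121 (block) and audited ones as 1122 in the
# Microsoft-Windows-Windows Defender/Operational log; show recent events for this rule.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $LsassRuleId } |
    Select-Object TimeCreated, Id, Message
```

Running this in audit mode for a few days before switching to block shows which legitimate tools (backup agents, some EDR components) touch LSASS and would need an exclusion.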

In our penetration tests, we often utilize the Pass-the-hash toolkit in conjunction with Mimikatz. The CrackMapExec tool automates the process of using both exploits together and allows an attacker to quickly survey the network to find privileged credentials. These exploits are successful too often. Microsoft is recognizing the need to block Mimikatz and is finally pushing out an automatic block rule. This is a great step forward, but far from a silver bullet solution.

The discussion in this video is based on the BleepingComputer article “Microsoft Defender will soon block Windows password theft.”

Need to test your environment to ensure you are protected against Mimikatz-style attacks? Check out our Penetration Testing service page to learn more about our attack simulation and ethical hacking services. Then Contact Us to schedule a discussion with our team.