Mimikatz-Style Exploits to be Blocked by Microsoft

Microsoft is finally stepping up the game and blocking Mimikatz-style exploits that steal passwords from system memory. Attackers use this exploit to escalate privileges and laterally move throughout a network. In penetration testing, we use these exploits often.

Take a peek at our internal company Fireside Chat we do every Friday. Today’s discussion centered around Microsoft Defender Attack Surface Reduction, Local Administrator Password Solution (LAPS), and how to thwart the attacker’s attempt to escalate privileges and laterally move throughout your network.

Key Takeaways:

  • Utilize Microsoft LAPS (Local Administrator Password Solution) to ensure your local administrator passwords are different across systems
  • If you use Microsoft Defender as your enterprise antivirus solution, enable Attack Surface Reduction rules, including the one titled “Block credential stealing from the Windows local security authority subsystem (lsass.exe)”
  • If you utilize a different host-based protection solution, ensure it protects against these attacks by performing a test against one of your systems. We can do this test for you. Contact Us to schedule a discussion with our team.
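
One way to confirm the lsass.exe rule from the takeaways above is actually enforced on a host is sketched below. This is an added example, not code from the video or the article; the function name `Get-LsassAsrRuleState` is hypothetical, and the script assumes the Defender PowerShell module (`Get-MpPreference`) is present for the live check.

```powershell
# GUID of the ASR rule "Block credential stealing from the Windows local
# security authority subsystem (lsass.exe)".
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

# ASR action codes as reported by Get-MpPreference.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Hypothetical helper: maps Defender's parallel Ids/Actions arrays to the
# state of the lsass.exe rule.
function Get-LsassAsrRuleState {
    param(
        [string[]] $RuleIds,
        [int[]]    $RuleActions
    )
    # No ASR rules configured at all.
    if (-not $RuleIds) { return 'NotConfigured' }
    for ($i = 0; $i -lt $RuleIds.Count; $i++) {
        if ($RuleIds[$i] -ieq $LsassRuleId) {
            # Actions[i] is the action for Ids[i]; guard against a short array.
            if (-not $RuleActions -or $i -ge $RuleActions.Count) {
                return 'Unknown (no action recorded)'
            }
            $code = $RuleActions[$i]
            if ($ActionNames.ContainsKey($code)) { return $ActionNames[$code] }
            return "Unknown (action code $code)"
        }
    }
    return 'NotConfigured'
}

# Constructed sample input: a placeholder rule in block mode and the lsass.exe
# rule left in audit mode, which logs but does not stop credential dumping.
$sampleIds     = @('00000000-0000-0000-0000-000000000000', $LsassRuleId)
$sampleActions = @(1, 2)
"Sample host: $(Get-LsassAsrRuleState -RuleIds $sampleIds -RuleActions $sampleActions)"

# Live check on a Windows host running Microsoft Defender.
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $pref  = Get-MpPreference
    $state = Get-LsassAsrRuleState -RuleIds $pref.AttackSurfaceReductionRules_Ids `
                                   -RuleActions $pref.AttackSurfaceReductionRules_Actions
    "This host: lsass.exe ASR rule is $state"
    if ($state -ne 'Block') {
        "Not enforced. From an elevated session, enable it with:"
        "Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId -AttackSurfaceReductionRules_Actions Enabled"
    }
}
```

A result of Audit or Warn means the rule is present but will not stop a credential dump, so only Block should be treated as protected.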

In our penetration tests, we often utilize the Pass-the-hash toolkit in conjunction with Mimikatz. The CrackMapExec tool automates the process of using both exploits together and allows an attacker to quickly survey the network to find privileged credentials. These exploits are successful too often. Microsoft is recognizing the need to block Mimikatz and is finally pushing out an automatic block rule. This is a great step forward, but far from a silver bullet solution.

The discussion in this video is based on the BleepingComputer article, Microsoft Defender will soon block Windows password theft.

Need to test your environment to ensure you are protected against Mimikatz-style attacks? Check out our Penetration Testing service page to learn more about our attack simulation and ethical hacking services. Then Contact Us to schedule a discussion with our team.

About the Author

Geoff Wilson is CEO and Founder of Go Security Pro and is an innovative cybersecurity thought leader with deep experience in defensive cybersecurity strategies. Having trained at the National Security Agency, Geoff brings 20 years of cybersecurity experience to your organization.

Geoff has a Master’s of Information Security from Carnegie Mellon University and a Bachelor’s of Computer Science from the University of Oklahoma. He taught a graduate-level Information Security course at the University of Oklahoma for four years. Geoff is a published author, has worked for the National Security Agency, was a federal cybersecurity auditor, and has consulted with the Executive Office of the President.

Geoff is a business leader having founded Go Security Pro in early 2019 with his wife and co-founder Susan Wilson. Geoff regularly speaks at conferences, presents to executive leadership and boards, and can get in the technical weeds with IT professionals.

Geoff treats every engagement as a knowledge transfer opportunity and every client with the utmost care. He is ready to assist you with your cybersecurity challenges.