Powershell.exe blocked by ASR rule

Fatehbir Singh 20 Reputation points
2023-11-28T21:23:19.9866667+00:00

Hi

I have enabled a ASR rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)". Now it's detecting poweshell.exe is stealing credentials on some devices.

Filename = poweshell.exe

First Initiating process name = poweshell.exe

First action type = image loaded.

Last action type = NtAllocateVirtualMemoryApiCall.

Can someone help me understand what is this about? and how can I determine if this is legit or false detection?.

Microsoft Intune Security
Microsoft Intune Security
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
375 questions
0 comments No comments
{count} votes

Accepted answer
  1. Crystal-MSFT 46,171 Reputation points Microsoft Vendor
    2023-11-29T01:34:14.5133333+00:00

    @Fatehbir Singh, Thanks for posting in Q&A. In Fact, the ASR rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" is designed to prevent malicious programs from stealing credentials from the local security authority subsystem. PowerShell is a legitimate tool that can be used for various purposes, including credential management. However, if PowerShell is being used to steal credentials, it will trigger the ASR rule.

    To determine if this is a legitimate detection or a false positive, you can investigate the PowerShell commands being executed on the affected devices. You can use PowerShell logging to capture detailed information about PowerShell commands being executed, including the command line arguments and the process that initiated the PowerShell session. This information can help you determine if the PowerShell activity is legitimate or malicious.

    You can also review the Windows Defender logs to see if any other security events have been triggered on the affected devices. This can help you determine if there is a broader security issue that needs to be addressed.


    References:


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


0 additional answers

Sort by: Most helpful