This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 91%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
Hello,
I am trying to see if the EDR Microsoft Defender for Endpoint or other solutions from Microsoft offer options to block the following hive dump SAM, LSA and optionaly DPAPI. I am aware that suspicious dumps are detected but is there a possibility to block it ?
Regards
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
@Pierre Thank you for reaching out to us, As I understand you are trying to block SAM, LSA dump through MDE, Please refer to this blog - https://jeffreyappel.nl/detect-and-block-credential-dumps-with-defender-for-endpoint-attack-surface-reduction/ detailed explanation has been provided here.
Let me know if you have any further questions, feel free to post back.
Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
Hello @Givary-MSFT ,
Thank you for your answer ! Yes, I am trying to give advice on the dump specifically of SAM & LSA dump. LSASS is well blocked by default implementation of MDE.
From what I understand, you have Windows Defender Credential Guard as well as ASR that blocks LSASS dump. MDE that blocks typical tool and technics used to blocks tools such as Mimikatz and technics for LSASS dump. And MDI to detect potential ongoing exploitation path.
Specifically for SAM & LSA dump, the article states that :
"LSA secrets can be dumped directly from registry hives. Normal this behavior is already blocked by Defender for Endpoint." however from my experience as a local admin and with default MDE implemented you are able to dump both SAM & LSA an alert will be created but it is not blocked (even remotely with password or pth technics).
The article also states : "Restrict local administrative access", "Limit domain and highly privileged accounts" that are useful to limit this kind of dump.
And I guess MDE that could block specific tools to stop SAM & LSA dump (I am not sure how to implement this). Overall it is not clear to me how to block all attempts to dump SAM & LSA.