@Fatehbir Singh, thanks for posting in Q&A. In fact, the ASR rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" is designed to prevent malicious programs from stealing credentials from the local security authority subsystem. PowerShell is a legitimate tool that can be used for various purposes, including credential management. However, if PowerShell is being used to steal credentials, it will trigger the ASR rule.
To determine if this is a legitimate detection or a false positive, you can investigate the PowerShell commands being executed on the affected devices. You can use PowerShell logging to capture detailed information about PowerShell commands being executed, including the command line arguments and the process that initiated the PowerShell session. This information can help you determine if the PowerShell activity is legitimate or malicious.
You can also review the Windows Defender logs to see if any other security events have been triggered on the affected devices. This can help you determine if there is a broader security issue that needs to be addressed.
References:
- Attack surface reduction rules deployment overview
- Report and troubleshoot Microsoft Defender for Endpoint ASR Rules
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
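The investigation the answer above describes (read the ASR events from the Defender log, then look at what PowerShell was running on that device at that time) can be scripted. The following is an added example, not code from the original answer or from Microsoft. It assumes PowerShell script block logging (event 4104) is enabled on the device, that you run it elevated so the Security log is readable, and that `$LsassRuleId` holds the GUID Microsoft documents for the LSASS rule; treat that default as an assumption and check it against the ASR rule reference before relying on it.

```powershell
# Added example (not part of the original answer): list ASR block/audit events
# for the LSASS credential-theft rule and show the PowerShell script blocks and
# process-creation events recorded around each one on this device.
param(
    # Assumed GUID for "Block credential stealing from LSASS"; verify against
    # the ASR rule reference before use.
    [string]$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',
    [int]$Days = 7,
    [int]$WindowMinutes = 5
)

$since = (Get-Date).AddDays(-$Days)

# Defender logs ASR hits in its Operational log: 1121 = blocked, 1122 = audited.
$asrEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $LsassRuleId }

if (-not $asrEvents) {
    Write-Host "No ASR events for rule $LsassRuleId in the last $Days days on $env:COMPUTERNAME."
    return
}

foreach ($evt in $asrEvents) {
    $mode = if ($evt.Id -eq 1121) { 'Block' } else { 'Audit' }
    Write-Host ("`n==== {0}  {1}  ASR {2} ====" -f $evt.TimeCreated, $env:COMPUTERNAME, $mode)
    # The message text names the detected process and user; print it as-is,
    # because its layout varies between Defender builds.
    Write-Host $evt.Message

    $from = $evt.TimeCreated.AddMinutes(-$WindowMinutes)
    $to   = $evt.TimeCreated.AddMinutes($WindowMinutes)

    # Script block logging (4104): the PowerShell code that actually ran.
    $scriptBlocks = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $from
        EndTime   = $to
    } -ErrorAction SilentlyContinue

    Write-Host ("-- {0} script block(s) within {1} minute(s):" -f @($scriptBlocks).Count, $WindowMinutes)
    foreach ($sb in $scriptBlocks) {
        # In 4104 events Properties[2] is the ScriptBlockText field.
        $text = [string]$sb.Properties[2].Value
        if ($text.Length -gt 300) { $text = $text.Substring(0, 300) + '...' }
        Write-Host ("  {0}  {1}" -f $sb.TimeCreated, ($text -replace '\s+', ' '))
    }

    # Process creation (Security 4688, needs audit policy + command-line logging):
    # shows which process started PowerShell and with what arguments.
    $procEvents = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4688
        StartTime = $from
        EndTime   = $to
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'powershell' }

    Write-Host ("-- {0} PowerShell process-creation event(s):" -f @($procEvents).Count)
    foreach ($pe in $procEvents) {
        Write-Host ("  {0}" -f $pe.TimeCreated)
        Write-Host $pe.Message
    }
}
```

Run it on an affected device; if the script block and 4688 sections come back empty, enable PowerShell script block logging and the process-creation audit policy with command-line logging first, then wait for the rule to fire again, since those logs are what let you tell a credential-management script from something that should not be touching LSASS.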