This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 9%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFS%3C/text%3E%3C/svg%3E)
Hi
I have enabled a ASR rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)". Now it's detecting poweshell.exe is stealing credentials on some devices.
Filename = poweshell.exe
First Initiating process name = poweshell.exe
First action type = image loaded.
Last action type = NtAllocateVirtualMemoryApiCall.
Can someone help me understand what is this about? and how can I determine if this is legit or false detection?.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Fatehbir Singh, Thanks for posting in Q&A. In Fact, the ASR rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" is designed to prevent malicious programs from stealing credentials from the local security authority subsystem. PowerShell is a legitimate tool that can be used for various purposes, including credential management. However, if PowerShell is being used to steal credentials, it will trigger the ASR rule.
To determine if this is a legitimate detection or a false positive, you can investigate the PowerShell commands being executed on the affected devices. You can use PowerShell logging to capture detailed information about PowerShell commands being executed, including the command line arguments and the process that initiated the PowerShell session. This information can help you determine if the PowerShell activity is legitimate or malicious.
You can also review the Windows Defender logs to see if any other security events have been triggered on the affected devices. This can help you determine if there is a broader security issue that needs to be addressed.
References:
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Is there way to check what "PowerShell commands have been executed" from defender portal. or I need to check event viewer on device?
@Fatehbir Singh, Thanks for the reply. For the defender portal, I am not familiar. So I am not sure. You can contact Defender support to confirm if it can check. On device side, you can check event log to see if any abnormal security event related.