Microsoft makes it harder to steal Windows passwords from memory

Microsoft is enabling by default the Microsoft Defender 'Attack Surface Reduction' (ASR) security rule that blocks attackers from stealing Windows credentials from the LSASS process.

A common method of stealing Windows credentials is to gain admin privileges on a compromised device and then dump the memory of the Local Security Authority Server Service (LSASS) process, which holds the NTLM hashes of users and administrators who have previously logged into the computer. Once acquired, these hashes can be brute-forced to recover clear-text passwords or used directly in Pass-the-Hash attacks to log in to other devices.

To mitigate this attack scenario, Microsoft will enable the Microsoft Defender Attack Surface Reduction rule by default, while avoiding conflicts with other security features such as Credential Guard.
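For administrators who do not want to wait for the default to roll out, the following added example (not code from the article or from Microsoft) checks the current state of the LSASS credential-theft ASR rule, enables it in block mode if needed, and lists recent Defender events showing it firing. It assumes an elevated PowerShell session with Microsoft Defender Antivirus active and the Defender cmdlets available; the rule GUID is the one Microsoft's ASR rule reference lists for this rule, and event IDs 1121/1122 are Defender's block/audit events for ASR.

```powershell
# Added example: manage and monitor the ASR rule
# "Block credential stealing from the Windows local security authority subsystem".
# Requires an elevated session with Microsoft Defender Antivirus enabled.
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'   # GUID per Microsoft's ASR rule reference
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-LsassAsrRuleState {
    # Rule IDs and actions are parallel arrays in Get-MpPreference output.
    $prefs = Get-MpPreference
    $ids   = @($prefs.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $LsassRuleId) {
            $action = [int]$prefs.AttackSurfaceReductionRules_Actions[$i]
            if ($ActionNames.ContainsKey($action)) { return $ActionNames[$action] }
            return "Unknown($action)"
        }
    }
    return 'NotConfigured'
}

function Enable-LsassAsrRule {
    param([ValidateSet('Enabled', 'AuditMode')][string]$Mode = 'Enabled')
    # Add-MpPreference adds or updates this one rule without disturbing other ASR rules.
    # Use AuditMode first if you need to confirm nothing legitimate reads LSASS memory.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId `
                     -AttackSurfaceReductionRules_Actions $Mode
}

function Get-LsassAsrEvents {
    param([int]$Hours = 24)
    # 1121 = ASR rule fired in block mode, 1122 = fired in audit mode.
    # The event message carries the rule GUID, so filter on it to isolate this rule.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $LsassRuleId } |
        Select-Object TimeCreated, Id, Message
}

$state = Get-LsassAsrRuleState
Write-Host "LSASS credential-theft ASR rule: $state"
if ($state -ne 'Block') {
    Enable-LsassAsrRule -Mode 'Enabled'
    Write-Host "Rule state after change: $(Get-LsassAsrRuleState)"
}
Get-LsassAsrEvents -Hours 24 | Format-Table -AutoSize -Wrap
```

Hits on the rule in event 1121/1122 identify the process that attempted to open LSASS, which is the first artifact to triage; legitimate security tooling that also reads LSASS is what audit mode is meant to surface before switching to block.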

