Microsoft Defender Antivirus • Release: 7 Benchmark Date: 05 Jan 2026

CAT II V-278648 WNDF-AV-000044

Microsoft Defender AV must block credential stealing from the Windows local security authority subsystem.

Documentable No
Rule ID SV-278648r1144032_rule
CCI References
CCI-001170

Discussion

This policy setting helps prevent credential stealing by locking down Local Security Authority Subsystem Service (LSASS).

Check Procedure

Verify the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> Microsoft Defender Exploit Guard >> Attack Surface Reduction >> Configure Attack Surface Reduction rules is set to "Enabled".

Procedure: Use the Windows Registry Editor to navigate to the following key: 
HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules

Criteria: If the value "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" is REG_SZ = 1, this is not a finding.

If the value is other than 1, this is a finding.

Fix Action

Set the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> Microsoft Defender Exploit Guard >> Attack Surface Reduction >> Configure Attack Surface Reduction rules to "Enabled".

Under the policy option "Set the state for each ASR rule:", then click "Show".

Enter GUID "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" in the "Value Name" column.

Enter "1" in the "Value" column.

Click "OK".

Click "Apply".