Detecting credential theft through memory access modelling with Microsoft Defender ATP

Credit to Author: Eric Avena | Date: Thu, 09 May 2019 17:29:45 +0000

Stealing user credentials is a key step for attackers to move laterally across victim networks. In today’s attacks, we see a range of tools used to achieve credential theft. This requires protections that target the root behavior rather than just individual known tools, as traditional antimalware software often does.

Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP), Microsoft’s unified endpoint protection platform, uses multiple approaches to detect credential dumping. In this post, we’ll discuss one of them: a statistical approach that models memory access to the Local Security Authority Subsystem Service (lsass.exe) process.

The lsass.exe process manages many user credential secrets; a key behavior associated with credential theft, and therefore common across many tools used by attackers, is to read large amounts of data from this process’ memory space.

Microsoft Defender ATP instruments memory-related function calls such as VirtualAlloc and VirtualProtect to catch in-memory attack techniques like reflective DLL loading. The same signals can also be used to generically detect malicious credential dumping activities performed by a wide range of different individual tools.

A statistical approach to detecting credential theft

Reviewing the behavior of multiple known tools, we see that the number and size of memory reads from the lsass.exe process related to credential dumping are highly predictable. The diagram below shows a (slightly simplified) view of this.

[Figure 1: Number of read operations vs. number of bytes read]

By contrast, legitimate reads from the lsass.exe process, such as routine handling of users signing in, fall outside this cluster.

Microsoft Defender ATP uses such a model to discriminate between expected and unexpected accesses to lsass.exe process memory, and raise an alert in the latter case:

[Figure 2: Sensitive credential memory read]
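One simple way to build a model of this kind, shown as an added example (it is not Microsoft Defender ATP's model or code): fit a two-dimensional Gaussian to the number and total size of lsass.exe reads seen from known dumping tools, then flag any process whose read profile lands inside that cluster. The sample sessions, process names, variance floor and threshold are all constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed samples: (read_count, total_bytes) of lsass.exe reads per process,
# standing in for sessions recorded while known dumping tools ran.
DUMP_SESSIONS = [(410, 41_000_000), (395, 39_500_000), (450, 46_000_000),
                 (380, 37_000_000), (430, 44_500_000), (405, 42_000_000)]
VARIANCE_FLOOR = 0.01  # assumed: tolerates unseen tools near the cluster
THRESHOLD = 9.21       # assumed: 99% chi-square quantile, 2 degrees of freedom

def features(read_count, total_bytes):
    """Log-scale both axes so counts and sizes are comparable."""
    return math.log10(read_count), math.log10(total_bytes)

def fit(sessions):
    """Fit a 2-D Gaussian (mean, covariance terms) to the dumping cluster."""
    pts = [features(*s) for s in sessions]
    n = len(pts)
    mx, my = sum(p[0] for p in pts) / n, sum(p[1] for p in pts) / n
    sxx = sum((p[0] - mx) ** 2 for p in pts) / (n - 1) + VARIANCE_FLOOR
    syy = sum((p[1] - my) ** 2 for p in pts) / (n - 1) + VARIANCE_FLOOR
    sxy = sum((p[0] - mx) * (p[1] - my) for p in pts) / (n - 1)
    return (mx, my), (sxx, sxy, syy)

def distance_sq(model, read_count, total_bytes):
    """Squared Mahalanobis distance from the cluster centre."""
    (mx, my), (sxx, sxy, syy) = model
    x, y = features(read_count, total_bytes)
    dx, dy = x - mx, y - my
    det = sxx * syy - sxy * sxy
    return (syy * dx * dx - 2 * sxy * dx * dy + sxx * dy * dy) / det

def aggregate(events):
    """Sum read events (process, bytes_read) into per-process (count, bytes)."""
    totals = defaultdict(lambda: [0, 0])
    for process, nbytes in events:
        totals[process][0] += 1
        totals[process][1] += nbytes
    return {p: tuple(v) for p, v in totals.items()}

def alerts(model, events):
    """Return processes whose lsass.exe read profile falls inside the cluster."""
    return sorted(p for p, (n, b) in aggregate(events).items()
                  if distance_sq(model, n, b) <= THRESHOLD)

# Constructed telemetry: one process makes 420 reads of 100 KB, another reads little.
EVENTS = [("tool.exe", 102_400)] * 420 + [("svc.exe", 512)] * 12
MODEL = fit(DUMP_SESSIONS)
```

Because the decision depends only on the read profile, a renamed or previously unseen tool with the same access pattern is flagged the same way.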

Microsoft Defender ATP’s process tree view of the alert identifies the tool performing the suspicious credential access activity, in this example, sqldumper.exe. This is a legitimate administrator tool found on many database servers, but attackers have been known to abuse it to dump credentials to avoid the risk of downloading custom tooling that may be flagged by antimalware solutions.

[Figure 3: Alert process tree]

Similarly, Microsoft Defender ATP detects attacker abuse of otherwise legitimate administrator tooling, such as the Microsoft Sysinternals tool ProcDump or Task Manager, when these are repurposed to dump lsass.exe process memory. Attackers take this approach, sometimes referred to as living-off-the-land, to avoid tools that they know are commonly detected as malicious. In the memory-dumping scenario described here, they may even exfiltrate the memory dump and perform the credential extraction offline rather than on the victim machine.

Over time we have also seen Microsoft Defender ATP identify several distinct custom tools using this memory modelling technique. A couple of open-source examples are shown here.

[Figure 4: Sample open-source tools]

Foiling cyberattacks by stopping credential theft

In this blog post we illustrated one of several ways in which Microsoft Defender ATP detects credential theft. Security operations (SecOps) teams can use the alerts in Microsoft Defender ATP to quickly identify and respond to attacks: stopping credential dumping techniques empowers SecOps to resolve cyberattacks before the later stages, such as lateral movement, command-and-control, and exfiltration.

Microsoft Defender ATP uses rich security data, advanced behavioral analytics, and machine learning to detect attacks. Enhanced instrumentation and detection capabilities in Microsoft Defender ATP can better expose covert, sophisticated attacker techniques like credential theft and other in-memory attacks. Microsoft Defender ATP demonstrated its strength in detecting credential dumping and other high-impact attacker techniques in MITRE’s evaluation of EDR solutions.

Microsoft Defender ATP contributes to and benefits from security signals shared across Microsoft’s security solutions through Microsoft Threat Protection, which provides seamless, integrated, and comprehensive security across multiple attack vectors. The enriched security data drives stronger protection and the orchestration of threat remediation across identities, endpoints, email and data, apps, and infrastructure.

To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free trial.

To learn more about Microsoft Threat Protection, read our monthly updates on the evolution of this comprehensive security solution.

Rob Mead and Tim Burrell
Microsoft Threat Intelligence Center

The post Detecting credential theft through memory access modelling with Microsoft Defender ATP appeared first on Microsoft Security.

https://blogs.technet.microsoft.com/mmpc/feed/