Cybersecurity: This is how Microsoft Defender ATP tackles password-stealing credential dumping attempts

Microsoft reckons Microsoft Defender is up to the task of detecting legit tools for credential dumping from lsass.exe memory.


Microsoft has detailed how its security tools stop hackers from finding and stealing password and log-in information, potentially stopping attacks faster.


It does so by using the predictable pattern of memory reads that credential theft tools make against the Local Security Authority Subsystem Service (lsass.exe) process, with the aim of thwarting lateral movement in a victim's network.

As Microsoft explains, lsass.exe manages large amounts of user credential secrets, making its memory space a key target for "credential dumping" — or stealing credentials from the operating system, which an attacker can use to then move laterally around a targeted network. 


There are a handful of tools that attackers can use to read data from lsass.exe memory space and then dump it to gain credentials. 

Microsoft says one of its approaches to detecting credential dumping attacks, which are frequently used by so-called advanced persistent threat (APT) groups, relies on statistical modeling of memory access to the lsass.exe process. This allows it to look for particular behaviors rather than merely detect a specific tool. 

For example, while some attacks have used the well-known credential dumping tool Mimikatz (it was part of the NotPetya malware's arsenal combined with the NSA's EternalBlue exploit), this tool is likely to set off alarms if it's downloaded on to a victim's network. 

So attackers have used legitimate admin tools for the same task on a target system, such as Sqldumper.exe, a utility that is included with Microsoft SQL Server. The approach is called "living off the land", and allows attackers to avoid tools commonly detected as malicious. 

Instead of using Mimikatz at the outset, the attacker may use a legit tool to dump memory, steal it, and then extract the credentials off the victim's machine, using whatever tools work best.

Hence, Microsoft's approach with its Microsoft Defender Advanced Threat Protection (ATP) is to look at the general behaviors of all tools used to access the lsass.exe process.

"The lsass.exe process manages many user credential secrets; a key behavior associated with credential theft, and therefore common across many tools used by attackers, is to read large amounts of data from this process' memory space," explain Rob Mead and Tim Burrell of the Microsoft Threat Intelligence Center.

After reviewing several tools used for credential dumping, Microsoft's analysis found that the "number and size of memory reads from the lsass.exe process related to credential dumping are highly predictable" and much larger than legitimate reads, such as normal handling of users signing in. 
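As an added illustration of the behavior-based detection described above (example code, not Microsoft's own model or Defender ATP code), the following Python aggregates constructed lsass.exe memory-read telemetry per process and flags any process whose total read volume sits far above a baseline of legitimate read totals. The event records, baseline values, process names and the simple z-score threshold are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry: one record per cross-process read of lsass.exe
# memory (source process, its parent, bytes read). Not real Defender ATP data.
SAMPLE_EVENTS = [
    {"proc": "svchost.exe",  "parent": "services.exe", "bytes": 256},
    {"proc": "svchost.exe",  "parent": "services.exe", "bytes": 512},
    {"proc": "winlogon.exe", "parent": "wininit.exe",  "bytes": 1024},
    {"proc": "csrss.exe",    "parent": "smss.exe",     "bytes": 128},
    {"proc": "csrss.exe",    "parent": "smss.exe",     "bytes": 128},
    # A dump utility copies lsass.exe memory in many large chunks.
    *[{"proc": "Sqldumper.exe", "parent": "cmd.exe", "bytes": 1_048_576}
      for _ in range(40)],
]

# Constructed baseline: total bytes read from lsass.exe per legitimate process
# over a sampling window (e.g. normal sign-in handling).
BASELINE_BYTES = [768, 1024, 256, 512, 2048, 1536]

def aggregate_reads(events):
    """Sum read count and total bytes per (process, parent) pair."""
    stats = defaultdict(lambda: {"count": 0, "bytes": 0})
    for ev in events:
        key = (ev["proc"], ev["parent"])
        stats[key]["count"] += 1
        stats[key]["bytes"] += ev["bytes"]
    return dict(stats)

def find_suspicious(events, baseline_bytes, z_threshold=3.0):
    """Return (proc, parent, count, bytes, z) for processes whose total read volume
    exceeds the baseline by more than z_threshold standard deviations (toy z-score)."""
    mu, sigma = mean(baseline_bytes), pstdev(baseline_bytes) or 1.0
    hits = []
    for (proc, parent), s in aggregate_reads(events).items():
        z = (s["bytes"] - mu) / sigma
        if z > z_threshold:
            hits.append((proc, parent, s["count"], s["bytes"], round(z, 1)))
    return sorted(hits, key=lambda h: h[3], reverse=True)

def format_alert(hit):
    """Render a hit as an alert line that includes the offending process tree."""
    proc, parent, count, nbytes, z = hit
    return (f"Sensitive credential memory read: {parent} > {proc} "
            f"({count} reads, {nbytes} bytes, z={z})")

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS, BASELINE_BYTES):
        print(format_alert(hit))
```

Only the constructed Sqldumper.exe activity is reported; the small reads by normal system processes fall inside the baseline.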

When Microsoft detects abnormal reads, Microsoft Defender ATP raises an alert in the Windows Defender Security Center informing the admin of a "sensitive credential memory read".   

The warning explains that a process has been scanned or dumped from lsass.exe and that an attacker who accesses this process memory could extract authentication hashes or passwords. "A copy of this memory may be written to the file system and exfiltrated to extract these credentials offline". 

The warning also details a process tree diagram, which in Microsoft's example is traced back to Sqldumper.exe. Microsoft Defender also detects abuse of other legitimate admin tools from Microsoft, including ProcDump and Task Manager, if they've been used in this way. The whole purpose of these alerts is to give security operations teams the chance to stop credential dumping techniques early enough to tackle later stages of an attack.