As the threat landscape evolves, we continue to see a rise in evasive memory-based, or as they are also known, fileless attacks. This shift in attacker techniques requires security tools to gain new optics. It requires security analysts to enhance their investigation skills. It also means an increase in complexity and the time required from human responders to deal with more sophisticated attacks. One of Windows Defender ATP team’s mission has always been to increase the visibility of security team to threats in their organization and to equip them with the tools they need to investigate and remediate those. To that end, we have added sensors and response actions for memory level attacks almost two year back. But we wanted to do more to help – now we can.
Starting today, we are expanding the Windows Defender ATP automation service with the ability to automatically investigate and remediate memory-based / file-less attacks. This means that Windows Defender ATP automatic investigation service can now leverage automated memory forensics to incriminate malicious memory regions and perform required in-memory remediation actions. With this new unique capability, we are shifting from simply alerting and allowing security analysts to investigate evidence for memory-based attacks to fully automating investigation and resolution flow for memory-based attacks. This increases the range of threats addressable by automation and helping customers using Windows Defender ATP as their holistic endpoint defense solution to further reduce the load on their security teams.
In more details, we added the following memory forensics capabilities to help us better investigate and response to memory-based attack:
Interested to learn more about these kinds of attack techniques? Check out the various blogs published by our research team:
Now let’s examine our new capability by going through our do-it-yourself (DIY) scenario #4: Automated Investigation (fileless attack)
You can test the new memory-based attack investigation and remediation capabilities of Windows Defender ATP’s automated investigation service today using a new ‘Do-It-Yourself’ demo script – simply go to the tutorial section of your Windows Defender ATP portal and run the ‘Automated investigation (fileless attack)’ scenario.
Automatic investigation of memory-based attacks requires running the Windows 10 October 2018 update and ‘preview features’ enabled for your tenant.
First let’s review the flow of the attack we have simulated as part of our DIY scenario #4:
Now let’s review how Windows Defender ATP will pick up and handle this attack:
The alert page includes a process tree, which shows the PowersShell.exe process (that executed our malicious script), the launch of notepad.exe as a sub-process and the injection.
After the alert gets raised, Windows Defender ATP automatically starts an automated investigation that will leverage the detection (alert metadata) and perform a memory dump analysis on the suspicious process. The memory dump will then be analyzed in order to determine if unexpected and malicious code is running, and if so, the automated investigation will automatically remediates the threat (process, persistence, etc.).
In the screenshot below we can see the automated investigation in the ended state (remediated) and we can identify that both the process (the malicious code) and the persistence method were removed automatically by the system.
By adding these unique memory forensics capabilities Windows Defender ATP now fully automates the investigation and remediation flow of memory-based attacks, and saves security teams precious time of manual memory forensic effort.
This is only one of the new features we recently released. You can read here more about the preview features we released last month, and to stay updated you can follow our Tech Community and our Twitter account.
Windows Defender ATP Team
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.