As the threat landscape evolves, we continue to see a rise in evasive memory-based, or as they are also known, fileless attacks. This shift in attacker techniques requires security tools to gain new optics. It requires security analysts to enhance their investigation skills. It also means an increase in complexity and the time required from human responders to deal with more sophisticated attacks. One of Windows Defender ATP team’s mission has always been to increase the visibility of security team to threats in their organization and to equip them with the tools they need to investigate and remediate those. To that end, we have added sensors and response actions for memory level attacks almost two year back. But we wanted to do more to help – now we can.
Starting today, we are expanding the Windows Defender ATP automation service with the ability to automatically investigate and remediate memory-based / file-less attacks. This means that Windows Defender ATP automatic investigation service can now leverage automated memory forensics to incriminate malicious memory regions and perform required in-memory remediation actions. With this new unique capability, we are shifting from simply alerting and allowing security analysts to investigate evidence for memory-based attacks to fully automating investigation and resolution flow for memory-based attacks. This increases the range of threats addressable by automation and helping customers using Windows Defender ATP as their holistic endpoint defense solution to further reduce the load on their security teams.
In more details, we added the following memory forensics capabilities to help us better investigate and response to memory-based attack:
- Remote memory acquisition – In order to leverage the cloud for memory incrimination we added the capability to selectively acquire memory regions from any protected endpoint
- Process memory similarity algorithms – To speed up the memory analysis process and avoid false positives (FPs) we added the capability to identify unsimilar processes (in simpler words: a word process should always look like a word process, but it will never be identical over multiple execution)
- Identify suspicious memory regions that requires analysis - To make sure the system focuses on the relevant memory regions and not acquiring the entire memory we added a new capability to identify relevant process memory regions
- Incrimination logics specific for acquired memory – Once the memory is acquired we now need to successfully incriminate it, we have developed a new memory incrimination logic to support it
- Remediation capability for memory-based attack – We have extended our remediation capabilities to support memory-based threats and persistence
Interested to learn more about these kinds of attack techniques? Check out the various blogs published by our research team:
- Detecting reflective DLL loading with Windows Defender ATP
- Uncovering cross-process injection with Windows Defender ATP
- Detecting stealthier cross-process injection techniques with Windows Defender ATP: Process hollowing and atom bombing
Now let’s examine our new capability by going through our do-it-yourself (DIY) scenario #4: Automated Investigation (fileless attack)
|
You can test the new memory-based attack investigation and remediation capabilities of Windows Defender ATP’s automated investigation service today using a new ‘Do-It-Yourself’ demo script – simply go to the tutorial section of your Windows Defender ATP portal and run the ‘Automated investigation (fileless attack)’ scenario.
Automatic investigation of memory-based attacks requires running the Windows 10 October 2018 update and ‘preview features’ enabled for your tenant. |
|
First let’s review the flow of the attack we have simulated as part of our DIY scenario #4:
Attack flow:
- We copy & paste a PowerShell command line into a PowerShell interpreter, which downloads and executes an encoded PowerShell script
- The PowerShell script opens a notepad.exe process
- It then allocates a memory region for a shellcode
- Lastly, it injects the shellcode into the allocated memory region
Now let’s review how Windows Defender ATP will pick up and handle this attack:
- When Windows Defender ATP detects an abnormally code injection into another process, it raises an alert for “suspicious process injection observed”
- Right afterwards our automated investigation finds the process and incriminates the content
- And the automated remediation automatically remediate the malicious process and associated persistence methods
The alert page includes a process tree, which shows the PowersShell.exe process (that executed our malicious script), the launch of notepad.exe as a sub-process and the injection.Process injection alert - PowerShell injected into process notepad.exe
After the alert gets raised, Windows Defender ATP automatically starts an automated investigation that will leverage the detection (alert metadata) and perform a memory dump analysis on the suspicious process. The memory dump will then be analyzed in order to determine if unexpected and malicious code is running, and if so, the automated investigation will automatically remediates the threat (process, persistence, etc.).
Investigation page - An ongoing investigation that was initiated based on the alert.
In the screenshot below we can see the automated investigation in the ended state (remediated) and we can identify that both the process (the malicious code) and the persistence method were removed automatically by the system.
Summary view of the investigation and remediation.
By adding these unique memory forensics capabilities Windows Defender ATP now fully automates the investigation and remediation flow of memory-based attacks, and saves security teams precious time of manual memory forensic effort.
This is only one of the new features we recently released. You can read here more about the preview features we released last month, and to stay updated you can follow our Tech Community and our Twitter account.
Windows Defender ATP Team
Microsoft