
Windows Defender ATP - Memory Dump


Hi,

when will we be able to do memory dumps for forensics with Defender ATP?

A lot of the attacks we see are fileless these days; it would be a nice feature!

/Mats

5 Replies

Hi Mats,


we are looking into providing this option. You know that with our latest update we enhanced our sensors with detection capabilities for in-memory and kernel-based attacks? Regarding memory dumps, we received mixed feedback from customers (network bandwidth, lack of expertise to analyse those, time consuming...), but I would love to hear your scenario. Also, do you have branch offices, and would you collect dumps from those machines too?

Hi Heike,


Nice talking to you again! Will you come to Inspire? Maybe we can talk on the subject then as well?

Anyhow, it's one feature we see that our customers want. Even if they aren't able to do the forensics of the dump, hopefully their IR partner is able to! ;)

And yes, it's requested for branch offices as well. :)

Solution

No, I won't be at Inspire this year - skipping just one of all the conferences we have ;) But we have great staff there supporting the Windows Security booth.

Your feedback is taken and I will add a +1 to the list of "customers/partners asking for memory dumps".

… and once the memory dump is acquired, it would be great if the dump could be analyzed directly in the cloud: (just going crazy here) the dump is loaded into a temporary container where, for example, the Volatility framework is loaded, so that I don't have to download the dump to my machine.


Cheers

Alex

@Heike Ritter

We very recently went through a third-party forensic effort, and memory dump capability is highly required.