Memory-Based Attacks are on the Rise
Microsoft updates Windows Defender ATP to detect and auto remediate memory-based attacks.
Hackers are moving beyond delivering files with malicious payloads because traditional AV can block them. Security is a cat-and-mouse game where you need to constantly stay on top of the latest developments to make sure your systems are protected. To help secure its customers, Microsoft is updating Windows more frequently than in the past – although Redmond’s attempts at turning Windows into a service have been a bumpy ride – and updates to Windows Defender ATP provide the latest protections.
What is a Memory-Based Attack?
While memory-based attacks are not new, WannaCry and Petya both used memory-based techniques, they are on the rise because it’s easier to get past traditional antimalware software.
Say Goodbye to Traditional PC Lifecycle Management
Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.
Crypto mining malware is also on the rise. So, you can’t use the excuse that you don’t have anything worth stealing. Even if you think your data and login credentials are worthless, we all have spare compute resources that can be tapped into for somebody else’s gain.
Ironically, memory-based attacks, or fileless attacks as they are sometimes known, usually find there way onto a device with the help of a file. For example, via a macro-enabled Word document. But vulnerabilities in Flash Player are also another entry point that attackers can use to send instructions to a user’s device. Once compromised, instructions are sent from a command-and-control (C2) server and run legitimately, avoiding the need to send a file containing a malware payload to the device that might be detected by AV.
Preventing Memory-Based Attacks
Make sure that Windows and all third-party software is patched and up-to-date. Adobe Flash Player, Acrobat Reader, and the Java Runtime are often exploited. Microsoft Edge blocks Flash on sites that aren’t on a list of trusted resources maintained by Microsoft. You can also use Group Policy to block Flash entirely in Edge.
Updating to the latest release of Office 365 Click-To-Run or Office 2019 can help protect against malicious macros. For more information on protecting against malware in Office documents, see Managing Macro Security in Office 2016 and Code Signing Microsoft Office Macros and Visual Basic for Applications on Petri.
Security Best Practices
Wherever possible, use standard user accounts. Granting administrative privileges increases the attack surface considerably. Make sure that the administrator account on each device has a unique password. You can use Microsoft’s free LAPS tool to manage administrator account passwords. For more information on LAPS, see Secure Local Administrator Accounts with the Local Administrator Password Solution (LAPS) Tool on Petri.
Limiting domain administrator access to Active Directory (AD) is also critical. Check out Managing Privileged Access to Active Directory and Set Up Active Directory to Support Tiered Administration and Privileged Access Workstations on Petri for details about how to secure AD. Microsoft also recommends changing the KRBTGT account password on a regular basis to stop attackers creating their own TGT Golden Tickets. The KRBTGT account is a service account for the Key Distribution Center (KDC) service. Microsoft supports resetting the KRBTGT account password when your domain functional level is 2008 or higher.
Before resetting the KRBTGT account password, check out the security implications on Microsoft’s website here. There’s a PowerShell script available here for resetting the KRBTGT account password once, forcing replication, and monitoring the change status. Microsoft recommends changing the KRBTGT account password once, waiting for it to replicate, and then changing it a second time if you are performing password maintenance. In a breach scenario, change the password twice in rapid succession to invalidate existing TGTs.
Running the LSASS process in protected mode can also help prevent memory-based attacks, although it requires testing because not all drivers and LSA plug-ins meet the criteria to load as protected processes. If you are interested in enabling LSA protected mode, you can find more detailed information on Microsoft’s website here.
Upgrade to Windows 10
Windows 10 is more resilient to memory-based attacks than Windows 7. For example, by default cleartext passwords aren’t stored in memory, and Windows Defender Credential Guard can protect domain credentials from attack.
Windows Defender Advanced Threat Protection (ATP)
Microsoft has recently updated Windows Defender ATP to provide new optics and automated remediation for memory-based attacks. The ATP automatic investigation service can detect regions of malicious memory and run any needed in-memory remediation actions. Microsoft claims that this is unique to Windows Defender ATP and that it moves the product beyond simply being able to provide alerts on the presence of memory-based attacks.
Windows Defender ATP can send memory regions to the cloud for analysis without needing to send the entire memory. There is new logic that is used to determine if a memory region is being used for attack and the ability to remediate it if required. To reduce the number false positives, ATP can identify similar processes to determine if they are legitimate. For example, when Word runs the process in memory never looks exactly the same.