Microsoft has detailed how its security tools stop hackers from finding and stealing password and log-in information, potentially stopping attacks faster.
It is using predictable memory reads that credential theft tools create from the Local Security Authority Subsystem Service (lsass.exe) process to thwart lateral movement in a victim’s network.
As Microsoft explains, lsass.exe manages large amounts of user credential secrets, making its memory space a key target for “credential dumping” — or stealing credentials from the operating system, which an attacker can use to then move laterally around a targeted network.
There are a handful of tools that attackers can use to read data from lsass.exe memory space and then dump it to gain credentials.
Microsoft says one of its approaches to detecting credential dumping attacks, which are frequently used by so-called advanced persistent threat (APT) groups, relies on statistical modeling of memory access to the lsass.exe process. This allows it to look for particular behaviors rather than merely detect a specific tool.
For example, while some attacks have used the well-known credential dumping tool Mimikatz (it was part of the NotPetya malware’s arsenal combined with the NSA’s EternalBlue exploit), this tool is likely to set off alarms if it’s downloaded on to a victim’s network.
So attackers have used legitimate admin tools for the same task on a target system, such as Sqldumper.exe, a utility that is included with Microsoft SQL Server. The approach is called “living off the land”, and allows attackers to avoid tools commonly detected as malicious.
Instead of using Mimikatz at the outset, the attacker may use a legit tool to dump memory, steal it, and then extract the credentials off the victim’s machine, using whatever tools work best.
Hence, Microsoft’s approach with its Microsoft Defender Advanced Threat Protection (APT) is to look at general behaviors of all tools used to access the lsass.exe process.
“The lsass.exe process manages many user credential secrets; a key behavior associated with credential theft, and therefore common across many tools used by attackers, is to read large amounts of data from this process’ memory space,” explains Rob Mead and Tim Burrell of the Microsoft Threat Intelligence Center.
After reviewing several tools used for credential dumping, Microsoft’s analysis found that the “number and size of memory reads from the lsass.exe process related to credential dumping are highly predictable” and much larger than legitimate reads, such as normal handling of users signing in.
When Microsoft detects abnormal reads, Microsoft Defender ATP raises an alert in the Windows Defender Security Center informing the admin of a “sensitive credential memory read”.
The warning explains that a process has been scanned or dumped from lsass.exe and that an attacker who accesses this process memory could extract authentication hashes or passwords. “A copy of this memory may be written to the file system and exfiltrated to extract these credentials offline”.