This article https://attack.mitre.org/techniques/T1003/001/ lists several mitigations against an LSASS memory credential dump attack, one of which is ASR (Attack Surface Reduction). The mitigation is described as Behavior Prevention on Endpoint and links to Windows Defender ASR rules https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide.
"Attack surface reduction rules target certain software behaviors, such as:
- Launching executable files and scripts that attempt to download or run files
- Running obfuscated or otherwise suspicious scripts
- Performing behaviors that apps don't usually initiate during normal day-to-day work
Such software behaviors are sometimes seen in legitimate applications. However, these behaviors are often considered risky because they are commonly abused by attackers through malware. Attack surface reduction rules can constrain software-based risky behaviors and help keep your organization safe."
Does Sophos Intercept X Endpoint have equivalent controls?
Thank you,
Matt
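Added worked example (not part of this thread or of any reply to it): the Defender side of the mitigation Matt's question refers to is a single ASR rule, "Block credential stealing from the Windows local security authority subsystem (lsass.exe)". The script below rolls that rule out the way a practitioner normally would: audit first, review the events it would have generated, exclude vetted tooling, then enforce. The rule GUID and the event IDs 1121/1122 come from Microsoft's ASR documentation, not from this page; the exclusion path is a placeholder, and the GUID-in-message filter is a simplification noted in the comments.

```powershell
# Added example, not part of the thread: Microsoft Defender ASR rule that blocks
# credential theft from lsass.exe, i.e. the "Behavior Prevention on Endpoint"
# mitigation MITRE lists for T1003.001. Run from an elevated PowerShell on a
# host where Microsoft Defender Antivirus is the active AV engine.
# The rule GUID is taken from Microsoft's ASR rules reference (not from this thread).
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
$DefenderLog = 'Microsoft-Windows-Windows Defender/Operational'

# Report how one ASR rule is currently configured on this host.
# Get-MpPreference exposes rules as two parallel arrays: GUIDs and numeric actions.
function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$RuleId)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            switch ($pref.AttackSurfaceReductionRules_Actions[$i]) {
                0       { return 'Disabled' }
                1       { return 'Block' }
                2       { return 'Audit' }
                6       { return 'Warn' }
                default { return "Unknown($_)" }
            }
        }
    }
    return 'NotConfigured'
}

# Pull the ASR events for one rule. 1122 = would have blocked (audit mode),
# 1121 = blocked (block mode). Matching the GUID in the message text is a
# simplification; the structured event data carries the rule ID and process path.
function Get-AsrRuleEvents {
    param([Parameter(Mandatory)][string]$RuleId, [int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = $DefenderLog
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $RuleId } |
        Select-Object TimeCreated, Id, Message
}

# Step 1: start in audit mode so legitimate software that opens lsass.exe
# (backup agents, some EDR/AV, debugging tools) shows up as 1122 events
# instead of being broken.
Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId `
                 -AttackSurfaceReductionRules_Actions AuditMode
"LSASS rule state: $(Get-AsrRuleState -RuleId $LsassRuleId)"

# Step 2 (after a soak period): review what would have been blocked.
Get-AsrRuleEvents -RuleId $LsassRuleId -Days 14 | Format-Table -AutoSize -Wrap

# Step 3: exclude any vetted product that legitimately reads lsass.exe memory.
# Placeholder path, not a real product. AttackSurfaceReductionOnlyExclusions
# exempts the file from every ASR rule, not just this one, so keep it short.
$VettedTool = 'C:\Program Files\ExampleVendor\agent.exe'
if (Test-Path $VettedTool) {
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $VettedTool
}

# Step 4: switch to block mode once the audit log is clean.
Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId `
                 -AttackSurfaceReductionRules_Actions Enabled
"LSASS rule state: $(Get-AsrRuleState -RuleId $LsassRuleId)"
```

Two caveats worth knowing before enforcing: the rule only fires for processes that open a handle to lsass.exe, so it does not cover credential theft that never touches LSASS memory (for example, copying the SAM or NTDS.dit from disk, which MITRE tracks under other T1003 sub-techniques), and Microsoft's own guidance notes this rule is comparatively noisy because many legitimate products open lsass.exe, which is why the audit pass matters. If a third-party product such as Sophos Intercept X is the active endpoint protection, Defender Antivirus is normally in passive mode and the ASR rules above are not enforced, so the equivalent control has to come from that product instead.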