This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Attack Surface Reduction mitigation re: LSASS Memory credential dump attack

This article https://attack.mitre.org/techniques/T1003/001/ lists several mitigations against an LSASS memory credential dump attack, one of which is ASR (Attack Surface Reduction). The mitigation is described as Behavior Prevention on Endpoint and links to Windows Defender ASR rules https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide.

"Attack surface reduction rules target certain software behaviors, such as:

  • Launching executable files and scripts that attempt to download or run files
  • Running obfuscated or otherwise suspicious scripts
  • Performing behaviors that apps don't usually initiate during normal day-to-day work

Such software behaviors are sometimes seen in legitimate applications. However, these behaviors are often considered risky because they are commonly abused by attackers through malware. Attack surface reduction rules can constrain software-based risky behaviors and help keep your organization safe."

Does Sophos Intercept X Endpoint have equivalent controls?

Thank you,

Matt



This thread was automatically locked due to age.
  • Hi Matthew,

    Thanks for reaching out to us. 

    I was able to locate information on some of the techniques you mention in your post, in the following "Exploits Explained" document. This outlines which observed behaviors will generate which detection. 

    With that being said, the XDR Detections page under Threat Analysis Center will keep track of any activity that matches MITRE attack classifications to give you more insight as to what is going on in your environment. Some information on this can be found at the link below.
    - XDR Detections

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Sophos endpoint includes all of those types of mitigation and monitoring capabilities for these types of attacks.

    From the core protection features like Credential Theft Prevention that monitors access to the LSASS runtime memory and Application protection to prevent things like when word tries to download an executable to AMSI scanning that will evaluate scripts and memory load information and more. 

    In addition to long list of protection capabilities we also monitor for suspect behavior and will generate detections that will initiate an investigation and email the admin on the observed activity.   

    Below is an example of the type of notification you may see if you disabled all protection capabilities but still had the monitoring features enabled. In this case with protection off the attack I ran was observed and a notification was generated. With protections enabled the adversary attack would have been blocked and because we prevented the activity the risk score would be low. 

  • Thank you very much for the detailed and relevant response Karl. Thank you Kushal also.