Attack Surface Reduction mitigation re: LSASS Memory credential dump attack

This article https://attack.mitre.org/techniques/T1003/001/ lists several mitigations against an LSASS memory credential dump attack, one of which is ASR (Attack Surface Reduction). The mitigation is described as Behavior Prevention on Endpoint and links to Windows Defender ASR rules https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide.

"Attack surface reduction rules target certain software behaviors, such as:

  • Launching executable files and scripts that attempt to download or run files
  • Running obfuscated or otherwise suspicious scripts
  • Performing behaviors that apps don't usually initiate during normal day-to-day work

Such software behaviors are sometimes seen in legitimate applications. However, these behaviors are often considered risky because they are commonly abused by attackers through malware. Attack surface reduction rules can constrain software-based risky behaviors and help keep your organization safe."

Does Sophos Intercept X Endpoint have equivalent controls?

Thank you,

Matt
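For reference, the Defender side of the "Behavior Prevention on Endpoint" mitigation the question cites, as an added example that is not part of this thread or of any Sophos or Microsoft documentation. It rolls the LSASS ASR rule out in audit mode and reads back what it would have blocked before enforcing; the rule ID and the 1121/1122 event IDs are taken from Microsoft's ASR documentation rather than from this page, and the 7-day window is an arbitrary choice.

```powershell
# Added example (not from this thread): stage the Defender ASR rule that maps to T1003.001
# in audit mode, review hits, then enforce. Requires an elevated prompt.
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'   # "Block credential stealing from LSASS" (Microsoft-documented ID)

function Get-AsrRuleState {
    # Returns the configured action for one ASR rule, or NotConfigured if absent.
    param([string]$RuleId)
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $RuleId) {
            switch ($pref.AttackSurfaceReductionRules_Actions[$i]) {
                0 { return 'Disabled' }
                1 { return 'Block' }
                2 { return 'AuditMode' }
                6 { return 'Warn' }
                default { return "Unknown($_)" }
            }
        }
    }
    return 'NotConfigured'
}

# Step 1: audit first, so legitimate LSASS readers (EDR agents, backup tools) show up
# in the log without anything being blocked.
Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId `
                 -AttackSurfaceReductionRules_Actions AuditMode
"LSASS rule state: $(Get-AsrRuleState $LsassRuleId)"

# Step 2: review audit (1122) and block (1121) events that reference this rule.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $LsassRuleId } |
    Select-Object TimeCreated, Id,
        @{ Name = 'Mode'; Expression = { if ($_.Id -eq 1121) { 'Block' } else { 'Audit' } } },
        Message |
    Format-Table -Wrap

# Step 3: once the audit events show only expected tooling, switch the rule to Block.
# Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId -AttackSurfaceReductionRules_Actions Enabled
```

ASR rules only fire while Microsoft Defender Antivirus is the active antimalware engine; on a host where a third-party product such as Intercept X is primary, Defender runs in passive mode and this rule will not enforce, which is why the equivalent control has to come from that product.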



  • Hi Matthew,

    Thanks for reaching out to us. 

    I was able to locate information on some of the techniques you mention in your post, in the following "Exploits Explained" document. This outlines which observed behaviors will generate which detection. 

    With that being said, the XDR Detections page under Threat Analysis Center will keep track of any activity that matches MITRE attack classifications to give you more insight as to what is going on in your environment. Some information on this can be found at the link below.
    - XDR Detections

    Kushal Lakhan
    Team Lead, Global Community Support