[German]Just a short security note. Security researchers have found an approach to trick and evade/circumvent the protection or detection of attacks on the theft of credentials.
Advertising
Microsoft Defender ATP provides advanced security breach detection sensors (see also here). Windows Defender Credential Guard also provides virtualization-based security in Windows 10. Any attempt to read logon information from memory using Mimikatz and Co. should therefore be detected and reported as a threat.
Defender ATP Credential-Theft
I just came across the following tweet, which deals with an approach to bypass the protection mechanisms of Microsoft Defender ATP to detect and warn against the theft of credentials.
Evading WinDefender ATP credential-theft: a hit after a hit-and-miss start.
tl;dr PssCaptureSnapshot syscall clones the process then you don't need to do ReadProcessMemory against the original process and avoid LSASS read detection.https://t.co/Z4pc45xrqU— scriptjunkie (@scriptjunkie1) December 2, 2019
The linked article shows how to steal login information. And a suggestion is made to monitor with Sysmon LSASS and check every eventID 10 if there is an attempt to steal credentials. If you are interested in the topic, you will find the relevant details in the article. At the moment I cannot judge how practical the whole thing is.
The current status is that the vulnerability was reported to the Microsoft Security Response Center MSRC on November 2, 2019. The MSRC announced on 12.11.2019 that the whole thing does not fall into a bug bounty program and wanted to analyze the whole thing and then approach the security researchers. In spite of two reminders, this did not happen, so that the discoverers of the vulnerability published it on December 2, 2019, after the 30-day period of silence had expired.
Advertising
Advertising
