AV-Comparatives: OS Credential Dumping 2022 - LSASS Memory Test

Discussion in 'other anti-virus software' started by guest, Sep 8, 2022.

  1. guest

    guest Guest

    LSASS credential-dumping security
    September 8, 2022
    (PDF): https://www.av-comparatives.org/wp-content/uploads/2022/09/avc_sp_lsass_ms_2022.pdf
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK, so all of the tested solutions are pretty good at protecting against credential dumping.
     
  3. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,644
    Location:
    USA
    Looks like they were all 100% effective. So not really something to worry about I guess.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Actually, it seems like hackers have figured out a way to bypass protection, see quote.

    https://www.microsoft.com/security/...ng-dev-0270-phosphorus-ransomware-operations/
     
  5. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,644
    Location:
    USA
  6. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    I agree, if someone already has this kind of access the security already failed.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I have to disagree, because that's where behavior blockers come into play. So even if AV is already bypassed, it's supposed to block usage of LOLBins to dump LSASS credentials. That's why I have always been fascinated by behavior blockers, because they are supposed to protect the system post-execution, while it's the job of AV to block the malware from running at all, in other words pre-execution. Of course, in big corporations behavior blocking is done with so-called EDR systems.
     
  8. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,644
    Location:
    USA
    Even if I were to agree that a behavior blocker is a good thing after you are already exploited, if they can write to HKLM they can fully take over the entire machine on the next reboot if they inserted the correct things into the registry. There is no good enough protection after the fact. A full re-image is in order ASAP.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    No, that's not the way I understood it. The biggest problem is not adding certain regkeys, it's the LOLBins that are then used to steal credentials; this should be tackled by BBs. Of course you can also monitor regkeys, but there are too many that can be abused, just look at AutoRuns. And this would result in too many alerts, which leads to alert fatigue, so you need to find the right balance.
     
  10. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,644
    Location:
    USA
    I don't disagree, but I don't think I am effectively communicating my point. HKLM requires admin privilege. If you can write to it then you have already exploited the machine with admin privileges. You already have full control at this point. Your security solution has failed and someone has admin abilities on your system. If they want to steal data and they know how, they can probably get it regardless.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, but that's what I'm trying to explain: behavior blockers like Win Defender ATP should be able to tackle this even if the attackers already have admin privileges. In this particular attack they try to disable Win Defender AV and Windows Firewall and use LOLBins to perform many malicious actions, and this is exactly what EDRs should be able to spot.

    So just because remote attackers have infiltrated quite deeply into the computer network and have admin access on many endpoints doesn't always mean it's game over. But of course securing a computer network is way more complex than securing home user PCs, I'm fully aware of that. But behavior blockers should be able to tackle malware even if they have admin privileges, that's my point.
     
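The post-execution detection that posts 7 and 11 describe (an EDR or behavior blocker spotting a LOLBin or other process reading LSASS memory) is typically built on process-access telemetry. The following is an added example, not code from the thread or from any product it mentions: a small rule run over constructed Sysmon Event ID 10 (ProcessAccess) records that flags any non-allowlisted image opening lsass.exe with PROCESS_VM_READ. The record format, the sample lines and the allowlist are assumptions for the demonstration.

```python
# Added example: flag LSASS handle access in constructed Sysmon Event ID 10 (ProcessAccess) records.
import re

# PROCESS_VM_READ is the access right any tool needs to read (or minidump) LSASS memory.
PROCESS_VM_READ = 0x0010

# Assumed allowlist (hypothetical, must be tuned per environment) of images that
# legitimately open LSASS with read rights, such as the AV engine itself.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed, pipe-separated record format: EventID|SourceImage|TargetImage|GrantedAccess
LINE_RE = re.compile(r"^(\d+)\|([^|]+)\|([^|]+)\|(0x[0-9A-Fa-f]+)$")

SAMPLE_EVENTS = r"""
10|C:\Windows\System32\csrss.exe|C:\Windows\System32\lsass.exe|0x1000
10|C:\Program Files\Windows Defender\MsMpEng.exe|C:\Windows\System32\lsass.exe|0x1FFFFF
10|C:\Windows\System32\rundll32.exe|C:\Windows\System32\lsass.exe|0x1FFFFF
10|C:\Users\Public\update.exe|C:\Windows\System32\lsass.exe|0x1010
10|C:\Users\Public\update.exe|C:\Windows\System32\svchost.exe|0x1010
garbage line that does not parse
"""

def parse_event(line):
    """Return (event_id, source, target, mask) or None when the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    eid, src, dst, mask = m.groups()
    return eid, src, dst, int(mask, 16)

def is_lsass_read(event):
    """True when a non-allowlisted process opened lsass.exe with PROCESS_VM_READ."""
    eid, src, dst, mask = event
    if eid != "10" or dst.lower().rsplit("\\", 1)[-1] != "lsass.exe":
        return False
    if not mask & PROCESS_VM_READ:   # e.g. 0x1000 (query limited info) is benign
        return False
    return src.lower() not in ALLOWED_SOURCES

def scan_events(text):
    """Return (SourceImage, GrantedAccess) for every record that trips the rule."""
    hits = []
    for line in text.splitlines():
        event = parse_event(line)
        if event and is_lsass_read(event):
            hits.append((event[1], event[3]))
    return hits
```

Running `scan_events(SAMPLE_EVENTS)` flags only the rundll32.exe and update.exe accesses to lsass.exe; the allowlisted AV engine, the limited-rights csrss.exe handle and the svchost.exe access are ignored.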