Soiluyen
Level 7
Message 1 of 10

Can I use adaptive threat prevention(ATP) to block read password in memory dump file?

Hello everyone,

I want to use ATP to block trojans and malware from accessing and reading passwords in a memory dump file, but I'm worried about a blue screen error when the system can't boot because the memory can't be read. I want to ask whether ATP can block this, and if so, which rule I should activate to prevent the blue screen error. If it can, please share with me an expert rule or KB that can block trojans and malware from accessing and reading passwords in a memory dump file.

Thank you so much!

9 Replies
rfranci
Employee
Message 2 of 10

Re: Can I use adaptive threat prevention(ATP) to block read password in memory dump file?

Hi @Soiluyen 

You have too many options for this.

1. ENS Threat Prevention Exploit Prevention signatures: 6154, 6143, 6117, 6116, 6122, 6078.

6154 - T1003 - LSASS memory read attempt to dump Credentials

6143 - T1003 - Attempt to Dump Password Hash from SAM Database

6117 - T1003 - Mimikatz LSASS Suspicious Memory DMP Read

6116 - T1003 - Mimikatz LSASS Suspicious Memory Read

6122 - T1003 - Fileless Threat : Reflective Loading of mimikatz using DotNetToJScript Technique

6078 - T1003 - Mimikatz usage

2. Enable Access Protection rule: Executing Mimikatz malware

3. In the ENS ATP Options policy enable: Credential Theft Protection

4. In ePO Server Settings go to 'Adaptive Threat Protection' -> Edit -> enable rule ID 511 (Detect attempts to dump sensitive information via registry or lsass).

Apart from this we have ATP rule ID 217 enabled by default to Identify a suspicious password stealer.

I hope this helps!

-Rohit Francis 

Soixam24
Level 9
Message 3 of 10

Re: Can I use adaptive threat prevention(ATP) to block read password in memory dump file?

Thank you very much, rfranci. I will follow your recommendation.

Thank you and good day!

Soixam24
Level 9
Message 4 of 10

Re: Can I use adaptive threat prevention(ATP) to block read password in memory dump file?

Hi rfranci,

I enabled the list of Exploit Prevention signatures and ATP rule ID 511 as you recommended, then I ran the Mimikatz tool and ATP blocked it fine. But when I open PowerShell and run the command lines "reg save hklm\system system" and "reg save hklm\sam sam", then analyze the sam file and system file, I can still read the passwords; ATP and Exploit Prevention neither report nor block it. Can you please share with me a way to block running "reg save hklm\system system" and "reg save hklm\sam sam" in PowerShell, to prevent reading passwords from the registry?

Thank you so much!

Re: Can I use adaptive threat prevention(ATP) to block read password in memory dump file?

Rule {
	Target {
		Match PROCESS {	
			Include OBJECT_NAME { 
				-v "reg.exe"
			}			
			Include PROCESS_CMD_LINE {
				-v "**export HKLM\\SAM**"
				-v "**export HKLM\\SYSTEM**"
				-v "**export HKLM\\SECURITY**"
				-v "**save HKLM\\SAM**"
				-v "**save HKLM\\SYSTEM**"
				-v "**save HKLM\\SECURITY**"
			}
			Include -access "CREATE"
		}
	}
}

Re: Can I use adaptive threat prevention(ATP) to block read password in memory dump file?

There is a lot that complicates this. The biggest issue is that you don't need to necessarily dump to disk or dump to a .dmp file. I would definitely enable all the rules that are recommended, but then I would also implement a couple of rules like the following to prevent exposure. 

I'll direct message you a couple of rules you can use that will reduce most further exposure points.

Soixam24
Level 9
Message 7 of 10

Re: Can I use adaptive threat prevention(ATP) to block read password in memory dump file?

Thanks Daveb3d,

Can you please send the couple of rules to my email: **personal information omitted**?

Thank you and good day!

Re: Can I use adaptive threat prevention(ATP) to block read password in memory dump file?

It didn't put your email address in.  I sent the rules to you in a private message on here.  If you need it emailed, you'll have to obfuscate your email address a bit to allow it to be posted it seems.

Soixam24
Level 9
Message 9 of 10

Re: Can I use adaptive threat prevention(ATP) to block read password in memory dump file?

Dear Sir,

Please send me an Exploit Prevention expert rule that can block reading passwords from a memory dump file or exporting the SAM file from the registry.

Please send it to my mail address. I attached an image of my email below.


Thank you so much!

Re: Can I use adaptive threat prevention(ATP) to block read password in memory dump file?

For starters, ATP will stop task manager from dumping LSASS.  The following rule will expand coverage for you.  You can build it out further yourself.

Rule {
	Process {
		#Block Untrusted Processes.  DAC Must be set to contain at Unknown.
		Include AggregateMatch {
			Include PROCESS_STATE_BITS -name DAC_CONTAIN_PID_BITS { -v 0x1 }
			#Exclude CERT_NAME_CHAINED {
			#	-v "ADD CERT EXCLUSIONS HERE"
			#}
		}
		#scripts
		Include AggregateMatch {
			Include OBJECT_NAME {
				-v "powershell.exe"
				-v "wscript.exe"
				-v "cscript.exe"
			}
			#Exclude PROCESS_CMD_LINE {
			#	-v "ADD CMD LINE EXCLUSIONS HERE"
			#}
		}
		#Procdump, reg and Python 
		Include AggregateMatch {
			Include DESCRIPTION {
				-v "Python"
				-v "Sysinternals process dump utility"
				#This next one is only added to cover reading the registry.  
				-v "Registry Console Tool"
			}
		}
	}
	Target {
		#block reading LSASS
		Match PROCESS {
			Include OBJECT_NAME { -v "lsass.exe" }
			Include -nt_access "!0x0010" 
		}
		#block reg dump
		Match VALUE {
			Include OBJECT_NAME {
				-v "HKLM\\SAM\\**"
				-v "HKLM\\Security**"
			}
			Include -access "READ"
		}
	}
}
