Microsoft: Detecting in-memory attacks with Sysmon and Azure Security Center
In-memory attacks are on the rise and attracting increasing attention, as reported, for example, in these posts: SentinelOne's "In memory attacks loom large, leave little trace", "Hunting in memory", and "Hunting for in-memory .NET attacks".
These attacks involve the attacker carrying out malicious activities entirely in-memory, rather than writing a file to disk – as is common with more traditional Trojans or implants found in many malware infections. The CSO article titled “How hackers invade systems without installing software” provides a good overview.
Detection can be challenging because in-memory attacks often leave little to no footprint in the standard operating system event logs. Although many anti-virus solutions support some level of in-memory protection, they are usually most effective at detecting threats in malicious files on disk – and there are none in the in-memory scenario.
In this post, we will describe two in-memory attack techniques and show how these can be detected using Sysmon and Azure Security Center.
The attack
The attacker strategy in this example is as follows. The first two stages of this attack chain involve in-memory techniques:
Initial compromise – process injection: the victim is tricked into enabling macros in a Microsoft Office Word document delivered via email.
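As an added example (not code from the Microsoft post), the following Python filter picks out Sysmon CreateRemoteThread (Event ID 8) and ProcessAccess (Event ID 10) events whose source process is an Office application, which is how the Word-macro injection stage above would surface in the Sysmon log. The sample event XML, timestamps and the list of Office binaries are constructed assumptions to be tuned per environment.

```python
import xml.etree.ElementTree as ET

NS_URI = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": NS_URI}
# Assumption: Office binaries that should not be touching other processes' memory.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Sysmon events that carry SourceImage/TargetImage: 8 = CreateRemoteThread, 10 = ProcessAccess
CROSS_PROCESS_EVENTS = {8, 10}

def parse_sysmon_event(xml_text):
    """Return (event_id, {field: value}) from one Sysmon event rendered as Windows event XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def is_office_injection(event_id, data):
    """True when an Office process is the source of a cross-process thread/handle event."""
    if event_id not in CROSS_PROCESS_EVENTS:
        return False
    source = data.get("SourceImage", "").rsplit("\\", 1)[-1].lower()
    target = data.get("TargetImage", "").rsplit("\\", 1)[-1].lower()
    return source in OFFICE_IMAGES and source != target

def find_office_injections(events):
    """Run the check over a list of event XML strings; return (time, event_id, source, target) hits."""
    hits = []
    for xml_text in events:
        event_id, data = parse_sysmon_event(xml_text)
        if is_office_injection(event_id, data):
            hits.append((data.get("UtcTime"), event_id, data["SourceImage"], data["TargetImage"]))
    return hits

def _event(event_id, **fields):
    # Build a minimal Sysmon event (constructed sample, not a real capture).
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS_URI}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>{event_id}</EventID></System><EventData>{data}</EventData></Event>')

SAMPLE_EVENTS = [  # constructed: one Word-sourced remote thread, one benign, one unrelated process create
    _event(8, UtcTime="2023-01-01 10:02:11.000", SourceImage=r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
           TargetImage=r"C:\Windows\System32\svchost.exe", StartAddress="0x00000000024B0000"),
    _event(10, UtcTime="2023-01-01 10:03:40.000", SourceImage=r"C:\Windows\System32\csrss.exe",
           TargetImage=r"C:\Windows\explorer.exe", GrantedAccess="0x1000"),
    _event(1, UtcTime="2023-01-01 10:01:05.000", Image=r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"),
]

if __name__ == "__main__":
    for hit in find_office_injections(SAMPLE_EVENTS):
        print("ALERT office process injection:", hit)
```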
Read the entire article here: Detecting in-memory attacks with Sysmon and Azure Security Center | Blog
Via the fine folks at Microsoft.