FireEye Stories

Protecting Against HAFNIUM With FireEye Endpoint Security Process Guard Module

In March 2021, Microsoft announced an active global campaign named HAFNIUM targeting Microsoft Exchange servers with a chain of four zero-day vulnerabilities. According to Microsoft, a threat group or groups was able to exploit these vulnerabilities, which allowed them to gain initial access to targeted machines and deploy web shells. Once the web shells were established, operators used credential dumping techniques to gather credentials and exfiltrate information that can be used for further privilege escalation and lateral movement within targeted organizations.

For more information about this ongoing campaign, please see our detailed analysis blog post.

Credential Dumping

Credential dumping (MITRE ATT&CK® technique: T1003.001) is a method of collecting user credentials stored in memory and is a popular technique used by many state sponsored APT and financially motivated (FIN) groups today. Once threat actors obtain these credentials, they can be used to facilitate lateral movement and privilege escalation within a compromised network.

Computers rely on credentials for many critical functions, including verifying users logging in to the device, managing password changes, and creating access tokens. On a Microsoft Windows device, Microsoft Windows Local Security Authority Subsystem Service (LSASS) is the process responsible for enforcing security policy. For LSASS to function properly, various dynamic link libraries (DLLs) are loaded in memory when the device starts, and those DLLs have access to unencrypted and plaintext passwords. Once loaded into memory, various freely available tools such as procdump and Mimikatz can be used to dump the memory or write the memory contents of LSASS to disk in an unencrypted file. The resulting file will then contain credentials that a threat actor can use to escalate privileges and/or move laterally within an organization. Figure 1 shows a successful credential dump on an endpoint using the procdump application.


Figure 1: Using Procdump to successfully dump credentials

Process Guard for FireEye Endpoint Security

Process Guard for FireEye Endpoint Security can help prevent the critical step of credential dumping and deter any forward progress operators hope to make. By preventing the dumping and exfiltration of credentials, even unpatched and compromised organizations would have a level of protection against this type of attack. The following video shows Process Guard in action.


Process Guard for FireEye Endpoint Security prevents attackers from obtaining access to credential data or key material stored within the Windows Local Security Authority Subsystem Service (LSASS) process, thus helping to protect endpoints against common credential theft attacks. Process Guard is a lightweight, efficient module that can be deployed to individual hosts, host sets, or all hosts in an environment directly from the FireEye Endpoint Security console.

The Process Guard module for FireEye Endpoint Security is an Innovation Architecture (IA) module developed based on FireEye’s extensive front-line experience investigating and responding to the largest, most sophisticated breaches around the world. Our unique modular approach allows customers to rapidly deploy innovative components to address ever changing tactics, techniques, and procedures (TTPs) used by today’s threat actors. Figure 2 shows Process Guard successfully preventing a credential dumping attempt using the procdump tool.


Figure 2: FireEye Endpoint Security Process Guard module successfully preventing credential dumping

The Process Guard module provides the ability to:

  • Enable/Disable LSASS process protection
  • Enable/Disable BLOCK on detection capability
  • Add Exclusions for allowed applications
  • View Process Guard events
  • Integrate with the Enricher module
  • Generate Alerts

Alerts from Process Guard will show up on the Alerts page on the Endpoint Security console with an Alert Type of PG, as shown in Figure 3. Clicking on an individual alert will bring you to the Hosts page to reveal specific details of the alert.


Figure 3: Alerts generated in the Endpoint Security console

Summary

Credential dumping is a widely used technique by threat actors today and was even used as part of the recent global attack on unpatched Microsoft Exchange Servers. Deploying and enabling Process Guard for FireEye Endpoint Security can help strengthen your security posture and reduce the attack surface in your organization.

Existing FireEye Endpoint Security customers have access to the Process Guard module at no additional charge and can download and deploy it today from the FireEye Market. Modules, release notes, and user guides are all available now.