Protect your Microsoft environment using free built-in features
Nowadays, programs and applications contain more and more lines of code, and with that code comes a growing number of mistakes made by developers. These mistakes are vulnerabilities that threat actors can exploit through memory-based attacks.
Since the beginning of the new millennium, Microsoft has protected its users and devices from memory-based attacks with a large number of tools. Newer tools developed in the last few years, like Code Integrity Guard (CIG), Arbitrary Code Guard (ACG), Control Flow Guard (CFG), and Shadow Stack, provide much better security than tools developed in the past, like Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). Of course, there are also 3rd party solutions that can be used to improve the cybersecurity posture of your environment.
Not only are you able to protect your environment from memory-based attacks by using modern Microsoft solutions, but also from data loss, leak, exposure and theft, malicious software, stolen credentials, and more.
Microsoft solutions are part of all Microsoft modern operating systems and offer a great deal of protection if they are configured correctly. You can create a secure environment using only the correctly-configured Microsoft solutions. At NIL SOC we have a team of experienced and security-certified experts who are willing to help you secure your environment and minimize the cybersecurity risk.
Introduction
Operating systems and applications are becoming more and more sophisticated, which means there is a higher chance of mistakes by the developers. Those mistakes live in the code, and the vulnerabilities they introduce can be exploited and used by threat actors. One of the main types of attack that originates from such mistakes is the memory-based attack. Memory-based attacks are very popular and can have a deep and wide-ranging impact on systems. According to the 2019 MITRE report, memory-based attacks are the most extensive, damaging, and by far the highest-ranking software weakness. Most attacks target Microsoft operating systems and applications, so we are sometimes under the impression that Microsoft tools are among the most unsafe and vulnerable software applications. The truth of the matter is that Microsoft tools are the most prevalent, with the highest market share, and it can therefore be expected that they are the most targeted. It is true that, because of their legacy and usability, some of the older versions were indeed vulnerable, and Microsoft advised against the use of some technologies (SMBv1) long before they were abused in devastating cyber-attacks. But as the famous quote from Lord of the Rings says, “the world has changed,” and the modern Microsoft environment can be very safe. We are going to explore the solutions for mitigating memory-based attacks and some other nifty Microsoft security solutions that are built into the Enterprise Windows OS and are therefore essentially free for most organizations.
Earlier Methods for Mitigation of Memory-Based Attacks
As of 2020, Windows has the highest market share among endpoint devices, excluding Internet of Things (IoT) and Operational Technology (OT) devices. To protect devices running the Windows operating system from memory-based attacks, Microsoft offers quite a few solutions that can be used.
Let’s begin by looking at which tools for mitigation of memory-based attacks existed in the past. In the early 2000s, Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) were developed. ASLR prevents the exploitation of memory-corruption vulnerabilities by randomizing the base address of a program each time it is executed, which keeps a single exploit from working unchanged on all machines. The weakness of ASLR is that the entire program is moved as one unit. DEP, on the other hand, prevents attacks that try to execute code from parts of system memory that are reserved for data rather than for authorized program code. Executing code from those reserved parts of memory could result in code injection and privilege escalation.
A very popular tool among security practitioners, and recommended by SANS for preventing vulnerabilities in software from being successfully exploited, was the Enhanced Mitigation Experience Toolkit (EMET). EMET used 12 specific mitigation techniques, including DEP, ASLR, certificate trust pinning, and so on. Once EMET was installed, it had to be configured separately for each piece of software it was meant to protect. EMET is no longer widely used, since it reached end of life in 2018 and is not compatible with the latest Windows versions.
New Features from Microsoft for Mitigation of Memory-Based Attacks
Now that you are more familiar with some of the older security features for mitigation of memory-based attacks, we should take a look at the security features that Windows 10 offers now. The new features that supplement the older solutions are the Code Integrity Guard (CIG) and Arbitrary Code Guard (ACG) modules, which are used to prevent the generation of arbitrary code, and Control Flow Guard (CFG) and Shadow Stack, which are used to prevent control-flow hijacking.
A typical buffer overflow attack exploits a mistake made in the code. When a developer writes code that accepts input (from the keyboard, command line parameters, a web URI call, etc.), they should validate the length of that input. If the length is not validated and direct copy functions are used, the program is prone to memory exploits. When a program calls a function, it places the parameters and the return address on the stack. By supplying a longer parameter than intended, the threat actor overwrites that memory, supplies a new return address, and achieves the execution of arbitrary malicious code.
CIG blocks improperly signed executable images from loading and prevents the creation of untrusted child processes. To monitor process creation, it takes advantage of the user-mode code integrity policies, which are checked at process creation time. CIG only takes care of untrusted child processes and makes sure that only signed DLLs can be loaded; it does not provide any guarantees about the state of the code after it is loaded into memory. This is where ACG steps in. When ACG is enabled, the Windows kernel prevents a process from creating new code pages in memory or modifying existing ones. When CIG and ACG are both enabled, a process can only map signed code pages into memory.
A newer technology, which is an extension of DEP and ASLR, is Control Flow Guard (CFG). CFG protects systems from memory corruption vulnerabilities by placing tight restrictions on where indirect function calls can execute from, and it also identifies the set of functions in the application that could be legitimate call targets. It creates a per-process bitmap in which a set bit indicates that an address is a valid destination for an indirect function call.
A new-generation feature for the prevention of control-flow hijacking is Shadow Stack. Shadow Stack is currently in development in cooperation with Intel. Shadow Stack protects the function’s return address, because a return address on the stack can otherwise be overwritten to point at an address chosen by the threat actor. How Shadow Stack works is quite straightforward. It uses a second stack, called the shadow stack, which is protected from tampering by processor features. In the function’s prologue, the return address is stored on both the call stack and the shadow stack. In the function’s epilogue, the return addresses are popped from both the call stack and the shadow stack and compared. If the addresses differ, the processor signals a protection exception.
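The following is an added example, not code from the article or from Microsoft, showing how the CIG, ACG and CFG mitigations described above are audited and then enforced for one application with the built-in ProcessMitigations cmdlets (Windows 10 1709 and later, elevated PowerShell session). The application name `contoso-legacy-app.exe` is an assumed placeholder, and the property names read from the mitigation object follow the shape that `Get-ProcessMitigation` returns.

```powershell
# Added example (not from the article): audit, then enforce, CIG/ACG/CFG for one image.
# $Exe is an assumed sample name; replace it with the real executable name.
$Exe = 'contoso-legacy-app.exe'

# 1. Read the current per-process mitigation state (values are ON / OFF / NOTSET).
$m = Get-ProcessMitigation -Name $Exe
"DEP:                       $($m.DEP.Enable)"
"CFG:                       $($m.CFG.Enable)"
"ACG  (BlockDynamicCode):   $($m.DynamicCode.BlockDynamicCode)"
"CIG  (MicrosoftSignedOnly):$($m.BinarySignature.MicrosoftSignedOnly)"
"Child-process block:       $($m.ChildProcess.DisallowChildProcessCreation)"

# 2. Audit first. Audit mode logs what would have been blocked without breaking the
#    application: third-party plug-ins that are not Microsoft-signed, JIT engines that
#    generate code at run time, or helper processes the app legitimately spawns.
Set-ProcessMitigation -Name $Exe -Enable AuditDynamicCode, AuditMicrosoftSigned, AuditChildProcess

# Review the audit events after running the application for a while.
Get-WinEvent -LogName 'Microsoft-Windows-Security-Mitigations/UserMode' -MaxEvents 50 |
    Where-Object { $_.Message -like "*$Exe*" } |
    Select-Object TimeCreated, Id, Message

# 3. Once the audit log is clean, switch from audit to enforcement.
#    Note: CFG only protects images compiled with CFG support; the Enable CFG switch
#    turns enforcement on for those images, while StrictCFG would additionally refuse
#    to load DLLs compiled without CFG (and is therefore more likely to break the app).
Set-ProcessMitigation -Name $Exe -Disable AuditDynamicCode, AuditMicrosoftSigned, AuditChildProcess
Set-ProcessMitigation -Name $Exe -Enable DEP, CFG, BlockDynamicCode, MicrosoftSignedOnly, DisallowChildProcessCreation

# 4. Sensible system-wide defaults (DEP, CFG and the two ASLR options) for all other processes.
Set-ProcessMitigation -System -Enable DEP, CFG, BottomUp, HighEntropy

# 5. Export the resulting configuration so it can be deployed to other machines
#    through the Exploit Protection policy (Set-ProcessMitigation -PolicyFilePath).
Get-ProcessMitigation -RegistryConfigFilePath "$env:TEMP\exploit-protection.xml"
```

Start with audit mode on a pilot group; MicrosoftSignedOnly in particular breaks any application that loads DLLs signed by its own vendor rather than by Microsoft.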
3rd Party Solutions for Mitigation of Memory-Based Attacks
Other commercial solutions provide an additional layer of security for mitigation of memory-based attacks, such as McAfee’s Application Control, Virsec Application Memory Firewall, and RunSafe Security Alkemist. But as we have seen, the built-in features, if enabled, offer quite good protection, and customers should assess their own situation to determine whether they need standalone solutions.
Additional Microsoft Solutions for Improving the Environment
Besides the mitigation of memory-based attacks, the latest Windows version offers plenty of solutions to protect Windows-based devices. The solutions are divided into three groups that cover identity and access management, threat protection, and information protection.
A credential theft attack means that, with the proper privileges (debug privileges), a threat actor can access the credentials stored in the memory of an attacked system. If an endpoint is not properly configured and security-hardened, the odds of successful credential dumping increase. One of the most popular tools used for credential dumping is Mimikatz and its derivatives. By using the Hyper-V feature and hardware security, Windows offers a virtualization-based secure environment in which a secure region of memory is isolated and not available to the normal operating system. One of the tools that takes advantage of Virtualization-based security (VBS) is Credential Guard (CG). Credential Guard uses VBS to securely store credentials and other secrets in an isolated area of memory, making them unavailable for dumping from memory.
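As an added example (not part of the article), the following script checks whether VBS and Credential Guard are actually running on an endpoint and, if not, sets the registry values Microsoft documents for enabling them. It assumes an elevated session on a machine that meets the VBS hardware requirements (UEFI, Secure Boot, virtualization extensions); a reboot is required before the change takes effect.

```powershell
# Added example (not from the article): verify and enable Credential Guard.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running.
# SecurityServicesRunning contains 1 when Credential Guard is running (2 = HVCI).
$vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)
$cgRunning  = ($dg.SecurityServicesRunning -contains 1)
"VBS running:              $vbsRunning"
"Credential Guard running: $cgRunning"
"Configured services:      $($dg.SecurityServicesConfigured -join ',')"

if (-not $cgRunning) {
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Turn on VBS and require platform security features:
    # 1 = Secure Boot only, 3 = Secure Boot plus DMA protection.
    New-ItemProperty -Path $dgKey -Name 'EnableVirtualizationBasedSecurity' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $dgKey -Name 'RequirePlatformSecurityFeatures' `
        -PropertyType DWord -Value 1 -Force | Out-Null

    # LsaCfgFlags: 1 = Credential Guard enabled with UEFI lock, 2 = enabled without lock.
    # The UEFI lock stops an attacker who gains admin rights from simply switching it off
    # through the registry; removing it later requires physical presence at boot.
    New-ItemProperty -Path $lsaKey -Name 'LsaCfgFlags' -PropertyType DWord -Value 1 -Force | Out-Null

    "Credential Guard configured; restart the machine to activate it."
}
```

After the reboot, the same `Win32_DeviceGuard` query should report `SecurityServicesRunning` containing 1; LSASS secrets are then held in the isolated LSA process and a memory dump of LSASS no longer yields usable credentials.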
On the threat protection front, Microsoft Defender for Endpoint is the next-generation threat protection module. In addition to the classical advanced threat protection used in Microsoft Defender Antivirus, it gathers data from the endpoint behavioral sensors integrated into Windows, uses the power of the cloud and knowledge from threat intelligence feeds, and combines everything into a tool that can greatly improve the protection of your environment and alerts you when abnormal actions occur. The latest data from independent institutions that compare AV solutions suggests that for most organizations, there is no need to spend extra money on a standalone antivirus solution.
The last group of features is aimed at protecting information. BitLocker Drive Encryption protects organizations from data exposure and theft. To get the most out of BitLocker, you should use it with a Trusted Platform Module (TPM), which helps ensure that the system was not tampered with while it was offline. To stop accidental data leaks, Windows offers Windows Information Protection (WIP). WIP uses a set of custom policies to manage and secure company data, and it also provides the ability to remove access to enterprise data from both enterprise and private devices without touching the private information stored on those devices.
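An added example, not from the article: verifying that a TPM is present and ready, then enabling BitLocker on the OS volume with a TPM protector and a recovery password, using the built-in BitLocker cmdlets. It assumes an elevated session and that `C:` is the OS volume; the AD DS backup line assumes a domain-joined machine with recovery-key escrow configured.

```powershell
# Added example (not from the article): TPM-backed BitLocker on the OS drive.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    # Without a ready TPM BitLocker falls back to a password or USB key protector,
    # which gives no offline tamper detection of the boot chain.
    throw "TPM not present or not ready; fix the TPM state before enabling BitLocker."
}

$vol = Get-BitLockerVolume -MountPoint 'C:'
if ($vol.ProtectionStatus -ne 'On') {
    # Add the recovery password first so a recovery path exists before encryption starts.
    Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null

    # TPM protector: the volume key is sealed to the measured boot state, so a drive
    # moved to another machine, or a tampered boot chain, is not unlocked automatically.
    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
}

# Escrow the recovery password in AD DS (assumes domain membership and escrow policy).
$recovery = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $recovery.KeyProtectorId

# Confirm the result: protection state, progress and which protectors exist.
$vol = Get-BitLockerVolume -MountPoint 'C:'
"Protection: $($vol.ProtectionStatus)  Encrypted: $($vol.EncryptionPercentage)%"
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
```

`ProtectionStatus` stays `Off` until encryption has progressed enough to switch protection on, and the TPM protector must be re-sealed (or the recovery password used) after firmware updates or a motherboard swap change the boot measurements.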
Conclusion
To sum up, the latest Microsoft Windows offers plenty of built-in solutions to secure your environment. You can see that by using and correctly configuring only Microsoft solutions, you can protect your devices from memory-based attacks, securely use secrets and credentials, and also protect data from being exposed, leaked, lost, or stolen. Of course, there are still standalone solutions on the market that are more appropriate for some organizations, but Microsoft made a “quantum leap” in the ability to secure the environment.
At NIL SOC, we have a dedicated team of experienced and security-certified experts (MCSE, CQURE Certified Windows Security Master, GCFA, OSCP, etc.) who work with and explore Microsoft security features. If you would like to implement these neat features but lack the in-house knowledge, our security experts can help you protect your environment by using the above-mentioned features and by performing additional security hardening.
Author: Jakob Premrn, Security Analyst and Consultant at NIL SOC