Credential Theft Detection from Windows Memory

Rob Mead & Patrick Ah-Fat

The aim of intrusion detection is to identify attackers who have already intruded a network by circumventing its protection mechanisms. One way of doing so is to look for malicious actions that such attackers may perform within the network. Credentials theft is one such common action and advanced attackers have developed elaborate techniques for extracting credentials from Windows memory. State of the art detection techniques are based on malware detection and as such only alert on particular types of executable files that can perform such techniques. 

In contrast, our work directly targets and analyses the way that a process reads from memory and aims at classifying memory read behaviours as malicious using machine learning. In order to do so, we introduce a novel mechanism for modelling memory read events, which we build on in order to write a detector that is able to alert on attacks that previous detectors were not able to detect. This detector is now running in production and is protecting MDATP customers world-wide. 

Patrick Ah-Fat is a PhD student at Imperial College London under the supervision of Michael Huth. His research focuses on cryptography and privacy. He will present the work that he did at Microsoft as a summer intern. 

Rob Mead is a Principal Software Engineer working in cyber security in the Microsoft Threat Intelligence Center (MSTIC). He works on the detection of techniques used by threat actors such as nation states and cyber crime, which feed into protecting Microsoft customers