Ransomware protection that SEP uses against living-off-the-land techniques
Symantec Endpoint Protection (SEP) 14.3 RU3 includes enhancements that protect your client computers against living-off-the-land (LotL) tools. Living-off-the-land tactics—where attackers take advantage of native tools and services already present on targeted systems—have been used by both targeted attack groups and common cyber criminal gangs.
Symantec Endpoint Protection uses the following technologies to protect against targeted ransomware threats that use these living-off-the-land techniques.
Network protection technologies
- Detection of suspicious process chains that are used in targeted ransomware attacks.
- Telemetry enhancement that sends alerts when ransomware or pre-ransomware tools impact a new client computer.
- Protection against Cobalt Strike post-exploitation actions and lateral movements.
- Protection against high-prevalence malware such as IcedID.
File inspection technologies
- Protection that inspects Office Open XML (OOXML), Windows Management Instrumentation (WMI), dotnet, and XLM content with the Antimalware Scan Interface (AMSI).
- Microsoft PowerShell emulation heuristic improvements that detect malware that uses AMSI disable techniques.
- Enhanced command-line heuristics to protect against ransomware and Cobalt Strike hacking tools.
- Added PE Emulator post-scan support to improve detection of malware that uses junk loops and anti-emulation tricks.
- Visual Basic (VB) and dotnet emulator enhancements to protect against malware like Mass Logger, FormBook, and Agent Tesla.
- Implemented the Microsoft Office Scanner to detect VBA stomping and non-PE droppers like Hancitor.
- Includes a common parser to support VBA extraction and emulation from Microsoft Publisher and Microsoft Access files.
- Enhanced the AMSI and Script Emulation string scan to identify and remediate LotL malware like IsErIk.
- Enhanced credential theft protection by stripping read access on lsass.exe.
- Enhanced ransomware protection by locking down file write access when ransomware detections are triggered on trusted processes.
- Enhanced process tracking for the parent process spoofing technique.
- Detection on process hollowing techniques by comparing the entry point address of the main thread with the entry point address that is parsed from the on-disk file.
- Detection of suspended process creation.
- Behavior detection for high-profile ransomware such as Ryuk, REvil/Sodinokibi, Conti, Darkside, Burglar, and Lorenz.
- Generic ransomware pre-encryption behavior detection and post-encryption detection that leverages the new attributes for the file rename event.
- Behavior detection of the Cobalt Strike post-exploitation actions and lateral movements, and memory detection for the Cobalt Strike beacon.
- Behavior detection of DLL refreshing and process injection techniques, based on use of the SetThreadContext function and on the permission flags requested when the process handle is opened.
- Behavior detection of Microsoft Office Excel and Microsoft Office PowerPoint threats.
- Symantec Endpoint Detection and Response (SEDR) visibilities that convert a few of the SONAR Behavioral Policy Enforcement (BPE) detections to Advanced Attack Techniques (AAT).
- New ACM events on LoLBins.
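As an added illustration of the process-hollowing check described above (example code written for this page, not Symantec's implementation), the following parses AddressOfEntryPoint from the on-disk PE header and compares it, as an RVA, with the main thread's start address. The PE header builder and the addresses are constructed sample data; the relocation handling goes slightly beyond the page by comparing RVAs so that ASLR does not trigger the check.

```python
import struct

# Offsets from the PE format (DOS header e_lfanew, IMAGE_NT_HEADERS layout).
E_LFANEW_OFF = 0x3C
PE_SIGNATURE = b"PE\0\0"
FILE_HEADER_SIZE = 20
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def on_disk_entry_point_rva(image: bytes) -> int:
    """Return AddressOfEntryPoint (an RVA) parsed from a PE image's optional header."""
    if len(image) < E_LFANEW_OFF + 4 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, E_LFANEW_OFF)[0]
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 4 + FILE_HEADER_SIZE          # start of IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # AddressOfEntryPoint sits at offset 16 in both PE32 and PE32+ optional headers.
    return struct.unpack_from("<I", image, opt + 16)[0]


def is_hollowed(thread_start_addr: int, module_base: int, image: bytes) -> bool:
    """Flag a main thread whose start address does not match the on-disk entry point.

    The comparison is done on RVAs (address minus the module's actual load base)
    so that ASLR relocation of the image does not cause a false positive."""
    observed_rva = thread_start_addr - module_base
    return observed_rva != on_disk_entry_point_rva(image)


def build_sample_pe(entry_rva: int) -> bytes:
    """Constructed minimal PE32+ header (not a runnable binary) for demonstration."""
    e_lfanew = 0x80
    img = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", img, E_LFANEW_OFF, e_lfanew)
    img += PE_SIGNATURE + b"\0" * FILE_HEADER_SIZE      # IMAGE_FILE_HEADER left zeroed
    opt = bytearray(240)                                 # PE32+ optional header size
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    return bytes(img + opt)
```

In a real sensor the thread start address and module base come from the process (for example the main thread's start address and the main module's load base); the on-disk image is read from the path the process was launched from, and a mismatch is a signal to correlate with the other behavior detections listed above rather than a verdict on its own.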