• This feature does not support SELinux or AppArmor in Enforced Mode

  • Memory Exploit Protection on Windows can lead to system instability if another security product is enabled on the server. Refer to the Section Working with existing security solution (in the Troubleshooting topic) and contact Virsec technical team for further guidance




VSP Memory Exploit Protection provides protection against two types of attacks:




Memory Injection or Cross-process injection gives attackers the ability to run malicious code that masquerades as legitimate programs. With code injection, attackers don’t use custom processes that can quickly be detected. Instead, they insert malicious code into common processes (e.g., explorer.exe, regsvr32.exe, svchost.exe, etc.), giving their operations an increased level of stealth and persistence.


VSP Memory Exploit Protection protects against external code executing within an authorized process. It is deployed as a VSP-Host component during Probe installation on VMs (Virtual Machines). This feature can be enabled during the Host Profile creation. 




In a typical attack kill chain, attackers often use the tactic of credential access as a precursor to accessing data assets and/or move laterally. A popular technique to achieve this is to dump OS credentials from memory. This involves an attempt to dump credentials to obtain account login and credentials in plain text, but mainly in the form of a hash from the critical operating system and other services. In the context of server protection, this technique is quite relevant for server workloads, since these systems usually have a non-named account that cannot be targeted via attacks like phishing (and its variants) that target users.


Dumping credentials from OS memory is a standard method for malicious actors to extract dump of OS credentials from critical OS services. These dumps can be analyzed locally or out of the band to extract hashes and get plaintext credentials.


One of the most critical services targeted on a Windows server is the Local Security Authority Subsystem Service (LSASS). The Windows system generates and stores various credential material in LSASS process memory. This memory can be dumped using multiple ways from the target host to extract credentials data.


This attack can involve the usage of sophisticated tools like Mimikatz to dump credentials from lsass.exe by targeting lsass.exe memory space and dumping memory. But, this can be executed by many "living off the land" utilities like Windows Task Manager, Process Explorer, etc.


From version 2.6.0, Memory Exploit Protection (MEP) feature on the Virsec Security Platform adds the ability to protect against dumping of memory from the process lsass.exe. With Memory Exploit Protection enabled in the detect mode, VSP alerts the attempts to dump the memory of LSASS processes, whereas in the protect mode, these attempts are blocked and malicious actors will not succeed.