One thing most malware needs to do is reach out for further instructions to its command & control (C2) server. By catching this traffic before any information can be exchanged, Microsoft is hoping to stop many attacks in their tracks.
The company recently added a new feature to its Microsoft Defender for Endpoint (MDE) security platform that notifies administrators when a malicious connection is being established. It’s capable of killing that connection and logging the details for further evaluation.
As reported by BleepingComputer, the new feature is currently in public preview.
Earlier detections
With the new feature enabled, the Defender for Endpoint’s Network Protection (NP) agent will map all of the outbound connection’s IP addresses, ports, hostnames, and other data, with data from Microsoft Cloud. If it spots a connection the company’s AI-powered scoring engines deem malicious, the tool will block it, and roll the malware binaries back to prevent further damage.
It will then add a log, stating “Network Protection blocked a potential C2 connection”, which the SecOps teams can later evaluate.
“SecOps teams need precise alerts that can accurately define areas of compromise and previous connections to known malicious IPs,” said Oludele Ogunrinde, Senior Program Manager for MDE.
“With the new capabilities in Microsoft Defender for Endpoint, SecOps teams can detect network C2 attacks earlier in the attack chain, minimize the spread by rapidly blocking any further attack propagation, and reduce the time it takes to mitigate by easily removing malicious binaries.”
To take advantage of the new feature, users need to have Microsoft Defender Antivirus with real-time protection and cloud-delivered protection activated.Furthermore, they need MDE in active mode, network protection in block mode, and engine version 1.1.17300.4.
One the preview rollout is complete, the new feature will be available on Windows 10 1709 and newer, Windows Server 1803, and Windows Server 2019.
Via BleepingComputer (opens in new tab)
