>
One thing most malware needs to do is contact the command & control (C2) server for further instructions. By capturing this traffic before information can be exchanged, Microsoft hopes to stop many attacks.
The company recently added a new feature to its Microsoft Defender for Endpoint (MDE) security platform that alerts administrators when a malicious connection is established. It is able to break that connection and log the details for further evaluation.
As reported by BleepingComputer, the new feature is currently in public preview.
Previous Detections
With the new feature enabled, the Defender for Endpoint’s Network Protection (NP) agent maps all IP addresses, ports, host names, and other outbound connection data with data from Microsoft Cloud. If it detects a connection that the company’s AI-powered scoring engines deem malicious, the tool blocks it and rolls back the malware binaries to prevent further damage.
It then adds a log stating “Network security blocked a potential C2 connection”, which the SecOps teams can evaluate later.
“SecOps teams need accurate alerts that can accurately define the areas of compromise and previous connections to known malicious IPs,” said Oludele Ogunrinde, Senior Program Manager for MDE.
“With the new capabilities in Microsoft Defender for Endpoint, SecOps teams can detect network C2 attacks earlier in the attack chain, minimize their spread by quickly blocking any further attacks from spreading, and reduce the time it takes to mitigate through malicious attacks. binaries easily.”
To take advantage of the new feature, users must have activated Microsoft Defender Antivirus with real-time protection and cloud-delivered protection. In addition, they require MDE in active mode, network protection in block mode, and engine version 1.1.17300.4.
Once the preview rollout is complete, the new feature will be available on Windows 10 1709 and later, Windows Server 1803, and Windows Server 2019.
Through BleepingComputer (opens in new tab)