New tips will help Microsoft Defender for Endpoint stop malware in its tracks

One thing most malware has to do at some point is reach back to its command and control (C2) server for further instructions. By intercepting that traffic before anything is exchanged, Microsoft hopes to stop many attacks early in the chain.

The company recently added a feature to its Microsoft Defender for Endpoint (MDE) platform that alerts administrators when an endpoint attempts a connection to a known malicious C2 server. The feature blocks the connection and keeps the connection details for later investigation.

As reported by BleepingComputer, the new feature is currently in public preview.

Earlier detection

With the feature enabled, Defender for Endpoint's Network Protection (NP) agent maps the IP address, port, hostname and other metadata of each outbound connection against data held in the Microsoft cloud. If the company's AI-based scoring engines rate the connection as malicious, the agent blocks it and remediates the binaries responsible, to stop the infection progressing.

It then raises an alert titled "Network protection blocked a possible C2 connection", which SecOps teams can investigate.

"SecOps teams need accurate alerts that can identify compromised areas and previous logins to known malicious IP addresses," said Oludele Ogunrinde, MDE's senior program manager.

"With the new capabilities of Microsoft Defender for Endpoint, SecOps teams can detect C2 network attacks earlier in the attack chain, minimize spread by quickly blocking further attack propagation, and reduce the time required for mitigation by easily eliminating malicious binaries."

To take advantage of the feature, endpoints need Microsoft Defender Antivirus running with real-time protection and cloud-delivered protection enabled. They also need MDE in active (not passive) mode, network protection set to block mode rather than audit mode, and antimalware engine version 1.1.17300.4 or later.
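The following PowerShell is an added example, not Microsoft's code and not part of the original article. It checks the prerequisites listed above on a single Windows endpoint, offers a helper that turns on the two settings an administrator controls directly, and lists recent network-protection events from the local Defender operational log, which is the natural place to look beside the "Network protection blocked a possible C2 connection" alert in the portal. Two mappings in it are assumptions rather than anything the article states: that an `AMRunningMode` of `Normal` corresponds to MDE active mode (passive mode reports `Passive Mode`), and that Defender event IDs 1126 and 1125 are the network-protection block and audit events respectively. Run it from an elevated prompt.

```powershell
# Added example (not Microsoft's code). Verifies the prerequisites for the
# MDE C2 detection feature on a Windows 10 / Windows Server endpoint and
# lists recent network-protection events. Requires an elevated prompt.

# Engine version named in the article as the minimum for the feature.
$RequiredEngine = [version]'1.1.17300.4'

function Test-C2DetectionPrerequisites {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    $checks = [ordered]@{
        # DisableRealtimeMonitoring is the policy; RealTimeProtectionEnabled is the live state.
        'Real-time protection on'          = [bool]$status.RealTimeProtectionEnabled
        # MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced (cloud-delivered protection).
        'Cloud-delivered protection on'    = ($pref.MAPSReporting -ne 0)
        # Assumption: 'Normal' = Defender AV is the primary AV, i.e. MDE active mode.
        'Defender AV in active mode'       = ($status.AMRunningMode -eq 'Normal')
        # EnableNetworkProtection: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode.
        'Network protection in block mode' = ($pref.EnableNetworkProtection -eq 1)
        # 'Sense' is the MDE sensor service; it must be running for alerts to reach the portal.
        'MDE sensor (Sense) running'       = ((Get-Service -Name Sense -ErrorAction SilentlyContinue).Status -eq 'Running')
        "Engine >= $RequiredEngine"        = ([version]$status.AMEngineVersion -ge $RequiredEngine)
    }

    foreach ($c in $checks.GetEnumerator()) {
        '{0,-36} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'MISSING' })
    }
    return -not ($checks.Values -contains $false)
}

function Enable-NetworkProtectionBlockMode {
    # The two settings an admin flips directly. Real-time protection is normally
    # on already, and the engine version comes from the regular Defender updates.
    Set-MpPreference -MAPSReporting Advanced
    Set-MpPreference -EnableNetworkProtection Enabled
}

function Get-RecentNetworkProtectionEvents {
    param([int]$Hours = 24)
    # Assumption: in the Defender AV operational log, ID 1126 is a network
    # protection block and ID 1125 an audit-mode hit. Verify on your build.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Mode'; e = { if ($_.Id -eq 1126) { 'block' } else { 'audit' } } },
            Message
}

if (-not (Test-C2DetectionPrerequisites)) {
    Write-Warning 'Prerequisites missing. Run Enable-NetworkProtectionBlockMode from an elevated prompt, then re-check.'
}
Get-RecentNetworkProtectionEvents -Hours 24 | Format-Table -AutoSize -Wrap
```

Audit mode (value 2) is deliberately reported as MISSING: the article is explicit that the feature needs block mode, and an endpoint left in audit mode will log the C2 attempt but let it through.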

Once the preview rollout is complete, the feature will be available on Windows 10 version 1709 and later, Windows Server version 1803, and Windows Server 2019.

Via BleepingComputer