One thing most malware must do is reach out for further instructions to its command & control (C2) server. Microsoft is attempting to stop a number of attacks in their tracks by catching this traffic.
The Microsoft Defender for Endpoint (MDE) security platform has recently gained a feature that alerts administrators when a malicious connection is established. It can kill the connection and log the details for further evaluation.
The new feature, according to BleepingComputer, is currently in a public preview.
Earlier detections
With the new feature enabled, the Defender for Endpoint Network Protection agent maps the IP addresses, ports, hostnames, and other details of all outbound connections against data from the Microsoft cloud. If it spots a connection that the AI-powered scoring engines consider malicious, the tool stops it and rolls back the malware binaries to avoid further damage.
It then writes a log entry stating that Network Protection halted a potential C2 connection, which SecOps teams can evaluate later.
"SecOps teams need precise alerts that can accurately define areas of compromise and previous connections to known malicious IPs," says Oludele Ogunrinde, the Senior Program Manager for MDE.
"With the addition of Microsoft Defender for Endpoint, SecOps teams can detect network C2 attacks early in the attack chain, minimize the spread by quickly blocking any further attack propagation, and reduce the time it takes to mitigate by easily eliminating malicious binaries."
Users must have Microsoft Defender Antivirus activated for real-time and cloud-delivered protection. Moreover, they need MDE in active mode, network protection in block mode, and engine version 1.1.17300.4.
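As an added example (not code from Microsoft or from the article), a PowerShell check an administrator could run on an endpoint to verify the prerequisites listed above; it assumes the built-in Defender PowerShell module and treats the engine version quoted above as the minimum.

```powershell
# Added example, not Microsoft's code: verifies the prerequisites the article
# lists for the C2 network protection preview on one Windows endpoint.
# Assumes the Defender module (Get-MpComputerStatus / Get-MpPreference) is present.
$requiredEngine = [version]'1.1.17300.4'   # minimum engine version named in the article

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

$checks = [ordered]@{
    'Defender AV service running'       = $status.AMServiceEnabled
    'Real-time protection enabled'      = $status.RealTimeProtectionEnabled
    # MAPSReporting: 0 = off, 1 = basic, 2 = advanced (cloud-delivered protection)
    'Cloud-delivered protection (MAPS)' = ($pref.MAPSReporting -ne 0)
    # EnableNetworkProtection: 0 = off, 1 = block, 2 = audit
    'Network protection in block mode'  = ($pref.EnableNetworkProtection -eq 1)
    "Engine version >= $requiredEngine" = ([version]$status.AMEngineVersion -ge $requiredEngine)
}

$failed = 0
foreach ($name in $checks.Keys) {
    $ok = [bool]$checks[$name]
    if (-not $ok) { $failed++ }
    '{0,-40} {1}' -f $name, $(if ($ok) { 'OK' } else { 'MISSING' })
}

# Active vs. passive MDE mode is reported by AMRunningMode on builds that expose it
# (e.g. "Normal", "Passive Mode", "EDR Block Mode"); print it for the reviewer.
"Defender running mode: $($status.AMRunningMode)"

if ($failed -gt 0) {
    Write-Warning "$failed prerequisite(s) not met; C2 network protection will not be active."
} else {
    'All listed prerequisites met.'
}
```

Run it in an elevated PowerShell session; the running-mode line is informational because the cmdlets do not expose a boolean for MDE active mode.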
One of the preview releases has gone, and the new version will be available on Windows 10 1709 and newer, Windows Server 1803, and Windows Server 2019.
Via BleepingComputer