Microsoft Defender for Endpoint Blog

How behavioral blocking & containment stops post-exploitation tools like BloodHound, Kerberoasting

Eric Avena, Microsoft
Aug 28, 2020

Behavioral blocking and containment capabilities in Microsoft Defender Advanced Threat Protection (ATP) use protection engines that specialize in detecting and stopping threats by analyzing behavior. One of these engines leverages insights from the Antimalware Scan Interface (AMSI), which has visibility into script content and behavior, together with pairs of machine learning models, one on the client and one in the cloud, that work together to detect and stop malicious scripts post-execution.

These pairs of AMSI-powered machine learning classifiers, one pair for each scripting engine, allow Microsoft Defender ATP to detect malicious behavior and stop post-exploitation techniques and other script-based attacks, such as BloodHound and Kerberoasting attacks.

To learn more, read our latest blog post: Stopping Active Directory attacks and other post-exploitation behavior with AMSI and machine learning.

Updated Aug 28, 2020

1 Comment

MichaelG666

The following script, https://gist.github.com/Hestat/59b86df6ced15021eb3080338959969d, when run as a regular user, disables AMSI completely, and any malicious PowerShell commands that are subsequently run in the same PowerShell ISE session are no longer blocked by Defender and are allowed to run. Any idea how to fix this, Eric Avena?

Thanks a lot.
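An added example, not code from the post or from Microsoft, that gives a defender the check the comment above implies is missing: confirm, for example from a scheduled task, that the AMSI path into Defender which the post's classifiers depend on is still functioning for PowerShell. It assumes Microsoft's documented AMSI test sample string and the HKLM\SOFTWARE\Microsoft\AMSI\Providers registration key; reading the provider's friendly name from the CLSID key's default value is an assumption.

```powershell
# Added example (not Microsoft's or the post author's code): a defender-side
# health check for the AMSI -> Defender path described in the post. It runs
# Microsoft's documented AMSI test sample in a fresh script host; a working
# AMSI provider refuses to run that script block, so a sentinel line is never
# written. The sample string is assembled at run time so that this check
# script is not itself blocked when AMSI scans its own source.

function Test-AmsiBlocking {
    [CmdletBinding()]
    param(
        # Script host to exercise. The comment above concerns the ISE; the
        # console host is what a scheduled task can run unattended.
        [string]$HostExe = 'powershell.exe'
    )

    # Microsoft's AMSI test sample string (from the AMSI developer documentation).
    $sample = 'AMSI Test ' + 'Sample: 7e72c3ce-861b-' + '4339-8740-0ac1484c1386'

    # With AMSI working, the whole -Command script block is blocked at scan time
    # and nothing is written. With AMSI disabled, Invoke-Expression fails on the
    # nonsense command, the error is swallowed, and the sentinel is written.
    $child  = "try { Invoke-Expression '$sample' } catch { }; Write-Output 'AMSI_DID_NOT_BLOCK'"
    $output = & $HostExe -NoProfile -NonInteractive -Command $child 2>&1 | Out-String

    [pscustomobject]@{
        Host        = $HostExe
        AmsiBlocked = ($output -notmatch 'AMSI_DID_NOT_BLOCK')
        Detail      = $output.Trim()   # blocked-script error text, or the sentinel
    }
}

function Get-AmsiProvider {
    # Registered AMSI providers live under this key, one subkey per CLSID.
    # Assumption: the friendly name is stored as the CLSID key's default value.
    $root = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $cls   = Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue
        [pscustomobject]@{ Clsid = $clsid; Name = $cls.'(default)' }
    }
}

# Example run: confirm a provider (Defender) is registered, then confirm the
# console host actually hands script content to it.
Get-AmsiProvider | Format-Table -AutoSize
Test-AmsiBlocking | Format-List
```

Alert when AmsiBlocked is $false or when no provider is listed; the Detail field shows whether the child host returned the "blocked by your antivirus software" error or reached the sentinel.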