The modern threat landscape is rapidly evolving, with new attack strategies being employed at greater frequency and volume than we have seen in the past. One such tactic we have recently observed across many advanced malicious attacks is the use of harmful command lines within the attack chain to bypass file-based detections. A common technique involves using legitimate programs like powershell.exe or cmd.exe to execute malicious actions, such as downloading and running a payload or initiating a harmful script. Today we will discuss how Microsoft Defender for Endpoint protects against these threats by scanning and blocking malicious command lines. While this capability is already generally available, it continues to benefit from improvements to its machine learning models.
Defender for Endpoint uses advanced machine learning models to automatically scan, analyze, and classify command lines. Malicious command lines are blocked instantly within the client, while suspicious ones are sent to the cloud for further analysis using Microsoft’s freshest signals, most up-to-date threat intelligence, and advanced detection methods - including the CommandLineBerta model. This model evaluates suspicious command lines to determine the probability that they are malicious. If they are classified as malicious, they are blocked. What differentiates this machine learning model from others is that it can classify any command line, unlike models that are trained for specific subsets like PowerShell or Windows Management Instrumentation (WMI) command lines. As a result, it provides protection against a wide variety of malicious command lines. The CommandLineBerta model is regularly updated to stay ahead of emerging threats and is particularly effective against LoLBin (Living off the Land Binary) attacks, where adversaries use legitimate programs within the victim's machine to achieve their malicious goals.
Here are a few other examples of command lines blocked by CommandLineBerta:
- Malicious coin miners which use long command lines containing wallet addresses.
- Malware that uses command lines to execute malicious code hosted on public websites such as Pastebin or GitHub.
- Command lines that run malicious scripts (PowerShell, WScript, VBScript, etc.).
- Malware that tampers with security software to avoid detection.
- Malware that executes Dynamic Link Libraries (DLLs) with custom exports.
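As an added illustration (not Microsoft's code, model or detection rules), the following transparent, rule-based scorer shows the kind of signals a command-line classifier extracts for the categories listed above and the two-tier outcome the post describes: block on the client, hand suspicious lines off for deeper analysis, allow the rest. The binary names, regexes, weights, thresholds and sample command lines are constructed assumptions for this example.

```python
import re
from typing import Dict

# Constructed, rule-based stand-in for the feature extraction a command-line
# classifier consumes. Names, regexes, weights and thresholds are assumptions
# for illustration only; they are not the model or rules described in the post.
LOLBINS = {"powershell.exe", "cmd.exe", "rundll32.exe", "wscript.exe",
           "cscript.exe", "mshta.exe", "regsvr32.exe"}
PASTE_HOSTS = ("pastebin.com", "github.com", "raw.githubusercontent.com")
IMAGE_RE = re.compile(r'\s*(?:"([^"]+)"|(\S+))')
URL_RE = re.compile(r"https?://([^/\s\"')]+)", re.I)
DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b", re.I)
EXEC_RE = re.compile(r"\biex\b|invoke-expression|start-process|-enc(odedcommand)?\b", re.I)
WALLET_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")  # rough base58 wallet shape
DLL_EXPORT_RE = re.compile(r"\S+\.dll\s*,\s*\w+", re.I)

def extract_features(cmdline: str) -> Dict[str, object]:
    """Reduce one raw command line to the signals the scorer looks at."""
    m = IMAGE_RE.match(cmdline)
    raw_image = (m.group(1) or m.group(2)) if m else ""
    image = raw_image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    hosts = [h.lower() for h in URL_RE.findall(cmdline)]
    return {
        "image": image,
        "lolbin": image in LOLBINS,
        "length": len(cmdline),
        # Code fetched from a paste/code-hosting site and executed in the same line
        "paste_host": any(h == p or h.endswith("." + p) for h in hosts for p in PASTE_HOSTS),
        "download_exec": bool(DOWNLOAD_RE.search(cmdline)) and bool(EXEC_RE.search(cmdline)),
        # Wallet-like token (coin miner pattern); only weighted when the line is long
        "wallet_like": bool(WALLET_RE.search(cmdline)),
        # rundll32 invoking a DLL through a named export
        "dll_export": image == "rundll32.exe" and bool(DLL_EXPORT_RE.search(cmdline)),
        "script_host": image in {"wscript.exe", "cscript.exe", "mshta.exe"},
    }

def classify(cmdline: str) -> str:
    """'block' on the client, 'suspicious' (hand off for deeper analysis) or 'allow'."""
    f = extract_features(cmdline)
    score = (1 * f["lolbin"] + 3 * f["download_exec"] + 2 * f["paste_host"]
             + 4 * (f["wallet_like"] and f["length"] > 120)
             + 4 * f["dll_export"] + 1 * f["script_host"])
    if score >= 4:
        return "block"
    return "suspicious" if score >= 2 else "allow"

if __name__ == "__main__":
    for sample in (r"cmd.exe /c dir", r"wscript.exe C:\Users\Public\invoice.vbs"):
        print(f"{classify(sample):10} {sample}")
```

A real model learns these signals from data rather than hand-written regexes, which is why it generalizes across binaries instead of covering one script host at a time.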
When a malicious command line is blocked, Microsoft Defender for Endpoint raises an alert in the Microsoft Defender XDR portal and notifies the affected device that the command line was blocked.
With cyberattack data from over one billion protected endpoints and one of the most robust threat intelligence clouds that exists today, Microsoft is uniquely positioned to identify and respond quickly to attack strategies like malicious command lines.
More information:
- Learn more about the advanced technology at the core of Microsoft Defender Antivirus.
- Get started with Microsoft Defender for Endpoint.
- Learn about what’s new in Microsoft Defender for Endpoint.
Microsoft Defender for Endpoint disrupts ransomware with industry-leading endpoint security, providing comprehensive protection across all platforms and devices.