Detecting and remediating command and control attacks at the network layer
Published Oct 12 2022 08:00 AM

Overview

Update - 11/10/2022 - Network Protection command and control (C2) detection and remediation capabilities are now generally available in Microsoft Defender for Endpoint.

We are excited to announce the general availability of Network Protection command and control (C2) detection and remediation capabilities in Microsoft Defender for Endpoint. These enhancements help reduce the time it takes security operations (SecOps) teams to pinpoint and respond to malicious network threats that aim to compromise the endpoint.

Attackers often compromise existing internet-connected servers and turn them into their command and control servers. Once compromised, these servers are used to hide malicious traffic and to deploy the malicious bots that infect endpoints. Consider the attacker's ideal scenario: their malicious bots somehow circumvent an organization's existing defenses and introduce malware into the organization's environment through a user's device. The malware can be introduced in a number of ways: clicking a fraudulent link, downloading a suspicious file, or opening a seemingly legitimate email attachment. Once an endpoint is infected with this type of C2 malware, the compromised computer communicates back to the malicious C2 server, completely unbeknownst to the user (Figure 1). That outbound communication from the endpoint to the C2 server is what enables the attacker to gain full control of the endpoint.

This is problematic for security teams because other unprotected devices that communicate with the infected endpoint can become compromised themselves. This can lead to malware spreading across a network, often referred to as a "botnet" infection.

Figure 1: Sample C2 attack flow

To quickly detect and clean up these botnet infections, SecOps teams need precise alerts that accurately identify the areas of compromise and any previous connections to known malicious IPs. With the new capabilities in Microsoft Defender for Endpoint, SecOps teams can detect network C2 attacks earlier in the attack chain, minimize the spread by rapidly blocking further attack propagation, and reduce the time to mitigate by easily removing malicious binaries.

Prerequisites

See Protect your network for the full list of requirements.

How does network layer C2 detection and remediation work?

Detecting and blocking C2 connections at the network layer

This capability works by inspecting network packets and examining them for C2 malware configuration patterns. The Network Protection (NP) agent in Defender for Endpoint determines the true nature of a connection by matching the outbound connection's IP address, port, hostname, and other NP connection values against the Microsoft cloud. If the cloud-powered AI and scoring engines deem the connection malicious, the connection is blocked and the malware binaries on the endpoint are rolled back to the previous clean state.

Generating incident and alert notifications in the Microsoft 365 Defender portal

After detection, an alert surfaces under "Incidents and alerts" in the Microsoft 365 Defender portal (Figure 2), where the SecOps team can see the alert name, the severity level of the detection, the device status, and other details. Customers can drill into the alert for a full timeline and attack flow specific to their environment (Figure 3).

Figure 2: Alert page in the Microsoft 365 Defender portal

Figure 3: C2 attack flow timeline in the Microsoft 365 Defender portal

Testing/Validation: C2 detection and remediation

Once network protection has been enabled, you can test the C2-enhanced protection in your environment using PowerShell:

a.  Open a PowerShell prompt.

b.  Type: $Response = Invoke-WebRequest -URI https://commandcontrol.smartscreentestratings.com

c.  If the testing URL is successfully blocked, you will get (Figure 4):

    Invoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel.
    At line:1 char:13
    + $Response = Invoke-WebRequest -URI https://commandcontrol.smartscreen ...
    +             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
        + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

Figure 4: PowerShell output

d.  This is followed by a block notification (Figure 5).

Figure 5: Endpoint notification

e.  On the block notification, click:

  1. "OK" to dismiss the toast notification
  2. "Feedback" to open the network protection feedback page, where you can submit feedback to the Antimalware and Cybersecurity portal (Figure 6).

Figure 6: Web threat detections over time

f.  In the unlikely event the testing URL is not blocked, collect the MDE Client Analyzer output (aka.ms/MDEClientAnalyzer) and/or a browser F12 network trace, and send them together with your screenshot to the NP team (NP_C2_Support_Team@microsoft.com).

 
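The manual test in steps a through f can be scripted so the outcome is recorded alongside the endpoint's own Network Protection events. The following is an added example, not code from the original post or from the Defender product; it assumes Windows PowerShell 5.1 on an onboarded device, run as Administrator, and relies on Defender's documented Network Protection event IDs 1125 (audit-mode hit) and 1126 (block-mode hit) in the Microsoft-Windows-Windows Defender/Operational log.

```powershell
# Added example (not part of the original post): wraps the manual test from steps b-c
# and reads the resulting Network Protection events from the local Defender event log.
# Assumptions: Windows PowerShell 5.1, Defender for Endpoint onboarded, run as Administrator.

function Test-C2Block {
    param([string]$Uri = 'https://commandcontrol.smartscreentestratings.com')

    # EnableNetworkProtection: 0 = disabled, 1 = block, 2 = audit
    $mode = (Get-MpPreference).EnableNetworkProtection
    $result = [ordered]@{ Uri = $Uri; NetworkProtectionMode = $mode; Blocked = $false; Detail = '' }
    try {
        $null = Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 15
        $result.Detail = 'Request completed: the test URL was NOT blocked'
    } catch {
        $result.Detail = $_.Exception.Message
        # A Network Protection block surfaces as the SSL/TLS channel error shown in step c;
        # DNS or proxy failures produce different messages and are not counted as a block.
        $result.Blocked = $result.Detail -match 'SSL/TLS secure channel'
    }
    [pscustomobject]$result
}

function Get-NetworkProtectionEvents {
    param([int]$Minutes = 10)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126      # 1125 = audit-mode hit, 1126 = block-mode hit
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    }
    # Get-WinEvent throws when nothing matches, so suppress that and return nothing instead
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

$test = Test-C2Block
$test | Format-List
if (-not $test.Blocked) {
    Write-Warning 'Test URL not blocked. Verify NetworkProtectionMode is 1, then collect the MDE Client Analyzer output (step f).'
}
Get-NetworkProtectionEvents | Format-Table -AutoSize
```

On a correctly configured device the object shows Blocked = True with NetworkProtectionMode = 1, and the event listing shows a fresh 1126 entry for the test URL.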

Accessing the C2 detection and remediation report in the Microsoft 365 Defender portal

To access the report:

1. Go to the Microsoft 365 Defender portal (https://security.microsoft.com) and sign in.

2. Navigate to either of the following:

  1. Reports -> Security report -> Devices ->
    1. Web threat detection over time (Figure 7)
    2. Web threat summary (Figure 8)
  2. Reports -> Web Protection ->
    1. Web threat detection over time (Figure 7)
    2. Web threat summary (Figure 8)

Figure 7: Web threat detections over time

Figure 8: Web threat summary

Your feedback counts

We are excited to bring you a new enhancement to the Network Protection stack to further protect against command and control attacks. Try out this new capability and let us know what you think. Share your feedback with us at NP_C2_Support_Team@microsoft.com.

Last update: Mar 12 2023 08:35 AM