In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks
<blockquote data-quote="Andy Ful" data-source="post: 838495" data-attributes="member: 32260"><p>The new features described in the article are related to additional post-execution behavioral detection. So, this is a different kind of security from temporarily blocking the suspicious file with a delay period (10-60s) and analyzing it in the cloud.</p><p>This type of security is triggered when the attack uses many non-malicious (but suspicious) actions that can end with running the malicious payload filelessly.</p><p>For example, the initial file in the infection chain can be an innocent script that downloads a file from the Internet. This action cannot be classified as malicious by the AV without running this script and downloading the file from the Internet (assuming that the URL is fresh &amp; unknown). The downloaded file can be another script that downloads a legal but vulnerable program and some DLL. Again, this action cannot be classified as malicious until both files have been downloaded and analyzed by the AV.</p><p><span style="color: rgb(184, 49, 47)"><strong>In such multistage attacks, the AV cannot detect the malware until some actions related to the infection chain have been finished. That is the idea of post-execution behavioral detection.</strong></span></p><p>It is not clear if these new features are fully functional on Windows Home and Pro. But this can be tested on Malware Hub.</p><p>Behavior-based detections are named according to the MITRE ATT&amp;CK matrix to help identify the attack stage where the malicious behavior was observed:</p><table style='width: 100%'><tr><th><strong>Tactic</strong></th><th><strong>Detection threat name</strong></th></tr><tr><td>Initial Access</td><td>Behavior:Win32/InitialAccess.*!ml</td></tr><tr><td>Execution</td><td>Behavior:Win32/Execution.*!ml</td></tr><tr><td>Persistence</td><td>Behavior:Win32/Persistence.*!ml</td></tr><tr><td>Privilege Escalation</td><td>Behavior:Win32/PrivilegeEscalation.*!ml</td></tr><tr><td>Defense Evasion</td><td>Behavior:Win32/DefenseEvasion.*!ml</td></tr><tr><td>Credential Access</td><td>Behavior:Win32/CredentialAccess.*!ml</td></tr><tr><td>Discovery</td><td>Behavior:Win32/Discovery.*!ml</td></tr><tr><td>Lateral Movement</td><td>Behavior:Win32/LateralMovement.*!ml</td></tr><tr><td>Collection</td><td>Behavior:Win32/Collection.*!ml</td></tr><tr><td>Command and Control</td><td>Behavior:Win32/CommandAndControl.*!ml</td></tr><tr><td>Exfiltration</td><td>Behavior:Win32/Exfiltration.*!ml</td></tr><tr><td>Impact</td><td>Behavior:Win32/Impact.*!ml</td></tr><tr><td>Uncategorized</td><td>Behavior:Win32/Generic.*!ml</td></tr></table><p>Malicious scripts blocked by AMSI-paired machine models are reported in Microsoft Defender Security Center using threat names like the following:</p><ul> <li data-xf-list-type="ul">Trojan:JS/Mountsi.A!ml</li> <li data-xf-list-type="ul">Trojan:Script/Mountsi.A!ml</li> <li data-xf-list-type="ul">Trojan:O97M/Mountsi.A!ml</li> <li data-xf-list-type="ul">Trojan:VBS/Mountsi.A!ml</li> <li data-xf-list-type="ul">Trojan:PowerShell/Mountsi.A!ml</li> </ul></blockquote>
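The post's table ties each Behavior:Win32/&lt;Family&gt;.*!ml name to an ATT&amp;CK tactic, and the AMSI list ties script verdicts to a platform token. The triage helper below is an added example, not code from the post or from Microsoft: it assumes the name layout Type:Platform/Family.Variant!Suffix, parses a batch of threat names as a SOC analyst might pull them from Security Center, and reports the furthest tactic in matrix order that behavior blocking observed, so the analyst can see how far along the infection chain the attack got before it was stopped.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# ATT&CK tactic order used in the post's table (Initial Access ... Impact).
TACTICS = ["Initial Access", "Execution", "Persistence", "Privilege Escalation",
           "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
           "Collection", "Command and Control", "Exfiltration", "Impact"]
# The family token in a Behavior:Win32/<Family>.*!ml name is the tactic with
# spaces removed; the catch-all "Generic" family is listed as "Uncategorized".
FAMILY_TO_TACTIC = {t.replace(" ", ""): t for t in TACTICS}
FAMILY_TO_TACTIC["Generic"] = "Uncategorized"
STAGE = {t: i for i, t in enumerate(TACTICS)}

# Script platforms from the AMSI-paired model examples in the post.
AMSI_SCRIPT_PLATFORMS = {"JS", "Script", "O97M", "VBS", "PowerShell"}

# Name layout assumed here (not an official grammar): <Type>:<Platform>/<Family>[.<Variant>][!<Suffix>]
NAME_RE = re.compile(r"^(?P<type>\w+):(?P<platform>\w+)/(?P<family>\w+)"
                     r"(?:\.(?P<variant>\w+))?(?:!(?P<suffix>\w+))?$")

@dataclass
class Detection:
    threat_type: str
    platform: str
    family: str
    variant: Optional[str]
    suffix: Optional[str]

    def tactic(self) -> Optional[str]:
        """Tactic for Behavior:Win32/<Family> names, else None."""
        if self.threat_type == "Behavior" and self.platform == "Win32":
            return FAMILY_TO_TACTIC.get(self.family)
        return None

    def is_amsi_ml_script(self) -> bool:
        """True for ML (!ml) script verdicts such as Trojan:PowerShell/Mountsi.A!ml."""
        return self.suffix == "ml" and self.platform in AMSI_SCRIPT_PLATFORMS

def parse_threat_name(name: str) -> Optional[Detection]:
    m = NAME_RE.match(name.strip())  # groups are in Detection field order
    return Detection(*m.groups()) if m else None

def furthest_stage(names: Iterable[str]) -> Optional[str]:
    """Latest ordered tactic seen across behavior detections (Uncategorized ignored)."""
    seen = [d.tactic() for d in map(parse_threat_name, names) if d]
    ordered = [t for t in seen if t in STAGE]
    return max(ordered, key=STAGE.get) if ordered else None
```

Names that do not fit the assumed layout come back as None rather than being guessed at, so unfamiliar detection formats surface for manual review instead of being silently misfiled.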