We are happy to announce the general availability of endpoint detection and response (EDR) in block mode in Microsoft Defender for Endpoint. EDR in block mode turns EDR detections into real-time blocking of malicious behaviors, malware, and artifacts. It uses Microsoft Defender for Endpoint’s industry-leading visibility and detection capabilities and Microsoft Defender Antivirus’s built-in blocking function to provide an additional layer of post-breach protection in cases where the primary antivirus misses a threat.

EDR in block mode extends the behavioral blocking and containment capabilities in Microsoft Defender for Endpoint, disrupting attack chains that could allow attackers to gain a foothold on a machine and, consequently, a network. For each malicious behavior or piece of malware blocked, EDR in block mode raises an alert in Microsoft Defender Security Center, enabling security teams to perform additional investigation and hunting and to comprehensively resolve attacks.

Since becoming available for public preview in August, EDR in block mode has helped customers stop a wide range of threats, particularly in cases where Microsoft Defender Antivirus isn’t the primary antivirus. Below we describe an IcedID campaign, one of many attacks foiled by EDR in block mode. In this incident, the organization’s non-Microsoft antivirus solution missed the malware, but Microsoft Defender for Endpoint picked up the malicious behavior. EDR in block mode kicked in and protected the machine from a series of malicious activities that included evasive attacker techniques like process hollowing and steganography, which would have led to the deployment of the info-stealing IcedID malware.

Figure 1. IcedID attack chain stopped by EDR in block mode (diagram of the attack chain, with labels identifying the stage at which the attack was stopped)

How EDR in block mode stopped an IcedID attack

On October 13, attackers launched a new campaign to distribute the IcedID malware. IcedID is a banking trojan that resides in memory, monitors traffic to banking domains and financial websites, and steals sensitive financial information. It has also been observed to modify site content to redirect traffic to malicious websites for the same purpose.

As in many past IcedID campaigns, this attack started with an email carrying a malicious attachment, in this case, a password-protected archive file. The emails employed the fake reply technique and contained the password to the archive file.

Figure 2. Spear-phishing email used in the IcedID campaign (screenshot)

The archive file contained a document with malicious obfuscated macro code. When enabled, the malicious macro connects to a remote website to attempt to download the IcedID loader, which would in turn download and run the main IcedID malware.

Figure 3. Document with malicious macro (screenshot of the document and its obfuscated macro code)

In customer environments protected by Microsoft Defender for Endpoint with Microsoft Defender Antivirus as the primary antivirus, the attack was blocked. Microsoft Defender for Endpoint uses the Antimalware Scan Interface (AMSI) and specialized machine learning classifiers on the client and in the cloud to detect malicious macro behavior.

In one environment that wasn’t using Microsoft Defender Antivirus, the primary antivirus solution missed the campaign, so when the user opened the document and enabled the macro, the malicious code started connecting to the command-and-control (C2) server. Microsoft Defender for Endpoint’s EDR capabilities, however, detected the malicious macro behavior.

Figure 4. Microsoft Defender Security Center alert for malicious macro behavior (screenshot)

EDR in block mode, which was enabled on the environment, kicked in and instantly blocked the malicious document, preventing a chain of evasive attacker activities that could have led to the IcedID malware being installed.

Figure 5. Microsoft Defender Security Center alert for the blocked IcedID malware (screenshot)

The attack that could have been

This IcedID campaign shows why blocking malicious behavior and attacks in real time, especially in the earlier stages of the attack, is critical to preventing the full impact of threats. After gaining access to a machine, attackers bring in sophisticated tools and use advanced techniques to operate stealthily on a system.

For example, if the IcedID macro isn’t blocked from running, it downloads a DLL file disguised as a CAB file from hxxp://h4dv4c1w[.]com/ryfu/bary[.]php?l=konu13[.]cab. This DLL file is saved as [random].txt and is executed using regsvr32.exe. The DLL then downloads jazzcity.top, an encrypted PNG file that contains malware code. This technique of hiding malicious code in image files, called steganography, is used by attackers to evade detection.

When decrypted, the PNG file creates an msiexec.exe process and uses process hollowing, a stealthy cross-process injection technique, to inject malicious code. The hollowed-out msiexec.exe process then creates the file joavript.dll, which is the decrypted IcedID malware.

Once in memory, the IcedID malware acts as a man-in-the-middle between the browser and the banking site. It does this by creating a self-signed certificate and by hooking the browser to accept this certificate. This allows IcedID to monitor HTTPS traffic to online banking sites and to manipulate and steal information.
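As an added illustration of how the chain above can be expressed as detection logic (example code, not from the post or from Microsoft), the rules below run over constructed process-creation and file-write telemetry and flag each stage the post describes: an Office process spawning regsvr32.exe, regsvr32.exe loading a .txt that is really a DLL, msiexec.exe spawned by regsvr32.exe, and the hollowed msiexec.exe writing a DLL. All event values, paths, and the rule threshold are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Event:
    kind: str            # "process" (creation) or "file" (write)
    image: str           # acting process name, lowercase
    parent: str = ""     # parent process name for "process" events
    cmdline: str = ""    # command line for "process" events
    path: str = ""       # written path for "file" events

# Constructed sample telemetry mirroring the chain in the post: Office macro ->
# regsvr32 loading a ".txt" that is really a DLL -> hollowed msiexec.exe ->
# dropped IcedID DLL. The last event is a benign installer launch for contrast.
SAMPLE = [
    Event("process", "winword.exe", "explorer.exe", '"WINWORD.EXE" /n invoice.doc'),
    Event("process", "regsvr32.exe", "winword.exe",
          r"regsvr32.exe C:\Users\u\AppData\Local\Temp\a1b2c3.txt"),
    Event("process", "msiexec.exe", "regsvr32.exe", "msiexec.exe"),
    Event("file", "msiexec.exe", path=r"C:\ProgramData\joavript.dll"),
    Event("process", "msiexec.exe", "services.exe", "msiexec.exe /V"),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
DISGUISES = (".txt", ".cab", ".png", ".dat")   # non-DLL extensions loaded as code

def office_spawns_regsvr32(e: Event) -> bool:
    return e.kind == "process" and e.image == "regsvr32.exe" and e.parent in OFFICE

def regsvr32_loads_nondll(e: Event) -> bool:
    """regsvr32 asked to register a module whose extension is a disguise, not .dll/.ocx."""
    if e.kind != "process" or e.image != "regsvr32.exe":
        return False
    return any(t.lower().endswith(DISGUISES) for t in e.cmdline.split()[1:])

def msiexec_child_of_regsvr32(e: Event) -> bool:
    """msiexec.exe is normally started by the installer service, not by regsvr32."""
    return e.kind == "process" and e.image == "msiexec.exe" and e.parent == "regsvr32.exe"

def msiexec_drops_dll(e: Event) -> bool:
    return e.kind == "file" and e.image == "msiexec.exe" and e.path.lower().endswith(".dll")

RULES = (office_spawns_regsvr32, regsvr32_loads_nondll,
         msiexec_child_of_regsvr32, msiexec_drops_dll)

def evaluate_chain(events):
    """Return (rule_name, process) for every event that trips a rule."""
    return [(r.__name__, e.image) for e in events for r in RULES if r(e)]

def is_icedid_like(events, min_rules=3):
    """Flag the host when at least min_rules distinct stages of the chain fire."""
    return len({name for name, _ in evaluate_chain(events)}) >= min_rules
```

Scoring on distinct stages rather than on any single rule keeps a lone legitimate regsvr32 or msiexec launch from alerting while the full chain still does.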

EDR in block mode: Transforming EDR visibility into real-time blocking

With endpoint detection and response (EDR) in block mode, now generally available, Microsoft Defender for Endpoint offers another layer of post-breach protection when attacks manage to slip past the primary antivirus solution. An extension of the behavioral blocking and containment capabilities, EDR in block mode stops attacks cold when it detects malicious behavior, malware implants, and other artifacts. It stops and blocks malicious behavior in real time, even if a threat has already started to run, helping ensure that attacks are not allowed to proceed and achieve their endgame.

EDR in block mode can be enabled through the advanced features settings in Microsoft Defender Security Center. Organizations that have not enabled this feature will also get a security recommendation to do so via the threat and vulnerability management feature. To learn more, read the EDR in block mode documentation.

Figure 6. Enabling EDR in block mode under advanced features in Microsoft Defender Security Center (screenshot of the advanced settings page)

EDR in block mode is part of the comprehensive endpoint protection provided by Microsoft Defender for Endpoint, which delivers preventive protection, post-breach detection, automated investigation, and response. Learn how you can secure your organization with Microsoft Defender for Endpoint.

The post EDR in block mode stops IcedID cold appeared first on Microsoft Security.
