Defender for Endpoint: Catching Custom Malware Threats

How to Ensure Threat Detection for Custom Malware in Defender for Endpoint

Question

Recently, your organization has been targeted by a custom malware package.

While the files used are constantly changing, the command and control URL is always the same.

How can you ensure this threat is caught in Defender for Endpoint?

Answers

Explanations


Correct Answer: A.

[Screenshot: Microsoft Defender Security Center, Settings > Advanced features. Toggles visible include Automatically resolve alerts, Allow or block file, Custom network indicators, Show user details, Skype for business integration, Azure ATP integration and Office 365 Threat Intelligence connection. The relevant one reads:]

Custom network indicators
Configures machines to allow or block connections to IP addresses, domains, or URLs in your custom indicator lists. To use this feature, machines must be running Windows 10 v… or later. They should also have network protection in block mode and version 4.18.1906.3 or later of the antimalware platform (see KB 4052623). Note that network protection leverages reputation services that process requests in locations that might be outside of the location you have selected for your Microsoft Defender ATP data.

[Screenshot: Microsoft Defender Security Center, Settings > Rules > Indicators. Tabs: File hashes, IP addresses, URLs/Domains. Buttons: Import, + Add indicator. Available capacity: 1005/5000.]

Reference:

The best approach to ensure the threat is caught in Defender for Endpoint is to add the command and control URL as an Indicator of Compromise (IoC) in Security Center. An IoC is an artifact or anomaly that provides evidence of an intrusion or security compromise. When the IoC is matched, it triggers an alert that can be used to investigate and remediate the threat.

Blocking the command and control URL on all firewalls in the organization is also an effective way to prevent the malware from communicating with its command and control server. However, it may not be sufficient to catch the threat in Defender for Endpoint: the malware may still be present on the endpoint, and it can cause damage before its traffic is blocked by the firewall.

Blocklisting the URL in Security Center is also an option, but it may not be the best approach because it only blocks the URL without providing any further insight or context about the threat.

Allowlisting the URL in Security Center is not recommended, as it allows the URL to bypass the security measures in place, including Defender for Endpoint.

In summary, the best approach to catch the threat in Defender for Endpoint is to add the command and control URL as an IoC in Security Center, which triggers alerts and allows for further investigation and remediation of the threat.
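The IoC approach described above in practice, as an added example that is not part of the original page: a Python helper that builds the indicator body for the Defender for Endpoint Indicators API (POST https://api.securitycenter.microsoft.com/api/indicators) and submits it. Field names and action values follow Microsoft's Indicators API documentation as I know it; the C2 URL and the bearer token are placeholders, and the "Allowed" action is rejected because it is the allowlisting case the explanation warns against.

```python
# Added example, not code from the original page: build and submit a Defender
# for Endpoint custom network indicator for the malware's C2 URL.  Field names
# follow Microsoft's Indicators API docs; token and C2 URL are placeholders.
import json
import urllib.request

INDICATORS_ENDPOINT = "https://api.securitycenter.microsoft.com/api/indicators"

# Response actions the API accepts.  "Allowed" is the allowlist case the
# explanation rejects, "Block" is blocklist-only (no alert, no context), and
# "AlertAndBlock" both stops the connection and raises an alert to investigate.
VALID_ACTIONS = {"Alert", "Warn", "Block", "Audit", "BlockAndRemediate",
                 "AlertAndBlock", "Allowed"}
VALID_SEVERITIES = {"Informational", "Low", "Medium", "High"}


def build_c2_indicator(c2_url, action="AlertAndBlock", severity="High",
                       expiration_time=None):
    """Return the JSON body for a URL indicator covering the C2 address."""
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if action == "Allowed":
        raise ValueError("allowlisting a C2 URL bypasses Defender's protection")
    if severity not in VALID_SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    body = {
        "indicatorValue": c2_url,
        "indicatorType": "Url",       # one indicator covers every changing sample
        "action": action,
        "severity": severity,
        "title": "Custom malware C2 URL",
        "description": "C2 URL shared by the custom malware; the dropped files "
                       "keep changing but this URL does not.",
        "recommendedActions": "Isolate the device and collect the dropped files.",
        "generateAlert": True,
    }
    if expiration_time:               # ISO 8601, e.g. "2025-12-31T00:00:00Z"
        body["expirationTime"] = expiration_time
    return body


def submit_indicator(body, access_token):
    """POST the indicator; needs an app token with the Ti.ReadWrite permission."""
    req = urllib.request.Request(
        INDICATORS_ENDPOINT, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Call `submit_indicator(build_c2_indicator("<C2_URL>"), "<ACCESS_TOKEN>")` with the real URL and an app token to create the indicator; the new entry then appears under Settings > Rules > Indicators on the URLs/Domains tab.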