Full Report
Microsoft is testing a new Defender for Endpoint capability that will block traffic to and from undiscovered endpoints to thwart attackers' lateral network movement attempts. [...]
Analysis Summary
# Tool/Technique: Contain IP Policy (Defender for Endpoint)
## Overview
The Contain IP policy within Microsoft Defender for Endpoint is a security feature designed for **automatic attack disruption**. Its purpose is to automatically block the network communication of a malicious IP address associated with an undiscovered or unmanaged endpoint immediately upon detection, thereby preventing potential spread or further malicious activity.
## Technical Details
- Type: Tool/Defensive Feature
- Platform: Windows 10, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019+ (and related Defender for Endpoint supported OS versions covered by the isolation features described).
- Capabilities: Automatic blocking of malicious IP addresses associated with undiscovered devices; granular containment by blocking specific ports and directions; ability to manually undo containment.
- First Seen: The article implies recent enhancement/rollout related to undiscovered devices, building upon existing isolation features (which have been evolving since June 2022).
## MITRE ATT&CK Mapping
Since this is a defensive/containment measure targeting detected threats, the primary relevant mappings relate to the effect it has on attacker actions, primarily blocking Execution, Lateral Movement, and Command and Control. However, the feature itself is a **Mitigation**.
If we consider the techniques it is designed to stop:
- TA0011 - Command and Control
- TA0008 - Lateral Movement
- TA0002 - Execution
The technique related to the *state* it enforces (network restriction):
- **T1089 - Defense Evasion** (An attacker attempting to maintain C2 after being detected would run into this block. Although the feature is primarily a mitigation, it counters evasion attempts.)
- **Mitigation: M1026 - User Account Isolation** (Indirectly, by isolating the compromised asset.)
- **Mitigation: M1030 - Network Segmentation** (Functionally similar to network segmentation applied automatically to the compromised host.)
## Functionality
### Core Capabilities
- **Automatic Containment:** Automatically blocks a malicious IP address once Defender for Endpoint detects it is associated with an undiscovered or unonboarded device.
- **Attack Incrimination:** Incriminates the malicious device and identifies its role to apply matching containment policies.
- **Granular Blocking:** Implements containment by blocking only specific communication ports and directions, rather than a full network shutdown, where applicable.
### Advanced Features
- **Undo Functionality:** Administrators can explicitly restore network connectivity to the contained IP address via the "Action Center" by selecting the "Undo" action on the "Contain IP" action.
- **Endpoint Isolation Precedent:** This feature is an advancement of existing capabilities, which include isolating hacked/unmanaged Windows devices (since June 2022) and extensions for Linux/macOS endpoints.
## Indicators of Compromise
*Note: Since this tool is a defensive measure within Microsoft Defender, it does not generate IoCs for itself. It relies on detecting IoCs generated by the malware.*
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: The feature acts upon detected malicious IP addresses associated with compromised hosts. (No specific threat IPs listed in context).
- Behavioral Indicators: Detection of communication originating from an unonboarded/undiscovered IP address flagged as malicious, triggering an automatic network block.
## Associated Threat Actors
The feature is designed to counter all threat actors who utilize compromised, unmanaged, or undiscovered endpoints to maintain persistence or conduct lateral movement. The context mentions attacks by "Russian hackers" in a separate item, but this containment feature targets the *mechanism* of compromise used by any actor.
## Detection Methods
- Signature-based detection: N/A (The feature relies on Microsoft's internal threat intelligence feeding Defender's detection engine).
- Behavioral detection: Detection relies on Defender's behavioral analysis identifying communication pointing to known malicious infrastructure or abnormal lateral movement patterns.
- YARA rules if available: N/A
## Mitigation Strategies
- **Enable Contain IP Policy:** Ensure the "Contain IP policy" is configured and active within the Defender for Endpoint security settings.
- **Endpoint Onboarding:** Make full use of Defender for Endpoint configuration to ensure all production endpoints are onboarded, minimizing the number of "undiscovered" devices that can only be handled by this automatic containment response rather than by full endpoint management.
- **Review Action Center:** Regularly monitor the Action Center in Defender for Endpoint for automatic containment events and verify the necessity of the block or perform remediation actions.
- **Review Granular Containment:** Understand the baseline granular containment rules to ensure necessary business functions are not inadvertently halted while the device is under investigation.
## Related Tools/Techniques
- Defender for Endpoint Device Isolation (Prior capability for isolating hacked/unmanaged Windows devices).
- Automatic Attack Disruption (The broader framework within which this containment operates, also used for isolating compromised user accounts).
- Network Segmentation (Related security concept).
- Incident Response Automation (General category for automated containment actions).