client behavioral blocking

windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md

@@ -60,6 +60,22 @@ Expect more to come in the area of behavioral blocking and containment, as Micro
 
 ## Examples of behavioral blocking and containment in action
 
+Behavioral blocking and containment capabilities have blocked attacker techniques such as the following:
+
+- Credential dumping from LSASS
+- Cross-process injection
+- Process hollowing
+- User Account Control bypass
+- Tampering with antivirus (such as disabling it or adding the malware as exclusion)
+- Contacting Command and Control (C&C) to download payloads
+- Coin mining
+- Boot record modification
+- Pass-the-hash attacks
+- Installation of root certificate
+- Exploitation attempt for various vulnerabilities
+
+Below are two real-life examples of behavioral blocking and containment in action.
+
 ### Example 1: Credential theft attack against 100 organizations
 
 As described in [In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks](https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks), a credential theft attack against 100 organizations around the world was stopped by behavioral blocking and containment capabilities. Spear-phishing email messages that contained a lure document were sent to the targeted organizations. If a recipient opened the attachment, a related remote document was able to execute code on the user’s device and load Lokibot malware, which stole credentials, exfiltrated stolen data, and waited for further instructions from a command-and-control server. 

windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md

@@ -26,7 +26,7 @@ ms.collection:
 
 ## Overview
 
-Client behavioral blocking is a component of [behavioral blocking and containment capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) in [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/). As threats are detected on devices (clients), they are blocked, checked, and remediated automatically. 
+Client behavioral blocking is a component of [behavioral blocking and containment capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) in Microsoft Defender ATP. As suspicious behaviors are detected on devices (also referred to as clients or endpoints), artifacts (such as files or applications) are blocked, checked, and remediated automatically. 
 
 :::image type="content" source="images/pre-execution-and-post-execution-detection-engines.png" alt-text="Cloud and client protection":::
 
@@ -34,8 +34,32 @@ Antivirus protection works best when paired with cloud protection.
 
 ## How client behavioral blocking works
 
-[Microsoft Defender Antivirus](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) can identify malicious behavior, detect malicious code, detect fileless and in-memory attacks, and more on a device. When suspicious behaviors, Microsoft Defender Antivirus monitors and sends suspicious behaviors and process trees to the cloud protection service. Machine learning differentiates between malicious applications and good behaviors within milliseconds, and classifies each artifact. In almost real time, as soon as an artifact is found to be malicious, it's blocked on the device.
+[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) can detect suspicious behavior, malicious code, fileless and in-memory attacks, and more on a device. When suspicious behaviors are detected, Microsoft Defender Antivirus monitors and sends those suspicious behaviors and their process trees to the cloud protection service. Machine learning differentiates between malicious applications and good behaviors within milliseconds, and classifies each artifact. In almost real time, as soon as an artifact is found to be malicious, it's blocked on the device. 
 
+Whenever a suspicious behavior is detected, an alert is generated, and is visible in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
+
+Client behavioral blocking is effective because it not only helps prevent an attack from starting, it can help stop an attack that has begun executing. And, with [feedback-loop blocking](feedback-loop-blocking.md) (another capability of behavioral blocking and containment), attacks are prevented on other devices in your organization.
+
+## Behavior-based detections
+
+Behavior-based detections are named according to the [MITRE ATT&CK Matrix for Enterprise](https://attack.mitre.org/matrices/enterprise). The naming convention helps identify the attack stage where the malicious behavior was observed:
+
+
+|Tactic |	Detection threat name |
+|----|----|
+|Initial Access	| Behavior:Win32/InitialAccess.*!ml |
+|Execution	|Behavior:Win32/Execution.*!ml |
+|Persistence	|Behavior:Win32/Persistence.*!ml |
+|Privilege Escalation	|Behavior:Win32/|PrivilegeEscalation.*!ml |
+|Defense Evasion	|Behavior:Win32/DefenseEvasion.*!ml |
+|Credential Access	|Behavior:Win32/CredentialAccess.*!ml |
+|Discovery	|Behavior:Win32/Discovery.*!ml |
+|Lateral Movement |	Behavior:Win32/LateralMovement.*!ml |
+|Collection |	Behavior:Win32/Collection.*!ml |
+|Command and Control | Behavior:Win32/CommandAndControl.*!ml |
+|Exfiltration	| Behavior:Win32/Exfiltration.*!ml |
+|Impact	| Behavior:Win32/Impact.*!ml |
+|Uncategorized	| Behavior:Win32/Generic.*!ml |
 
 ## Configuring client behavioral blocking
 
@@ -55,6 +79,8 @@ If your organization is using Microsoft Defender ATP, client behavioral blocking
 
 - [Behavioral blocking and containment](behavioral-blocking-containment.md)
 
+- [Feedback-loop blocking](feedback-loop-blocking.md)
+
 - [(Blog) Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection/)
 
 - [Helpful Microsoft Defender ATP resources](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/helpful-resources)