1. Threat Overview
Microsoft is testing a new Defender for Endpoint capability that automatically isolates compromised endpoints to prevent lateral movement. It applies to organizations using the Defender for Endpoint solution and is currently in testing. The threat it counters aims to disrupt network defenses by moving laterally from a compromised endpoint.
2. Key Intelligence Points
1. Microsoft is testing a new Defender for Endpoint capability to automatically isolate compromised endpoints.
2. The affected scope is organizations using the Defender for Endpoint solution.
3. The attack chain involves compromising endpoints to move laterally across the network.
4. Detection opportunities include monitoring for unusual network activity and endpoint behavior.
3. MITRE ATT&CK Techniques
T1021.002: Remote Services: Windows Remote Management (WinRM)
4. Mitigation & Detection
Implement the new Defender for Endpoint capability or configure network segmentation to isolate compromised endpoints.