
Microsoft Details How Defender Protects High-Value Assets in Real-World Attacks

Microsoft has introduced major upgrades to its Defender platform, focusing on protecting High-Value Assets (HVAs) such as domain controllers and critical web servers from advanced cyberattacks.

These improvements aim to address a growing trend where attackers target core infrastructure to gain deep access into enterprise networks.

According to Microsoft, over 78% of human-operated cyberattacks successfully compromise at least one critical asset.

Once attackers gain control of systems like domain controllers, they can escalate privileges and move laterally across the network with ease.

Traditional security tools often fail to detect such activity because attackers use legitimate administrative tools that appear normal without proper context.

To solve this challenge, Microsoft has integrated a new context-aware approach powered by its Security Exposure Management tool.

This system automatically identifies and classifies devices and cloud resources based on their importance to the organization.

By tagging systems with criticality levels, Defender can apply stricter protections where they matter most.

The platform continuously learns normal behavior patterns for each high-value asset using cloud intelligence.

When unusual activity occurs, especially on Tier-0 systems, it elevates weak signals into high-confidence alerts.

This allows security teams to detect and respond to threats earlier, reducing the risk of widespread damage.

Figure: High-value asset protection scenario demonstrating how Microsoft Defender detects and blocks domain controller credential theft using critical asset context.

Microsoft also shared a real-world attack scenario involving a domain controller. In this case, an attacker attempted to extract the NTDS database using a scheduled task, a method that typically blends in with routine backup operations.

However, Defender identified the system as a critical asset and recognized the suspicious behavior within its broader context.

The platform immediately blocked the action and disabled the compromised administrator account, preventing further escalation.
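The criticality-weighted scoring described above can be sketched as follows. This is an added example, not Microsoft's implementation or code from the original article; every device name, tier, weight, threshold and event field is a constructed assumption.

```python
from dataclasses import dataclass

# All names, tiers, weights and thresholds below are constructed for illustration.
ASSET_TIER = {"dc01": 0, "web01": 1, "wks-114": 3}   # 0 = most critical (Tier-0)
TIER_MULTIPLIER = {0: 3, 1: 2}                        # every other tier: x1

# Per-asset baseline of (initiator, operation) pairs seen during normal operation.
BASELINE = {
    "dc01": {("backup_service", "volume_snapshot"), ("directory_service", "ntds_db_read")},
    "wks-114": {("scheduled_task", "file_copy")},
}

@dataclass(frozen=True)
class Event:
    device: str
    initiator: str    # what launched the activity
    operation: str    # what the activity touched
    account: str
    base_score: int   # 0-100 confidence of the raw signal taken on its own

def evaluate(ev: Event) -> dict:
    """Score one event using asset criticality and deviation from the baseline."""
    tier = ASSET_TIER.get(ev.device, 3)               # unknown devices get the lowest tier
    known = (ev.initiator, ev.operation) in BASELINE.get(ev.device, set())
    score = ev.base_score
    if not known:                                     # behaviour not seen before on this asset
        score *= TIER_MULTIPLIER.get(tier, 1)         # weight the deviation by criticality
    score = min(score, 100)
    severity = "high" if score >= 80 else "medium" if score >= 50 else "low"
    actions = []
    if severity == "high" and tier == 0:              # containment steps from the scenario above
        actions = ["block_operation", f"disable_account:{ev.account}"]
    return {"device": ev.device, "score": score, "severity": severity, "actions": actions}

# Constructed events: the same weak signal (base_score 30) in three contexts.
EVENTS = [
    Event("dc01", "scheduled_task", "ntds_db_copy", "adm-jdoe", 30),
    Event("wks-114", "scheduled_task", "file_copy", "jdoe", 30),
    Event("dc01", "backup_service", "volume_snapshot", "svc-backup", 30),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(evaluate(ev))
```

Only the first event is both new to its asset's baseline and located on a Tier-0 system, so it alone is raised to high severity with containment actions; the routine backup on the same domain controller stays low.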

In addition to protecting identity infrastructure, Defender now enhances security for internet-facing systems such as IIS-based web servers.

These systems are frequent targets for webshell attacks. With its new capabilities, Defender applies deeper inspection of commonly abused directories.

This approach has already helped detect and remove previously unknown webshells that bypassed traditional perimeter defenses.

The platform also monitors sensitive operations involving credential stores, registry hives, and identity-related data.

By analyzing process chains on critical servers, Defender can stop attackers attempting to extract credentials through techniques like directory replication or Entra Connect abuse.

Microsoft emphasizes that organizations should prioritize securing high-value assets first. Strengthening defenses around these systems provides a greater reduction in overall risk compared to focusing only on standard endpoints.

Additionally, faster investigation and response to alerts involving critical infrastructure are essential to minimizing the impact of modern cyberattacks.


The post Microsoft Details How Defender Protects High-Value Assets in Real-World Attacks appeared first on Cyber Security News.

rssfeeds-admin
