{"id":29559,"date":"2019-10-08T15:00:11","date_gmt":"2019-10-08T15:00:11","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=89968"},"modified":"2019-10-08T15:00:11","modified_gmt":"2019-10-08T15:00:11","slug":"in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\/","title":{"rendered":"In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks"},"content":{"rendered":"<p>Our experience in detecting and blocking threats on millions of endpoints tells us that attackers will stop at nothing to circumvent protections. Even one gap in security can be disastrous to an organization.<\/p>\n<p>At Microsoft, we don\u2019t stop finding new ways to fill in gaps in security. We go beyond strengthening existing defenses by introducing new and innovative layers of protection. While our <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/08\/23\/gartner-names-microsoft-a-leader-in-2019-endpoint-protection-platforms-magic-quadrant\/\">industry-leading<\/a> <a href=\"https:\/\/www.microsoft.com\/en-us\/microsoft-365\/windows\/microsoft-defender-atp\">endpoint protection platform<\/a> stops threats before they can even run, we continue improving protections for instances where sophisticated adversarial attacks manage to slip through.<\/p>\n<p>Multiple layers of protection mean multiple hurdles that attackers need to overcome to perpetrate attacks. 
We continuously innovate <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/06\/24\/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection\/\">threat and malware prevention engines<\/a> on the client and in the cloud to add more protection layers that detect and block sophisticated and evasive threats before they can even run.<\/p>\n<p>In recent months, we introduced two machine learning protection features within the <strong>behavioral blocking and containment capabilities<\/strong> in <a href=\"https:\/\/www.microsoft.com\/en-us\/WindowsForBusiness\/windows-atp\">Microsoft Defender Advanced Threat Protection<\/a>. In keeping with the defense in depth strategy, coupled with the \u201cassume breach\u201d mindset, these new protection engines specialize in detecting threats by analyzing behavior, and adding new layers of protection after an attack has successfully started running on a machine:<\/p>\n<ul>\n<li><strong>Behavior-based machine learning<\/strong> identifies suspicious process behavior sequences and advanced attack techniques observed on the client, which are used as triggers to analyze the process tree behavior using real-time machine learning models in the cloud<\/li>\n<li><strong>AMSI-paired machine learning<\/strong> uses pairs of client-side and cloud-side models that integrate with Antimalware Scan Interface (<a href=\"https:\/\/www.microsoft.com\/en-us\/WindowsForBusiness\/windows-atp\">AMSI<\/a>) to perform advanced analysis of scripting behavior pre- and post-execution to catch advanced threats like fileless and in-memory attacks<\/li>\n<\/ul>\n<p>The figure below illustrates how the two behavior-based machine learning protections enrich post-breach detections:<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig1-pre-execution-and-post-execution-detection-engines.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter 
size-full wp-image-89978\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig1-pre-execution-and-post-execution-detection-engines.png\" alt width=\"1906\" height=\"1122\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig1-pre-execution-and-post-execution-detection-engines.png 1906w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig1-pre-execution-and-post-execution-detection-engines-300x177.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig1-pre-execution-and-post-execution-detection-engines-768x452.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig1-pre-execution-and-post-execution-detection-engines-1024x603.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig1-pre-execution-and-post-execution-detection-engines-440x260.png 440w\" sizes=\"auto, (max-width: 1906px) 100vw, 1906px\"><\/a><\/p>\n<p><em>Figure 1. Pre and post-execution detection engines in Microsoft Defender ATP\u2019s antivirus capabilities<\/em><\/p>\n<p>The pre-execution and post-execution detection engines make up two important components of comprehensive threat and malware prevention. They reflect the defense in depth principle, which entails multiple layers of protection for thorough, wide-range defense.<\/p>\n<p>In detecting post-execution behavior, using machine learning is critical. Many attack techniques are also used by legitimate applications. For example, a very common, documented method used by both clean applications and malware is creating a service for persistence.<\/p>\n<p>To distinguish between malicious and clean applications when an attack technique is observed, Windows Defender Antivirus monitors and sends suspicious behaviors and process trees to the cloud protection service for real-time classification by machine learning. 
Cloud-based post-execution detection engines isolate known good behaviors from malicious intent to stop attacks in real time.<\/p>\n<p>Within milliseconds of an attack technique or suspicious script execution being observed, machine learning classifiers return a verdict and the client blocks the threat. The pre-execution models then learn from these malicious blocks afterwards to protect Microsoft Defender ATP customers before attacks can begin executing new cycles of infection.<\/p>\n<h2>How behavioral blocking and containment protected 100 organizations from credential theft<\/h2>\n<p>In early July, attackers launched a highly targeted credential theft attack against 100 organizations around the world, primarily in the United Arab Emirates, Germany, and Portugal. The goal of the attack was to install the notorious info-stealing backdoor Lokibot and to exfiltrate sensitive data.<\/p>\n<p>Behavioral blocking and containment capabilities in Microsoft Defender ATP detected and foiled the attack in its early stages, protecting customers from damage.<\/p>\n<p>Spear-phishing emails carrying lure documents were sent to the target organizations; in one instance, three distinct highly targeted emails with the same lure document were delivered to a single pharmaceutical ingredient supplier. 
The attacker used pharmaceutical industry jargon to improve the credibility of the email and in one case requested a quote on an ingredient that the target company was likely to produce.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-89970\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig2-spear-phishing-email.png\" alt width=\"1308\" height=\"714\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig2-spear-phishing-email.png 1308w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig2-spear-phishing-email-300x164.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig2-spear-phishing-email-768x419.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig2-spear-phishing-email-1024x559.png 1024w\" sizes=\"auto, (max-width: 1308px) 100vw, 1308px\"><\/p>\n<p><em>Figure 2. Multiple spear-phishing emails attempted to deliver the same lure document to the same target<\/em><\/p>\n<p>The lure document itself didn\u2019t host any exploit code but used an external relationship to a document hosted on a compromised WordPress website. If recipients opened the attachment, the related remote document, which contained the exploit, was also automatically loaded. 
This allowed the remote document to take advantage of the previously fixed CVE-2017-11882 vulnerability in Equation Editor and execute code on the computer.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-89971\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig3-external-reference.png\" alt width=\"600\" height=\"336\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig3-external-reference.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig3-external-reference-300x168.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig3-external-reference-687x385.png 687w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig3-external-reference-767x430.png 767w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig3-external-reference-539x303.png 539w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\"><\/p>\n<p><em>Figure 3. The lure document contains an external reference to the exploit document, which is hosted on a compromised WordPress website.<\/em><\/p>\n<p>Upon successful exploitation, the attack downloaded and loaded the Lokibot malware, which stole credentials, exfiltrated stolen data, and waited for further instructions from a command-and-control (C&amp;C) server.<\/p>\n<p>The behavior-based machine learning models built into Microsoft Defender ATP caught attacker techniques at two points in the attack chain. The first detection layer spotted the exploit behavior. Machine learning classifiers in the cloud correctly identified the threat and immediately instructed the client to block the attack. In cases where the attack had proceeded past this layer of defense to the next stage of the attack, process hollowing would have been attempted. 
This, too, was detected by behavior-based machine learning models, which instructed the clients to block the attack, marking the second detection layer. As the attacks are blocked, the malicious processes and corresponding files are remediated, protecting targets from credential theft and further backdoor activities.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig4-case-study-credential-theft-attack.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-89976\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig4-case-study-credential-theft-attack.png\" alt width=\"1742\" height=\"921\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig4-case-study-credential-theft-attack.png 1742w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig4-case-study-credential-theft-attack-300x159.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig4-case-study-credential-theft-attack-768x406.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig4-case-study-credential-theft-attack-1024x541.png 1024w\" sizes=\"auto, (max-width: 1742px) 100vw, 1742px\"><\/a><\/p>\n<p><em>Figure 4. 
Credential theft attack chain showing multiple behavior-based protection layers that disrupted the attack<\/em><\/p>\n<p>The behavior-based blocking raised an \u201cInitial Access\u201d alert in Microsoft Defender Security Center, the console for SecOps teams that gives complete visibility into their environments and across the suite of Microsoft Defender ATP tools that protect their endpoints:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-89979\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig5-MDATP-alert-behavior-a.png\" alt width=\"590\" height=\"436\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig5-MDATP-alert-behavior-a.png 598w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig5-MDATP-alert-behavior-a-300x222.png 300w\" sizes=\"auto, (max-width: 590px) 100vw, 590px\"><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-89969\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig5-MDATP-alert-behavior-b.png\" alt width=\"592\" height=\"526\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig5-MDATP-alert-behavior-b.png 662w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig5-MDATP-alert-behavior-b-300x266.png 300w\" sizes=\"auto, (max-width: 592px) 100vw, 592px\"><\/p>\n<p><em>Figure 5. 
Alert and process tree on Microsoft Defender Security Center for this targeted attack<\/em><\/p>\n<p>This attack demonstrates how behavior-based machine learning models in the cloud add new layers of protection against attacks even after they have started running.<\/p>\n<p>In the next sections, we will describe in detail the two machine learning protection features in behavioral blocking and containment capabilities in Microsoft Defender ATP.<\/p>\n<h2>Behavior-based machine learning protection<\/h2>\n<p>The behavior engine in the Windows Defender Antivirus client monitors more than 500 attack techniques as triggers for analyzing new and unknown threats. Each time one of the monitored attack techniques is observed, the process tree and behavior sequences are constructed and sent to the cloud, where behavior-based machine learning models classify possible threats. Figure 6 below illustrates a more detailed view of our process tree classification path:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-89975\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig6-process-tree-classification-path.png\" alt width=\"1907\" height=\"1100\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig6-process-tree-classification-path.png 1907w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig6-process-tree-classification-path-300x173.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig6-process-tree-classification-path-768x443.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig6-process-tree-classification-path-1024x591.png 1024w\" sizes=\"auto, (max-width: 1907px) 100vw, 1907px\"><\/p>\n<p><em>Figure 6. 
Process tree classification path<\/em><\/p>\n<p>Behavior-based detections are named according to the MITRE ATT&amp;CK matrix to help identify the attack stage where the malicious behavior was observed:<\/p>\n<table align=\"center\">\n<tbody>\n<tr>\n<th width=\"200\"><strong>Tactic<\/strong><\/th>\n<th width=\"200\"><strong>Detection threat name<\/strong><\/th>\n<\/tr>\n<tr>\n<td>Initial Access<\/td>\n<td>Behavior:Win32\/InitialAccess.*!ml<\/td>\n<\/tr>\n<tr>\n<td>Execution<\/td>\n<td>Behavior:Win32\/Execution.*!ml<\/td>\n<\/tr>\n<tr>\n<td>Persistence<\/td>\n<td>Behavior:Win32\/Persistence.*!ml<\/td>\n<\/tr>\n<tr>\n<td>Privilege Escalation<\/td>\n<td>Behavior:Win32\/PrivilegeEscalation.*!ml<\/td>\n<\/tr>\n<tr>\n<td>Defense Evasion<\/td>\n<td>Behavior:Win32\/DefenseEvasion.*!ml<\/td>\n<\/tr>\n<tr>\n<td>Credential Access<\/td>\n<td>Behavior:Win32\/CredentialAccess.*!ml<\/td>\n<\/tr>\n<tr>\n<td>Discovery<\/td>\n<td>Behavior:Win32\/Discovery.*!ml<\/td>\n<\/tr>\n<tr>\n<td>Lateral Movement<\/td>\n<td>Behavior:Win32\/LateralMovement.*!ml<\/td>\n<\/tr>\n<tr>\n<td>Collection<\/td>\n<td>Behavior:Win32\/Collection.*!ml<\/td>\n<\/tr>\n<tr>\n<td>Command and Control<\/td>\n<td>Behavior:Win32\/CommandAndControl.*!ml<\/td>\n<\/tr>\n<tr>\n<td>Exfiltration<\/td>\n<td>Behavior:Win32\/Exfiltration.*!ml<\/td>\n<\/tr>\n<tr>\n<td>Impact<\/td>\n<td>Behavior:Win32\/Impact.*!ml<\/td>\n<\/tr>\n<tr>\n<td>Uncategorized<\/td>\n<td>Behavior:Win32\/Generic.*!ml<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Since deployment, the behavior-based machine learning models have blocked attacker techniques like the following used by attacks in the wild:<\/p>\n<ul>\n<li>Credential dumping from LSASS<\/li>\n<li>Cross-process injection<\/li>\n<li>Process hollowing<\/li>\n<li>UAC bypass<\/li>\n<li>Tampering with antivirus (such as disabling it or adding the malware as exclusion)<\/li>\n<li>Contacting C&amp;C to download payloads<\/li>\n<li>Coin mining<\/li>\n<li>Boot record modification<\/li>\n<li>Pass-the-hash 
attacks<\/li>\n<li>Installation of root certificate<\/li>\n<li>Exploitation attempt for various vulnerabilities<\/li>\n<\/ul>\n<p>These blocked behaviors show up as alerts in Microsoft Defender Security Center.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-89972 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig7-MDATP-alert.png\" alt width=\"1136\" height=\"1041\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig7-MDATP-alert.png 1136w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig7-MDATP-alert-300x275.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig7-MDATP-alert-768x704.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig7-MDATP-alert-1024x938.png 1024w\" sizes=\"auto, (max-width: 1136px) 100vw, 1136px\"><\/p>\n<p><em>Figure 7. Alert for malicious behavior in Microsoft Defender Security Center<\/em><\/p>\n<h2>Machine learning protection for scripting engines with AMSI<\/h2>\n<p>Through the <a href=\"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/2015\/06\/09\/windows-10-to-offer-application-developers-new-malware-defenses\/?source=mmpc\">AMSI<\/a> integration with scripting engines on Windows 10 and Office 365, Windows Defender Antivirus gains rich insight into the execution of PowerShell, VBScript, JavaScript and Office Macro VBA scripts to <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2017\/12\/04\/windows-defender-atp-machine-learning-and-amsi-unearthing-script-based-attacks-that-live-off-the-land\/\">cut through obfuscation, protect against fileless attacks, and provide robust defenses<\/a> against malicious script behavior.<\/p>\n<p>To assist with fileless and evasive script attacks, scripting engines are instrumented to provide both behavior calls and dynamic content calls to the antivirus product. 
The types of integration available vary by scripting engine. The table below shows the current support on Windows 10 and Office 365, and Figure 8 illustrates an example of the scripting engine dynamic script content and behavior calls for malicious scripts.<\/p>\n<table align=\"center\">\n<tbody>\n<tr>\n<th width=\"200\"><strong>Microsoft AMSI integration point<\/strong><\/th>\n<th width=\"100\"><strong>Dynamic script content calls<\/strong><\/th>\n<th width=\"100\"><strong>Behavior calls<\/strong><\/th>\n<\/tr>\n<tr>\n<td>PowerShell<\/td>\n<td>Y<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>VBScript<\/td>\n<td>Y<\/td>\n<td>Y<\/td>\n<\/tr>\n<tr>\n<td>JavaScript<\/td>\n<td>Y<\/td>\n<td>Y<\/td>\n<\/tr>\n<tr>\n<td>Office VBA macros<\/td>\n<td><\/td>\n<td>Y<\/td>\n<\/tr>\n<tr>\n<td>WMI<\/td>\n<td><\/td>\n<td>Y<\/td>\n<\/tr>\n<tr>\n<td>MSIL .NET<\/td>\n<td>Y<\/td>\n<td><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-89973\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig8-script-behavior.png\" alt width=\"1410\" height=\"478\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig8-script-behavior.png 1410w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig8-script-behavior-300x102.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig8-script-behavior-768x260.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig8-script-behavior-1024x347.png 1024w\" sizes=\"auto, (max-width: 1410px) 100vw, 1410px\"><\/p>\n<p><em>Figure 8. Example dynamic script content and behavior calls for malicious scripts monitored by AMSI<\/em><\/p>\n<p>Our scripting machine learning protection design can be seen in Figure 9 below. We deployed paired machine learning models for various scripting scenarios. 
Each pair of classifiers is made up of (1) a performance-optimized lightweight classifier that runs on the Windows Defender Antivirus client, and (2) a heavy classifier in the cloud. The role of the client-based classifier is to inspect the script content or behavior log to predict whether a script is suspicious. For scripts that are classified as suspicious, metadata describing the behavior or content is featurized and sent up to the cloud for real-time classification; the metadata that describes the content includes expert features, features selected by machine learning, and fuzzy hashes.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-89974\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig9-amsi-paroted-models-classification-path.png\" alt width=\"500\" height=\"624\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig9-amsi-paroted-models-classification-path.png 882w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig9-amsi-paroted-models-classification-path-240x300.png 240w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig9-amsi-paroted-models-classification-path-768x959.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig9-amsi-paroted-models-classification-path-820x1024.png 820w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\"><\/p>\n<p><em>Figure 9. AMSI-paired models classification path<\/em><\/p>\n<p>The paired machine learning model in the cloud then analyzes the metadata to decide whether the script should be blocked or not. If machine learning decides to block the file, the running script is aborted. 
This paired model architecture is used to offload the overhead of running intensive machine learning models to the cloud, and to make use of the global information available about the content through the Microsoft Intelligent Security Graph.<\/p>\n<p>Malicious scripts blocked by AMSI-paired machine learning models are reported in Microsoft Defender Security Center using threat names like the following:<\/p>\n<ul>\n<li>Trojan:JS\/Mountsi.A!ml<\/li>\n<li>Trojan:Script\/Mountsi.A!ml<\/li>\n<li>Trojan:O97M\/Mountsi.A!ml<\/li>\n<li>Trojan:VBS\/Mountsi.A!ml<\/li>\n<li>Trojan:PowerShell\/Mountsi.A!ml<\/li>\n<\/ul>\n<h2>Behavioral blocking and containment for disrupting advanced attacks<\/h2>\n<p>The two new cloud-based post-execution detection engines we described in this blog are part of the behavioral blocking and containment capabilities that enabled Microsoft Defender ATP to protect the 100 organizations targeted in the credential theft attack we discussed earlier. Recently, we also documented how behavior-based protections are important components of the dynamic protection against the <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/\">multi-stage, fileless Nodersok campaign<\/a>.<\/p>\n<p>These engines add to the many layers of machine learning-driven protections in the cloud and add protection against threats after they have begun running. 
To further illustrate how these behavior-based protections work, here\u2019s a diagram that shows the multiple protection layers against an Emotet attack chain:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-89977\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig10-emotet-post-breach-behavior.png\" alt width=\"1684\" height=\"1109\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig10-emotet-post-breach-behavior.png 1684w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig10-emotet-post-breach-behavior-300x198.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig10-emotet-post-breach-behavior-768x506.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig10-emotet-post-breach-behavior-1024x674.png 1024w\" sizes=\"auto, (max-width: 1684px) 100vw, 1684px\"><\/p>\n<p><em>Figure 10. Multiple layers of behavior-based protection in Windows Defender Antivirus while executing an Emotet attack (SHA-256: ee2bbe2398be8a1732c0afc318b797f192ce898982bff1b109005615588facb0)<\/em><\/p>\n<p>As part of our defense in depth strategy, these new layers of antivirus protection not only expand detection and blocking capabilities; they also provide even richer visibility into malicious behavior sequences, giving security operations more signals to use in investigating and responding to attacks through <a href=\"https:\/\/www.microsoft.com\/en-us\/WindowsForBusiness\/windows-atp\">Microsoft Defender ATP<\/a> capabilities like endpoint detection and response, threat and vulnerability management, and automated investigation and remediation.<\/p>\n<p>Within milliseconds of an attack technique or suspicious script execution being observed, machine learning classifiers return a verdict and the client blocks the threat. 
Our pre-execution models then learn from these malicious blocks afterwards to protect Microsoft Defender ATP customers before the threats even begin executing.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-89980\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig11-multiple-layers-of-protection-microsoft-defender-atp.png\" alt width=\"1300\" height=\"860\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig11-multiple-layers-of-protection-microsoft-defender-atp.png 1300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig11-multiple-layers-of-protection-microsoft-defender-atp-300x198.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig11-multiple-layers-of-protection-microsoft-defender-atp-768x508.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig11-multiple-layers-of-protection-microsoft-defender-atp-1024x677.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/fig11-multiple-layers-of-protection-microsoft-defender-atp-293x195.png 293w\" sizes=\"auto, (max-width: 1300px) 100vw, 1300px\"><\/p>\n<p><em>Figure 11. Multiple layers of malware and threat prevention engines on the client and in the cloud<\/em><\/p>\n<p>The impact of the continuous improvements in antivirus capabilities further shows up in <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/technology\/threat-protection\">Microsoft Threat Protection<\/a>, Microsoft\u2019s comprehensive security solution for identities, endpoints, email and data, apps, and infrastructure. 
Through signal-sharing across Microsoft services, the richer machine learning-driven protection in Microsoft Defender ATP is amplified throughout protections for various attack surfaces.<\/p>\n<p><strong><em>Geoff McDonald<\/em><\/strong><br \/><em>with <strong>Saad Khan<\/strong><\/em><br \/><em>Microsoft Defender ATP Research<\/em><\/p>\n<p>READ MORE <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/10\/08\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Two new machine learning protection features within the behavioral blocking and containment capabilities in Microsoft Defender ATP specialize in detecting threats by analyzing behavior, adding new layers of protection after an attack has started running.<br \/>\nThe post In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks appeared first on Microsoft Security. READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":29560,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[6859,8025,3305,6863,8026,347,8027,6419,6717,7221,1064,8028],"class_list":["post-29559","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-secure","tag-ai-and-machine-learning","tag-amsi-paired-machine-learning","tag-automation","tag-behavior-based-machine-learning","tag-behavioral-blocking-and-containment","tag-cybersecurity","tag-endpoint-protection-platform","tag-endpoint-security","tag-microsoft-defender-atp","tag-microsoft-security-intelligence","tag-security-intelligence","tag-threat-and-malware-prevention"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>In hot pursuit of 
elusive threats: AI-driven behavior-based blocking stops attacks in their tracks 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2019-10-08T15:00:11+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2019\/10\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1906\" \/>\n\t<meta property=\"og:image:height\" content=\"1122\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks\",\"datePublished\":\"2019-10-08T15:00:11+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\\\/\"},\"wordCount\":1971,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2019\\\/10\\\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks.png\",\"keywords\":[\"AI and machine learning\",\"AMSI paired machine learning\",\"Automation\",\"behavior-based machine learning\",\"behavioral blocking and containment\",\"Cybersecurity\",\"endpoint protection platform\",\"Endpoint security\",\"Microsoft Defender ATP\",\"Microsoft security intelligence\",\"Security Intelligence\",\"threat and malware prevention\"],\"articleSection\":[\"Microsoft 
Secure\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\\\/\",\"name\":\"In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2019\\\/10\\\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks.png\",\"datePublished\":\"2019-10-08T15:00:11+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2019\\\/10\\\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2019\\\/10\\\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks.png\",\"width\":1906,\"height\":1122},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"AI and machine learning\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/ai-and-machine-learning\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity 
News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https
:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\/","og_locale":"en_US","og_type":"article","og_title":"In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2019-10-08T15:00:11+00:00","og_image":[{"width":1906,"height":1122,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2019\/10\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks.png","type":"image\/png"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their 
tracks","datePublished":"2019-10-08T15:00:11+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\/"},"wordCount":1971,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2019\/10\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks.png","keywords":["AI and machine learning","AMSI paired machine learning","Automation","behavior-based machine learning","behavioral blocking and containment","Cybersecurity","endpoint protection platform","Endpoint security","Microsoft Defender ATP","Microsoft security intelligence","Security Intelligence","threat and malware prevention"],"articleSection":["Microsoft Secure"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\/","url":"https:\/\/www.threatshub.org\/blog\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\/","name":"In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2019\/10\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks.png","datePublished":"2019-10-08T15:00:11+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2019\/10\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2019\/10\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks.png","width":1906,"height":1122},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks\/#breadcrumb","itemListElement":[{"@type":"List
Item","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"AI and machine learning","item":"https:\/\/www.threatshub.org\/blog\/tag\/ai-and-machine-learning\/"},{"@type":"ListItem","position":3,"name":"In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/29559","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=29559"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/29559\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/29560"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=29559"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=29559"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=29559"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}