Forum Discussion

Sri_12
May 27, 2021

MDATP doesn't constantly detect a ransomware-type mass encryption

Hello,
As a part of security testing, to see the efficacy level of MDATP, we are running a PowerShell script (encrypt_ransomware.ps1) found on GitHub (leomatias/Ransomware-Simulator) that encrypts a bulk number of files and behaves like ransomware.
The workstations used are Windows 10 Enterprise enrolled in Intune with similar policies & settings. The user accounts used to execute the scripts are administrators, but we only run the scripts as standard PowerShell sessions (meaning not 'run as administrator'). We rely on MDATP protection to detect this event and we confirm the alert after seeing it in the security center, but the alerts/detections in the MDATP security center are not consistent. On some of the test machines it gets detected as "ransomware behaviour" by MDATP and an alert is generated. Doing the same test on another machine has a different result: no alert is raised in the MDATP console. This is not consistent across the devices on which we run the script.
There is no real difference in configuration between the machines, as all policies and settings are pushed to all devices/all users. The tests are identical: the same encryption script, the same number of files, the same total size.
I appreciate any advice or suggestions on how to troubleshoot this and find what's generating the different detection behavior. Why is the massive file change not detected consistently across machines?
I'll continue to see if it stays the same with a standard user (no admin rights by default).
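One way to start troubleshooting the per-device difference, as an added example that is not code from the original post or from the Ransomware-Simulator project: a PowerShell helper that records, on each test machine, the Defender and Defender for Endpoint sensor settings that decide whether a behavioural "ransomware" alert can be raised and reported, then lists every setting that is not identical across the collected machines. The share path is an assumption; the cmdlets and the onboarding-state registry key are Microsoft's documented ones.

```powershell
# Added troubleshooting helper (not from the original post or the Ransomware-Simulator project):
# collect the per-device settings that decide whether the behavioral engine and the Defender for
# Endpoint sensor can raise a "ransomware behaviour" alert, so several test machines can be diffed.
# Run in an elevated PowerShell session on each machine; $reportDir is an assumed shared folder.
$reportDir = '\\fileserver\mdatp-compare'
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
# The sensor's onboarding state is recorded under this key; 1 means the device is onboarded.
$atpKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$report = [PSCustomObject]@{
    ComputerName         = $env:COMPUTERNAME
    # Sensor health: a stopped Sense service or OnboardingState <> 1 means no telemetry reaches the portal.
    SenseService         = [string](Get-Service -Name Sense -ErrorAction SilentlyContinue).Status
    OnboardingState      = (Get-ItemProperty -Path $atpKey -ErrorAction SilentlyContinue).OnboardingState
    # AV engine: passive mode or disabled behavior monitoring removes the local behavioral detection.
    AMRunningMode        = $status.AMRunningMode
    RealTimeProtection   = $status.RealTimeProtectionEnabled
    BehaviorMonitoring   = $status.BehaviorMonitorEnabled
    TamperProtected      = $status.IsTamperProtected
    # Versions: a machine lagging on platform, engine or signatures may lack newer detection logic.
    PlatformVersion      = $status.AMProductVersion
    EngineVersion        = $status.AMEngineVersion
    SignatureVersion     = $status.AntivirusSignatureVersion
    # Cloud protection: MAPS off or a low block level changes how much the cloud classifier adds.
    MAPSReporting        = $pref.MAPSReporting
    SubmitSamplesConsent = $pref.SubmitSamplesConsent
    CloudBlockLevel      = $pref.CloudBlockLevel
    CloudExtendedTimeout = $pref.CloudExtendedTimeout
    ControlledFolderAccess = $pref.EnableControlledFolderAccess
}
$report | ConvertTo-Json | Set-Content -Path (Join-Path $reportDir "$($env:COMPUTERNAME).json") -Encoding UTF8
$report | Format-List

# After every test machine has written its file, list each property whose value is not identical
# across all of them; those are the settings to investigate first.
$all = @(Get-ChildItem $reportDir -Filter *.json | ForEach-Object { Get-Content $_.FullName -Raw | ConvertFrom-Json })
if ($all.Count -gt 1) {
    foreach ($name in ($all[0].PSObject.Properties.Name | Where-Object { $_ -ne 'ComputerName' })) {
        $distinct = @($all | ForEach-Object { [string]$_.$name } | Sort-Object -Unique)
        if ($distinct.Count -gt 1) {
            "$name differs: " + (($all | ForEach-Object { "$($_.ComputerName)=$($_.$name)" }) -join ', ')
        }
    }
}
```

If every collected value matches yet only some machines alert, the next thing to compare is whether each device's file events for the test run are visible in the portal at all, which separates a sensor reporting gap from a detection-logic difference.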