Forum Discussion

ahmedamer's avatar
ahmedamer
Copper Contributor
Apr 20, 2024
Solved

abnormal Behavior in Users Devices

hi security guys

 

I am facing strange behaviors on Microsoft EDR that show in timeline Windows Defender Advanced Threat Protection\SenseIR.exe is using fake accounts which are not exist in Microsoft Active directory and Azure Active Directory 

Is considering a normal behavior, hacked or Windows Defender Advanced Threat Protection zero day vulnerable.

the below sample from timeline that related with fake account.

Event TimeMachine IdComputer NameAction TypeFile NameFolder PathSha1Sha256MD5Process Command LineAccount DomainAccount NameAccount SidLogo IdProcess IdProcess Creation TimeProcess Token ElevationRegistry KeyRegistry Value NameRegistry Value DataRemote UrlRemote Computer NameRemote IPRemote PortLocal IPLocal PortFile Origin UrlFile Origin IPInitiating Process SHA1Initiating Process SHA256Initiating Process File NameInitiating Process Folder PathInitiating Process IdInitiating Process Command LineInitiating Process Creation TimeInitiating Process Integrity LevelInitiating Process Token ElevationInitiating Process Parent IdInitiating Process Parent File NameInitiating Process Parent Creation TimeInitiating Process MD5Initiating Process Account DomainInitiating Process Account NameInitiating Process Account SidInitiating Process Logon IdReport IdAdditional FieldsApp Guard Container IdProtocolLogon TypeProcess Integrity LevelRegistry Value TypePrevious Registry Value NamePrevious Registry Value DataPrevious Registry KeyFile Origin Referrer UrlSensitivity LabelSensitivity Sub LabelIs Endpoint Dlp AppliedIs Azure Info Protection AppliedAlert IdsCategoriesSeveritiesIs MarkedData Type
2024-04-19T12:22:10.9876595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1InboundRdpConnection    LITCfake accountS-1-5-21-3977750084-2905094788-454684165-926103861          7c04ec2377e32b3c742f581f6c5437464dd2cf23247PKBT60B6DT25B34CP74B5889Ap10F1B3S72B4D4D95B5B25B54560B8powershell.exeC:\Windows\System32\WindowsPowerShell\v1.08332powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command "& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\ Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Algorithm SHA256; if (!( $calculatedHash.Hash -eq '575497143631ed5cd604e7a1e8666187bd6acf421ad685273e559c0013179789')) { exit 323;}; Start-Transcript -Path 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\PSScriptOutputs\PSScript_Transcript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.txt'; . 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Id 3f884218-6a5a-4d02-8032-32ed7f90339a -Descriptor eyJEZXRlY3Rpb25LZXlzIjpbIk1va2h0YXIuU2hvc2hhbiJdLCJDb250ZW50IjoiZXdvZ0lDSlRaWEpwWVd4cGVtVmtUbXhTWldOdmNtUWlPaUFpU0dkQlNVRkNORUZJWjBGQlFVRkJRVUZCUVVGQlJGVTFUWHBqUVVGblFVRkJaMEZCUVVGblFVZEJRemNyY3pONU9UUXZZVUZSVVVGQlVVRkJRVUZCUVVGUlFVdEJRVUZCUVVGQlVVRkJRVUZHUVVFd1FVTmlWRGRNWW5SWVduUjVNbTlPUmtnek1FcGhNRlZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUWtGQlFVRkJRVUZCUVVGQlFVRkJRVU5CUVVGQlJHZEJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZVVVVKMlFVZHpRV0ZCUWpCQlIwVkJZMmRCZFVGR1RVRmhRVUoyUVVoTlFXRkJRbWhCUnpSQlFVRkNjMEZIYTBGa1FVSnFRVWQzUVdGUlFqQkJSMDFCVEdkQ2MwRkhPRUZaZDBKb1FVZDNRVlJSUW5aQlIzTkJZVUZDTUVGSFJVRmpaMEYxUVVaTlFXRkJRblpCU0UxQllVRkNhRUZITkVGUlFVSnpRVWRyUVdSQlFtcEJRelJCWWtGQ2RrRkhUVUZaVVVKelFVVXdRV0ozUW5KQlIyZEJaRUZDYUVGSVNVRk1aMEpVUVVkblFXSjNRbnBCUjJkQldWRkNkVUZCUVVGVVVVSjJRVWR6UVdGQlFqQkJSMFZCWTJkQlowRkdUVUZoUVVKMlFVaE5RV0ZCUW1oQlJ6UkJRVUZCUVVGblFVRkNkMEZCUVVGRlEwRkJRVWhCUVVGQllrRkNjRUZJVVVGWmQwSlRaRzQ0V0dOcVZVWTFSVzVIT0hadWFFUlFSUzh2ZEdOQ2FtUXlNMjFHVlc5QlJ6UkJaRkZDYzBGSGQwRkxVVUZCUVVFOVBTSXNDaUFnSWxOdlpuUjNZWEpsUlhoamJIVnphVzl1VEdsemRFWnZja1JsY0d4dmVXMWxiblFpT2lCYlhRcDkiLCJFbnRpdHlQYXRoIjoiIiwiRW50aXR5VHlwZSI6NiwiTHVyZURlcGxveW1lbnRDb250ZXh0Ijp7IkV4cGlyYXRpb25VdGMiOiIyMDI0LTA0LTIyVDEyOjE2OjQ1LjQ0NTE3NzVaIiwiSWQiOiJhZjlkNWY2YS1jNjZhLTRmYmMtOTkwZS00MzMwYmI4ZTZjODQiLCJDb3JyZWxhdGlvbklkIjpudWxsfSwiRmlsZUF0dHJpYnV0ZXMiOjAsIlVzZXJSaWQiOjkyNjEwMzg2MX0=}"2024-04-19T12:21:13.582SystemDefault7192SenseIR.exe2024-04-19T12:21:11.307NT AUTHORITYsystemS-1-5-18 1.65E+09               T1021.001 (bolster) Techniques
2024-04-19T12:22:10.9876595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1WindowsDomainAccountLogonSuccess   LITCfake accountS-1-5-21-3977750084-2905094788-454684165-926103861          7c04ec2377e32b3c742f581f6c5437464dd2cf23247PKBT60B6DT25B34CP74B5889Ap10F1B3S72B4D4D95B5B25B54560B8powershell.exeC:\Windows\System32\WindowsPowerShell\v1.08332powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command "& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\ Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Algorithm SHA256; if (!( $calculatedHash.Hash -eq '575497143631ed5cd604e7a1e8666187bd6acf421ad685273e559c0013179789')) { exit 323;}; Start-Transcript -Path 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\PSScriptOutputs\PSScript_Transcript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.txt'; . 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Id 3f884218-6a5a-4d02-8032-32ed7f90339a -Descriptor eyJEZXRlY3Rpb25LZXlzIjpbIk1va2h0YXIuU2hvc2hhbiJdLCJDb250ZW50IjoiZXdvZ0lDSlRaWEpwWVd4cGVtVmtUbXhTWldOdmNtUWlPaUFpU0dkQlNVRkNORUZJWjBGQlFVRkJRVUZCUVVGQlJGVTFUWHBqUVVGblFVRkJaMEZCUVVGblFVZEJRemNyY3pONU9UUXZZVUZSVVVGQlVVRkJRVUZCUVVGUlFVdEJRVUZCUVVGQlVVRkJRVUZHUVVFd1FVTmlWRGRNWW5SWVduUjVNbTlPUmtnek1FcGhNRlZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUWtGQlFVRkJRVUZCUVVGQlFVRkJRVU5CUVVGQlJHZEJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZVVVVKMlFVZHpRV0ZCUWpCQlIwVkJZMmRCZFVGR1RVRmhRVUoyUVVoTlFXRkJRbWhCUnpSQlFVRkNjMEZIYTBGa1FVSnFRVWQzUVdGUlFqQkJSMDFCVEdkQ2MwRkhPRUZaZDBKb1FVZDNRVlJSUW5aQlIzTkJZVUZDTUVGSFJVRmpaMEYxUVVaTlFXRkJRblpCU0UxQllVRkNhRUZITkVGUlFVSnpRVWRyUVdSQlFtcEJRelJCWWtGQ2RrRkhUVUZaVVVKelFVVXdRV0ozUW5KQlIyZEJaRUZDYUVGSVNVRk1aMEpVUVVkblFXSjNRbnBCUjJkQldWRkNkVUZCUVVGVVVVSjJRVWR6UVdGQlFqQkJSMFZCWTJkQlowRkdUVUZoUVVKMlFVaE5RV0ZCUW1oQlJ6UkJRVUZCUVVGblFVRkNkMEZCUVVGRlEwRkJRVWhCUVVGQllrRkNjRUZJVVVGWmQwSlRaRzQ0V0dOcVZVWTFSVzVIT0hadWFFUlFSUzh2ZEdOQ2FtUXlNMjFHVlc5QlJ6UkJaRkZDYzBGSGQwRkxVVUZCUVVFOVBTSXNDaUFnSWxOdlpuUjNZWEpsUlhoamJIVnphVzl1VEdsemRFWnZja1JsY0d4dmVXMWxiblFpT2lCYlhRcDkiLCJFbnRpdHlQYXRoIjoiIiwiRW50aXR5VHlwZSI6NiwiTHVyZURlcGxveW1lbnRDb250ZXh0Ijp7IkV4cGlyYXRpb25VdGMiOiIyMDI0LTA0LTIyVDEyOjE2OjQ1LjQ0NTE3NzVaIiwiSWQiOiJhZjlkNWY2YS1jNjZhLTRmYmMtOTkwZS00MzMwYmI4ZTZjODQiLCJDb3JyZWxhdGlvbklkIjpudWxsfSwiRmlsZUF0dHJpYnV0ZXMiOjAsIlVzZXJSaWQiOjkyNjEwMzg2MX0=}"2024-04-19T12:21:13.582SystemDefault7192SenseIR.exe2024-04-19T12:21:11.307NT AUTHORITYsystemS-1-5-18 9.09E+08               T1078.002 (bolster) Techniques
2024-04-19T12:22:10.9876595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1LogonSuccess     LITCfake accountS-1-5-21-3977750084-2905094788-454684165-926103861          7c04ec2377e32b3c742f581f6c5437464dd2cf23247PKBT60B6DT25B34CP74B5889Ap10F1B3S72B4D4D95B5B25B54560B8powershell.exeC:\Windows\System32\WindowsPowerShell\v1.08332powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command "& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\ Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Algorithm SHA256; if (!( $calculatedHash.Hash -eq '575497143631ed5cd604e7a1e8666187bd6acf421ad685273e559c0013179789')) { exit 323;}; Start-Transcript -Path 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\PSScriptOutputs\PSScript_Transcript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.txt'; . 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Id 3f884218-6a5a-4d02-8032-32ed7f90339a -Descriptor eyJEZXRlY3Rpb25LZXlzIjpbIk1va2h0YXIuU2hvc2hhbiJdLCJDb250ZW50IjoiZXdvZ0lDSlRaWEpwWVd4cGVtVmtUbXhTWldOdmNtUWlPaUFpU0dkQlNVRkNORUZJWjBGQlFVRkJRVUZCUVVGQlJGVTFUWHBqUVVGblFVRkJaMEZCUVVGblFVZEJRemNyY3pONU9UUXZZVUZSVVVGQlVVRkJRVUZCUVVGUlFVdEJRVUZCUVVGQlVVRkJRVUZHUVVFd1FVTmlWRGRNWW5SWVduUjVNbTlPUmtnek1FcGhNRlZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUWtGQlFVRkJRVUZCUVVGQlFVRkJRVU5CUVVGQlJHZEJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZVVVVKMlFVZHpRV0ZCUWpCQlIwVkJZMmRCZFVGR1RVRmhRVUoyUVVoTlFXRkJRbWhCUnpSQlFVRkNjMEZIYTBGa1FVSnFRVWQzUVdGUlFqQkJSMDFCVEdkQ2MwRkhPRUZaZDBKb1FVZDNRVlJSUW5aQlIzTkJZVUZDTUVGSFJVRmpaMEYxUVVaTlFXRkJRblpCU0UxQllVRkNhRUZITkVGUlFVSnpRVWRyUVdSQlFtcEJRelJCWWtGQ2RrRkhUVUZaVVVKelFVVXdRV0ozUW5KQlIyZEJaRUZDYUVGSVNVRk1aMEpVUVVkblFXSjNRbnBCUjJkQldWRkNkVUZCUVVGVVVVSjJRVWR6UVdGQlFqQkJSMFZCWTJkQlowRkdUVUZoUVVKMlFVaE5RV0ZCUW1oQlJ6UkJRVUZCUVVGblFVRkNkMEZCUVVGRlEwRkJRVWhCUVVGQllrRkNjRUZJVVVGWmQwSlRaRzQ0V0dOcVZVWTFSVzVIT0hadWFFUlFSUzh2ZEdOQ2FtUXlNMjFHVlc5QlJ6UkJaRkZDYzBGSGQwRkxVVUZCUVVFOVBTSXNDaUFnSWxOdlpuUjNZWEpsUlhoamJIVnphVzl1VEdsemRFWnZja1JsY0d4dmVXMWxiblFpT2lCYlhRcDkiLCJFbnRpdHlQYXRoIjoiIiwiRW50aXR5VHlwZSI6NiwiTHVyZURlcGxveW1lbnRDb250ZXh0Ijp7IkV4cGlyYXRpb25VdGMiOiIyMDI0LTA0LTIyVDEyOjE2OjQ1LjQ0NTE3NzVaIiwiSWQiOiJhZjlkNWY2YS1jNjZhLTRmYmMtOTkwZS00MzMwYmI4ZTZjODQiLCJDb3JyZWxhdGlvbklkIjpudWxsfSwiRmlsZUF0dHJpYnV0ZXMiOjAsIlVzZXJSaWQiOjkyNjEwMzg2MX0=}"2024-04-19T12:21:13.582SystemStandard7192\Device\HarddiskVolume3\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe2024-04-19T12:21:11.307nt authoritysystemS-1-5-18 28953{"IsLocalLogon":false} CachedRemoteInteractive            Events
2024-04-19T12:22:10.9876595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1WindowsDomainAccountLogonSuccess   LITCfake accountS-1-5-21-3977750084-2905094788-454684165-926103861          7c04ec2377e32b3c742f581f6c5437464dd2cf23247PKBT60B6DT25B34CP74B5889Ap10F1B3S72B4D4D95B5B25B54560B8powershell.exeC:\Windows\System32\WindowsPowerShell\v1.08332powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command "& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\ Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Algorithm SHA256; if (!( $calculatedHash.Hash -eq '575497143631ed5cd604e7a1e8666187bd6acf421ad685273e559c0013179789')) { exit 323;}; Start-Transcript -Path 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\PSScriptOutputs\PSScript_Transcript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.txt'; . 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Id 3f884218-6a5a-4d02-8032-32ed7f90339a -Descriptor eyJEZXRlY3Rpb25LZXlzIjpbIk1va2h0YXIuU2hvc2hhbiJdLCJDb250ZW50IjoiZXdvZ0lDSlRaWEpwWVd4cGVtVmtUbXhTWldOdmNtUWlPaUFpU0dkQlNVRkNORUZJWjBGQlFVRkJRVUZCUVVGQlJGVTFUWHBqUVVGblFVRkJaMEZCUVVGblFVZEJRemNyY3pONU9UUXZZVUZSVVVGQlVVRkJRVUZCUVVGUlFVdEJRVUZCUVVGQlVVRkJRVUZHUVVFd1FVTmlWRGRNWW5SWVduUjVNbTlPUmtnek1FcGhNRlZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUWtGQlFVRkJRVUZCUVVGQlFVRkJRVU5CUVVGQlJHZEJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZVVVVKMlFVZHpRV0ZCUWpCQlIwVkJZMmRCZFVGR1RVRmhRVUoyUVVoTlFXRkJRbWhCUnpSQlFVRkNjMEZIYTBGa1FVSnFRVWQzUVdGUlFqQkJSMDFCVEdkQ2MwRkhPRUZaZDBKb1FVZDNRVlJSUW5aQlIzTkJZVUZDTUVGSFJVRmpaMEYxUVVaTlFXRkJRblpCU0UxQllVRkNhRUZITkVGUlFVSnpRVWRyUVdSQlFtcEJRelJCWWtGQ2RrRkhUVUZaVVVKelFVVXdRV0ozUW5KQlIyZEJaRUZDYUVGSVNVRk1aMEpVUVVkblFXSjNRbnBCUjJkQldWRkNkVUZCUVVGVVVVSjJRVWR6UVdGQlFqQkJSMFZCWTJkQlowRkdUVUZoUVVKMlFVaE5RV0ZCUW1oQlJ6UkJRVUZCUVVGblFVRkNkMEZCUVVGRlEwRkJRVWhCUVVGQllrRkNjRUZJVVVGWmQwSlRaRzQ0V0dOcVZVWTFSVzVIT0hadWFFUlFSUzh2ZEdOQ2FtUXlNMjFHVlc5QlJ6UkJaRkZDYzBGSGQwRkxVVUZCUVVFOVBTSXNDaUFnSWxOdlpuUjNZWEpsUlhoamJIVnphVzl1VEdsemRFWnZja1JsY0d4dmVXMWxiblFpT2lCYlhRcDkiLCJFbnRpdHlQYXRoIjoiIiwiRW50aXR5VHlwZSI6NiwiTHVyZURlcGxveW1lbnRDb250ZXh0Ijp7IkV4cGlyYXRpb25VdGMiOiIyMDI0LTA0LTIyVDEyOjE2OjQ1LjQ0NTE3NzVaIiwiSWQiOiJhZjlkNWY2YS1jNjZhLTRmYmMtOTkwZS00MzMwYmI4ZTZjODQiLCJDb3JyZWxhdGlvbklkIjpudWxsfSwiRmlsZUF0dHJpYnV0ZXMiOjAsIlVzZXJSaWQiOjkyNjEwMzg2MX0=}"2024-04-19T12:21:13.582SystemDefault7192SenseIR.exe2024-04-19T12:21:11.307NT AUTHORITYsystemS-1-5-18 8.59E+08               T1078.002 (bolster) Techniques
2024-04-19T12:22:10.9876595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1InboundRdpConnection    LITCfake accountS-1-5-21-3977750084-2905094788-454684165-926103861          7c04ec2377e32b3c742f581f6c5437464dd2cf23247PKBT60B6DT25B34CP74B5889Ap10F1B3S72B4D4D95B5B25B54560B8powershell.exeC:\Windows\System32\WindowsPowerShell\v1.08332powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command "& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\ Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Algorithm SHA256; if (!( $calculatedHash.Hash -eq '575497143631ed5cd604e7a1e8666187bd6acf421ad685273e559c0013179789')) { exit 323;}; Start-Transcript -Path 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\PSScriptOutputs\PSScript_Transcript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.txt'; . 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Id 3f884218-6a5a-4d02-8032-32ed7f90339a -Descriptor eyJEZXRlY3Rpb25LZXlzIjpbIk1va2h0YXIuU2hvc2hhbiJdLCJDb250ZW50IjoiZXdvZ0lDSlRaWEpwWVd4cGVtVmtUbXhTWldOdmNtUWlPaUFpU0dkQlNVRkNORUZJWjBGQlFVRkJRVUZCUVVGQlJGVTFUWHBqUVVGblFVRkJaMEZCUVVGblFVZEJRemNyY3pONU9UUXZZVUZSVVVGQlVVRkJRVUZCUVVGUlFVdEJRVUZCUVVGQlVVRkJRVUZHUVVFd1FVTmlWRGRNWW5SWVduUjVNbTlPUmtnek1FcGhNRlZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUWtGQlFVRkJRVUZCUVVGQlFVRkJRVU5CUVVGQlJHZEJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZVVVVKMlFVZHpRV0ZCUWpCQlIwVkJZMmRCZFVGR1RVRmhRVUoyUVVoTlFXRkJRbWhCUnpSQlFVRkNjMEZIYTBGa1FVSnFRVWQzUVdGUlFqQkJSMDFCVEdkQ2MwRkhPRUZaZDBKb1FVZDNRVlJSUW5aQlIzTkJZVUZDTUVGSFJVRmpaMEYxUVVaTlFXRkJRblpCU0UxQllVRkNhRUZITkVGUlFVSnpRVWRyUVdSQlFtcEJRelJCWWtGQ2RrRkhUVUZaVVVKelFVVXdRV0ozUW5KQlIyZEJaRUZDYUVGSVNVRk1aMEpVUVVkblFXSjNRbnBCUjJkQldWRkNkVUZCUVVGVVVVSjJRVWR6UVdGQlFqQkJSMFZCWTJkQlowRkdUVUZoUVVKMlFVaE5RV0ZCUW1oQlJ6UkJRVUZCUVVGblFVRkNkMEZCUVVGRlEwRkJRVWhCUVVGQllrRkNjRUZJVVVGWmQwSlRaRzQ0V0dOcVZVWTFSVzVIT0hadWFFUlFSUzh2ZEdOQ2FtUXlNMjFHVlc5QlJ6UkJaRkZDYzBGSGQwRkxVVUZCUVVFOVBTSXNDaUFnSWxOdlpuUjNZWEpsUlhoamJIVnphVzl1VEdsemRFWnZja1JsY0d4dmVXMWxiblFpT2lCYlhRcDkiLCJFbnRpdHlQYXRoIjoiIiwiRW50aXR5VHlwZSI6NiwiTHVyZURlcGxveW1lbnRDb250ZXh0Ijp7IkV4cGlyYXRpb25VdGMiOiIyMDI0LTA0LTIyVDEyOjE2OjQ1LjQ0NTE3NzVaIiwiSWQiOiJhZjlkNWY2YS1jNjZhLTRmYmMtOTkwZS00MzMwYmI4ZTZjODQiLCJDb3JyZWxhdGlvbklkIjpudWxsfSwiRmlsZUF0dHJpYnV0ZXMiOjAsIlVzZXJSaWQiOjkyNjEwMzg2MX0=}"2024-04-19T12:21:13.582SystemDefault7192SenseIR.exe2024-04-19T12:21:11.307NT AUTHORITYsystemS-1-5-18 8.45E+08               T1021.001 (bolster) Techniques
2024-04-19T12:22:10.9876595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1LogonSuccess     LITCfake accountS-1-5-21-3977750084-2905094788-454684165-926103861          7c04ec2377e32b3c742f581f6c5437464dd2cf23247PKBT60B6DT25B34CP74B5889Ap10F1B3S72B4D4D95B5B25B54560B8powershell.exeC:\Windows\System32\WindowsPowerShell\v1.08332powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command "& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\ Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Algorithm SHA256; if (!( $calculatedHash.Hash -eq '575497143631ed5cd604e7a1e8666187bd6acf421ad685273e559c0013179789')) { exit 323;}; Start-Transcript -Path 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\PSScriptOutputs\PSScript_Transcript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.txt'; . 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Id 3f884218-6a5a-4d02-8032-32ed7f90339a -Descriptor eyJEZXRlY3Rpb25LZXlzIjpbIk1va2h0YXIuU2hvc2hhbiJdLCJDb250ZW50IjoiZXdvZ0lDSlRaWEpwWVd4cGVtVmtUbXhTWldOdmNtUWlPaUFpU0dkQlNVRkNORUZJWjBGQlFVRkJRVUZCUVVGQlJGVTFUWHBqUVVGblFVRkJaMEZCUVVGblFVZEJRemNyY3pONU9UUXZZVUZSVVVGQlVVRkJRVUZCUVVGUlFVdEJRVUZCUVVGQlVVRkJRVUZHUVVFd1FVTmlWRGRNWW5SWVduUjVNbTlPUmtnek1FcGhNRlZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUWtGQlFVRkJRVUZCUVVGQlFVRkJRVU5CUVVGQlJHZEJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZVVVVKMlFVZHpRV0ZCUWpCQlIwVkJZMmRCZFVGR1RVRmhRVUoyUVVoTlFXRkJRbWhCUnpSQlFVRkNjMEZIYTBGa1FVSnFRVWQzUVdGUlFqQkJSMDFCVEdkQ2MwRkhPRUZaZDBKb1FVZDNRVlJSUW5aQlIzTkJZVUZDTUVGSFJVRmpaMEYxUVVaTlFXRkJRblpCU0UxQllVRkNhRUZITkVGUlFVSnpRVWRyUVdSQlFtcEJRelJCWWtGQ2RrRkhUVUZaVVVKelFVVXdRV0ozUW5KQlIyZEJaRUZDYUVGSVNVRk1aMEpVUVVkblFXSjNRbnBCUjJkQldWRkNkVUZCUVVGVVVVSjJRVWR6UVdGQlFqQkJSMFZCWTJkQlowRkdUVUZoUVVKMlFVaE5RV0ZCUW1oQlJ6UkJRVUZCUVVGblFVRkNkMEZCUVVGRlEwRkJRVWhCUVVGQllrRkNjRUZJVVVGWmQwSlRaRzQ0V0dOcVZVWTFSVzVIT0hadWFFUlFSUzh2ZEdOQ2FtUXlNMjFHVlc5QlJ6UkJaRkZDYzBGSGQwRkxVVUZCUVVFOVBTSXNDaUFnSWxOdlpuUjNZWEpsUlhoamJIVnphVzl1VEdsemRFWnZja1JsY0d4dmVXMWxiblFpT2lCYlhRcDkiLCJFbnRpdHlQYXRoIjoiIiwiRW50aXR5VHlwZSI6NiwiTHVyZURlcGxveW1lbnRDb250ZXh0Ijp7IkV4cGlyYXRpb25VdGMiOiIyMDI0LTA0LTIyVDEyOjE2OjQ1LjQ0NTE3NzVaIiwiSWQiOiJhZjlkNWY2YS1jNjZhLTRmYmMtOTkwZS00MzMwYmI4ZTZjODQiLCJDb3JyZWxhdGlvbklkIjpudWxsfSwiRmlsZUF0dHJpYnV0ZXMiOjAsIlVzZXJSaWQiOjkyNjEwMzg2MX0=}"2024-04-19T12:21:13.582SystemStandard7192\Device\HarddiskVolume3\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe2024-04-19T12:21:11.307nt authoritysystemS-1-5-18 28952{"IsLocalLogon":false} CachedRemoteInteractive            Events
2024-04-19T12:22:10.9876595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1LogonAttempted     LITCfake account               7c04ec2377e32b3c742f581f6c5437464dd2cf23247PKBT60B6DT25B34CP74B5889Ap10F1B3S72B4D4D95B5B25B54560B8powershell.exeC:\Windows\System32\WindowsPowerShell\v1.08332powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command "& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\ Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Algorithm SHA256; if (!( $calculatedHash.Hash -eq '575497143631ed5cd604e7a1e8666187bd6acf421ad685273e559c0013179789')) { exit 323;}; Start-Transcript -Path 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\PSScriptOutputs\PSScript_Transcript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.txt'; . 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Id 3f884218-6a5a-4d02-8032-32ed7f90339a -Descriptor eyJEZXRlY3Rpb25LZXlzIjpbIk1va2h0YXIuU2hvc2hhbiJdLCJDb250ZW50IjoiZXdvZ0lDSlRaWEpwWVd4cGVtVmtUbXhTWldOdmNtUWlPaUFpU0dkQlNVRkNORUZJWjBGQlFVRkJRVUZCUVVGQlJGVTFUWHBqUVVGblFVRkJaMEZCUVVGblFVZEJRemNyY3pONU9UUXZZVUZSVVVGQlVVRkJRVUZCUVVGUlFVdEJRVUZCUVVGQlVVRkJRVUZHUVVFd1FVTmlWRGRNWW5SWVduUjVNbTlPUmtnek1FcGhNRlZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUWtGQlFVRkJRVUZCUVVGQlFVRkJRVU5CUVVGQlJHZEJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZVVVVKMlFVZHpRV0ZCUWpCQlIwVkJZMmRCZFVGR1RVRmhRVUoyUVVoTlFXRkJRbWhCUnpSQlFVRkNjMEZIYTBGa1FVSnFRVWQzUVdGUlFqQkJSMDFCVEdkQ2MwRkhPRUZaZDBKb1FVZDNRVlJSUW5aQlIzTkJZVUZDTUVGSFJVRmpaMEYxUVVaTlFXRkJRblpCU0UxQllVRkNhRUZITkVGUlFVSnpRVWRyUVdSQlFtcEJRelJCWWtGQ2RrRkhUVUZaVVVKelFVVXdRV0ozUW5KQlIyZEJaRUZDYUVGSVNVRk1aMEpVUVVkblFXSjNRbnBCUjJkQldWRkNkVUZCUVVGVVVVSjJRVWR6UVdGQlFqQkJSMFZCWTJkQlowRkdUVUZoUVVKMlFVaE5RV0ZCUW1oQlJ6UkJRVUZCUVVGblFVRkNkMEZCUVVGRlEwRkJRVWhCUVVGQllrRkNjRUZJVVVGWmQwSlRaRzQ0V0dOcVZVWTFSVzVIT0hadWFFUlFSUzh2ZEdOQ2FtUXlNMjFHVlc5QlJ6UkJaRkZDYzBGSGQwRkxVVUZCUVVFOVBTSXNDaUFnSWxOdlpuUjNZWEpsUlhoamJIVnphVzl1VEdsemRFWnZja1JsY0d4dmVXMWxiblFpT2lCYlhRcDkiLCJFbnRpdHlQYXRoIjoiIiwiRW50aXR5VHlwZSI6NiwiTHVyZURlcGxveW1lbnRDb250ZXh0Ijp7IkV4cGlyYXRpb25VdGMiOiIyMDI0LTA0LTIyVDEyOjE2OjQ1LjQ0NTE3NzVaIiwiSWQiOiJhZjlkNWY2YS1jNjZhLTRmYmMtOTkwZS00MzMwYmI4ZTZjODQiLCJDb3JyZWxhdGlvbklkIjpudWxsfSwiRmlsZUF0dHJpYnV0ZXMiOjAsIlVzZXJSaWQiOjkyNjEwMzg2MX0=}"2024-04-19T12:21:13.582SystemDefault7192SenseIR.exe2024-04-19T12:21:11.307NT AUTHORITYsystemS-1-5-18 28951                  Events
2024-04-19T12:22:09.7286595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1InteractiveRemoteComponentInvocation   LITCfake accountS-1-5-21-3977750084-2905094788-454684165-926103861                           1.71E+09               T1078 (Friends)/T1021.001 (Friends)Techniques
2024-04-19T12:22:09.7286595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1WindowsDomainAccountLogonSuccess   LITCfake accountS-1-5-21-3977750084-2905094788-454684165-926103861          D398B9D68B555K9K6K041K8Pia8849D1A6B1AC463A75A4F57158Ba4D796A2414790FCD3694D8Ab9ED3A8942A9CBCD0B71691Alsass.exeC:\Windows\System32824lsass.exe2024-04-18T08:04:00.305SystemDefault928wininit.exe2024-04-18T08:04:00.107NT AUTHORITYsystemS-1-5-18 9.6E+08               T1078.002 (bolster) Techniques
2024-04-19T12:22:09.7286595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1LogonSuccess     LITCfake accountS-1-5-21-3977750084-2905094788-454684165-926103861          D398B9D68B555K9K6K041K8Pia8849D1A6B1AC463A75A4F57158Ba4D796A2414790FCD3694D8Ab9ED3A8942A9CBCD0B71691Alsass.exeC:\Windows\System32\lsass.exe824lsass.exe2024-04-18T08:04:00.305SystemStandard928wininit.exe2024-04-18T08:04:00.107nt authoritysystemS-1-5-18 28934{"IsLocalLogon":false} RemoteInteractive             Events

thanks in advance 

investigation
  • DylanInfosec's avatar
    DylanInfosec
    Apr 20, 2024

    Hi ahmedamer ,

    have you or someone on the team perhaps turned on the Defender for Endpoint deception features?

     

    You can check the setting for Deception by going to your XDR dashboard > Settings > Endpoints > Advanced features and scroll to find the setting for  “Deception” towards the bottom of the features list.

     

    if it’s on, you can confirm that the user you’re seeing is apart of the deception identities by scrolling a bit more on the endpoints menu for the “Deception rules” tab under the Rules header. There may just be one Default rule there. Click it and you should see a list of deception identities.

     

    see more here: Configure the deception capability in Microsoft Defender XDR 

     

    Best,

    Dylan

1 Reply

Sort By
  • DylanInfosec's avatar
    DylanInfosec
    Iron Contributor
    Apr 20, 2024

    Hi ahmedamer ,

    have you or someone on the team perhaps turned on the Defender for Endpoint deception features?

     

    You can check the setting for Deception by going to your XDR dashboard > Settings > Endpoints > Advanced features and scroll to find the setting for  “Deception” towards the bottom of the features list.

     

    if it’s on, you can confirm that the user you’re seeing is apart of the deception identities by scrolling a bit more on the endpoints menu for the “Deception rules” tab under the Rules header. There may just be one Default rule there. Click it and you should see a list of deception identities.

     

    see more here: Configure the deception capability in Microsoft Defender XDR 

     

    Best,

    Dylan

Resources

"}},"componentScriptGroups({\"componentId\":\"custom.widget.Social_Sharing\"})":{"__typename":"ComponentScriptGroups","scriptGroups":{"__typename":"ComponentScriptGroupsDefinition","afterInteractive":{"__typename":"PageScriptGroupDefinition","group":"AFTER_INTERACTIVE","scriptIds":[]},"lazyOnLoad":{"__typename":"PageScriptGroupDefinition","group":"LAZY_ON_LOAD","scriptIds":[]}},"componentScripts":[]},"component({\"componentId\":\"custom.widget.MicrosoftFooter\"})":{"__typename":"Component","render({\"context\":{\"component\":{\"entities\":[],\"props\":{}},\"page\":{\"entities\":[\"board:MicrosoftThreatProtection\",\"message:4119284\"],\"name\":\"ForumMessagePage\",\"props\":{},\"url\":\"https://techcommunity.microsoft.com/discussions/microsoftthreatprotection/abnormal-behavior-in-users-devices/4119284\"}}})":{"__typename":"ComponentRenderResult","html":""}},"componentScriptGroups({\"componentId\":\"custom.widget.MicrosoftFooter\"})":{"__typename":"ComponentScriptGroups","scriptGroups":{"__typename":"ComponentScriptGroupsDefinition","afterInteractive":{"__typename":"PageScriptGroupDefinition","group":"AFTER_INTERACTIVE","scriptIds":[]},"lazyOnLoad":{"__typename":"PageScriptGroupDefinition","group":"LAZY_ON_LOAD","scriptIds":[]}},"componentScripts":[]},"cachedText({\"lastModified\":\"1737115705000\",\"locale\":\"en-US\",\"namespaces\":[\"components/community/NavbarDropdownToggle\"]})":[{"__ref":"CachedAsset:text:en_US-components/community/NavbarDropdownToggle-1737115705000"}],"cachedText({\"lastModified\":\"1737115705000\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/common/QueryHandler\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/common/QueryHandler-1737115705000"}],"cachedText({\"lastModified\":\"1737115705000\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/EscalatedMessageBanner\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/EscalatedMessageBanner-1737115705000"}],"cachedText({\"lastModified\":\"1737115705000\",\"locale\":\"en-US\",\"namespaces\":[\"components/users/UserLink\"]})":[{"__ref":"CachedAsset:text:en_US-components/users/UserLink-1737115705000"}],"cachedText({\"lastModified\":\"1737115705000\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/users/UserRank\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/users/UserRank-1737115705000"}],"cachedText({\"lastModified\":\"1737115705000\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageTime\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageTime-1737115705000"}],"cachedText({\"lastModified\":\"1737115705000\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageSolvedBadge\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageSolvedBadge-1737115705000"}],"cachedText({\"lastModified\":\"1737115705000\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageSubject\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageSubject-1737115705000"}],"cachedText({\"lastModified\":\"1737115705000\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageBody\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageBody-1737115705000"}],"cachedText({\"lastModified\":\"1737115705000\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageCustomFields\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageCustomFields-1737115705000"}],"cachedText({\"lastModified\":\"1737115705000\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageReplyButton\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageReplyButton-1737115705000"}],"cachedText({\"lastModified\":\"1737115705000\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageSolutionList\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageSolutionList-1737115705000"}],"messages({\"constraints\":{\"solution\":{\"eq\":true},\"topicId\":{\"eq\":\"message:4119284\"}},\"first\":10,\"sorts\":{\"postTime\":{\"direction\":\"ASC\"}}})":{"__typename":"MessageConnection","edges":[{"__typename":"MessageEdge","cursor":"MjUuMXwyLjF8aXwxMHwxMzI6MXxpbnQsNDExOTMyOCw0MTE5MzI4","node":{"__ref":"AcceptedSolutionMessage:message:4119328"}}],"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null},"totalCount":1},"cachedText({\"lastModified\":\"1737115705000\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/users/UserAvatar\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/users/UserAvatar-1737115705000"}],"cachedText({\"lastModified\":\"1737115705000\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/ranks/UserRankLabel\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/ranks/UserRankLabel-1737115705000"}],"cachedText({\"lastModified\":\"1737115705000\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/AcceptedSolutionButton\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/AcceptedSolutionButton-1737115705000"}],"message({\"id\":\"message:4119328\"})":{"__ref":"AcceptedSolutionMessage:message:4119328"},"cachedText({\"lastModified\":\"1737115705000\",\"locale\":\"en-US\",\"namespaces\":[\"components/tags/TagView/TagViewChip\"]})":[{"__ref":"CachedAsset:text:en_US-components/tags/TagView/TagViewChip-1737115705000"}]},"CachedAsset:pages-1740993448212":{"__typename":"CachedAsset","id":"pages-1740993448212","value":[{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"BlogViewAllPostsPage","type":"BLOG","urlPath":"/category/:categoryId/blog/:boardId/all-posts/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"CasePortalPage","type":"CASE_PORTAL","urlPath":"/caseportal","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"CreateGroupHubPage","type":"GROUP_HUB","urlPath":"/groups/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"CaseViewPage","type":"CASE_DETAILS","urlPath":"/case/:caseId/:caseNumber","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"InboxPage","type":"COMMUNITY","urlPath":"/inbox","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"HelpFAQPage","type":"COMMUNITY","urlPath":"/help","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"IdeaMessagePage","type":"IDEA_POST","urlPath":"/idea/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"IdeaViewAllIdeasPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId/all-ideas/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"LoginPage","type":"USER","urlPath":"/signin","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"BlogPostPage","type":"BLOG","urlPath":"/category/:categoryId/blogs/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"UserBlogPermissions.Page","type":"COMMUNITY","urlPath":"/c/user-blog-permissions/page","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"ThemeEditorPage","type":"COMMUNITY","urlPath":"/designer/themes","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"TkbViewAllArticlesPage","type":"TKB","urlPath":"/category/:categoryId/kb/:boardId/all-articles/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1730142000000,"localOverride":null,"page":{"id":"AllEvents","type":"CUSTOM","urlPath":"/Events","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"OccasionEditPage","type":"EVENT","urlPath":"/event/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"OAuthAuthorizationAllowPage","type":"USER","urlPath":"/auth/authorize/allow","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"PageEditorPage","type":"COMMUNITY","urlPath":"/designer/pages","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"PostPage","type":"COMMUNITY","urlPath":"/category/:categoryId/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"ForumBoardPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"TkbBoardPage","type":"TKB","urlPath":"/category/:categoryId/kb/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"EventPostPage","type":"EVENT","urlPath":"/category/:categoryId/events/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"UserBadgesPage","type":"COMMUNITY","urlPath":"/users/:login/:userId/badges","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"GroupHubMembershipAction","type":"GROUP_HUB","urlPath":"/membership/join/:nodeId/:membershipType","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"MaintenancePage","type":"COMMUNITY","urlPath":"/maintenance","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"IdeaReplyPage","type":"IDEA_REPLY","urlPath":"/idea/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"UserSettingsPage","type":"USER","urlPath":"/mysettings/:userSettingsTab","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"GroupHubsPage","type":"GROUP_HUB","urlPath":"/groups","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"ForumPostPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"OccasionRsvpActionPage","type":"OCCASION","urlPath":"/event/:boardId/:messageSubject/:messageId/rsvp/:responseType","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"VerifyUserEmailPage","type":"USER","urlPath":"/verifyemail/:userId/:verifyEmailToken","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"AllOccasionsPage","type":"OCCASION","urlPath":"/category/:categoryId/events/:boardId/all-events/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"EventBoardPage","type":"EVENT","urlPath":"/category/:categoryId/events/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"TkbReplyPage","type":"TKB_REPLY","urlPath":"/kb/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"IdeaBoardPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"CommunityGuideLinesPage","type":"COMMUNITY","urlPath":"/communityguidelines","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"CaseCreatePage","type":"SALESFORCE_CASE_CREATION","urlPath":"/caseportal/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"TkbEditPage","type":"TKB","urlPath":"/kb/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"ForgotPasswordPage","type":"USER","urlPath":"/forgotpassword","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"IdeaEditPage","type":"IDEA","urlPath":"/idea/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"TagPage","type":"COMMUNITY","urlPath":"/tag/:tagName","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"BlogBoardPage","type":"BLOG","urlPath":"/category/:categoryId/blog/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"OccasionMessagePage","type":"OCCASION_TOPIC","urlPath":"/event/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"ManageContentPage","type":"COMMUNITY","urlPath":"/managecontent","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"ClosedMembershipNodeNonMembersPage","type":"GROUP_HUB","urlPath":"/closedgroup/:groupHubId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"CommunityPage","type":"COMMUNITY","urlPath":"/","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"ForumMessagePage","type":"FORUM_TOPIC","urlPath":"/discussions/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"IdeaPostPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1730142000000,"localOverride":null,"page":{"id":"CommunityHub.Page","type":"CUSTOM","urlPath":"/Directory","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"BlogMessagePage","type":"BLOG_ARTICLE","urlPath":"/blog/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"RegistrationPage","type":"USER","urlPath":"/register","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"EditGroupHubPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"ForumEditPage","type":"FORUM","urlPath":"/discussions/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"ResetPasswordPage","type":"USER","urlPath":"/resetpassword/:userId/:resetPasswordToken","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1730142000000,"localOverride":null,"page":{"id":"AllBlogs.Page","type":"CUSTOM","urlPath":"/blogs","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"TkbMessagePage","type":"TKB_ARTICLE","urlPath":"/kb/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"BlogEditPage","type":"BLOG","urlPath":"/blog/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"ManageUsersPage","type":"USER","urlPath":"/users/manage/:tab?/:manageUsersTab?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"ForumReplyPage","type":"FORUM_REPLY","urlPath":"/discussions/:boardId/:messageSubject/:messageId/replies/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"PrivacyPolicyPage","type":"COMMUNITY","urlPath":"/privacypolicy","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"NotificationPage","type":"COMMUNITY","urlPath":"/notifications","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"UserPage","type":"USER","urlPath":"/users/:login/:userId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"OccasionReplyPage","type":"OCCASION_REPLY","urlPath":"/event/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"ManageMembersPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/manage/:tab?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"SearchResultsPage","type":"COMMUNITY","urlPath":"/search","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"BlogReplyPage","type":"BLOG_REPLY","urlPath":"/blog/:boardId/:messageSubject/:messageId/replies/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"GroupHubPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"TermsOfServicePage","type":"COMMUNITY","urlPath":"/termsofservice","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"CategoryPage","type":"CATEGORY","urlPath":"/category/:categoryId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"ForumViewAllTopicsPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId/all-topics/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"TkbPostPage","type":"TKB","urlPath":"/category/:categoryId/kbs/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1740993448212,"localOverride":null,"page":{"id":"GroupHubPostPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"}],"localOverride":false},"CachedAsset:text:en_US-components/context/AppContext/AppContextProvider-0":{"__typename":"CachedAsset","id":"text:en_US-components/context/AppContext/AppContextProvider-0","value":{"noCommunity":"Cannot find community","noUser":"Cannot find current user","noNode":"Cannot find node with id {nodeId}","noMessage":"Cannot find message with id {messageId}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/Loading/LoadingDot-0":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/Loading/LoadingDot-0","value":{"title":"Loading..."},"localOverride":false},"User:user:-1":{"__typename":"User","id":"user:-1","uid":-1,"login":"Deleted","email":"","avatar":null,"rank":null,"kudosWeight":1,"registrationData":{"__typename":"RegistrationData","status":"ANONYMOUS","registrationTime":null,"confirmEmailStatus":false,"registrationAccessLevel":"VIEW","ssoRegistrationFields":[]},"ssoId":null,"profileSettings":{"__typename":"ProfileSettings","dateDisplayStyle":{"__typename":"InheritableStringSettingWithPossibleValues","key":"layout.friendly_dates_enabled","value":"false","localValue":"true","possibleValues":["true","false"]},"dateDisplayFormat":{"__typename":"InheritableStringSetting","key":"layout.format_pattern_date","value":"MMM dd yyyy","localValue":"MM-dd-yyyy"},"language":{"__typename":"InheritableStringSettingWithPossibleValues","key":"profile.language","value":"en-US","localValue":"en","possibleValues":["en-US"]}},"deleted":false},"Theme:customTheme1":{"__typename":"Theme","id":"customTheme1"},"Category:category:microsoft-defender-xdr":{"__typename":"Category","id":"category:microsoft-defender-xdr","entityType":"CATEGORY","displayId":"microsoft-defender-xdr","nodeType":"category","depth":4,"title":"Microsoft Defender XDR","shortTitle":"Microsoft Defender XDR","parent":{"__ref":"Category:category:microsoft-security"}},"Category:category:top":{"__typename":"Category","id":"category:top","displayId":"top","nodeType":"category","depth":0,"title":"Top","entityType":"CATEGORY","shortTitle":"Top"},"Category:category:communities":{"__typename":"Category","id":"category:communities","displayId":"communities","nodeType":"category","depth":1,"parent":{"__ref":"Category:category:top"},"title":"Communities","entityType":"CATEGORY","shortTitle":"Communities"},"Category:category:products-services":{"__typename":"Category","id":"category:products-services","displayId":"products-services","nodeType":"category","depth":2,"parent":{"__ref":"Category:category:communities"},"title":"Products","entityType":"CATEGORY","shortTitle":"Products"},"Category:category:microsoft-security":{"__typename":"Category","id":"category:microsoft-security","displayId":"microsoft-security","nodeType":"category","depth":3,"parent":{"__ref":"Category:category:products-services"},"title":"Microsoft Security","entityType":"CATEGORY","shortTitle":"Microsoft Security","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Forum:board:MicrosoftThreatProtection":{"__typename":"Forum","id":"board:MicrosoftThreatProtection","entityType":"FORUM","displayId":"MicrosoftThreatProtection","nodeType":"board","depth":5,"conversationStyle":"FORUM","title":"Microsoft Defender XDR","description":"","avatar":null,"profileSettings":{"__typename":"ProfileSettings","language":null},"parent":{"__ref":"Category:category:microsoft-defender-xdr"},"ancestors":{"__typename":"CoreNodeConnection","edges":[{"__typename":"CoreNodeEdge","node":{"__ref":"Community:community:gxcuf89792"}},{"__typename":"CoreNodeEdge","node":{"__ref":"Category:category:communities"}},{"__typename":"CoreNodeEdge","node":{"__ref":"Category:category:products-services"}},{"__typename":"CoreNodeEdge","node":{"__ref":"Category:category:microsoft-security"}},{"__typename":"CoreNodeEdge","node":{"__ref":"Category:category:microsoft-defender-xdr"}}]},"userContext":{"__typename":"NodeUserContext","canAddAttachments":false,"canUpdateNode":false,"canPostMessages":false,"isSubscribed":false},"boardPolicies":{"__typename":"BoardPolicies","canPublishArticleOnCreate":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.forums.policy_can_publish_on_create_workflow_action.accessDenied","key":"error.lithium.policies.forums.policy_can_publish_on_create_workflow_action.accessDenied","args":[]}}},"shortTitle":"Microsoft Defender XDR","repliesProperties":{"__typename":"RepliesProperties","sortOrder":"REVERSE_PUBLISH_TIME","repliesFormat":"threaded"},"eventPath":"category:microsoft-defender-xdr/category:microsoft-security/category:products-services/category:communities/community:gxcuf89792board:MicrosoftThreatProtection/","tagProperties":{"__typename":"TagNodeProperties","tagsEnabled":{"__typename":"PolicyResult","failureReason":null}},"requireTags":true,"tagType":"PRESET_ONLY"},"Rank:rank:37":{"__typename":"Rank","id":"rank:37","position":17,"name":"Copper Contributor","color":"333333","icon":null,"rankStyle":"TEXT"},"User:user:460770":{"__typename":"User","id":"user:460770","uid":460770,"login":"ahmedamer","deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/m_assets/avatars/default/avatar-6.svg?time=0"},"rank":{"__ref":"Rank:rank:37"},"email":"","messagesCount":1,"biography":null,"topicsCount":1,"kudosReceivedCount":0,"kudosGivenCount":1,"kudosWeight":1,"registrationData":{"__typename":"RegistrationData","status":null,"registrationTime":"2019-11-18T03:39:13.302-08:00","confirmEmailStatus":null},"followersCount":null,"solutionsCount":0},"ForumTopicMessage:message:4119284":{"__typename":"ForumTopicMessage","uid":4119284,"subject":"abnormal Behavior in Users Devices","id":"message:4119284","revisionNum":1,"repliesCount":1,"author":{"__ref":"User:user:460770"},"depth":0,"hasGivenKudo":false,"board":{"__ref":"Forum:board:MicrosoftThreatProtection"},"conversation":{"__ref":"Conversation:conversation:4119284"},"readOnly":false,"editFrozen":false,"moderationData":{"__ref":"ModerationData:moderation_data:4119284"},"body":"

hi security guys

 

I am facing strange behaviors on Microsoft EDR that show in timeline Windows Defender Advanced Threat Protection\\SenseIR.exe is using fake accounts which are not exist in Microsoft Active directory and Azure Active Directory 

Is considering a normal behavior, hacked or Windows Defender Advanced Threat Protection zero day vulnerable.

the below sample from timeline that related with fake account.

Event TimeMachine IdComputer NameAction TypeFile NameFolder PathSha1Sha256MD5Process Command LineAccount DomainAccount NameAccount SidLogo IdProcess IdProcess Creation TimeProcess Token ElevationRegistry KeyRegistry Value NameRegistry Value DataRemote UrlRemote Computer NameRemote IPRemote PortLocal IPLocal PortFile Origin UrlFile Origin IPInitiating Process SHA1Initiating Process SHA256Initiating Process File NameInitiating Process Folder PathInitiating Process IdInitiating Process Command LineInitiating Process Creation TimeInitiating Process Integrity LevelInitiating Process Token ElevationInitiating Process Parent IdInitiating Process Parent File NameInitiating Process Parent Creation TimeInitiating Process MD5Initiating Process Account DomainInitiating Process Account NameInitiating Process Account SidInitiating Process Logon IdReport IdAdditional FieldsApp Guard Container IdProtocolLogon TypeProcess Integrity LevelRegistry Value TypePrevious Registry Value NamePrevious Registry Value DataPrevious Registry KeyFile Origin Referrer UrlSensitivity LabelSensitivity Sub LabelIs Endpoint Dlp AppliedIs Azure Info Protection AppliedAlert IdsCategoriesSeveritiesIs MarkedData Type
2024-04-19T12:22:10.9876595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1InboundRdpConnection    LITCfake accountS-1-5-21-3977750084-2905094788-454684165-926103861          7c04ec2377e32b3c742f581f6c5437464dd2cf23247PKBT60B6DT25B34CP74B5889Ap10F1B3S72B4D4D95B5B25B54560B8powershell.exeC:\\Windows\\System32\\WindowsPowerShell\\v1.08332powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command \"& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\\ Get-FileHash 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Algorithm SHA256; if (!( $calculatedHash.Hash -eq '575497143631ed5cd604e7a1e8666187bd6acf421ad685273e559c0013179789')) { exit 323;}; Start-Transcript -Path 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\PSScriptOutputs\\PSScript_Transcript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.txt'; . 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Id 3f884218-6a5a-4d02-8032-32ed7f90339a -Descriptor eyJEZXRlY3Rpb25LZXlzIjpbIk1va2h0YXIuU2hvc2hhbiJdLCJDb250ZW50IjoiZXdvZ0lDSlRaWEpwWVd4cGVtVmtUbXhTWldOdmNtUWlPaUFpU0dkQlNVRkNORUZJWjBGQlFVRkJRVUZCUVVGQlJGVTFUWHBqUVVGblFVRkJaMEZCUVVGblFVZEJRemNyY3pONU9UUXZZVUZSVVVGQlVVRkJRVUZCUVVGUlFVdEJRVUZCUVVGQlVVRkJRVUZHUVVFd1FVTmlWRGRNWW5SWVduUjVNbTlPUmtnek1FcGhNRlZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUWtGQlFVRkJRVUZCUVVGQlFVRkJRVU5CUVVGQlJHZEJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZVVVVKMlFVZHpRV0ZCUWpCQlIwVkJZMmRCZFVGR1RVRmhRVUoyUVVoTlFXRkJRbWhCUnpSQlFVRkNjMEZIYTBGa1FVSnFRVWQzUVdGUlFqQkJSMDFCVEdkQ2MwRkhPRUZaZDBKb1FVZDNRVlJSUW5aQlIzTkJZVUZDTUVGSFJVRmpaMEYxUVVaTlFXRkJRblpCU0UxQllVRkNhRUZITkVGUlFVSnpRVWRyUVdSQlFtcEJRelJCWWtGQ2RrRkhUVUZaVVVKelFVVXdRV0ozUW5KQlIyZEJaRUZDYUVGSVNVRk1aMEpVUVVkblFXSjNRbnBCUjJkQldWRkNkVUZCUVVGVVVVSjJRVWR6UVdGQlFqQkJSMFZCWTJkQlowRkdUVUZoUVVKMlFVaE5RV0ZCUW1oQlJ6UkJRVUZCUVVGblFVRkNkMEZCUVVGRlEwRkJRVWhCUVVGQllrRkNjRUZJVVVGWmQwSlRaRzQ0V0dOcVZVWTFSVzVIT0hadWFFUlFSUzh2ZEdOQ2FtUXlNMjFHVlc5QlJ6UkJaRkZDYzBGSGQwRkxVVUZCUVVFOVBTSXNDaUFnSWxOdlpuUjNZWEpsUlhoamJIVnphVzl1VEdsemRFWnZja1JsY0d4dmVXMWxiblFpT2lCYlhRcDkiLCJFbnRpdHlQYXRoIjoiIiwiRW50aXR5VHlwZSI6NiwiTHVyZURlcGxveW1lbnRDb250ZXh0Ijp7IkV4cGlyYXRpb25VdGMiOiIyMDI0LTA0LTIyVDEyOjE2OjQ1LjQ0NTE3NzVaIiwiSWQiOiJhZjlkNWY2YS1jNjZhLTRmYmMtOTkwZS00MzMwYmI4ZTZjODQiLCJDb3JyZWxhdGlvbklkIjpudWxsfSwiRmlsZUF0dHJpYnV0ZXMiOjAsIlVzZXJSaWQiOjkyNjEwMzg2MX0=}\"2024-04-19T12:21:13.582SystemDefault7192SenseIR.exe2024-04-19T12:21:11.307NT AUTHORITYsystemS-1-5-18 1.65E+09               T1021.001 (bolster) Techniques
2024-04-19T12:22:10.9876595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1WindowsDomainAccountLogonSuccess   LITCfake accountS-1-5-21-3977750084-2905094788-454684165-926103861          7c04ec2377e32b3c742f581f6c5437464dd2cf23247PKBT60B6DT25B34CP74B5889Ap10F1B3S72B4D4D95B5B25B54560B8powershell.exeC:\\Windows\\System32\\WindowsPowerShell\\v1.08332powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command \"& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\\ Get-FileHash 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Algorithm SHA256; if (!( $calculatedHash.Hash -eq '575497143631ed5cd604e7a1e8666187bd6acf421ad685273e559c0013179789')) { exit 323;}; Start-Transcript -Path 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\PSScriptOutputs\\PSScript_Transcript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.txt'; . 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Id 3f884218-6a5a-4d02-8032-32ed7f90339a -Descriptor eyJEZXRlY3Rpb25LZXlzIjpbIk1va2h0YXIuU2hvc2hhbiJdLCJDb250ZW50IjoiZXdvZ0lDSlRaWEpwWVd4cGVtVmtUbXhTWldOdmNtUWlPaUFpU0dkQlNVRkNORUZJWjBGQlFVRkJRVUZCUVVGQlJGVTFUWHBqUVVGblFVRkJaMEZCUVVGblFVZEJRemNyY3pONU9UUXZZVUZSVVVGQlVVRkJRVUZCUVVGUlFVdEJRVUZCUVVGQlVVRkJRVUZHUVVFd1FVTmlWRGRNWW5SWVduUjVNbTlPUmtnek1FcGhNRlZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUWtGQlFVRkJRVUZCUVVGQlFVRkJRVU5CUVVGQlJHZEJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZVVVVKMlFVZHpRV0ZCUWpCQlIwVkJZMmRCZFVGR1RVRmhRVUoyUVVoTlFXRkJRbWhCUnpSQlFVRkNjMEZIYTBGa1FVSnFRVWQzUVdGUlFqQkJSMDFCVEdkQ2MwRkhPRUZaZDBKb1FVZDNRVlJSUW5aQlIzTkJZVUZDTUVGSFJVRmpaMEYxUVVaTlFXRkJRblpCU0UxQllVRkNhRUZITkVGUlFVSnpRVWRyUVdSQlFtcEJRelJCWWtGQ2RrRkhUVUZaVVVKelFVVXdRV0ozUW5KQlIyZEJaRUZDYUVGSVNVRk1aMEpVUVVkblFXSjNRbnBCUjJkQldWRkNkVUZCUVVGVVVVSjJRVWR6UVdGQlFqQkJSMFZCWTJkQlowRkdUVUZoUVVKMlFVaE5RV0ZCUW1oQlJ6UkJRVUZCUVVGblFVRkNkMEZCUVVGRlEwRkJRVWhCUVVGQllrRkNjRUZJVVVGWmQwSlRaRzQ0V0dOcVZVWTFSVzVIT0hadWFFUlFSUzh2ZEdOQ2FtUXlNMjFHVlc5QlJ6UkJaRkZDYzBGSGQwRkxVVUZCUVVFOVBTSXNDaUFnSWxOdlpuUjNZWEpsUlhoamJIVnphVzl1VEdsemRFWnZja1JsY0d4dmVXMWxiblFpT2lCYlhRcDkiLCJFbnRpdHlQYXRoIjoiIiwiRW50aXR5VHlwZSI6NiwiTHVyZURlcGxveW1lbnRDb250ZXh0Ijp7IkV4cGlyYXRpb25VdGMiOiIyMDI0LTA0LTIyVDEyOjE2OjQ1LjQ0NTE3NzVaIiwiSWQiOiJhZjlkNWY2YS1jNjZhLTRmYmMtOTkwZS00MzMwYmI4ZTZjODQiLCJDb3JyZWxhdGlvbklkIjpudWxsfSwiRmlsZUF0dHJpYnV0ZXMiOjAsIlVzZXJSaWQiOjkyNjEwMzg2MX0=}\"2024-04-19T12:21:13.582SystemDefault7192SenseIR.exe2024-04-19T12:21:11.307NT AUTHORITYsystemS-1-5-18 9.09E+08               T1078.002 (bolster) Techniques
2024-04-19T12:22:10.9876595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1LogonSuccess     LITCfake accountS-1-5-21-3977750084-2905094788-454684165-926103861          7c04ec2377e32b3c742f581f6c5437464dd2cf23247PKBT60B6DT25B34CP74B5889Ap10F1B3S72B4D4D95B5B25B54560B8powershell.exeC:\\Windows\\System32\\WindowsPowerShell\\v1.08332powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command \"& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\\ Get-FileHash 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Algorithm SHA256; if (!( $calculatedHash.Hash -eq '575497143631ed5cd604e7a1e8666187bd6acf421ad685273e559c0013179789')) { exit 323;}; Start-Transcript -Path 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\PSScriptOutputs\\PSScript_Transcript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.txt'; . 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Id 3f884218-6a5a-4d02-8032-32ed7f90339a -Descriptor eyJEZXRlY3Rpb25LZXlzIjpbIk1va2h0YXIuU2hvc2hhbiJdLCJDb250ZW50IjoiZXdvZ0lDSlRaWEpwWVd4cGVtVmtUbXhTWldOdmNtUWlPaUFpU0dkQlNVRkNORUZJWjBGQlFVRkJRVUZCUVVGQlJGVTFUWHBqUVVGblFVRkJaMEZCUVVGblFVZEJRemNyY3pONU9UUXZZVUZSVVVGQlVVRkJRVUZCUVVGUlFVdEJRVUZCUVVGQlVVRkJRVUZHUVVFd1FVTmlWRGRNWW5SWVduUjVNbTlPUmtnek1FcGhNRlZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUWtGQlFVRkJRVUZCUVVGQlFVRkJRVU5CUVVGQlJHZEJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZVVVVKMlFVZHpRV0ZCUWpCQlIwVkJZMmRCZFVGR1RVRmhRVUoyUVVoTlFXRkJRbWhCUnpSQlFVRkNjMEZIYTBGa1FVSnFRVWQzUVdGUlFqQkJSMDFCVEdkQ2MwRkhPRUZaZDBKb1FVZDNRVlJSUW5aQlIzTkJZVUZDTUVGSFJVRmpaMEYxUVVaTlFXRkJRblpCU0UxQllVRkNhRUZITkVGUlFVSnpRVWRyUVdSQlFtcEJRelJCWWtGQ2RrRkhUVUZaVVVKelFVVXdRV0ozUW5KQlIyZEJaRUZDYUVGSVNVRk1aMEpVUVVkblFXSjNRbnBCUjJkQldWRkNkVUZCUVVGVVVVSjJRVWR6UVdGQlFqQkJSMFZCWTJkQlowRkdUVUZoUVVKMlFVaE5RV0ZCUW1oQlJ6UkJRVUZCUVVGblFVRkNkMEZCUVVGRlEwRkJRVWhCUVVGQllrRkNjRUZJVVVGWmQwSlRaRzQ0V0dOcVZVWTFSVzVIT0hadWFFUlFSUzh2ZEdOQ2FtUXlNMjFHVlc5QlJ6UkJaRkZDYzBGSGQwRkxVVUZCUVVFOVBTSXNDaUFnSWxOdlpuUjNZWEpsUlhoamJIVnphVzl1VEdsemRFWnZja1JsY0d4dmVXMWxiblFpT2lCYlhRcDkiLCJFbnRpdHlQYXRoIjoiIiwiRW50aXR5VHlwZSI6NiwiTHVyZURlcGxveW1lbnRDb250ZXh0Ijp7IkV4cGlyYXRpb25VdGMiOiIyMDI0LTA0LTIyVDEyOjE2OjQ1LjQ0NTE3NzVaIiwiSWQiOiJhZjlkNWY2YS1jNjZhLTRmYmMtOTkwZS00MzMwYmI4ZTZjODQiLCJDb3JyZWxhdGlvbklkIjpudWxsfSwiRmlsZUF0dHJpYnV0ZXMiOjAsIlVzZXJSaWQiOjkyNjEwMzg2MX0=}\"2024-04-19T12:21:13.582SystemStandard7192\\Device\\HarddiskVolume3\\Program Files\\Windows Defender Advanced Threat Protection\\SenseIR.exe2024-04-19T12:21:11.307nt authoritysystemS-1-5-18 28953{\"IsLocalLogon\":false} CachedRemoteInteractive            Events
2024-04-19T12:22:10.9876595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1WindowsDomainAccountLogonSuccess   LITCfake accountS-1-5-21-3977750084-2905094788-454684165-926103861          7c04ec2377e32b3c742f581f6c5437464dd2cf23247PKBT60B6DT25B34CP74B5889Ap10F1B3S72B4D4D95B5B25B54560B8powershell.exeC:\\Windows\\System32\\WindowsPowerShell\\v1.08332powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command \"& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\\ Get-FileHash 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Algorithm SHA256; if (!( $calculatedHash.Hash -eq '575497143631ed5cd604e7a1e8666187bd6acf421ad685273e559c0013179789')) { exit 323;}; Start-Transcript -Path 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\PSScriptOutputs\\PSScript_Transcript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.txt'; . 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Id 3f884218-6a5a-4d02-8032-32ed7f90339a -Descriptor eyJEZXRlY3Rpb25LZXlzIjpbIk1va2h0YXIuU2hvc2hhbiJdLCJDb250ZW50IjoiZXdvZ0lDSlRaWEpwWVd4cGVtVmtUbXhTWldOdmNtUWlPaUFpU0dkQlNVRkNORUZJWjBGQlFVRkJRVUZCUVVGQlJGVTFUWHBqUVVGblFVRkJaMEZCUVVGblFVZEJRemNyY3pONU9UUXZZVUZSVVVGQlVVRkJRVUZCUVVGUlFVdEJRVUZCUVVGQlVVRkJRVUZHUVVFd1FVTmlWRGRNWW5SWVduUjVNbTlPUmtnek1FcGhNRlZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUWtGQlFVRkJRVUZCUVVGQlFVRkJRVU5CUVVGQlJHZEJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZVVVVKMlFVZHpRV0ZCUWpCQlIwVkJZMmRCZFVGR1RVRmhRVUoyUVVoTlFXRkJRbWhCUnpSQlFVRkNjMEZIYTBGa1FVSnFRVWQzUVdGUlFqQkJSMDFCVEdkQ2MwRkhPRUZaZDBKb1FVZDNRVlJSUW5aQlIzTkJZVUZDTUVGSFJVRmpaMEYxUVVaTlFXRkJRblpCU0UxQllVRkNhRUZITkVGUlFVSnpRVWRyUVdSQlFtcEJRelJCWWtGQ2RrRkhUVUZaVVVKelFVVXdRV0ozUW5KQlIyZEJaRUZDYUVGSVNVRk1aMEpVUVVkblFXSjNRbnBCUjJkQldWRkNkVUZCUVVGVVVVSjJRVWR6UVdGQlFqQkJSMFZCWTJkQlowRkdUVUZoUVVKMlFVaE5RV0ZCUW1oQlJ6UkJRVUZCUVVGblFVRkNkMEZCUVVGRlEwRkJRVWhCUVVGQllrRkNjRUZJVVVGWmQwSlRaRzQ0V0dOcVZVWTFSVzVIT0hadWFFUlFSUzh2ZEdOQ2FtUXlNMjFHVlc5QlJ6UkJaRkZDYzBGSGQwRkxVVUZCUVVFOVBTSXNDaUFnSWxOdlpuUjNZWEpsUlhoamJIVnphVzl1VEdsemRFWnZja1JsY0d4dmVXMWxiblFpT2lCYlhRcDkiLCJFbnRpdHlQYXRoIjoiIiwiRW50aXR5VHlwZSI6NiwiTHVyZURlcGxveW1lbnRDb250ZXh0Ijp7IkV4cGlyYXRpb25VdGMiOiIyMDI0LTA0LTIyVDEyOjE2OjQ1LjQ0NTE3NzVaIiwiSWQiOiJhZjlkNWY2YS1jNjZhLTRmYmMtOTkwZS00MzMwYmI4ZTZjODQiLCJDb3JyZWxhdGlvbklkIjpudWxsfSwiRmlsZUF0dHJpYnV0ZXMiOjAsIlVzZXJSaWQiOjkyNjEwMzg2MX0=}\"2024-04-19T12:21:13.582SystemDefault7192SenseIR.exe2024-04-19T12:21:11.307NT AUTHORITYsystemS-1-5-18 8.59E+08               T1078.002 (bolster) Techniques
2024-04-19T12:22:10.9876595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1InboundRdpConnection    LITCfake accountS-1-5-21-3977750084-2905094788-454684165-926103861          7c04ec2377e32b3c742f581f6c5437464dd2cf23247PKBT60B6DT25B34CP74B5889Ap10F1B3S72B4D4D95B5B25B54560B8powershell.exeC:\\Windows\\System32\\WindowsPowerShell\\v1.08332powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command \"& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\\ Get-FileHash 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Algorithm SHA256; if (!( $calculatedHash.Hash -eq '575497143631ed5cd604e7a1e8666187bd6acf421ad685273e559c0013179789')) { exit 323;}; Start-Transcript -Path 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\PSScriptOutputs\\PSScript_Transcript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.txt'; . 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Id 3f884218-6a5a-4d02-8032-32ed7f90339a -Descriptor eyJEZXRlY3Rpb25LZXlzIjpbIk1va2h0YXIuU2hvc2hhbiJdLCJDb250ZW50IjoiZXdvZ0lDSlRaWEpwWVd4cGVtVmtUbXhTWldOdmNtUWlPaUFpU0dkQlNVRkNORUZJWjBGQlFVRkJRVUZCUVVGQlJGVTFUWHBqUVVGblFVRkJaMEZCUVVGblFVZEJRemNyY3pONU9UUXZZVUZSVVVGQlVVRkJRVUZCUVVGUlFVdEJRVUZCUVVGQlVVRkJRVUZHUVVFd1FVTmlWRGRNWW5SWVduUjVNbTlPUmtnek1FcGhNRlZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUWtGQlFVRkJRVUZCUVVGQlFVRkJRVU5CUVVGQlJHZEJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZVVVVKMlFVZHpRV0ZCUWpCQlIwVkJZMmRCZFVGR1RVRmhRVUoyUVVoTlFXRkJRbWhCUnpSQlFVRkNjMEZIYTBGa1FVSnFRVWQzUVdGUlFqQkJSMDFCVEdkQ2MwRkhPRUZaZDBKb1FVZDNRVlJSUW5aQlIzTkJZVUZDTUVGSFJVRmpaMEYxUVVaTlFXRkJRblpCU0UxQllVRkNhRUZITkVGUlFVSnpRVWRyUVdSQlFtcEJRelJCWWtGQ2RrRkhUVUZaVVVKelFVVXdRV0ozUW5KQlIyZEJaRUZDYUVGSVNVRk1aMEpVUVVkblFXSjNRbnBCUjJkQldWRkNkVUZCUVVGVVVVSjJRVWR6UVdGQlFqQkJSMFZCWTJkQlowRkdUVUZoUVVKMlFVaE5RV0ZCUW1oQlJ6UkJRVUZCUVVGblFVRkNkMEZCUVVGRlEwRkJRVWhCUVVGQllrRkNjRUZJVVVGWmQwSlRaRzQ0V0dOcVZVWTFSVzVIT0hadWFFUlFSUzh2ZEdOQ2FtUXlNMjFHVlc5QlJ6UkJaRkZDYzBGSGQwRkxVVUZCUVVFOVBTSXNDaUFnSWxOdlpuUjNZWEpsUlhoamJIVnphVzl1VEdsemRFWnZja1JsY0d4dmVXMWxiblFpT2lCYlhRcDkiLCJFbnRpdHlQYXRoIjoiIiwiRW50aXR5VHlwZSI6NiwiTHVyZURlcGxveW1lbnRDb250ZXh0Ijp7IkV4cGlyYXRpb25VdGMiOiIyMDI0LTA0LTIyVDEyOjE2OjQ1LjQ0NTE3NzVaIiwiSWQiOiJhZjlkNWY2YS1jNjZhLTRmYmMtOTkwZS00MzMwYmI4ZTZjODQiLCJDb3JyZWxhdGlvbklkIjpudWxsfSwiRmlsZUF0dHJpYnV0ZXMiOjAsIlVzZXJSaWQiOjkyNjEwMzg2MX0=}\"2024-04-19T12:21:13.582SystemDefault7192SenseIR.exe2024-04-19T12:21:11.307NT AUTHORITYsystemS-1-5-18 8.45E+08               T1021.001 (bolster) Techniques
2024-04-19T12:22:10.9876595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1LogonSuccess     LITCfake accountS-1-5-21-3977750084-2905094788-454684165-926103861          7c04ec2377e32b3c742f581f6c5437464dd2cf23247PKBT60B6DT25B34CP74B5889Ap10F1B3S72B4D4D95B5B25B54560B8powershell.exeC:\\Windows\\System32\\WindowsPowerShell\\v1.08332powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command \"& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\\ Get-FileHash 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Algorithm SHA256; if (!( $calculatedHash.Hash -eq '575497143631ed5cd604e7a1e8666187bd6acf421ad685273e559c0013179789')) { exit 323;}; Start-Transcript -Path 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\PSScriptOutputs\\PSScript_Transcript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.txt'; . 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Id 3f884218-6a5a-4d02-8032-32ed7f90339a -Descriptor eyJEZXRlY3Rpb25LZXlzIjpbIk1va2h0YXIuU2hvc2hhbiJdLCJDb250ZW50IjoiZXdvZ0lDSlRaWEpwWVd4cGVtVmtUbXhTWldOdmNtUWlPaUFpU0dkQlNVRkNORUZJWjBGQlFVRkJRVUZCUVVGQlJGVTFUWHBqUVVGblFVRkJaMEZCUVVGblFVZEJRemNyY3pONU9UUXZZVUZSVVVGQlVVRkJRVUZCUVVGUlFVdEJRVUZCUVVGQlVVRkJRVUZHUVVFd1FVTmlWRGRNWW5SWVduUjVNbTlPUmtnek1FcGhNRlZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUWtGQlFVRkJRVUZCUVVGQlFVRkJRVU5CUVVGQlJHZEJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZVVVVKMlFVZHpRV0ZCUWpCQlIwVkJZMmRCZFVGR1RVRmhRVUoyUVVoTlFXRkJRbWhCUnpSQlFVRkNjMEZIYTBGa1FVSnFRVWQzUVdGUlFqQkJSMDFCVEdkQ2MwRkhPRUZaZDBKb1FVZDNRVlJSUW5aQlIzTkJZVUZDTUVGSFJVRmpaMEYxUVVaTlFXRkJRblpCU0UxQllVRkNhRUZITkVGUlFVSnpRVWRyUVdSQlFtcEJRelJCWWtGQ2RrRkhUVUZaVVVKelFVVXdRV0ozUW5KQlIyZEJaRUZDYUVGSVNVRk1aMEpVUVVkblFXSjNRbnBCUjJkQldWRkNkVUZCUVVGVVVVSjJRVWR6UVdGQlFqQkJSMFZCWTJkQlowRkdUVUZoUVVKMlFVaE5RV0ZCUW1oQlJ6UkJRVUZCUVVGblFVRkNkMEZCUVVGRlEwRkJRVWhCUVVGQllrRkNjRUZJVVVGWmQwSlRaRzQ0V0dOcVZVWTFSVzVIT0hadWFFUlFSUzh2ZEdOQ2FtUXlNMjFHVlc5QlJ6UkJaRkZDYzBGSGQwRkxVVUZCUVVFOVBTSXNDaUFnSWxOdlpuUjNZWEpsUlhoamJIVnphVzl1VEdsemRFWnZja1JsY0d4dmVXMWxiblFpT2lCYlhRcDkiLCJFbnRpdHlQYXRoIjoiIiwiRW50aXR5VHlwZSI6NiwiTHVyZURlcGxveW1lbnRDb250ZXh0Ijp7IkV4cGlyYXRpb25VdGMiOiIyMDI0LTA0LTIyVDEyOjE2OjQ1LjQ0NTE3NzVaIiwiSWQiOiJhZjlkNWY2YS1jNjZhLTRmYmMtOTkwZS00MzMwYmI4ZTZjODQiLCJDb3JyZWxhdGlvbklkIjpudWxsfSwiRmlsZUF0dHJpYnV0ZXMiOjAsIlVzZXJSaWQiOjkyNjEwMzg2MX0=}\"2024-04-19T12:21:13.582SystemStandard7192\\Device\\HarddiskVolume3\\Program Files\\Windows Defender Advanced Threat Protection\\SenseIR.exe2024-04-19T12:21:11.307nt authoritysystemS-1-5-18 28952{\"IsLocalLogon\":false} CachedRemoteInteractive            Events
2024-04-19T12:22:10.9876595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1LogonAttempted     LITCfake account               7c04ec2377e32b3c742f581f6c5437464dd2cf23247PKBT60B6DT25B34CP74B5889Ap10F1B3S72B4D4D95B5B25B54560B8powershell.exeC:\\Windows\\System32\\WindowsPowerShell\\v1.08332powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command \"& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\\ Get-FileHash 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Algorithm SHA256; if (!( $calculatedHash.Hash -eq '575497143631ed5cd604e7a1e8666187bd6acf421ad685273e559c0013179789')) { exit 323;}; Start-Transcript -Path 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\PSScriptOutputs\\PSScript_Transcript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.txt'; . 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Id 3f884218-6a5a-4d02-8032-32ed7f90339a -Descriptor eyJEZXRlY3Rpb25LZXlzIjpbIk1va2h0YXIuU2hvc2hhbiJdLCJDb250ZW50IjoiZXdvZ0lDSlRaWEpwWVd4cGVtVmtUbXhTWldOdmNtUWlPaUFpU0dkQlNVRkNORUZJWjBGQlFVRkJRVUZCUVVGQlJGVTFUWHBqUVVGblFVRkJaMEZCUVVGblFVZEJRemNyY3pONU9UUXZZVUZSVVVGQlVVRkJRVUZCUVVGUlFVdEJRVUZCUVVGQlVVRkJRVUZHUVVFd1FVTmlWRGRNWW5SWVduUjVNbTlPUmtnek1FcGhNRlZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUWtGQlFVRkJRVUZCUVVGQlFVRkJRVU5CUVVGQlJHZEJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZVVVVKMlFVZHpRV0ZCUWpCQlIwVkJZMmRCZFVGR1RVRmhRVUoyUVVoTlFXRkJRbWhCUnpSQlFVRkNjMEZIYTBGa1FVSnFRVWQzUVdGUlFqQkJSMDFCVEdkQ2MwRkhPRUZaZDBKb1FVZDNRVlJSUW5aQlIzTkJZVUZDTUVGSFJVRmpaMEYxUVVaTlFXRkJRblpCU0UxQllVRkNhRUZITkVGUlFVSnpRVWRyUVdSQlFtcEJRelJCWWtGQ2RrRkhUVUZaVVVKelFVVXdRV0ozUW5KQlIyZEJaRUZDYUVGSVNVRk1aMEpVUVVkblFXSjNRbnBCUjJkQldWRkNkVUZCUVVGVVVVSjJRVWR6UVdGQlFqQkJSMFZCWTJkQlowRkdUVUZoUVVKMlFVaE5RV0ZCUW1oQlJ6UkJRVUZCUVVGblFVRkNkMEZCUVVGRlEwRkJRVWhCUVVGQllrRkNjRUZJVVVGWmQwSlRaRzQ0V0dOcVZVWTFSVzVIT0hadWFFUlFSUzh2ZEdOQ2FtUXlNMjFHVlc5QlJ6UkJaRkZDYzBGSGQwRkxVVUZCUVVFOVBTSXNDaUFnSWxOdlpuUjNZWEpsUlhoamJIVnphVzl1VEdsemRFWnZja1JsY0d4dmVXMWxiblFpT2lCYlhRcDkiLCJFbnRpdHlQYXRoIjoiIiwiRW50aXR5VHlwZSI6NiwiTHVyZURlcGxveW1lbnRDb250ZXh0Ijp7IkV4cGlyYXRpb25VdGMiOiIyMDI0LTA0LTIyVDEyOjE2OjQ1LjQ0NTE3NzVaIiwiSWQiOiJhZjlkNWY2YS1jNjZhLTRmYmMtOTkwZS00MzMwYmI4ZTZjODQiLCJDb3JyZWxhdGlvbklkIjpudWxsfSwiRmlsZUF0dHJpYnV0ZXMiOjAsIlVzZXJSaWQiOjkyNjEwMzg2MX0=}\"2024-04-19T12:21:13.582SystemDefault7192SenseIR.exe2024-04-19T12:21:11.307NT AUTHORITYsystemS-1-5-18 28951                  Events
2024-04-19T12:22:09.7286595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1InteractiveRemoteComponentInvocation   LITCfake accountS-1-5-21-3977750084-2905094788-454684165-926103861                           1.71E+09               T1078 (Friends)/T1021.001 (Friends)Techniques
2024-04-19T12:22:09.7286595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1WindowsDomainAccountLogonSuccess   LITCfake accountS-1-5-21-3977750084-2905094788-454684165-926103861          D398B9D68B555K9K6K041K8Pia8849D1A6B1AC463A75A4F57158Ba4D796A2414790FCD3694D8Ab9ED3A8942A9CBCD0B71691Alsass.exeC:\\Windows\\System32824lsass.exe2024-04-18T08:04:00.305SystemDefault928wininit.exe2024-04-18T08:04:00.107NT AUTHORITYsystemS-1-5-18 9.6E+08               T1078.002 (bolster) Techniques
2024-04-19T12:22:09.7286595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1LogonSuccess     LITCfake accountS-1-5-21-3977750084-2905094788-454684165-926103861          D398B9D68B555K9K6K041K8Pia8849D1A6B1AC463A75A4F57158Ba4D796A2414790FCD3694D8Ab9ED3A8942A9CBCD0B71691Alsass.exeC:\\Windows\\System32\\lsass.exe824lsass.exe2024-04-18T08:04:00.305SystemStandard928wininit.exe2024-04-18T08:04:00.107nt authoritysystemS-1-5-18 28934{\"IsLocalLogon\":false} RemoteInteractive             Events

thanks in advance 

","body@stringLength":"32820","rawBody":"

hi security guys

 

I am facing strange behaviors on Microsoft EDR that show in timeline Windows Defender Advanced Threat Protection\\SenseIR.exe is using fake accounts which are not exist in Microsoft Active directory and Azure Active Directory 

Is considering a normal behavior, hacked or Windows Defender Advanced Threat Protection zero day vulnerable.

the below sample from timeline that related with fake account.

Event TimeMachine IdComputer NameAction TypeFile NameFolder PathSha1Sha256MD5Process Command LineAccount DomainAccount NameAccount SidLogo IdProcess IdProcess Creation TimeProcess Token ElevationRegistry KeyRegistry Value NameRegistry Value DataRemote UrlRemote Computer NameRemote IPRemote PortLocal IPLocal PortFile Origin UrlFile Origin IPInitiating Process SHA1Initiating Process SHA256Initiating Process File NameInitiating Process Folder PathInitiating Process IdInitiating Process Command LineInitiating Process Creation TimeInitiating Process Integrity LevelInitiating Process Token ElevationInitiating Process Parent IdInitiating Process Parent File NameInitiating Process Parent Creation TimeInitiating Process MD5Initiating Process Account DomainInitiating Process Account NameInitiating Process Account SidInitiating Process Logon IdReport IdAdditional FieldsApp Guard Container IdProtocolLogon TypeProcess Integrity LevelRegistry Value TypePrevious Registry Value NamePrevious Registry Value DataPrevious Registry KeyFile Origin Referrer UrlSensitivity LabelSensitivity Sub LabelIs Endpoint Dlp AppliedIs Azure Info Protection AppliedAlert IdsCategoriesSeveritiesIs MarkedData Type
2024-04-19T12:22:10.9876595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1InboundRdpConnection    LITCfake accountS-1-5-21-3977750084-2905094788-454684165-926103861          7c04ec2377e32b3c742f581f6c5437464dd2cf23247PKBT60B6DT25B34CP74B5889Ap10F1B3S72B4D4D95B5B25B54560B8powershell.exeC:\\Windows\\System32\\WindowsPowerShell\\v1.08332powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command \"& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\\ Get-FileHash 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Algorithm SHA256; if (!( $calculatedHash.Hash -eq '575497143631ed5cd604e7a1e8666187bd6acf421ad685273e559c0013179789')) { exit 323;}; Start-Transcript -Path 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\PSScriptOutputs\\PSScript_Transcript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.txt'; . 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Id 3f884218-6a5a-4d02-8032-32ed7f90339a -Descriptor eyJEZXRlY3Rpb25LZXlzIjpbIk1va2h0YXIuU2hvc2hhbiJdLCJDb250ZW50IjoiZXdvZ0lDSlRaWEpwWVd4cGVtVmtUbXhTWldOdmNtUWlPaUFpU0dkQlNVRkNORUZJWjBGQlFVRkJRVUZCUVVGQlJGVTFUWHBqUVVGblFVRkJaMEZCUVVGblFVZEJRemNyY3pONU9UUXZZVUZSVVVGQlVVRkJRVUZCUVVGUlFVdEJRVUZCUVVGQlVVRkJRVUZHUVVFd1FVTmlWRGRNWW5SWVduUjVNbTlPUmtnek1FcGhNRlZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUWtGQlFVRkJRVUZCUVVGQlFVRkJRVU5CUVVGQlJHZEJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZVVVVKMlFVZHpRV0ZCUWpCQlIwVkJZMmRCZFVGR1RVRmhRVUoyUVVoTlFXRkJRbWhCUnpSQlFVRkNjMEZIYTBGa1FVSnFRVWQzUVdGUlFqQkJSMDFCVEdkQ2MwRkhPRUZaZDBKb1FVZDNRVlJSUW5aQlIzTkJZVUZDTUVGSFJVRmpaMEYxUVVaTlFXRkJRblpCU0UxQllVRkNhRUZITkVGUlFVSnpRVWRyUVdSQlFtcEJRelJCWWtGQ2RrRkhUVUZaVVVKelFVVXdRV0ozUW5KQlIyZEJaRUZDYUVGSVNVRk1aMEpVUVVkblFXSjNRbnBCUjJkQldWRkNkVUZCUVVGVVVVSjJRVWR6UVdGQlFqQkJSMFZCWTJkQlowRkdUVUZoUVVKMlFVaE5RV0ZCUW1oQlJ6UkJRVUZCUVVGblFVRkNkMEZCUVVGRlEwRkJRVWhCUVVGQllrRkNjRUZJVVVGWmQwSlRaRzQ0V0dOcVZVWTFSVzVIT0hadWFFUlFSUzh2ZEdOQ2FtUXlNMjFHVlc5QlJ6UkJaRkZDYzBGSGQwRkxVVUZCUVVFOVBTSXNDaUFnSWxOdlpuUjNZWEpsUlhoamJIVnphVzl1VEdsemRFWnZja1JsY0d4dmVXMWxiblFpT2lCYlhRcDkiLCJFbnRpdHlQYXRoIjoiIiwiRW50aXR5VHlwZSI6NiwiTHVyZURlcGxveW1lbnRDb250ZXh0Ijp7IkV4cGlyYXRpb25VdGMiOiIyMDI0LTA0LTIyVDEyOjE2OjQ1LjQ0NTE3NzVaIiwiSWQiOiJhZjlkNWY2YS1jNjZhLTRmYmMtOTkwZS00MzMwYmI4ZTZjODQiLCJDb3JyZWxhdGlvbklkIjpudWxsfSwiRmlsZUF0dHJpYnV0ZXMiOjAsIlVzZXJSaWQiOjkyNjEwMzg2MX0=}\"2024-04-19T12:21:13.582SystemDefault7192SenseIR.exe2024-04-19T12:21:11.307NT AUTHORITYsystemS-1-5-18 1.65E+09               T1021.001 (bolster) Techniques
2024-04-19T12:22:10.9876595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1WindowsDomainAccountLogonSuccess   LITCfake accountS-1-5-21-3977750084-2905094788-454684165-926103861          7c04ec2377e32b3c742f581f6c5437464dd2cf23247PKBT60B6DT25B34CP74B5889Ap10F1B3S72B4D4D95B5B25B54560B8powershell.exeC:\\Windows\\System32\\WindowsPowerShell\\v1.08332powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command \"& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\\ Get-FileHash 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Algorithm SHA256; if (!( $calculatedHash.Hash -eq '575497143631ed5cd604e7a1e8666187bd6acf421ad685273e559c0013179789')) { exit 323;}; Start-Transcript -Path 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\PSScriptOutputs\\PSScript_Transcript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.txt'; . 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Id 3f884218-6a5a-4d02-8032-32ed7f90339a -Descriptor eyJEZXRlY3Rpb25LZXlzIjpbIk1va2h0YXIuU2hvc2hhbiJdLCJDb250ZW50IjoiZXdvZ0lDSlRaWEpwWVd4cGVtVmtUbXhTWldOdmNtUWlPaUFpU0dkQlNVRkNORUZJWjBGQlFVRkJRVUZCUVVGQlJGVTFUWHBqUVVGblFVRkJaMEZCUVVGblFVZEJRemNyY3pONU9UUXZZVUZSVVVGQlVVRkJRVUZCUVVGUlFVdEJRVUZCUVVGQlVVRkJRVUZHUVVFd1FVTmlWRGRNWW5SWVduUjVNbTlPUmtnek1FcGhNRlZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUWtGQlFVRkJRVUZCUVVGQlFVRkJRVU5CUVVGQlJHZEJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZVVVVKMlFVZHpRV0ZCUWpCQlIwVkJZMmRCZFVGR1RVRmhRVUoyUVVoTlFXRkJRbWhCUnpSQlFVRkNjMEZIYTBGa1FVSnFRVWQzUVdGUlFqQkJSMDFCVEdkQ2MwRkhPRUZaZDBKb1FVZDNRVlJSUW5aQlIzTkJZVUZDTUVGSFJVRmpaMEYxUVVaTlFXRkJRblpCU0UxQllVRkNhRUZITkVGUlFVSnpRVWRyUVdSQlFtcEJRelJCWWtGQ2RrRkhUVUZaVVVKelFVVXdRV0ozUW5KQlIyZEJaRUZDYUVGSVNVRk1aMEpVUVVkblFXSjNRbnBCUjJkQldWRkNkVUZCUVVGVVVVSjJRVWR6UVdGQlFqQkJSMFZCWTJkQlowRkdUVUZoUVVKMlFVaE5RV0ZCUW1oQlJ6UkJRVUZCUVVGblFVRkNkMEZCUVVGRlEwRkJRVWhCUVVGQllrRkNjRUZJVVVGWmQwSlRaRzQ0V0dOcVZVWTFSVzVIT0hadWFFUlFSUzh2ZEdOQ2FtUXlNMjFHVlc5QlJ6UkJaRkZDYzBGSGQwRkxVVUZCUVVFOVBTSXNDaUFnSWxOdlpuUjNZWEpsUlhoamJIVnphVzl1VEdsemRFWnZja1JsY0d4dmVXMWxiblFpT2lCYlhRcDkiLCJFbnRpdHlQYXRoIjoiIiwiRW50aXR5VHlwZSI6NiwiTHVyZURlcGxveW1lbnRDb250ZXh0Ijp7IkV4cGlyYXRpb25VdGMiOiIyMDI0LTA0LTIyVDEyOjE2OjQ1LjQ0NTE3NzVaIiwiSWQiOiJhZjlkNWY2YS1jNjZhLTRmYmMtOTkwZS00MzMwYmI4ZTZjODQiLCJDb3JyZWxhdGlvbklkIjpudWxsfSwiRmlsZUF0dHJpYnV0ZXMiOjAsIlVzZXJSaWQiOjkyNjEwMzg2MX0=}\"2024-04-19T12:21:13.582SystemDefault7192SenseIR.exe2024-04-19T12:21:11.307NT AUTHORITYsystemS-1-5-18 9.09E+08               T1078.002 (bolster) Techniques
2024-04-19T12:22:10.9876595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1LogonSuccess     LITCfake accountS-1-5-21-3977750084-2905094788-454684165-926103861          7c04ec2377e32b3c742f581f6c5437464dd2cf23247PKBT60B6DT25B34CP74B5889Ap10F1B3S72B4D4D95B5B25B54560B8powershell.exeC:\\Windows\\System32\\WindowsPowerShell\\v1.08332powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command \"& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\\ Get-FileHash 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Algorithm SHA256; if (!( $calculatedHash.Hash -eq '575497143631ed5cd604e7a1e8666187bd6acf421ad685273e559c0013179789')) { exit 323;}; Start-Transcript -Path 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\PSScriptOutputs\\PSScript_Transcript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.txt'; . 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Id 3f884218-6a5a-4d02-8032-32ed7f90339a -Descriptor eyJEZXRlY3Rpb25LZXlzIjpbIk1va2h0YXIuU2hvc2hhbiJdLCJDb250ZW50IjoiZXdvZ0lDSlRaWEpwWVd4cGVtVmtUbXhTWldOdmNtUWlPaUFpU0dkQlNVRkNORUZJWjBGQlFVRkJRVUZCUVVGQlJGVTFUWHBqUVVGblFVRkJaMEZCUVVGblFVZEJRemNyY3pONU9UUXZZVUZSVVVGQlVVRkJRVUZCUVVGUlFVdEJRVUZCUVVGQlVVRkJRVUZHUVVFd1FVTmlWRGRNWW5SWVduUjVNbTlPUmtnek1FcGhNRlZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUWtGQlFVRkJRVUZCUVVGQlFVRkJRVU5CUVVGQlJHZEJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZVVVVKMlFVZHpRV0ZCUWpCQlIwVkJZMmRCZFVGR1RVRmhRVUoyUVVoTlFXRkJRbWhCUnpSQlFVRkNjMEZIYTBGa1FVSnFRVWQzUVdGUlFqQkJSMDFCVEdkQ2MwRkhPRUZaZDBKb1FVZDNRVlJSUW5aQlIzTkJZVUZDTUVGSFJVRmpaMEYxUVVaTlFXRkJRblpCU0UxQllVRkNhRUZITkVGUlFVSnpRVWRyUVdSQlFtcEJRelJCWWtGQ2RrRkhUVUZaVVVKelFVVXdRV0ozUW5KQlIyZEJaRUZDYUVGSVNVRk1aMEpVUVVkblFXSjNRbnBCUjJkQldWRkNkVUZCUVVGVVVVSjJRVWR6UVdGQlFqQkJSMFZCWTJkQlowRkdUVUZoUVVKMlFVaE5RV0ZCUW1oQlJ6UkJRVUZCUVVGblFVRkNkMEZCUVVGRlEwRkJRVWhCUVVGQllrRkNjRUZJVVVGWmQwSlRaRzQ0V0dOcVZVWTFSVzVIT0hadWFFUlFSUzh2ZEdOQ2FtUXlNMjFHVlc5QlJ6UkJaRkZDYzBGSGQwRkxVVUZCUVVFOVBTSXNDaUFnSWxOdlpuUjNZWEpsUlhoamJIVnphVzl1VEdsemRFWnZja1JsY0d4dmVXMWxiblFpT2lCYlhRcDkiLCJFbnRpdHlQYXRoIjoiIiwiRW50aXR5VHlwZSI6NiwiTHVyZURlcGxveW1lbnRDb250ZXh0Ijp7IkV4cGlyYXRpb25VdGMiOiIyMDI0LTA0LTIyVDEyOjE2OjQ1LjQ0NTE3NzVaIiwiSWQiOiJhZjlkNWY2YS1jNjZhLTRmYmMtOTkwZS00MzMwYmI4ZTZjODQiLCJDb3JyZWxhdGlvbklkIjpudWxsfSwiRmlsZUF0dHJpYnV0ZXMiOjAsIlVzZXJSaWQiOjkyNjEwMzg2MX0=}\"2024-04-19T12:21:13.582SystemStandard7192\\Device\\HarddiskVolume3\\Program Files\\Windows Defender Advanced Threat Protection\\SenseIR.exe2024-04-19T12:21:11.307nt authoritysystemS-1-5-18 28953{\"IsLocalLogon\":false} CachedRemoteInteractive            Events
2024-04-19T12:22:10.9876595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1WindowsDomainAccountLogonSuccess   LITCfake accountS-1-5-21-3977750084-2905094788-454684165-926103861          7c04ec2377e32b3c742f581f6c5437464dd2cf23247PKBT60B6DT25B34CP74B5889Ap10F1B3S72B4D4D95B5B25B54560B8powershell.exeC:\\Windows\\System32\\WindowsPowerShell\\v1.08332powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command \"& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\\ Get-FileHash 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Algorithm SHA256; if (!( $calculatedHash.Hash -eq '575497143631ed5cd604e7a1e8666187bd6acf421ad685273e559c0013179789')) { exit 323;}; Start-Transcript -Path 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\PSScriptOutputs\\PSScript_Transcript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.txt'; . 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Id 3f884218-6a5a-4d02-8032-32ed7f90339a -Descriptor eyJEZXRlY3Rpb25LZXlzIjpbIk1va2h0YXIuU2hvc2hhbiJdLCJDb250ZW50IjoiZXdvZ0lDSlRaWEpwWVd4cGVtVmtUbXhTWldOdmNtUWlPaUFpU0dkQlNVRkNORUZJWjBGQlFVRkJRVUZCUVVGQlJGVTFUWHBqUVVGblFVRkJaMEZCUVVGblFVZEJRemNyY3pONU9UUXZZVUZSVVVGQlVVRkJRVUZCUVVGUlFVdEJRVUZCUVVGQlVVRkJRVUZHUVVFd1FVTmlWRGRNWW5SWVduUjVNbTlPUmtnek1FcGhNRlZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUWtGQlFVRkJRVUZCUVVGQlFVRkJRVU5CUVVGQlJHZEJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZVVVVKMlFVZHpRV0ZCUWpCQlIwVkJZMmRCZFVGR1RVRmhRVUoyUVVoTlFXRkJRbWhCUnpSQlFVRkNjMEZIYTBGa1FVSnFRVWQzUVdGUlFqQkJSMDFCVEdkQ2MwRkhPRUZaZDBKb1FVZDNRVlJSUW5aQlIzTkJZVUZDTUVGSFJVRmpaMEYxUVVaTlFXRkJRblpCU0UxQllVRkNhRUZITkVGUlFVSnpRVWRyUVdSQlFtcEJRelJCWWtGQ2RrRkhUVUZaVVVKelFVVXdRV0ozUW5KQlIyZEJaRUZDYUVGSVNVRk1aMEpVUVVkblFXSjNRbnBCUjJkQldWRkNkVUZCUVVGVVVVSjJRVWR6UVdGQlFqQkJSMFZCWTJkQlowRkdUVUZoUVVKMlFVaE5RV0ZCUW1oQlJ6UkJRVUZCUVVGblFVRkNkMEZCUVVGRlEwRkJRVWhCUVVGQllrRkNjRUZJVVVGWmQwSlRaRzQ0V0dOcVZVWTFSVzVIT0hadWFFUlFSUzh2ZEdOQ2FtUXlNMjFHVlc5QlJ6UkJaRkZDYzBGSGQwRkxVVUZCUVVFOVBTSXNDaUFnSWxOdlpuUjNZWEpsUlhoamJIVnphVzl1VEdsemRFWnZja1JsY0d4dmVXMWxiblFpT2lCYlhRcDkiLCJFbnRpdHlQYXRoIjoiIiwiRW50aXR5VHlwZSI6NiwiTHVyZURlcGxveW1lbnRDb250ZXh0Ijp7IkV4cGlyYXRpb25VdGMiOiIyMDI0LTA0LTIyVDEyOjE2OjQ1LjQ0NTE3NzVaIiwiSWQiOiJhZjlkNWY2YS1jNjZhLTRmYmMtOTkwZS00MzMwYmI4ZTZjODQiLCJDb3JyZWxhdGlvbklkIjpudWxsfSwiRmlsZUF0dHJpYnV0ZXMiOjAsIlVzZXJSaWQiOjkyNjEwMzg2MX0=}\"2024-04-19T12:21:13.582SystemDefault7192SenseIR.exe2024-04-19T12:21:11.307NT AUTHORITYsystemS-1-5-18 8.59E+08               T1078.002 (bolster) Techniques
2024-04-19T12:22:10.9876595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1InboundRdpConnection    LITCfake accountS-1-5-21-3977750084-2905094788-454684165-926103861          7c04ec2377e32b3c742f581f6c5437464dd2cf23247PKBT60B6DT25B34CP74B5889Ap10F1B3S72B4D4D95B5B25B54560B8powershell.exeC:\\Windows\\System32\\WindowsPowerShell\\v1.08332powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command \"& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\\ Get-FileHash 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Algorithm SHA256; if (!( $calculatedHash.Hash -eq '575497143631ed5cd604e7a1e8666187bd6acf421ad685273e559c0013179789')) { exit 323;}; Start-Transcript -Path 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\PSScriptOutputs\\PSScript_Transcript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.txt'; . 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Id 3f884218-6a5a-4d02-8032-32ed7f90339a -Descriptor eyJEZXRlY3Rpb25LZXlzIjpbIk1va2h0YXIuU2hvc2hhbiJdLCJDb250ZW50IjoiZXdvZ0lDSlRaWEpwWVd4cGVtVmtUbXhTWldOdmNtUWlPaUFpU0dkQlNVRkNORUZJWjBGQlFVRkJRVUZCUVVGQlJGVTFUWHBqUVVGblFVRkJaMEZCUVVGblFVZEJRemNyY3pONU9UUXZZVUZSVVVGQlVVRkJRVUZCUVVGUlFVdEJRVUZCUVVGQlVVRkJRVUZHUVVFd1FVTmlWRGRNWW5SWVduUjVNbTlPUmtnek1FcGhNRlZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUWtGQlFVRkJRVUZCUVVGQlFVRkJRVU5CUVVGQlJHZEJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZVVVVKMlFVZHpRV0ZCUWpCQlIwVkJZMmRCZFVGR1RVRmhRVUoyUVVoTlFXRkJRbWhCUnpSQlFVRkNjMEZIYTBGa1FVSnFRVWQzUVdGUlFqQkJSMDFCVEdkQ2MwRkhPRUZaZDBKb1FVZDNRVlJSUW5aQlIzTkJZVUZDTUVGSFJVRmpaMEYxUVVaTlFXRkJRblpCU0UxQllVRkNhRUZITkVGUlFVSnpRVWRyUVdSQlFtcEJRelJCWWtGQ2RrRkhUVUZaVVVKelFVVXdRV0ozUW5KQlIyZEJaRUZDYUVGSVNVRk1aMEpVUVVkblFXSjNRbnBCUjJkQldWRkNkVUZCUVVGVVVVSjJRVWR6UVdGQlFqQkJSMFZCWTJkQlowRkdUVUZoUVVKMlFVaE5RV0ZCUW1oQlJ6UkJRVUZCUVVGblFVRkNkMEZCUVVGRlEwRkJRVWhCUVVGQllrRkNjRUZJVVVGWmQwSlRaRzQ0V0dOcVZVWTFSVzVIT0hadWFFUlFSUzh2ZEdOQ2FtUXlNMjFHVlc5QlJ6UkJaRkZDYzBGSGQwRkxVVUZCUVVFOVBTSXNDaUFnSWxOdlpuUjNZWEpsUlhoamJIVnphVzl1VEdsemRFWnZja1JsY0d4dmVXMWxiblFpT2lCYlhRcDkiLCJFbnRpdHlQYXRoIjoiIiwiRW50aXR5VHlwZSI6NiwiTHVyZURlcGxveW1lbnRDb250ZXh0Ijp7IkV4cGlyYXRpb25VdGMiOiIyMDI0LTA0LTIyVDEyOjE2OjQ1LjQ0NTE3NzVaIiwiSWQiOiJhZjlkNWY2YS1jNjZhLTRmYmMtOTkwZS00MzMwYmI4ZTZjODQiLCJDb3JyZWxhdGlvbklkIjpudWxsfSwiRmlsZUF0dHJpYnV0ZXMiOjAsIlVzZXJSaWQiOjkyNjEwMzg2MX0=}\"2024-04-19T12:21:13.582SystemDefault7192SenseIR.exe2024-04-19T12:21:11.307NT AUTHORITYsystemS-1-5-18 8.45E+08               T1021.001 (bolster) Techniques
2024-04-19T12:22:10.9876595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1LogonSuccess     LITCfake accountS-1-5-21-3977750084-2905094788-454684165-926103861          7c04ec2377e32b3c742f581f6c5437464dd2cf23247PKBT60B6DT25B34CP74B5889Ap10F1B3S72B4D4D95B5B25B54560B8powershell.exeC:\\Windows\\System32\\WindowsPowerShell\\v1.08332powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command \"& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\\ Get-FileHash 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Algorithm SHA256; if (!( $calculatedHash.Hash -eq '575497143631ed5cd604e7a1e8666187bd6acf421ad685273e559c0013179789')) { exit 323;}; Start-Transcript -Path 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\PSScriptOutputs\\PSScript_Transcript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.txt'; . 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Id 3f884218-6a5a-4d02-8032-32ed7f90339a -Descriptor eyJEZXRlY3Rpb25LZXlzIjpbIk1va2h0YXIuU2hvc2hhbiJdLCJDb250ZW50IjoiZXdvZ0lDSlRaWEpwWVd4cGVtVmtUbXhTWldOdmNtUWlPaUFpU0dkQlNVRkNORUZJWjBGQlFVRkJRVUZCUVVGQlJGVTFUWHBqUVVGblFVRkJaMEZCUVVGblFVZEJRemNyY3pONU9UUXZZVUZSVVVGQlVVRkJRVUZCUVVGUlFVdEJRVUZCUVVGQlVVRkJRVUZHUVVFd1FVTmlWRGRNWW5SWVduUjVNbTlPUmtnek1FcGhNRlZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUWtGQlFVRkJRVUZCUVVGQlFVRkJRVU5CUVVGQlJHZEJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZVVVVKMlFVZHpRV0ZCUWpCQlIwVkJZMmRCZFVGR1RVRmhRVUoyUVVoTlFXRkJRbWhCUnpSQlFVRkNjMEZIYTBGa1FVSnFRVWQzUVdGUlFqQkJSMDFCVEdkQ2MwRkhPRUZaZDBKb1FVZDNRVlJSUW5aQlIzTkJZVUZDTUVGSFJVRmpaMEYxUVVaTlFXRkJRblpCU0UxQllVRkNhRUZITkVGUlFVSnpRVWRyUVdSQlFtcEJRelJCWWtGQ2RrRkhUVUZaVVVKelFVVXdRV0ozUW5KQlIyZEJaRUZDYUVGSVNVRk1aMEpVUVVkblFXSjNRbnBCUjJkQldWRkNkVUZCUVVGVVVVSjJRVWR6UVdGQlFqQkJSMFZCWTJkQlowRkdUVUZoUVVKMlFVaE5RV0ZCUW1oQlJ6UkJRVUZCUVVGblFVRkNkMEZCUVVGRlEwRkJRVWhCUVVGQllrRkNjRUZJVVVGWmQwSlRaRzQ0V0dOcVZVWTFSVzVIT0hadWFFUlFSUzh2ZEdOQ2FtUXlNMjFHVlc5QlJ6UkJaRkZDYzBGSGQwRkxVVUZCUVVFOVBTSXNDaUFnSWxOdlpuUjNZWEpsUlhoamJIVnphVzl1VEdsemRFWnZja1JsY0d4dmVXMWxiblFpT2lCYlhRcDkiLCJFbnRpdHlQYXRoIjoiIiwiRW50aXR5VHlwZSI6NiwiTHVyZURlcGxveW1lbnRDb250ZXh0Ijp7IkV4cGlyYXRpb25VdGMiOiIyMDI0LTA0LTIyVDEyOjE2OjQ1LjQ0NTE3NzVaIiwiSWQiOiJhZjlkNWY2YS1jNjZhLTRmYmMtOTkwZS00MzMwYmI4ZTZjODQiLCJDb3JyZWxhdGlvbklkIjpudWxsfSwiRmlsZUF0dHJpYnV0ZXMiOjAsIlVzZXJSaWQiOjkyNjEwMzg2MX0=}\"2024-04-19T12:21:13.582SystemStandard7192\\Device\\HarddiskVolume3\\Program Files\\Windows Defender Advanced Threat Protection\\SenseIR.exe2024-04-19T12:21:11.307nt authoritysystemS-1-5-18 28952{\"IsLocalLogon\":false} CachedRemoteInteractive            Events
2024-04-19T12:22:10.9876595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1LogonAttempted     LITCfake account               7c04ec2377e32b3c742f581f6c5437464dd2cf23247PKBT60B6DT25B34CP74B5889Ap10F1B3S72B4D4D95B5B25B54560B8powershell.exeC:\\Windows\\System32\\WindowsPowerShell\\v1.08332powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command \"& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\\ Get-FileHash 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Algorithm SHA256; if (!( $calculatedHash.Hash -eq '575497143631ed5cd604e7a1e8666187bd6acf421ad685273e559c0013179789')) { exit 323;}; Start-Transcript -Path 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\PSScriptOutputs\\PSScript_Transcript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.txt'; . 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Id 3f884218-6a5a-4d02-8032-32ed7f90339a -Descriptor eyJEZXRlY3Rpb25LZXlzIjpbIk1va2h0YXIuU2hvc2hhbiJdLCJDb250ZW50IjoiZXdvZ0lDSlRaWEpwWVd4cGVtVmtUbXhTWldOdmNtUWlPaUFpU0dkQlNVRkNORUZJWjBGQlFVRkJRVUZCUVVGQlJGVTFUWHBqUVVGblFVRkJaMEZCUVVGblFVZEJRemNyY3pONU9UUXZZVUZSVVVGQlVVRkJRVUZCUVVGUlFVdEJRVUZCUVVGQlVVRkJRVUZHUVVFd1FVTmlWRGRNWW5SWVduUjVNbTlPUmtnek1FcGhNRlZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUWtGQlFVRkJRVUZCUVVGQlFVRkJRVU5CUVVGQlJHZEJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZVVVVKMlFVZHpRV0ZCUWpCQlIwVkJZMmRCZFVGR1RVRmhRVUoyUVVoTlFXRkJRbWhCUnpSQlFVRkNjMEZIYTBGa1FVSnFRVWQzUVdGUlFqQkJSMDFCVEdkQ2MwRkhPRUZaZDBKb1FVZDNRVlJSUW5aQlIzTkJZVUZDTUVGSFJVRmpaMEYxUVVaTlFXRkJRblpCU0UxQllVRkNhRUZITkVGUlFVSnpRVWRyUVdSQlFtcEJRelJCWWtGQ2RrRkhUVUZaVVVKelFVVXdRV0ozUW5KQlIyZEJaRUZDYUVGSVNVRk1aMEpVUVVkblFXSjNRbnBCUjJkQldWRkNkVUZCUVVGVVVVSjJRVWR6UVdGQlFqQkJSMFZCWTJkQlowRkdUVUZoUVVKMlFVaE5RV0ZCUW1oQlJ6UkJRVUZCUVVGblFVRkNkMEZCUVVGRlEwRkJRVWhCUVVGQllrRkNjRUZJVVVGWmQwSlRaRzQ0V0dOcVZVWTFSVzVIT0hadWFFUlFSUzh2ZEdOQ2FtUXlNMjFHVlc5QlJ6UkJaRkZDYzBGSGQwRkxVVUZCUVVFOVBTSXNDaUFnSWxOdlpuUjNZWEpsUlhoamJIVnphVzl1VEdsemRFWnZja1JsY0d4dmVXMWxiblFpT2lCYlhRcDkiLCJFbnRpdHlQYXRoIjoiIiwiRW50aXR5VHlwZSI6NiwiTHVyZURlcGxveW1lbnRDb250ZXh0Ijp7IkV4cGlyYXRpb25VdGMiOiIyMDI0LTA0LTIyVDEyOjE2OjQ1LjQ0NTE3NzVaIiwiSWQiOiJhZjlkNWY2YS1jNjZhLTRmYmMtOTkwZS00MzMwYmI4ZTZjODQiLCJDb3JyZWxhdGlvbklkIjpudWxsfSwiRmlsZUF0dHJpYnV0ZXMiOjAsIlVzZXJSaWQiOjkyNjEwMzg2MX0=}\"2024-04-19T12:21:13.582SystemDefault7192SenseIR.exe2024-04-19T12:21:11.307NT AUTHORITYsystemS-1-5-18 28951                  Events
2024-04-19T12:22:09.7286595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1InteractiveRemoteComponentInvocation   LITCfake accountS-1-5-21-3977750084-2905094788-454684165-926103861                           1.71E+09               T1078 (Friends)/T1021.001 (Friends)Techniques
2024-04-19T12:22:09.7286595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1WindowsDomainAccountLogonSuccess   LITCfake accountS-1-5-21-3977750084-2905094788-454684165-926103861          D398B9D68B555K9K6K041K8Pia8849D1A6B1AC463A75A4F57158Ba4D796A2414790FCD3694D8Ab9ED3A8942A9CBCD0B71691Alsass.exeC:\\Windows\\System32824lsass.exe2024-04-18T08:04:00.305SystemDefault928wininit.exe2024-04-18T08:04:00.107NT AUTHORITYsystemS-1-5-18 9.6E+08               T1078.002 (bolster) Techniques
2024-04-19T12:22:09.7286595e6522d8db8d92425250a4fe68dd7ce1fc1dbPC1LogonSuccess     LITCfake accountS-1-5-21-3977750084-2905094788-454684165-926103861          D398B9D68B555K9K6K041K8Pia8849D1A6B1AC463A75A4F57158Ba4D796A2414790FCD3694D8Ab9ED3A8942A9CBCD0B71691Alsass.exeC:\\Windows\\System32\\lsass.exe824lsass.exe2024-04-18T08:04:00.305SystemStandard928wininit.exe2024-04-18T08:04:00.107nt authoritysystemS-1-5-18 28934{\"IsLocalLogon\":false} RemoteInteractive             Events

thanks in advance 

","kudosSumWeight":0,"postTime":"2024-04-20T07:57:08.590-07:00","images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE5Mjg0LTU3MjkzN2kyMjU5QzQ2Q0IyODFCRDY1?revision=1\"}"}}],"totalCount":1,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"attachments":{"__typename":"AttachmentConnection","pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null},"edges":[]},"tags":{"__typename":"TagConnection","pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null},"edges":[{"__typename":"TagEdge","cursor":"MjUuMXwyLjF8b3wxMHxfTlZffDE","node":{"__typename":"Tag","id":"tag:investigation","text":"investigation","time":"2019-01-31T13:58:58.496-08:00","lastActivityTime":null,"messagesCount":null,"followersCount":null}}]},"timeToRead":7,"currentRevision":{"__ref":"Revision:revision:4119284_1"},"latestVersion":null,"metrics":{"__typename":"MessageMetrics","views":1231},"visibilityScope":"PUBLIC","canonicalUrl":null,"seoTitle":null,"seoDescription":null,"isEscalated":null,"placeholder":false,"originalMessageForPlaceholder":null,"messagePolicies":{"__typename":"MessagePolicies","canModerateSpamMessage":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.feature.moderation_spam.action.moderate_entity.allowed.accessDenied","key":"error.lithium.policies.feature.moderation_spam.action.moderate_entity.allowed.accessDenied","args":[]}}},"archivalData":null,"searchSnippet":"hi security guys   I am facing strange behaviors on Microsoft EDR that show in timeline Windows Defender Advanced Threat Protection\\SenseIR.exe is using fake accounts which are not exist ...","replies":{"__typename":"MessageConnection","edges":[{"__typename":"MessageEdge","cursor":"MjUuMXwyLjF8aXwxMHwxMzI6MHxpbnQsNDExOTMyOCw0MTE5MzI4","node":{"__ref":"AcceptedSolutionMessage:message:4119328"}}],"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"customFields":[]},"Conversation:conversation:4119284":{"__typename":"Conversation","id":"conversation:4119284","solved":true,"topic":{"__ref":"ForumTopicMessage:message:4119284"},"lastPostingActivityTime":"2024-04-20T11:06:45.731-07:00","lastPostTime":"2024-04-20T11:06:45.731-07:00","unreadReplyCount":1,"isSubscribed":false},"ModerationData:moderation_data:4119284":{"__typename":"ModerationData","id":"moderation_data:4119284","status":"APPROVED","rejectReason":null,"isReportedAbuse":false,"rejectUser":null,"rejectTime":null,"rejectActorType":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE5Mjg0LTU3MjkzN2kyMjU5QzQ2Q0IyODFCRDY1?revision=1\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE5Mjg0LTU3MjkzN2kyMjU5QzQ2Q0IyODFCRDY1?revision=1","title":"EDR1.png","associationType":"BODY","width":882,"height":1212,"altText":null},"Revision:revision:4119284_1":{"__typename":"Revision","id":"revision:4119284_1","lastEditTime":"2024-04-20T07:57:08.590-07:00"},"CachedAsset:theme:customTheme1-1740993447753":{"__typename":"CachedAsset","id":"theme:customTheme1-1740993447753","value":{"id":"customTheme1","animation":{"fast":"150ms","normal":"250ms","slow":"500ms","slowest":"750ms","function":"cubic-bezier(0.07, 0.91, 0.51, 1)","__typename":"AnimationThemeSettings"},"avatar":{"borderRadius":"50%","collections":["default"],"__typename":"AvatarThemeSettings"},"basics":{"browserIcon":{"imageAssetName":"favicon-1730836283320.png","imageLastModified":"1730836286415","__typename":"ThemeAsset"},"customerLogo":{"imageAssetName":"favicon-1730836271365.png","imageLastModified":"1730836274203","__typename":"ThemeAsset"},"maximumWidthOfPageContent":"1300px","oneColumnNarrowWidth":"800px","gridGutterWidthMd":"30px","gridGutterWidthXs":"10px","pageWidthStyle":"WIDTH_OF_BROWSER","__typename":"BasicsThemeSettings"},"buttons":{"borderRadiusSm":"3px","borderRadius":"3px","borderRadiusLg":"5px","paddingY":"5px","paddingYLg":"7px","paddingYHero":"var(--lia-bs-btn-padding-y-lg)","paddingX":"12px","paddingXLg":"16px","paddingXHero":"60px","fontStyle":"NORMAL","fontWeight":"700","textTransform":"NONE","disabledOpacity":0.5,"primaryTextColor":"var(--lia-bs-white)","primaryTextHoverColor":"var(--lia-bs-white)","primaryTextActiveColor":"var(--lia-bs-white)","primaryBgColor":"var(--lia-bs-primary)","primaryBgHoverColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) * 0.85))","primaryBgActiveColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) * 0.7))","primaryBorder":"1px solid transparent","primaryBorderHover":"1px solid transparent","primaryBorderActive":"1px solid transparent","primaryBorderFocus":"1px solid var(--lia-bs-white)","primaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","secondaryTextColor":"var(--lia-bs-gray-900)","secondaryTextHoverColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.95))","secondaryTextActiveColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.9))","secondaryBgColor":"var(--lia-bs-gray-200)","secondaryBgHoverColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.96))","secondaryBgActiveColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.92))","secondaryBorder":"1px solid transparent","secondaryBorderHover":"1px solid transparent","secondaryBorderActive":"1px solid transparent","secondaryBorderFocus":"1px solid transparent","secondaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","tertiaryTextColor":"var(--lia-bs-gray-900)","tertiaryTextHoverColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.95))","tertiaryTextActiveColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.9))","tertiaryBgColor":"transparent","tertiaryBgHoverColor":"transparent","tertiaryBgActiveColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.04)","tertiaryBorder":"1px solid transparent","tertiaryBorderHover":"1px solid hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","tertiaryBorderActive":"1px solid transparent","tertiaryBorderFocus":"1px solid transparent","tertiaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","destructiveTextColor":"var(--lia-bs-danger)","destructiveTextHoverColor":"hsl(var(--lia-bs-danger-h), var(--lia-bs-danger-s), calc(var(--lia-bs-danger-l) * 0.95))","destructiveTextActiveColor":"hsl(var(--lia-bs-danger-h), var(--lia-bs-danger-s), calc(var(--lia-bs-danger-l) * 0.9))","destructiveBgColor":"var(--lia-bs-gray-200)","destructiveBgHoverColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.96))","destructiveBgActiveColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.92))","destructiveBorder":"1px solid transparent","destructiveBorderHover":"1px solid transparent","destructiveBorderActive":"1px solid transparent","destructiveBorderFocus":"1px solid transparent","destructiveBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","__typename":"ButtonsThemeSettings"},"border":{"color":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","mainContent":"NONE","sideContent":"LIGHT","radiusSm":"3px","radius":"5px","radiusLg":"9px","radius50":"100vw","__typename":"BorderThemeSettings"},"boxShadow":{"xs":"0 0 0 1px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.08), 0 3px 0 -1px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.16)","sm":"0 2px 4px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.12)","md":"0 5px 15px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.3)","lg":"0 10px 30px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.3)","__typename":"BoxShadowThemeSettings"},"cards":{"bgColor":"var(--lia-panel-bg-color)","borderRadius":"var(--lia-panel-border-radius)","boxShadow":"var(--lia-box-shadow-xs)","__typename":"CardsThemeSettings"},"chip":{"maxWidth":"300px","height":"30px","__typename":"ChipThemeSettings"},"coreTypes":{"defaultMessageLinkColor":"var(--lia-bs-link-color)","defaultMessageLinkDecoration":"none","defaultMessageLinkFontStyle":"NORMAL","defaultMessageLinkFontWeight":"400","defaultMessageFontStyle":"NORMAL","defaultMessageFontWeight":"400","forumColor":"#4099E2","forumFontFamily":"var(--lia-bs-font-family-base)","forumFontWeight":"var(--lia-default-message-font-weight)","forumLineHeight":"var(--lia-bs-line-height-base)","forumFontStyle":"var(--lia-default-message-font-style)","forumMessageLinkColor":"var(--lia-default-message-link-color)","forumMessageLinkDecoration":"var(--lia-default-message-link-decoration)","forumMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","forumMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","forumSolvedColor":"#148563","blogColor":"#1CBAA0","blogFontFamily":"var(--lia-bs-font-family-base)","blogFontWeight":"var(--lia-default-message-font-weight)","blogLineHeight":"1.75","blogFontStyle":"var(--lia-default-message-font-style)","blogMessageLinkColor":"var(--lia-default-message-link-color)","blogMessageLinkDecoration":"var(--lia-default-message-link-decoration)","blogMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","blogMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","tkbColor":"#4C6B90","tkbFontFamily":"var(--lia-bs-font-family-base)","tkbFontWeight":"var(--lia-default-message-font-weight)","tkbLineHeight":"1.75","tkbFontStyle":"var(--lia-default-message-font-style)","tkbMessageLinkColor":"var(--lia-default-message-link-color)","tkbMessageLinkDecoration":"var(--lia-default-message-link-decoration)","tkbMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","tkbMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","qandaColor":"#4099E2","qandaFontFamily":"var(--lia-bs-font-family-base)","qandaFontWeight":"var(--lia-default-message-font-weight)","qandaLineHeight":"var(--lia-bs-line-height-base)","qandaFontStyle":"var(--lia-default-message-link-font-style)","qandaMessageLinkColor":"var(--lia-default-message-link-color)","qandaMessageLinkDecoration":"var(--lia-default-message-link-decoration)","qandaMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","qandaMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","qandaSolvedColor":"#3FA023","ideaColor":"#FF8000","ideaFontFamily":"var(--lia-bs-font-family-base)","ideaFontWeight":"var(--lia-default-message-font-weight)","ideaLineHeight":"var(--lia-bs-line-height-base)","ideaFontStyle":"var(--lia-default-message-font-style)","ideaMessageLinkColor":"var(--lia-default-message-link-color)","ideaMessageLinkDecoration":"var(--lia-default-message-link-decoration)","ideaMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","ideaMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","contestColor":"#FCC845","contestFontFamily":"var(--lia-bs-font-family-base)","contestFontWeight":"var(--lia-default-message-font-weight)","contestLineHeight":"var(--lia-bs-line-height-base)","contestFontStyle":"var(--lia-default-message-link-font-style)","contestMessageLinkColor":"var(--lia-default-message-link-color)","contestMessageLinkDecoration":"var(--lia-default-message-link-decoration)","contestMessageLinkFontStyle":"ITALIC","contestMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","occasionColor":"#D13A1F","occasionFontFamily":"var(--lia-bs-font-family-base)","occasionFontWeight":"var(--lia-default-message-font-weight)","occasionLineHeight":"var(--lia-bs-line-height-base)","occasionFontStyle":"var(--lia-default-message-font-style)","occasionMessageLinkColor":"var(--lia-default-message-link-color)","occasionMessageLinkDecoration":"var(--lia-default-message-link-decoration)","occasionMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","occasionMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","grouphubColor":"#333333","categoryColor":"#949494","communityColor":"#FFFFFF","productColor":"#949494","__typename":"CoreTypesThemeSettings"},"colors":{"black":"#000000","white":"#FFFFFF","gray100":"#F7F7F7","gray200":"#F7F7F7","gray300":"#E8E8E8","gray400":"#D9D9D9","gray500":"#CCCCCC","gray600":"#717171","gray700":"#707070","gray800":"#545454","gray900":"#333333","dark":"#545454","light":"#F7F7F7","primary":"#0069D4","secondary":"#333333","bodyText":"#333333","bodyBg":"#FFFFFF","info":"#409AE2","success":"#41C5AE","warning":"#FCC844","danger":"#BC341B","alertSystem":"#FF6600","textMuted":"#707070","highlight":"#FFFCAD","outline":"var(--lia-bs-primary)","custom":["#D3F5A4","#243A5E"],"__typename":"ColorsThemeSettings"},"divider":{"size":"3px","marginLeft":"4px","marginRight":"4px","borderRadius":"50%","bgColor":"var(--lia-bs-gray-600)","bgColorActive":"var(--lia-bs-gray-600)","__typename":"DividerThemeSettings"},"dropdown":{"fontSize":"var(--lia-bs-font-size-sm)","borderColor":"var(--lia-bs-border-color)","borderRadius":"var(--lia-bs-border-radius-sm)","dividerBg":"var(--lia-bs-gray-300)","itemPaddingY":"5px","itemPaddingX":"20px","headerColor":"var(--lia-bs-gray-700)","__typename":"DropdownThemeSettings"},"email":{"link":{"color":"#0069D4","hoverColor":"#0061c2","decoration":"none","hoverDecoration":"underline","__typename":"EmailLinkSettings"},"border":{"color":"#e4e4e4","__typename":"EmailBorderSettings"},"buttons":{"borderRadiusLg":"5px","paddingXLg":"16px","paddingYLg":"7px","fontWeight":"700","primaryTextColor":"#ffffff","primaryTextHoverColor":"#ffffff","primaryBgColor":"#0069D4","primaryBgHoverColor":"#005cb8","primaryBorder":"1px solid transparent","primaryBorderHover":"1px solid transparent","__typename":"EmailButtonsSettings"},"panel":{"borderRadius":"5px","borderColor":"#e4e4e4","__typename":"EmailPanelSettings"},"__typename":"EmailThemeSettings"},"emoji":{"skinToneDefault":"#ffcd43","skinToneLight":"#fae3c5","skinToneMediumLight":"#e2cfa5","skinToneMedium":"#daa478","skinToneMediumDark":"#a78058","skinToneDark":"#5e4d43","__typename":"EmojiThemeSettings"},"heading":{"color":"var(--lia-bs-body-color)","fontFamily":"Segoe UI","fontStyle":"NORMAL","fontWeight":"400","h1FontSize":"34px","h2FontSize":"32px","h3FontSize":"28px","h4FontSize":"24px","h5FontSize":"20px","h6FontSize":"16px","lineHeight":"1.3","subHeaderFontSize":"11px","subHeaderFontWeight":"500","h1LetterSpacing":"normal","h2LetterSpacing":"normal","h3LetterSpacing":"normal","h4LetterSpacing":"normal","h5LetterSpacing":"normal","h6LetterSpacing":"normal","subHeaderLetterSpacing":"2px","h1FontWeight":"var(--lia-bs-headings-font-weight)","h2FontWeight":"var(--lia-bs-headings-font-weight)","h3FontWeight":"var(--lia-bs-headings-font-weight)","h4FontWeight":"var(--lia-bs-headings-font-weight)","h5FontWeight":"var(--lia-bs-headings-font-weight)","h6FontWeight":"var(--lia-bs-headings-font-weight)","__typename":"HeadingThemeSettings"},"icons":{"size10":"10px","size12":"12px","size14":"14px","size16":"16px","size20":"20px","size24":"24px","size30":"30px","size40":"40px","size50":"50px","size60":"60px","size80":"80px","size120":"120px","size160":"160px","__typename":"IconsThemeSettings"},"imagePreview":{"bgColor":"var(--lia-bs-gray-900)","titleColor":"var(--lia-bs-white)","controlColor":"var(--lia-bs-white)","controlBgColor":"var(--lia-bs-gray-800)","__typename":"ImagePreviewThemeSettings"},"input":{"borderColor":"var(--lia-bs-gray-600)","disabledColor":"var(--lia-bs-gray-600)","focusBorderColor":"var(--lia-bs-primary)","labelMarginBottom":"10px","btnFontSize":"var(--lia-bs-font-size-sm)","focusBoxShadow":"0 0 0 3px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","checkLabelMarginBottom":"2px","checkboxBorderRadius":"3px","borderRadiusSm":"var(--lia-bs-border-radius-sm)","borderRadius":"var(--lia-bs-border-radius)","borderRadiusLg":"var(--lia-bs-border-radius-lg)","formTextMarginTop":"4px","textAreaBorderRadius":"var(--lia-bs-border-radius)","activeFillColor":"var(--lia-bs-primary)","__typename":"InputThemeSettings"},"loading":{"dotDarkColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.2)","dotLightColor":"hsla(var(--lia-bs-white-h), var(--lia-bs-white-s), var(--lia-bs-white-l), 0.5)","barDarkColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.06)","barLightColor":"hsla(var(--lia-bs-white-h), var(--lia-bs-white-s), var(--lia-bs-white-l), 0.4)","__typename":"LoadingThemeSettings"},"link":{"color":"var(--lia-bs-primary)","hoverColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) - 10%))","decoration":"none","hoverDecoration":"underline","__typename":"LinkThemeSettings"},"listGroup":{"itemPaddingY":"15px","itemPaddingX":"15px","borderColor":"var(--lia-bs-gray-300)","__typename":"ListGroupThemeSettings"},"modal":{"contentTextColor":"var(--lia-bs-body-color)","contentBg":"var(--lia-bs-white)","backgroundBg":"var(--lia-bs-black)","smSize":"440px","mdSize":"760px","lgSize":"1080px","backdropOpacity":0.3,"contentBoxShadowXs":"var(--lia-bs-box-shadow-sm)","contentBoxShadow":"var(--lia-bs-box-shadow)","headerFontWeight":"700","__typename":"ModalThemeSettings"},"navbar":{"position":"FIXED","background":{"attachment":null,"clip":null,"color":"var(--lia-bs-white)","imageAssetName":"","imageLastModified":"0","origin":null,"position":"CENTER_CENTER","repeat":"NO_REPEAT","size":"COVER","__typename":"BackgroundProps"},"backgroundOpacity":0.8,"paddingTop":"15px","paddingBottom":"15px","borderBottom":"1px solid var(--lia-bs-border-color)","boxShadow":"var(--lia-bs-box-shadow-sm)","brandMarginRight":"30px","brandMarginRightSm":"10px","brandLogoHeight":"30px","linkGap":"10px","linkJustifyContent":"flex-start","linkPaddingY":"5px","linkPaddingX":"10px","linkDropdownPaddingY":"9px","linkDropdownPaddingX":"var(--lia-nav-link-px)","linkColor":"var(--lia-bs-body-color)","linkHoverColor":"var(--lia-bs-primary)","linkFontSize":"var(--lia-bs-font-size-sm)","linkFontStyle":"NORMAL","linkFontWeight":"400","linkTextTransform":"NONE","linkLetterSpacing":"normal","linkBorderRadius":"var(--lia-bs-border-radius-sm)","linkBgColor":"transparent","linkBgHoverColor":"transparent","linkBorder":"none","linkBorderHover":"none","linkBoxShadow":"none","linkBoxShadowHover":"none","linkTextBorderBottom":"none","linkTextBorderBottomHover":"none","dropdownPaddingTop":"10px","dropdownPaddingBottom":"15px","dropdownPaddingX":"10px","dropdownMenuOffset":"2px","dropdownDividerMarginTop":"10px","dropdownDividerMarginBottom":"10px","dropdownBorderColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","controllerBgHoverColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.1)","controllerIconColor":"var(--lia-bs-body-color)","controllerIconHoverColor":"var(--lia-bs-body-color)","controllerTextColor":"var(--lia-nav-controller-icon-color)","controllerTextHoverColor":"var(--lia-nav-controller-icon-hover-color)","controllerHighlightColor":"hsla(30, 100%, 50%)","controllerHighlightTextColor":"var(--lia-yiq-light)","controllerBorderRadius":"var(--lia-border-radius-50)","hamburgerColor":"var(--lia-nav-controller-icon-color)","hamburgerHoverColor":"var(--lia-nav-controller-icon-color)","hamburgerBgColor":"transparent","hamburgerBgHoverColor":"transparent","hamburgerBorder":"none","hamburgerBorderHover":"none","collapseMenuMarginLeft":"20px","collapseMenuDividerBg":"var(--lia-nav-link-color)","collapseMenuDividerOpacity":0.16,"__typename":"NavbarThemeSettings"},"pager":{"textColor":"var(--lia-bs-link-color)","textFontWeight":"var(--lia-font-weight-md)","textFontSize":"var(--lia-bs-font-size-sm)","__typename":"PagerThemeSettings"},"panel":{"bgColor":"var(--lia-bs-white)","borderRadius":"var(--lia-bs-border-radius)","borderColor":"var(--lia-bs-border-color)","boxShadow":"none","__typename":"PanelThemeSettings"},"popover":{"arrowHeight":"8px","arrowWidth":"16px","maxWidth":"300px","minWidth":"100px","headerBg":"var(--lia-bs-white)","borderColor":"var(--lia-bs-border-color)","borderRadius":"var(--lia-bs-border-radius)","boxShadow":"0 0.5rem 1rem hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.15)","__typename":"PopoverThemeSettings"},"prism":{"color":"#000000","bgColor":"#f5f2f0","fontFamily":"var(--font-family-monospace)","fontSize":"var(--lia-bs-font-size-base)","fontWeightBold":"var(--lia-bs-font-weight-bold)","fontStyleItalic":"italic","tabSize":2,"highlightColor":"#b3d4fc","commentColor":"#62707e","punctuationColor":"#6f6f6f","namespaceOpacity":"0.7","propColor":"#990055","selectorColor":"#517a00","operatorColor":"#906736","operatorBgColor":"hsla(0, 0%, 100%, 0.5)","keywordColor":"#0076a9","functionColor":"#d3284b","variableColor":"#c14700","__typename":"PrismThemeSettings"},"rte":{"bgColor":"var(--lia-bs-white)","borderRadius":"var(--lia-panel-border-radius)","boxShadow":" var(--lia-panel-box-shadow)","customColor1":"#bfedd2","customColor2":"#fbeeb8","customColor3":"#f8cac6","customColor4":"#eccafa","customColor5":"#c2e0f4","customColor6":"#2dc26b","customColor7":"#f1c40f","customColor8":"#e03e2d","customColor9":"#b96ad9","customColor10":"#3598db","customColor11":"#169179","customColor12":"#e67e23","customColor13":"#ba372a","customColor14":"#843fa1","customColor15":"#236fa1","customColor16":"#ecf0f1","customColor17":"#ced4d9","customColor18":"#95a5a6","customColor19":"#7e8c8d","customColor20":"#34495e","customColor21":"#000000","customColor22":"#ffffff","defaultMessageHeaderMarginTop":"40px","defaultMessageHeaderMarginBottom":"20px","defaultMessageItemMarginTop":"0","defaultMessageItemMarginBottom":"10px","diffAddedColor":"hsla(170, 53%, 51%, 0.4)","diffChangedColor":"hsla(43, 97%, 63%, 0.4)","diffNoneColor":"hsla(0, 0%, 80%, 0.4)","diffRemovedColor":"hsla(9, 74%, 47%, 0.4)","specialMessageHeaderMarginTop":"40px","specialMessageHeaderMarginBottom":"20px","specialMessageItemMarginTop":"0","specialMessageItemMarginBottom":"10px","__typename":"RteThemeSettings"},"tags":{"bgColor":"var(--lia-bs-gray-200)","bgHoverColor":"var(--lia-bs-gray-400)","borderRadius":"var(--lia-bs-border-radius-sm)","color":"var(--lia-bs-body-color)","hoverColor":"var(--lia-bs-body-color)","fontWeight":"var(--lia-font-weight-md)","fontSize":"var(--lia-font-size-xxs)","textTransform":"UPPERCASE","letterSpacing":"0.5px","__typename":"TagsThemeSettings"},"toasts":{"borderRadius":"var(--lia-bs-border-radius)","paddingX":"12px","__typename":"ToastsThemeSettings"},"typography":{"fontFamilyBase":"Segoe UI","fontStyleBase":"NORMAL","fontWeightBase":"400","fontWeightLight":"300","fontWeightNormal":"400","fontWeightMd":"500","fontWeightBold":"700","letterSpacingSm":"normal","letterSpacingXs":"normal","lineHeightBase":"1.5","fontSizeBase":"16px","fontSizeXxs":"11px","fontSizeXs":"12px","fontSizeSm":"14px","fontSizeLg":"20px","fontSizeXl":"24px","smallFontSize":"14px","customFonts":[{"source":"SERVER","name":"Segoe UI","styles":[{"style":"NORMAL","weight":"400","__typename":"FontStyleData"},{"style":"NORMAL","weight":"300","__typename":"FontStyleData"},{"style":"NORMAL","weight":"600","__typename":"FontStyleData"},{"style":"NORMAL","weight":"700","__typename":"FontStyleData"},{"style":"ITALIC","weight":"400","__typename":"FontStyleData"}],"assetNames":["SegoeUI-normal-400.woff2","SegoeUI-normal-300.woff2","SegoeUI-normal-600.woff2","SegoeUI-normal-700.woff2","SegoeUI-italic-400.woff2"],"__typename":"CustomFont"},{"source":"SERVER","name":"MWF Fluent Icons","styles":[{"style":"NORMAL","weight":"400","__typename":"FontStyleData"}],"assetNames":["MWFFluentIcons-normal-400.woff2"],"__typename":"CustomFont"}],"__typename":"TypographyThemeSettings"},"unstyledListItem":{"marginBottomSm":"5px","marginBottomMd":"10px","marginBottomLg":"15px","marginBottomXl":"20px","marginBottomXxl":"25px","__typename":"UnstyledListItemThemeSettings"},"yiq":{"light":"#ffffff","dark":"#000000","__typename":"YiqThemeSettings"},"colorLightness":{"primaryDark":0.36,"primaryLight":0.74,"primaryLighter":0.89,"primaryLightest":0.95,"infoDark":0.39,"infoLight":0.72,"infoLighter":0.85,"infoLightest":0.93,"successDark":0.24,"successLight":0.62,"successLighter":0.8,"successLightest":0.91,"warningDark":0.39,"warningLight":0.68,"warningLighter":0.84,"warningLightest":0.93,"dangerDark":0.41,"dangerLight":0.72,"dangerLighter":0.89,"dangerLightest":0.95,"__typename":"ColorLightnessThemeSettings"},"localOverride":false,"__typename":"Theme"},"localOverride":false},"CachedAsset:text:en_US-components/common/EmailVerification-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-components/common/EmailVerification-1737115705000","value":{"email.verification.title":"Email Verification Required","email.verification.message.update.email":"To participate in the community, you must first verify your email address. The verification email was sent to {email}. To change your email, visit My Settings.","email.verification.message.resend.email":"To participate in the community, you must first verify your email address. The verification email was sent to {email}. Resend email."},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/Loading/LoadingDot-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/Loading/LoadingDot-1737115705000","value":{"title":"Loading..."},"localOverride":false},"CachedAsset:quilt:o365.prod:pages/forums/ForumMessagePage:board:MicrosoftThreatProtection-1740993446042":{"__typename":"CachedAsset","id":"quilt:o365.prod:pages/forums/ForumMessagePage:board:MicrosoftThreatProtection-1740993446042","value":{"id":"ForumMessagePage","container":{"id":"Common","headerProps":{"backgroundImageProps":null,"backgroundColor":null,"addComponents":null,"removeComponents":["community.widget.bannerWidget"],"componentOrder":null,"__typename":"QuiltContainerSectionProps"},"headerComponentProps":{"community.widget.breadcrumbWidget":{"disableLastCrumbForDesktop":false}},"footerProps":null,"footerComponentProps":null,"items":[{"id":"section-1733174818610","layout":"ONE_COLUMN","bgColor":null,"showTitle":null,"showDescription":null,"textPosition":null,"textColor":null,"sectionEditLevel":null,"bgImage":null,"disableSpacing":null,"edgeToEdgeDisplay":null,"fullHeight":null,"showBorder":null,"__typename":"OneColumnQuiltSection","columnMap":{"main":[],"__typename":"OneSectionColumns"}},{"id":"message-list","layout":"MAIN_SIDE","bgColor":null,"showTitle":null,"showDescription":null,"textPosition":null,"textColor":null,"sectionEditLevel":null,"bgImage":null,"disableSpacing":null,"edgeToEdgeDisplay":null,"fullHeight":null,"showBorder":null,"__typename":"MainSideQuiltSection","columnMap":{"main":[{"id":"messages.widget.topicWithThreadedReplyListWidget","className":"lia-topic-with-replies","props":{"editLevel":"CONFIGURE"},"__typename":"QuiltComponent"}],"side":[{"id":"custom.widget.Social_Sharing","className":null,"props":{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"useBackground":true,"title":"Share","lazyLoad":false},"__typename":"QuiltComponent"},{"id":"custom.widget.Featured_Resources","className":null,"props":{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"useBackground":true,"title":"Resources","lazyLoad":false},"__typename":"QuiltComponent"}],"__typename":"MainSideSectionColumns"}}],"__typename":"QuiltContainer"},"__typename":"Quilt","localOverride":false},"localOverride":false},"CachedAsset:text:en_US-pages/forums/ForumMessagePage-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-pages/forums/ForumMessagePage-1737115705000","value":{"title":"{contextMessageSubject} | {communityTitle}","errorMissing":"This message cannot be found","name":"Forum Message Page","section.message-list.title":"Forum Discussion","archivedMessageTitle":"This Content Has Been Archived","section.TqVYTs.title":"Forum Discussion"},"localOverride":false},"CachedAsset:quiltWrapper:o365.prod:Common:1740993392778":{"__typename":"CachedAsset","id":"quiltWrapper:o365.prod:Common:1740993392778","value":{"id":"Common","header":{"backgroundImageProps":{"assetName":null,"backgroundSize":"COVER","backgroundRepeat":"NO_REPEAT","backgroundPosition":"CENTER_CENTER","lastModified":null,"__typename":"BackgroundImageProps"},"backgroundColor":"transparent","items":[{"id":"community.widget.navbarWidget","props":{"showUserName":true,"showRegisterLink":true,"useIconLanguagePicker":true,"useLabelLanguagePicker":true,"className":"QuiltComponent_lia-component-edit-mode__0nCcm","links":{"sideLinks":[],"mainLinks":[{"children":[],"linkType":"INTERNAL","id":"gxcuf89792","params":{},"routeName":"CommunityPage"},{"children":[],"linkType":"EXTERNAL","id":"external-link","url":"/Directory","target":"SELF"},{"children":[{"linkType":"INTERNAL","id":"microsoft365","params":{"categoryId":"microsoft365"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"microsoft-teams","params":{"categoryId":"MicrosoftTeams"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"windows","params":{"categoryId":"Windows"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"microsoft-securityand-compliance","params":{"categoryId":"microsoft-security"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"outlook","params":{"categoryId":"Outlook"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"planner","params":{"categoryId":"Planner"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"windows-server","params":{"categoryId":"Windows-Server"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"azure","params":{"categoryId":"Azure"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"exchange","params":{"categoryId":"Exchange"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"microsoft-endpoint-manager","params":{"categoryId":"microsoft-endpoint-manager"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"s-q-l-server","params":{"categoryId":"SQL-Server"},"routeName":"CategoryPage"},{"linkType":"EXTERNAL","id":"external-link-2","url":"/Directory","target":"SELF"}],"linkType":"EXTERNAL","id":"communities","url":"/","target":"BLANK"},{"children":[{"linkType":"INTERNAL","id":"education-sector","params":{"categoryId":"EducationSector"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"a-i","params":{"categoryId":"AI"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"i-t-ops-talk","params":{"categoryId":"ITOpsTalk"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"partner-community","params":{"categoryId":"PartnerCommunity"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"microsoft-mechanics","params":{"categoryId":"MicrosoftMechanics"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"healthcare-and-life-sciences","params":{"categoryId":"HealthcareAndLifeSciences"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"public-sector","params":{"categoryId":"PublicSector"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"io-t","params":{"categoryId":"IoT"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"driving-adoption","params":{"categoryId":"DrivingAdoption"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"s-m-b","params":{"categoryId":"SMB"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"startupsat-microsoft","params":{"categoryId":"StartupsatMicrosoft"},"routeName":"CategoryPage"},{"linkType":"EXTERNAL","id":"external-link-1","url":"/Directory","target":"SELF"}],"linkType":"EXTERNAL","id":"communities-1","url":"/","target":"SELF"},{"children":[],"linkType":"EXTERNAL","id":"external","url":"/Blogs","target":"SELF"},{"children":[],"linkType":"EXTERNAL","id":"external-1","url":"/Events","target":"SELF"},{"children":[{"linkType":"INTERNAL","id":"microsoft-learn-1","params":{"categoryId":"MicrosoftLearn"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"microsoft-learn-blog","params":{"boardId":"MicrosoftLearnBlog","categoryId":"MicrosoftLearn"},"routeName":"BlogBoardPage"},{"linkType":"EXTERNAL","id":"external-10","url":"https://learningroomdirectory.microsoft.com/","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-3","url":"https://docs.microsoft.com/learn/dynamics365/?WT.mc_id=techcom_header-webpage-m365","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-4","url":"https://docs.microsoft.com/learn/m365/?wt.mc_id=techcom_header-webpage-m365","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-5","url":"https://docs.microsoft.com/learn/topics/sci/?wt.mc_id=techcom_header-webpage-m365","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-6","url":"https://docs.microsoft.com/learn/powerplatform/?wt.mc_id=techcom_header-webpage-powerplatform","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-7","url":"https://docs.microsoft.com/learn/github/?wt.mc_id=techcom_header-webpage-github","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-8","url":"https://docs.microsoft.com/learn/teams/?wt.mc_id=techcom_header-webpage-teams","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-9","url":"https://docs.microsoft.com/learn/dotnet/?wt.mc_id=techcom_header-webpage-dotnet","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-2","url":"https://docs.microsoft.com/learn/azure/?WT.mc_id=techcom_header-webpage-m365","target":"BLANK"}],"linkType":"INTERNAL","id":"microsoft-learn","params":{"categoryId":"MicrosoftLearn"},"routeName":"CategoryPage"},{"children":[],"linkType":"INTERNAL","id":"community-info-center","params":{"categoryId":"Community-Info-Center"},"routeName":"CategoryPage"}]},"style":{"boxShadow":"var(--lia-bs-box-shadow-sm)","controllerHighlightColor":"hsla(30, 100%, 50%)","linkFontWeight":"400","dropdownDividerMarginBottom":"10px","hamburgerBorderHover":"none","linkBoxShadowHover":"none","linkFontSize":"14px","backgroundOpacity":0.8,"controllerBorderRadius":"var(--lia-border-radius-50)","hamburgerBgColor":"transparent","hamburgerColor":"var(--lia-nav-controller-icon-color)","linkTextBorderBottom":"none","brandLogoHeight":"30px","linkBgHoverColor":"transparent","linkLetterSpacing":"normal","collapseMenuDividerOpacity":0.16,"dropdownPaddingBottom":"15px","paddingBottom":"15px","dropdownMenuOffset":"2px","hamburgerBgHoverColor":"transparent","borderBottom":"1px solid var(--lia-bs-border-color)","hamburgerBorder":"none","dropdownPaddingX":"10px","brandMarginRightSm":"10px","linkBoxShadow":"none","collapseMenuDividerBg":"var(--lia-nav-link-color)","linkColor":"var(--lia-bs-body-color)","linkJustifyContent":"flex-start","dropdownPaddingTop":"10px","controllerHighlightTextColor":"var(--lia-yiq-dark)","controllerTextColor":"var(--lia-nav-controller-icon-color)","background":{"imageAssetName":"","color":"var(--lia-bs-white)","size":"COVER","repeat":"NO_REPEAT","position":"CENTER_CENTER","imageLastModified":""},"linkBorderRadius":"var(--lia-bs-border-radius-sm)","linkHoverColor":"var(--lia-bs-body-color)","position":"FIXED","linkBorder":"none","linkTextBorderBottomHover":"2px solid var(--lia-bs-body-color)","brandMarginRight":"30px","hamburgerHoverColor":"var(--lia-nav-controller-icon-color)","linkBorderHover":"none","collapseMenuMarginLeft":"20px","linkFontStyle":"NORMAL","controllerTextHoverColor":"var(--lia-nav-controller-icon-hover-color)","linkPaddingX":"10px","linkPaddingY":"5px","paddingTop":"15px","linkTextTransform":"NONE","dropdownBorderColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","controllerBgHoverColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.1)","linkBgColor":"transparent","linkDropdownPaddingX":"var(--lia-nav-link-px)","linkDropdownPaddingY":"9px","controllerIconColor":"var(--lia-bs-body-color)","dropdownDividerMarginTop":"10px","linkGap":"10px","controllerIconHoverColor":"var(--lia-bs-body-color)"},"showSearchIcon":false,"languagePickerStyle":"iconAndLabel"},"__typename":"QuiltComponent"},{"id":"community.widget.breadcrumbWidget","props":{"backgroundColor":"transparent","linkHighlightColor":"var(--lia-bs-primary)","visualEffects":{"showBottomBorder":true},"linkTextColor":"var(--lia-bs-gray-700)"},"__typename":"QuiltComponent"},{"id":"custom.widget.community_banner","props":{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"usePageWidth":false,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"},{"id":"custom.widget.HeroBanner","props":{"widgetVisibility":"signedInOrAnonymous","usePageWidth":false,"useTitle":true,"cMax_items":3,"useBackground":false,"title":"","lazyLoad":false,"widgetChooser":"custom.widget.HeroBanner"},"__typename":"QuiltComponent"}],"__typename":"QuiltWrapperSection"},"footer":{"backgroundImageProps":{"assetName":null,"backgroundSize":"COVER","backgroundRepeat":"NO_REPEAT","backgroundPosition":"CENTER_CENTER","lastModified":null,"__typename":"BackgroundImageProps"},"backgroundColor":"transparent","items":[{"id":"custom.widget.MicrosoftFooter","props":{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"}],"__typename":"QuiltWrapperSection"},"__typename":"QuiltWrapper","localOverride":false},"localOverride":false},"CachedAsset:text:en_US-components/common/ActionFeedback-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-components/common/ActionFeedback-1737115705000","value":{"joinedGroupHub.title":"Welcome","joinedGroupHub.message":"You are now a member of this group and are subscribed to updates.","groupHubInviteNotFound.title":"Invitation Not Found","groupHubInviteNotFound.message":"Sorry, we could not find your invitation to the group. The owner may have canceled the invite.","groupHubNotFound.title":"Group Not Found","groupHubNotFound.message":"The grouphub you tried to join does not exist. It may have been deleted.","existingGroupHubMember.title":"Already Joined","existingGroupHubMember.message":"You are already a member of this group.","accountLocked.title":"Account Locked","accountLocked.message":"Your account has been locked due to multiple failed attempts. Try again in {lockoutTime} minutes.","editedGroupHub.title":"Changes Saved","editedGroupHub.message":"Your group has been updated.","leftGroupHub.title":"Goodbye","leftGroupHub.message":"You are no longer a member of this group and will not receive future updates.","deletedGroupHub.title":"Deleted","deletedGroupHub.message":"The group has been deleted.","groupHubCreated.title":"Group Created","groupHubCreated.message":"{groupHubName} is ready to use","accountClosed.title":"Account Closed","accountClosed.message":"The account has been closed and you will now be redirected to the homepage","resetTokenExpired.title":"Reset Password Link has Expired","resetTokenExpired.message":"Try resetting your password again","invalidUrl.title":"Invalid URL","invalidUrl.message":"The URL you're using is not recognized. Verify your URL and try again.","accountClosedForUser.title":"Account Closed","accountClosedForUser.message":"{userName}'s account is closed","inviteTokenInvalid.title":"Invitation Invalid","inviteTokenInvalid.message":"Your invitation to the community has been canceled or expired.","inviteTokenError.title":"Invitation Verification Failed","inviteTokenError.message":"The url you are utilizing is not recognized. Verify your URL and try again","pageNotFound.title":"Access Denied","pageNotFound.message":"You do not have access to this area of the community or it doesn't exist","eventAttending.title":"Responded as Attending","eventAttending.message":"You'll be notified when there's new activity and reminded as the event approaches","eventInterested.title":"Responded as Interested","eventInterested.message":"You'll be notified when there's new activity and reminded as the event approaches","eventNotFound.title":"Event Not Found","eventNotFound.message":"The event you tried to respond to does not exist.","redirectToRelatedPage.title":"Showing Related Content","redirectToRelatedPageForBaseUsers.title":"Showing Related Content","redirectToRelatedPageForBaseUsers.message":"The content you are trying to access is archived","redirectToRelatedPage.message":"The content you are trying to access is archived","relatedUrl.archivalLink.flyoutMessage":"The content you are trying to access is archived View Archived Content"},"localOverride":false},"CachedAsset:component:custom.widget.community_banner-en-1740993515177":{"__typename":"CachedAsset","id":"component:custom.widget.community_banner-en-1740993515177","value":{"component":{"id":"custom.widget.community_banner","template":{"id":"community_banner","markupLanguage":"HANDLEBARS","style":".community-banner {\n a.top-bar.btn {\n top: 0px;\n width: 100%;\n z-index: 999;\n text-align: center;\n left: 0px;\n background: #0068b8;\n color: white;\n padding: 10px 0px;\n display:block;\n box-shadow:none !important;\n border: none !important;\n border-radius: none !important;\n margin: 0px !important;\n font-size:14px;\n }\n}","texts":null,"defaults":{"config":{"applicablePages":[],"description":"community announcement text","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"components":[{"id":"custom.widget.community_banner","form":null,"config":null,"props":[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":{"applicablePages":[],"description":"community announcement text","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":{"css":".custom_widget_community_banner_community-banner_1a5zb_1 {\n a.custom_widget_community_banner_top-bar_1a5zb_2.custom_widget_community_banner_btn_1a5zb_2 {\n top: 0;\n width: 100%;\n z-index: 999;\n text-align: center;\n left: 0;\n background: #0068b8;\n color: white;\n padding: 0.625rem 0;\n display:block;\n box-shadow:none !important;\n border: none !important;\n border-radius: none !important;\n margin: 0 !important;\n font-size:0.875rem;\n }\n}","tokens":{"community-banner":"custom_widget_community_banner_community-banner_1a5zb_1","top-bar":"custom_widget_community_banner_top-bar_1a5zb_2","btn":"custom_widget_community_banner_btn_1a5zb_2"}},"form":null},"localOverride":false},"CachedAsset:component:custom.widget.HeroBanner-en-1740993515177":{"__typename":"CachedAsset","id":"component:custom.widget.HeroBanner-en-1740993515177","value":{"component":{"id":"custom.widget.HeroBanner","template":{"id":"HeroBanner","markupLanguage":"REACT","style":null,"texts":{"searchPlaceholderText":"Search this community","followActionText":"Follow","unfollowActionText":"Following","searchOnHoverText":"Please enter your search term(s) and then press return key to complete a search."},"defaults":{"config":{"applicablePages":[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[{"id":"max_items","dataType":"NUMBER","list":false,"defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the carousel","possibleValues":null,"control":"INPUT","__typename":"PropDefinition"}],"__typename":"ComponentProperties"},"components":[{"id":"custom.widget.HeroBanner","form":{"fields":[{"id":"widgetChooser","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"title","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useTitle","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useBackground","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"widgetVisibility","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"moreOptions","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"cMax_items","validation":null,"noValidation":null,"dataType":"NUMBER","list":false,"control":"INPUT","defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the carousel","possibleValues":null,"__typename":"FormField"}],"layout":{"rows":[{"id":"widgetChooserGroup","type":"fieldset","as":null,"items":[{"id":"widgetChooser","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"titleGroup","type":"fieldset","as":null,"items":[{"id":"title","className":null,"__typename":"FormFieldRef"},{"id":"useTitle","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"useBackground","type":"fieldset","as":null,"items":[{"id":"useBackground","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"widgetVisibility","type":"fieldset","as":null,"items":[{"id":"widgetVisibility","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"moreOptionsGroup","type":"fieldset","as":null,"items":[{"id":"moreOptions","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"componentPropsGroup","type":"fieldset","as":null,"items":[{"id":"cMax_items","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"}],"actionButtons":null,"className":"custom_widget_HeroBanner_form","formGroupFieldSeparator":"divider","__typename":"FormLayout"},"__typename":"Form"},"config":null,"props":[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":{"applicablePages":[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[{"id":"max_items","dataType":"NUMBER","list":false,"defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the carousel","possibleValues":null,"control":"INPUT","__typename":"PropDefinition"}],"__typename":"ComponentProperties"},"form":{"fields":[{"id":"widgetChooser","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"title","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useTitle","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useBackground","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"widgetVisibility","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"moreOptions","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"cMax_items","validation":null,"noValidation":null,"dataType":"NUMBER","list":false,"control":"INPUT","defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the carousel","possibleValues":null,"__typename":"FormField"}],"layout":{"rows":[{"id":"widgetChooserGroup","type":"fieldset","as":null,"items":[{"id":"widgetChooser","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"titleGroup","type":"fieldset","as":null,"items":[{"id":"title","className":null,"__typename":"FormFieldRef"},{"id":"useTitle","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"useBackground","type":"fieldset","as":null,"items":[{"id":"useBackground","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"widgetVisibility","type":"fieldset","as":null,"items":[{"id":"widgetVisibility","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"moreOptionsGroup","type":"fieldset","as":null,"items":[{"id":"moreOptions","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"componentPropsGroup","type":"fieldset","as":null,"items":[{"id":"cMax_items","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"}],"actionButtons":null,"className":"custom_widget_HeroBanner_form","formGroupFieldSeparator":"divider","__typename":"FormLayout"},"__typename":"Form"},"__typename":"Component","localOverride":false},"globalCss":null,"form":{"fields":[{"id":"widgetChooser","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"title","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useTitle","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useBackground","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"widgetVisibility","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"moreOptions","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"cMax_items","validation":null,"noValidation":null,"dataType":"NUMBER","list":false,"control":"INPUT","defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the carousel","possibleValues":null,"__typename":"FormField"}],"layout":{"rows":[{"id":"widgetChooserGroup","type":"fieldset","as":null,"items":[{"id":"widgetChooser","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"titleGroup","type":"fieldset","as":null,"items":[{"id":"title","className":null,"__typename":"FormFieldRef"},{"id":"useTitle","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"useBackground","type":"fieldset","as":null,"items":[{"id":"useBackground","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"widgetVisibility","type":"fieldset","as":null,"items":[{"id":"widgetVisibility","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"moreOptionsGroup","type":"fieldset","as":null,"items":[{"id":"moreOptions","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"componentPropsGroup","type":"fieldset","as":null,"items":[{"id":"cMax_items","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"}],"actionButtons":null,"className":"custom_widget_HeroBanner_form","formGroupFieldSeparator":"divider","__typename":"FormLayout"},"__typename":"Form"}},"localOverride":false},"CachedAsset:component:custom.widget.Social_Sharing-en-1740993515177":{"__typename":"CachedAsset","id":"component:custom.widget.Social_Sharing-en-1740993515177","value":{"component":{"id":"custom.widget.Social_Sharing","template":{"id":"Social_Sharing","markupLanguage":"HANDLEBARS","style":".social-share {\n .sharing-options {\n position: relative;\n margin: 0;\n padding: 0;\n line-height: 10px;\n display: flex;\n justify-content: left;\n gap: 5px;\n list-style-type: none;\n li {\n text-align: left;\n a {\n min-width: 30px;\n min-height: 30px;\n display: block;\n padding: 1px;\n .social-share-linkedin {\n img {\n background-color: rgb(0, 119, 181);\n }\n }\n .social-share-facebook {\n img {\n background-color: rgb(59, 89, 152);\n }\n }\n .social-share-x {\n img {\n background-color: rgb(0, 0, 0);\n }\n }\n .social-share-rss {\n img {\n background-color: rgb(0, 0, 0);\n }\n }\n .social-share-reddit {\n img {\n background-color: rgb(255, 69, 0);\n }\n }\n .social-share-email {\n img {\n background-color: rgb(132, 132, 132);\n }\n }\n }\n a {\n img {\n height: 2rem;\n }\n }\n }\n }\n}\n","texts":null,"defaults":{"config":{"applicablePages":[],"description":"Adds buttons to share to various social media websites","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"components":[{"id":"custom.widget.Social_Sharing","form":null,"config":null,"props":[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":{"applicablePages":[],"description":"Adds buttons to share to various social media websites","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":{"css":".custom_widget_Social_Sharing_social-share_c7xxz_1 {\n .custom_widget_Social_Sharing_sharing-options_c7xxz_2 {\n position: relative;\n margin: 0;\n padding: 0;\n line-height: 0.625rem;\n display: flex;\n justify-content: left;\n gap: 0.3125rem;\n list-style-type: none;\n li {\n text-align: left;\n a {\n min-width: 1.875rem;\n min-height: 1.875rem;\n display: block;\n padding: 0.0625rem;\n .custom_widget_Social_Sharing_social-share-linkedin_c7xxz_18 {\n img {\n background-color: rgb(0, 119, 181);\n }\n }\n .custom_widget_Social_Sharing_social-share-facebook_c7xxz_23 {\n img {\n background-color: rgb(59, 89, 152);\n }\n }\n .custom_widget_Social_Sharing_social-share-x_c7xxz_28 {\n img {\n background-color: rgb(0, 0, 0);\n }\n }\n .custom_widget_Social_Sharing_social-share-rss_c7xxz_33 {\n img {\n background-color: rgb(0, 0, 0);\n }\n }\n .custom_widget_Social_Sharing_social-share-reddit_c7xxz_38 {\n img {\n background-color: rgb(255, 69, 0);\n }\n }\n .custom_widget_Social_Sharing_social-share-email_c7xxz_43 {\n img {\n background-color: rgb(132, 132, 132);\n }\n }\n }\n a {\n img {\n height: 2rem;\n }\n }\n }\n }\n}\n","tokens":{"social-share":"custom_widget_Social_Sharing_social-share_c7xxz_1","sharing-options":"custom_widget_Social_Sharing_sharing-options_c7xxz_2","social-share-linkedin":"custom_widget_Social_Sharing_social-share-linkedin_c7xxz_18","social-share-facebook":"custom_widget_Social_Sharing_social-share-facebook_c7xxz_23","social-share-x":"custom_widget_Social_Sharing_social-share-x_c7xxz_28","social-share-rss":"custom_widget_Social_Sharing_social-share-rss_c7xxz_33","social-share-reddit":"custom_widget_Social_Sharing_social-share-reddit_c7xxz_38","social-share-email":"custom_widget_Social_Sharing_social-share-email_c7xxz_43"}},"form":null},"localOverride":false},"CachedAsset:component:custom.widget.Featured_Resources-en-1740993515177":{"__typename":"CachedAsset","id":"component:custom.widget.Featured_Resources-en-1740993515177","value":{"component":{"id":"custom.widget.Featured_Resources","template":{"id":"Featured_Resources","markupLanguage":"REACT","style":null,"texts":{"resourceTitle":"Title","titlePlaceholder":"Resource title","urlPlaceholder":"Resource URL","resourceUrl":"URL","addResource":"Add Resource","cancel":"Cancel","removeResource":"Remove Resource","error":"Error","itemNotSaved":"Item not saved. {message}","errorMessage":"An error occurred. Please try again."},"defaults":{"config":{"applicablePages":[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"components":[{"id":"custom.widget.Featured_Resources","form":null,"config":null,"props":[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":{"applicablePages":[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":null,"form":null},"localOverride":false},"CachedAsset:component:custom.widget.MicrosoftFooter-en-1740993515177":{"__typename":"CachedAsset","id":"component:custom.widget.MicrosoftFooter-en-1740993515177","value":{"component":{"id":"custom.widget.MicrosoftFooter","template":{"id":"MicrosoftFooter","markupLanguage":"HANDLEBARS","style":".context-uhf {\n min-width: 280px;\n font-size: 15px;\n box-sizing: border-box;\n -ms-text-size-adjust: 100%;\n -webkit-text-size-adjust: 100%;\n & *,\n & *:before,\n & *:after {\n box-sizing: inherit;\n }\n a.c-uhff-link {\n color: #616161;\n word-break: break-word;\n text-decoration: none;\n }\n &a:link,\n &a:focus,\n &a:hover,\n &a:active,\n &a:visited {\n text-decoration: none;\n color: inherit;\n }\n & div {\n font-family: 'Segoe UI', SegoeUI, 'Helvetica Neue', Helvetica, Arial, sans-serif;\n }\n}\n.c-uhff {\n background: #f2f2f2;\n margin: -1.5625;\n width: auto;\n height: auto;\n}\n.c-uhff-nav {\n margin: 0 auto;\n max-width: calc(1600px + 10%);\n padding: 0 5%;\n box-sizing: inherit;\n &:before,\n &:after {\n content: ' ';\n display: table;\n clear: left;\n }\n @media only screen and (max-width: 1083px) {\n padding-left: 12px;\n }\n .c-heading-4 {\n color: #616161;\n word-break: break-word;\n font-size: 15px;\n line-height: 20px;\n padding: 36px 0 4px;\n font-weight: 600;\n }\n .c-uhff-nav-row {\n .c-uhff-nav-group {\n display: block;\n float: left;\n min-height: 1px;\n vertical-align: text-top;\n padding: 0 12px;\n width: 100%;\n zoom: 1;\n &:first-child {\n padding-left: 0;\n @media only screen and (max-width: 1083px) {\n padding-left: 12px;\n }\n }\n @media only screen and (min-width: 540px) and (max-width: 1082px) {\n width: 33.33333%;\n }\n @media only screen and (min-width: 1083px) {\n width: 16.6666666667%;\n }\n ul.c-list.f-bare {\n font-size: 11px;\n line-height: 16px;\n margin-top: 0;\n margin-bottom: 0;\n padding-left: 0;\n list-style-type: none;\n li {\n word-break: break-word;\n padding: 8px 0;\n margin: 0;\n }\n }\n }\n }\n}\n.c-uhff-base {\n background: #f2f2f2;\n margin: 0 auto;\n max-width: calc(1600px + 10%);\n padding: 30px 5% 16px;\n &:before,\n &:after {\n content: ' ';\n display: table;\n }\n &:after {\n clear: both;\n }\n a.c-uhff-ccpa {\n font-size: 11px;\n line-height: 16px;\n float: left;\n margin: 3px 0;\n }\n a.c-uhff-ccpa:hover {\n text-decoration: underline;\n }\n ul.c-list {\n font-size: 11px;\n line-height: 16px;\n float: right;\n margin: 3px 0;\n color: #616161;\n li {\n padding: 0 24px 4px 0;\n display: inline-block;\n }\n }\n .c-list.f-bare {\n padding-left: 0;\n list-style-type: none;\n }\n @media only screen and (max-width: 1083px) {\n display: flex;\n flex-wrap: wrap;\n padding: 30px 24px 16px;\n }\n}\n","texts":{"New tab":"What's New","New 1":"Surface Laptop Studio 2","New 2":"Surface Laptop Go 3","New 3":"Surface Pro 9","New 4":"Surface Laptop 5","New 5":"Surface Studio 2+","New 6":"Copilot in Windows","New 7":"Microsoft 365","New 8":"Windows 11 apps","Store tab":"Microsoft Store","Store 1":"Account Profile","Store 2":"Download Center","Store 3":"Microsoft Store Support","Store 4":"Returns","Store 5":"Order tracking","Store 6":"Certified Refurbished","Store 7":"Microsoft Store Promise","Store 8":"Flexible Payments","Education tab":"Education","Edu 1":"Microsoft in education","Edu 2":"Devices for education","Edu 3":"Microsoft Teams for Education","Edu 4":"Microsoft 365 Education","Edu 5":"How to buy for your school","Edu 6":"Educator Training and development","Edu 7":"Deals for students and parents","Edu 8":"Azure for students","Business tab":"Business","Bus 1":"Microsoft Cloud","Bus 2":"Microsoft Security","Bus 3":"Dynamics 365","Bus 4":"Microsoft 365","Bus 5":"Microsoft Power Platform","Bus 6":"Microsoft Teams","Bus 7":"Microsoft Industry","Bus 8":"Small Business","Developer tab":"Developer & IT","Dev 1":"Azure","Dev 2":"Developer Center","Dev 3":"Documentation","Dev 4":"Microsoft Learn","Dev 5":"Microsoft Tech Community","Dev 6":"Azure Marketplace","Dev 7":"AppSource","Dev 8":"Visual Studio","Company tab":"Company","Com 1":"Careers","Com 2":"About Microsoft","Com 3":"Company News","Com 4":"Privacy at Microsoft","Com 5":"Investors","Com 6":"Diversity and inclusion","Com 7":"Accessiblity","Com 8":"Sustainibility"},"defaults":{"config":{"applicablePages":[],"description":"The Microsoft Footer","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"components":[{"id":"custom.widget.MicrosoftFooter","form":null,"config":null,"props":[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":{"applicablePages":[],"description":"The Microsoft Footer","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":{"css":".custom_widget_MicrosoftFooter_context-uhf_f95yq_1 {\n min-width: 17.5rem;\n font-size: 0.9375rem;\n box-sizing: border-box;\n -ms-text-size-adjust: 100%;\n -webkit-text-size-adjust: 100%;\n & *,\n & *:before,\n & *:after {\n box-sizing: inherit;\n }\n a.custom_widget_MicrosoftFooter_c-uhff-link_f95yq_12 {\n color: #616161;\n word-break: break-word;\n text-decoration: none;\n }\n &a:link,\n &a:focus,\n &a:hover,\n &a:active,\n &a:visited {\n text-decoration: none;\n color: inherit;\n }\n & div {\n font-family: 'Segoe UI', SegoeUI, 'Helvetica Neue', Helvetica, Arial, sans-serif;\n }\n}\n.custom_widget_MicrosoftFooter_c-uhff_f95yq_12 {\n background: #f2f2f2;\n margin: -1.5625;\n width: auto;\n height: auto;\n}\n.custom_widget_MicrosoftFooter_c-uhff-nav_f95yq_35 {\n margin: 0 auto;\n max-width: calc(100rem + 10%);\n padding: 0 5%;\n box-sizing: inherit;\n &:before,\n &:after {\n content: ' ';\n display: table;\n clear: left;\n }\n @media only screen and (max-width: 1083px) {\n padding-left: 0.75rem;\n }\n .custom_widget_MicrosoftFooter_c-heading-4_f95yq_49 {\n color: #616161;\n word-break: break-word;\n font-size: 0.9375rem;\n line-height: 1.25rem;\n padding: 2.25rem 0 0.25rem;\n font-weight: 600;\n }\n .custom_widget_MicrosoftFooter_c-uhff-nav-row_f95yq_57 {\n .custom_widget_MicrosoftFooter_c-uhff-nav-group_f95yq_58 {\n display: block;\n float: left;\n min-height: 0.0625rem;\n vertical-align: text-top;\n padding: 0 0.75rem;\n width: 100%;\n zoom: 1;\n &:first-child {\n padding-left: 0;\n @media only screen and (max-width: 1083px) {\n padding-left: 0.75rem;\n }\n }\n @media only screen and (min-width: 540px) and (max-width: 1082px) {\n width: 33.33333%;\n }\n @media only screen and (min-width: 1083px) {\n width: 16.6666666667%;\n }\n ul.custom_widget_MicrosoftFooter_c-list_f95yq_78.custom_widget_MicrosoftFooter_f-bare_f95yq_78 {\n font-size: 0.6875rem;\n line-height: 1rem;\n margin-top: 0;\n margin-bottom: 0;\n padding-left: 0;\n list-style-type: none;\n li {\n word-break: break-word;\n padding: 0.5rem 0;\n margin: 0;\n }\n }\n }\n }\n}\n.custom_widget_MicrosoftFooter_c-uhff-base_f95yq_94 {\n background: #f2f2f2;\n margin: 0 auto;\n max-width: calc(100rem + 10%);\n padding: 1.875rem 5% 1rem;\n &:before,\n &:after {\n content: ' ';\n display: table;\n }\n &:after {\n clear: both;\n }\n a.custom_widget_MicrosoftFooter_c-uhff-ccpa_f95yq_107 {\n font-size: 0.6875rem;\n line-height: 1rem;\n float: left;\n margin: 0.1875rem 0;\n }\n a.custom_widget_MicrosoftFooter_c-uhff-ccpa_f95yq_107:hover {\n text-decoration: underline;\n }\n ul.custom_widget_MicrosoftFooter_c-list_f95yq_78 {\n font-size: 0.6875rem;\n line-height: 1rem;\n float: right;\n margin: 0.1875rem 0;\n color: #616161;\n li {\n padding: 0 1.5rem 0.25rem 0;\n display: inline-block;\n }\n }\n .custom_widget_MicrosoftFooter_c-list_f95yq_78.custom_widget_MicrosoftFooter_f-bare_f95yq_78 {\n padding-left: 0;\n list-style-type: none;\n }\n @media only screen and (max-width: 1083px) {\n display: flex;\n flex-wrap: wrap;\n padding: 1.875rem 1.5rem 1rem;\n }\n}\n","tokens":{"context-uhf":"custom_widget_MicrosoftFooter_context-uhf_f95yq_1","c-uhff-link":"custom_widget_MicrosoftFooter_c-uhff-link_f95yq_12","c-uhff":"custom_widget_MicrosoftFooter_c-uhff_f95yq_12","c-uhff-nav":"custom_widget_MicrosoftFooter_c-uhff-nav_f95yq_35","c-heading-4":"custom_widget_MicrosoftFooter_c-heading-4_f95yq_49","c-uhff-nav-row":"custom_widget_MicrosoftFooter_c-uhff-nav-row_f95yq_57","c-uhff-nav-group":"custom_widget_MicrosoftFooter_c-uhff-nav-group_f95yq_58","c-list":"custom_widget_MicrosoftFooter_c-list_f95yq_78","f-bare":"custom_widget_MicrosoftFooter_f-bare_f95yq_78","c-uhff-base":"custom_widget_MicrosoftFooter_c-uhff-base_f95yq_94","c-uhff-ccpa":"custom_widget_MicrosoftFooter_c-uhff-ccpa_f95yq_107"}},"form":null},"localOverride":false},"CachedAsset:text:en_US-components/community/Breadcrumb-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-components/community/Breadcrumb-1737115705000","value":{"navLabel":"Breadcrumbs","dropdown":"Additional parent page navigation"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageBanner-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageBanner-1737115705000","value":{"messageMarkedAsSpam":"This post has been marked as spam","messageMarkedAsSpam@board:TKB":"This article has been marked as spam","messageMarkedAsSpam@board:BLOG":"This post has been marked as spam","messageMarkedAsSpam@board:FORUM":"This discussion has been marked as spam","messageMarkedAsSpam@board:OCCASION":"This event has been marked as spam","messageMarkedAsSpam@board:IDEA":"This idea has been marked as spam","manageSpam":"Manage Spam","messageMarkedAsAbuse":"This post has been marked as abuse","messageMarkedAsAbuse@board:TKB":"This article has been marked as abuse","messageMarkedAsAbuse@board:BLOG":"This post has been marked as abuse","messageMarkedAsAbuse@board:FORUM":"This discussion has been marked as abuse","messageMarkedAsAbuse@board:OCCASION":"This event has been marked as abuse","messageMarkedAsAbuse@board:IDEA":"This idea has been marked as abuse","preModCommentAuthorText":"This comment will be published as soon as it is approved","preModCommentModeratorText":"This comment is awaiting moderation","messageMarkedAsOther":"This post has been rejected due to other reasons","messageMarkedAsOther@board:TKB":"This article has been rejected due to other reasons","messageMarkedAsOther@board:BLOG":"This post has been rejected due to other reasons","messageMarkedAsOther@board:FORUM":"This discussion has been rejected due to other reasons","messageMarkedAsOther@board:OCCASION":"This event has been rejected due to other reasons","messageMarkedAsOther@board:IDEA":"This idea has been rejected due to other reasons","messageArchived":"This post was archived on {date}","relatedUrl":"View Related Content","relatedContentText":"Showing related content","archivedContentLink":"View Archived Content"},"localOverride":false},"Category:category:Exchange":{"__typename":"Category","id":"category:Exchange","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Planner":{"__typename":"Category","id":"category:Planner","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Outlook":{"__typename":"Category","id":"category:Outlook","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Community-Info-Center":{"__typename":"Category","id":"category:Community-Info-Center","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:EducationSector":{"__typename":"Category","id":"category:EducationSector","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:DrivingAdoption":{"__typename":"Category","id":"category:DrivingAdoption","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Azure":{"__typename":"Category","id":"category:Azure","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Windows-Server":{"__typename":"Category","id":"category:Windows-Server","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:SQL-Server":{"__typename":"Category","id":"category:SQL-Server","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftTeams":{"__typename":"Category","id":"category:MicrosoftTeams","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:PublicSector":{"__typename":"Category","id":"category:PublicSector","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:microsoft365":{"__typename":"Category","id":"category:microsoft365","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:IoT":{"__typename":"Category","id":"category:IoT","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:HealthcareAndLifeSciences":{"__typename":"Category","id":"category:HealthcareAndLifeSciences","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:SMB":{"__typename":"Category","id":"category:SMB","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:ITOpsTalk":{"__typename":"Category","id":"category:ITOpsTalk","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:microsoft-endpoint-manager":{"__typename":"Category","id":"category:microsoft-endpoint-manager","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftLearn":{"__typename":"Category","id":"category:MicrosoftLearn","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Blog:board:MicrosoftLearnBlog":{"__typename":"Blog","id":"board:MicrosoftLearnBlog","blogPolicies":{"__typename":"BlogPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:AI":{"__typename":"Category","id":"category:AI","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftMechanics":{"__typename":"Category","id":"category:MicrosoftMechanics","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:StartupsatMicrosoft":{"__typename":"Category","id":"category:StartupsatMicrosoft","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:PartnerCommunity":{"__typename":"Category","id":"category:PartnerCommunity","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Windows":{"__typename":"Category","id":"category:Windows","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"QueryVariables:TopicReplyList:message:4119284:1":{"__typename":"QueryVariables","id":"TopicReplyList:message:4119284:1","value":{"id":"message:4119284","first":10,"sorts":{"postTime":{"direction":"DESC"}},"repliesFirst":3,"repliesFirstDepthThree":1,"repliesSorts":{"postTime":{"direction":"DESC"}},"useAvatar":true,"useAuthorLogin":true,"useAuthorRank":true,"useBody":true,"useKudosCount":true,"useTimeToRead":false,"useMedia":false,"useReadOnlyIcon":false,"useRepliesCount":true,"useSearchSnippet":false,"useAcceptedSolutionButton":true,"useSolvedBadge":false,"useAttachments":false,"attachmentsFirst":5,"useTags":true,"useNodeAncestors":false,"useUserHoverCard":false,"useNodeHoverCard":false,"useModerationStatus":true,"usePreviewSubjectModal":false,"useMessageStatus":true}},"ROOT_MUTATION":{"__typename":"Mutation"},"CachedAsset:text:en_US-components/community/Navbar-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-components/community/Navbar-1737115705000","value":{"community":"Community Home","inbox":"Inbox","manageContent":"Manage Content","tos":"Terms of Service","forgotPassword":"Forgot Password","themeEditor":"Theme Editor","edit":"Edit Navigation Bar","skipContent":"Skip to content","gxcuf89792":"Tech Community","external-1":"Events","s-m-b":"Small and Medium Businesses","windows-server":"Windows Server","education-sector":"Education Sector","driving-adoption":"Driving Adoption","microsoft-learn":"Microsoft Learn","s-q-l-server":"SQL Server","partner-community":"Microsoft Partner Community","microsoft365":"Microsoft 365","external-9":".NET","external-8":"Teams","external-7":"Github","products-services":"Products","external-6":"Power Platform","communities-1":"Topics","external-5":"Microsoft Security","planner":"Planner","external-4":"Microsoft 365","external-3":"Dynamics 365","azure":"Azure","healthcare-and-life-sciences":"Healthcare and Life Sciences","external-2":"Azure","microsoft-mechanics":"Microsoft Mechanics","microsoft-learn-1":"Community","external-10":"Learning Room Directory","microsoft-learn-blog":"Blog","windows":"Windows","i-t-ops-talk":"ITOps Talk","external-link-1":"View All","microsoft-securityand-compliance":"Microsoft Security","public-sector":"Public Sector","community-info-center":"Lounge","external-link-2":"View All","microsoft-teams":"Microsoft Teams","external":"Blogs","microsoft-endpoint-manager":"Microsoft Intune and Configuration Manager","startupsat-microsoft":"Startups at Microsoft","exchange":"Exchange","a-i":"AI and Machine Learning","io-t":"Internet of Things (IoT)","outlook":"Outlook","external-link":"Community Hubs","communities":"Products"},"localOverride":false},"CachedAsset:text:en_US-components/community/NavbarHamburgerDropdown-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarHamburgerDropdown-1737115705000","value":{"hamburgerLabel":"Side Menu"},"localOverride":false},"CachedAsset:text:en_US-components/community/BrandLogo-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-components/community/BrandLogo-1737115705000","value":{"logoAlt":"Khoros","themeLogoAlt":"Brand Logo"},"localOverride":false},"CachedAsset:text:en_US-components/community/NavbarTextLinks-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarTextLinks-1737115705000","value":{"more":"More"},"localOverride":false},"CachedAsset:text:en_US-components/authentication/AuthenticationLink-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-components/authentication/AuthenticationLink-1737115705000","value":{"title.login":"Sign In","title.registration":"Register","title.forgotPassword":"Forgot Password","title.multiAuthLogin":"Sign In"},"localOverride":false},"CachedAsset:text:en_US-components/nodes/NodeLink-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-components/nodes/NodeLink-1737115705000","value":{"place":"Place {name}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageView/MessageViewStandard-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageView/MessageViewStandard-1737115705000","value":{"anonymous":"Anonymous","author":"{messageAuthorLogin}","authorBy":"{messageAuthorLogin}","board":"{messageBoardTitle}","replyToUser":" to {parentAuthor}","showMoreReplies":"Show More","replyText":"Reply","repliesText":"Replies","markedAsSolved":"Marked as Solved","movedMessagePlaceholder.BLOG":"{count, plural, =0 {This comment has been} other {These comments have been} }","movedMessagePlaceholder.TKB":"{count, plural, =0 {This comment has been} other {These comments have been} }","movedMessagePlaceholder.FORUM":"{count, plural, =0 {This reply has been} other {These replies have been} }","movedMessagePlaceholder.IDEA":"{count, plural, =0 {This comment has been} other {These comments have been} }","movedMessagePlaceholder.OCCASION":"{count, plural, =0 {This comment has been} other {These comments have been} }","movedMessagePlaceholderUrlText":"moved.","messageStatus":"Status: ","statusChanged":"Status changed: {previousStatus} to {currentStatus}","statusAdded":"Status added: {status}","statusRemoved":"Status removed: {status}","labelExpand":"expand replies","labelCollapse":"collapse replies","unhelpfulReason.reason1":"Content is outdated","unhelpfulReason.reason2":"Article is missing information","unhelpfulReason.reason3":"Content is for a different Product","unhelpfulReason.reason4":"Doesn't match what I was searching for"},"localOverride":false},"CachedAsset:text:en_US-components/messages/ThreadedReplyList-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/ThreadedReplyList-1737115705000","value":{"title":"{count, plural, one{# Reply} other{# Replies}}","title@board:BLOG":"{count, plural, one{# Comment} other{# Comments}}","title@board:TKB":"{count, plural, one{# Comment} other{# Comments}}","title@board:IDEA":"{count, plural, one{# Comment} other{# Comments}}","title@board:OCCASION":"{count, plural, one{# Comment} other{# Comments}}","noRepliesTitle":"No Replies","noRepliesTitle@board:BLOG":"No Comments","noRepliesTitle@board:TKB":"No Comments","noRepliesTitle@board:IDEA":"No Comments","noRepliesTitle@board:OCCASION":"No Comments","noRepliesDescription":"Be the first to reply","noRepliesDescription@board:BLOG":"Be the first to comment","noRepliesDescription@board:TKB":"Be the first to comment","noRepliesDescription@board:IDEA":"Be the first to comment","noRepliesDescription@board:OCCASION":"Be the first to comment","messageReadOnlyAlert:BLOG":"Comments have been turned off for this post","messageReadOnlyAlert:TKB":"Comments have been turned off for this article","messageReadOnlyAlert:IDEA":"Comments have been turned off for this idea","messageReadOnlyAlert:FORUM":"Replies have been turned off for this discussion","messageReadOnlyAlert:OCCASION":"Comments have been turned off for this event"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageReplyCallToAction-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageReplyCallToAction-1737115705000","value":{"leaveReply":"Leave a reply...","leaveReply@board:BLOG@message:root":"Leave a comment...","leaveReply@board:TKB@message:root":"Leave a comment...","leaveReply@board:IDEA@message:root":"Leave a comment...","leaveReply@board:OCCASION@message:root":"Leave a comment...","repliesTurnedOff.FORUM":"Replies are turned off for this topic","repliesTurnedOff.BLOG":"Comments are turned off for this topic","repliesTurnedOff.TKB":"Comments are turned off for this topic","repliesTurnedOff.IDEA":"Comments are turned off for this topic","repliesTurnedOff.OCCASION":"Comments are turned off for this topic","infoText":"Stop poking me!"},"localOverride":false},"Rank:rank:35":{"__typename":"Rank","id":"rank:35","position":15,"name":"Iron Contributor","color":"333333","icon":null,"rankStyle":"TEXT"},"User:user:2394710":{"__typename":"User","id":"user:2394710","uid":2394710,"login":"DylanInfosec","biography":null,"registrationData":{"__typename":"RegistrationData","status":null,"registrationTime":"2024-03-30T04:33:36.836-07:00"},"deleted":false,"email":"","avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/dS0yMzk0NzEwLTU3MzA0MmkzRjM5Q0ZFQTdFMUZBMTYy"},"rank":{"__ref":"Rank:rank:35"},"entityType":"USER","eventPath":"community:gxcuf89792/user:2394710"},"ModerationData:moderation_data:4119328":{"__typename":"ModerationData","id":"moderation_data:4119328","status":"APPROVED","rejectReason":null,"isReportedAbuse":false,"rejectUser":null,"rejectTime":null,"rejectActorType":null},"AcceptedSolutionMessage:message:4119328":{"__typename":"AcceptedSolutionMessage","author":{"__ref":"User:user:2394710"},"id":"message:4119328","revisionNum":2,"uid":4119328,"depth":1,"hasGivenKudo":false,"subscribed":false,"board":{"__ref":"Forum:board:MicrosoftThreatProtection"},"parent":{"__ref":"ForumTopicMessage:message:4119284"},"conversation":{"__ref":"Conversation:conversation:4119284"},"subject":"Re: abnormal Behavior in Users Devices","moderationData":{"__ref":"ModerationData:moderation_data:4119328"},"body":"

Hi ahmedamer ,

have you or someone on the team perhaps turned on the Defender for Endpoint deception features?

 

You can check the setting for Deception by going to your XDR dashboard > Settings > Endpoints > Advanced features and scroll to find the setting for  “Deception” towards the bottom of the features list.

 

if it’s on, you can confirm that the user you’re seeing is apart of the deception identities by scrolling a bit more on the endpoints menu for the “Deception rules” tab under the Rules header. There may just be one Default rule there. Click it and you should see a list of deception identities.

 

see more here: Configure the deception capability in Microsoft Defender XDR 

 

Best,

Dylan

","body@stripHtml({\"removeProcessingText\":false,\"removeSpoilerMarkup\":false,\"removeTocMarkup\":false,\"truncateLength\":200})@stringLength":"224","kudosSumWeight":1,"repliesCount":0,"postTime":"2024-04-20T11:06:45.731-07:00","lastPublishTime":"2024-04-20T11:20:48.828-07:00","solution":true,"metrics":{"__typename":"MessageMetrics","views":1191},"visibilityScope":"PUBLIC","placeholder":false,"originalMessageForPlaceholder":null,"isEscalated":null,"entityType":"FORUM_REPLY","eventPath":"category:microsoft-defender-xdr/category:microsoft-security/category:products-services/category:communities/community:gxcuf89792board:MicrosoftThreatProtection/message:4119284/message:4119328","replies":{"__typename":"MessageConnection","pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null},"edges":[]},"body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":200})@stringLength":"224","images":{"__typename":"AssociatedImageConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"attachments":{"__typename":"AttachmentConnection","pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null},"edges":[]},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"customFields":[]},"QueryVariables:MessageSolutions":{"__typename":"QueryVariables","id":"MessageSolutions","value":{"first":10,"constraints":{"topicId":{"eq":"message:4119284"},"solution":{"eq":true}},"sorts":{"postTime":{"direction":"ASC"}},"useAvatar":true,"useAuthorLogin":true,"useAuthorRank":false,"useBody":true,"useKudosCount":false,"useTimeToRead":false,"useMedia":true,"useRepliesCount":false,"useSearchSnippet":false,"useAcceptedSolutionButton":true,"useSolvedBadge":false,"useAttachments":true,"useTags":false,"useUserHoverCard":false,"useNodeHoverCard":false,"usePreviewSubjectModal":false,"useMessageStatus":false}},"CachedAsset:text:en_US-components/community/NavbarDropdownToggle-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarDropdownToggle-1737115705000","value":{"ariaLabelClosed":"Press the down arrow to open the menu"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/QueryHandler-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/QueryHandler-1737115705000","value":{"title":"Query Handler"},"localOverride":false},"CachedAsset:text:en_US-components/messages/EscalatedMessageBanner-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/EscalatedMessageBanner-1737115705000","value":{"escalationMessage":"Escalated to Salesforce by {username} on {date}","viewDetails":"View Details","modalTitle":"Case Details","escalatedBy":"Escalated by: ","escalatedOn":"Escalated on: ","caseNumber":"Case Number: ","status":"Status: ","lastUpdateDate":"Last Update: ","automaticEscalation":"automatic escalation","anonymous":"Anonymous"},"localOverride":false},"CachedAsset:text:en_US-components/users/UserLink-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-components/users/UserLink-1737115705000","value":{"authorName":"View Profile: {author}","anonymous":"Anonymous"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/users/UserRank-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/users/UserRank-1737115705000","value":{"rankName":"{rankName}","userRank":"Author rank {rankName}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageTime-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageTime-1737115705000","value":{"postTime":"Published: {time}","lastPublishTime":"Last Update: {time}","conversation.lastPostingActivityTime":"Last posting activity time: {time}","conversation.lastPostTime":"Last post time: {time}","moderationData.rejectTime":"Rejected time: {time}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageSolvedBadge-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageSolvedBadge-1737115705000","value":{"solved":"Solved"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageSubject-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageSubject-1737115705000","value":{"noSubject":"(no subject)"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageBody-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageBody-1737115705000","value":{"showMessageBody":"Show More","mentionsErrorTitle":"{mentionsType, select, board {Board} user {User} message {Message} other {}} No Longer Available","mentionsErrorMessage":"The {mentionsType} you are trying to view has been removed from the community.","videoProcessing":"Video is being processed. Please try again in a few minutes.","bannerTitle":"Video provider requires cookies to play the video. Accept to continue or {url} it directly on the provider's site.","buttonTitle":"Accept","urlText":"watch"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageCustomFields-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageCustomFields-1737115705000","value":{"CustomField.default.label":"Value of {name}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageReplyButton-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageReplyButton-1737115705000","value":{"repliesCount":"{count}","title":"Reply","title@board:BLOG@message:root":"Comment","title@board:TKB@message:root":"Comment","title@board:IDEA@message:root":"Comment","title@board:OCCASION@message:root":"Comment"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageSolutionList-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageSolutionList-1737115705000","value":{"emptyDescription":"No has been message solutions yet"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/users/UserAvatar-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/users/UserAvatar-1737115705000","value":{"altText":"{login}'s avatar","altTextGeneric":"User's avatar"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/ranks/UserRankLabel-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/ranks/UserRankLabel-1737115705000","value":{"altTitle":"Icon for {rankName} rank"},"localOverride":false},"CachedAsset:text:en_US-components/messages/AcceptedSolutionButton-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/AcceptedSolutionButton-1737115705000","value":{"accept":"Mark as Solution","accepted":"Marked as Solution","errorHeader":"Error!","errorAdd":"There was an error marking as solution.","errorRemove":"There was an error unmarking as solution.","solved":"Solved"},"localOverride":false},"CachedAsset:text:en_US-components/tags/TagView/TagViewChip-1737115705000":{"__typename":"CachedAsset","id":"text:en_US-components/tags/TagView/TagViewChip-1737115705000","value":{"tagLabelName":"Tag name {tagName}"},"localOverride":false}}}},"page":"/forums/ForumMessagePage/ForumMessagePage","query":{"boardId":"microsoftthreatprotection","messageSubject":"abnormal-behavior-in-users-devices","messageId":"4119284"},"buildId":"rBSXYkarBGCCgv-Fy0Q8w","runtimeConfig":{"buildInformationVisible":false,"logLevelApp":"info","logLevelMetrics":"info","openTelemetryClientEnabled":false,"openTelemetryConfigName":"o365","openTelemetryServiceVersion":"25.1.0","openTelemetryUniverse":"prod","openTelemetryCollector":"http://localhost:4318","openTelemetryRouteChangeAllowedTime":"5000","apolloDevToolsEnabled":false,"inboxMuteWipFeatureEnabled":false},"isFallback":false,"isExperimentalCompile":false,"dynamicIds":["./components/seo/QAPageSchema/QAPageSchema.tsx","./components/community/Navbar/NavbarWidget.tsx","./components/community/Breadcrumb/BreadcrumbWidget.tsx","./components/customComponent/CustomComponent/CustomComponent.tsx","./components/messages/TopicWithThreadedReplyListWidget/TopicWithThreadedReplyListWidget.tsx","./components/external/components/ExternalComponent.tsx","./components/messages/MessageView/MessageViewStandard/MessageViewStandard.tsx","./components/messages/ThreadedReplyList/ThreadedReplyList.tsx","../shared/client/components/common/List/UnstyledList/UnstyledList.tsx","./components/messages/MessageView/MessageView.tsx","../shared/client/components/common/List/UnwrappedList/UnwrappedList.tsx","./components/tags/TagView/TagView.tsx","./components/tags/TagView/TagViewChip/TagViewChip.tsx"],"appGip":true,"scriptLoader":[{"id":"analytics","src":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/pagescripts/1729284608000/analytics.js?page.id=ForumMessagePage&entity.id=board%3Amicrosoftthreatprotection&entity.id=message%3A4119284","strategy":"afterInteractive"}]}