Forum Discussion
ambarishrh (Iron Contributor)
Aug 07, 2024
Batch file with Defender Deception
Hi all,
Last year, when Defender Deception was introduced, we enabled the default rule. By July this year, we started noticing some bat.backup files with these deception users on a few computers which are in scope of this deception rule (mostly in the C:\users\default or C:\Users\Username\ directory; the file names are usually loginmonitor.bat.backup).
A sample of the file content is below:
net user \\devicename\monitor /USER:DECEPTION_USER PASSWORD
ping 8.8.8.8 >> \\devicename\monitor\%HOSTNAEM%.txt
date >> \\devicename\monitor\%HOSTNAEM%.txt
ipconfig /a >> \\devicename\monitor\%HOSTNAEM%.txt
Some devices will have ping 1.1.1.1.
I could map those users to the deception users created, but I am wondering what happened in the last month or so that Defender is creating these, possibly lure files as mentioned in the setup window (attached).
Has anyone else noticed this?