Aug 07 2024 10:35 AM - edited Aug 07 2024 10:37 AM
Hi all,
Last year when Defender Deception was introduced, we enabled the default rule. By July this year, we started noticing some bat.backup files with these deception users on a few computers which are in scope of this deception rule (mostly in the C:\users\default or C:\Users\Username\ directory; file names are usually loginmonitor.bat.backup).
Sample content of the file is as below:
net user \\devicename\monitor /USER:DECEPTION_USER PASSWORD
ping 8.8.8.8 >> \\devicename\monitor\%HOSTNAEM%.txt
date >> \\devicename\monitor\%HOSTNAEM%.txt
ipconfig /a >> \\devicename\monitor\%HOSTNAEM%.txt
Some devices will have ping 1.1.1.1
Could map those users to the deception users created, but wondering what happened in the last month or so that Defender is creating these, possibly lure files as mentioned in the setup window (attached).
Anyone else noticed this?