Batch file with Defender Deception


Hi all,

 

Last year, when Defender Deception was introduced, we enabled the default rule. By July this year, we started noticing some bat.backup files with these deception users on a few computers which are in scope of this deception rule (mostly in the C:\users\default or C:\Users\Username\ directory; file names are usually loginmonitor.bat.backup).

 

Sample content of the file is below:

net user \\devicename\monitor /USER:DECEPTION_USER PASSWORD
ping 8.8.8.8 >> \\devicename\monitor\%HOSTNAEM%.txt
date >> \\devicename\monitor\%HOSTNAEM%.txt
ipconfig /a >> \\devicename\monitor\%HOSTNAEM%.txt

Some devices will have ping 1.1.1.1

We could map those users to the deception users created, but we are wondering what happened in the last month or so that Defender is creating these, possibly lure files as mentioned in the setup window (attached).

Anyone else noticed this?

 

 
