User Profile
ambarishrh
Iron Contributor
Joined Apr 10, 2017
User Widgets
Recent Discussions
Batch file with Defender Deception
Hi all, Last year when Defender Deception was introduced, we enabled the default rule. By July this year, we started noticing some bat.backup files with these deception users in few computers which are in scope of this deception rule. (Mostly C:\users\default or C:\Users\Username\ directory) and file names are usually loginmonitor.bat.backup) Content of the file sample as below net user \\devicename\monitor /USER:DECEPTION_USER PASSWORD ping http://8.8.8.8/ >> \\devicename\monitor\%HOSTNAEM%.txt date >> \\devicename\monitor\%HOSTNAEM%.txt ipconfig /a >> \\devicename\monitor\%HOSTNAEM%.txt Some devices will have ping http://1.1.1.1/ Could map those users to deception users created, but wondering what happend in the last month or so that Defender creating these, possibly lure files as mentioned in the setup window (attached) Anyone else noticed this?Re: Determine date of last email sent to Distribution List
Did you check the audit log? You can find audit log in SCC: {Link removed by admin} This log also need you to enable audit log, which by default is enable. Link: {Link removed by admin} You can try this cmdlets to check: get-AdminAuditLogConfig | select UnifiedAuditLogIngestionEnabled If it is not enabled, please run this following cmdlets: Enable global logging: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true Enable Auditing for every user: Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox" -or RecipientTypeDetails -eq "SharedMailbox" -or RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "DiscoveryMailbox"} | Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 180 -AuditAdmin Update, MoveToDeletedItems, SoftDelete, HardDelete, SendAs, SendOnBehalf, Create, UpdateFolderPermission -AuditDelegate Update, SoftDelete, HardDelete, SendAs, Create, UpdateFolderPermissions, MoveToDeletedItems, SendOnBehalf -AuditOwner UpdateFolderPermission, MailboxLogin, Create, SoftDelete, HardDelete, Update, MoveToDeletedItemsRe: I HATE this SOFTWARE - how do I get rid of it????
MagicMedia1964 Thank you for sharing your feedback about Microsoft Defender. It sounds like you’re disappointed with your experience. I’m not affiliated with Microsoft, but I’m a fellow user who likes to help the community. Did you manage to look at the Quarantine section on security.microsoft.com to see what is the root cause of these emails being quarantined?Re: Microsoft Defender for Endpoint is a IPS or IDS service?
morterastephanie Microsoft Defender for Endpoint (MDE) is a security solution that provides protection against malware and other advanced threats for devices running Windows, macOS, and Linux. While MDE does not offer traditional IDS or IPS, it does include several features that can help detect and prevent intrusions. Behavioral-based threat detection: MDE uses machine learning and behavioral analysis to detect malicious activity on devices, even if it doesn't match known malware signatures. Network protection: MDE includes a firewall and network protection features that can detect and block malicious network traffic, such as attempts to connect to known command-and-control servers or other malicious IP addresses. Advanced hunting: MDE includes advanced hunting capabilities that allows to search through device and network event data to identify potential intrusions and other security threats. Endpoint detection and response (EDR): MDE includes EDR capabilities that allow security analysts to investigate and respond to security incidents on individual devices. MDE is not designed to replace traditional IDS/IPS solutions but rather to complement them and provide additional layers of protection. Depending on your organization's requirements, you may need to use other security products to ensure that all the necessary intrusion detection and prevention capabilities are covered.Re: Microsoft Defender for Endpoint Management
K_GH2010 If you have a large number of on-premises Windows devices and a robust IT infrastructure, SCCM might be the best option, but if you are looking for a more simplified and streamlined experience, with the ability to manage hybrid devices and don't have a large on-premises infrastructure, MEM would be a better choice.Re: Restricting access to Office 365 if a specific application is not installed
Odenkaz Are you looking at devices that are already enrolled via Intune? If so, you could set up devices to enroll automatically on Microsoft Defender. Even though there are options for Windows to check for Defender protection level, I don't see the same for MAC.
